SafeGuard Enterprise Administrator help

SafeGuard® Enterprise 5.50
Administrator help
Document date: November 2010
Content
1 The SafeGuard Management Center (page 3)
2 Operating steps in the SafeGuard Management Center (page 6)
3 Creating the organizational structure (page 9)
4 Working with multiple database configurations (page 20)
5 Exporting company and Master Security Officer certificate (page 25)
6 Licenses (page 28)
7 SafeGuard Enterprise Security Officers (page 36)
8 Data encryption (page 55)
9 SafeGuard Enterprise Key Management (page 58)
10 Working with policies (page 68)
11 Working with configuration packages (page 83)
12 Administrative access options for endpoint computers (page 84)
13 Service Account Lists for Windows logon (page 85)
14 POA access accounts for POA logon at unmanaged endpoint computers (page 91)
15 Security policies (page 97)
16 SafeGuard Configuration Protection (page 138)
17 User-computer assignment (page 169)
18 Tokens and smartcards (page 174)
19 SafeGuard Data Exchange (page 192)
20 Power-on Authentication (POA) (page 199)
21 Recovery options (page 211)
22 Recovery via Local Self Help (page 212)
23 Recovery via Challenge/Response (page 218)
24 System Recovery (page 245)
25 Inventory and status data (page 250)
26 Reports (page 258)
27 SafeGuard Enterprise and BitLocker Drive Encryption (page 273)
28 SafeGuard Enterprise and BitLocker To Go (page 278)
29 Events available for reports (page 280)
30 Definitions of the SGMERR codes in Windows event log (page 289)
31 Technical Support (page 303)
32 Copyright (page 304)
SafeGuard® Enterprise 5.50, Administrator help
1 The SafeGuard Management Center
The SafeGuard Management Center is the central instrument for carrying out all administrative
activities.
The SafeGuard Management Center provides for serving multiple databases and domains by way
of tenant-specific configurations (Multi Tenancy). You are able to administrate different
SafeGuard Enterprise Databases and maintain different configurations. These configurations can
also be exported to and imported from files to ease configuration.
The SafeGuard Management Center does not necessarily have to be installed on only one computer.
It can be installed on any computer on the network from which the databases can be accessed.
Only privileged users - security officers - can access the SafeGuard Management Center. Several
Security Officers can work with the data simultaneously.
1.1 Logon to the SafeGuard Management Center
When installing and configuring SafeGuard Enterprise, all essential configuration settings are
carried out and an account is created for a Master Security Officer. This account is required the
first time you log on to the SafeGuard Management Center. To start the Management Center, the
user needs to know the password for the certificate store and have the certificate’s private key.
For further information see the Installation Manual.
Logon depends on whether you run the SafeGuard Management Center in Single Tenancy or in
Multi Tenancy mode.
1.1.1 Logon in Single Tenancy mode
1. Start the SafeGuard Management Center via the Start menu. You will see a logon dialog.
2. Log on as an MSO and enter the certificate store password specified during initial
configuration. Click OK.
Note: If you enter an incorrect password, an error message will be displayed and a delay will be
imposed for the next logon attempt. The delay period will be increased with each failed logon
attempt. Failed attempts will be logged.
The SafeGuard Management Center is opened.
1.1.2 Logon in Multi Tenancy mode
The logon process to the Management Center has an additional step when you have configured several
databases (Multi Tenancy), see Working with multiple database configurations on page 20.
1. Start the SafeGuard Management Center via product folder of the Start menu. The Select
Configurations dialog will be displayed.
2. Select the database configuration you want to use from the drop-down list and click OK. The
selected database configuration is connected to the Management Center and will become
active.
3. To authenticate to the SafeGuard Management Center you are prompted to select the Security
Officer name for this configuration and to enter their certificate store password. Confirm with
OK.
The SafeGuard Management Center will be opened and connected to the selected database
configuration.
Note: If you enter an incorrect password, an error message will be displayed and a delay will be
imposed for the next logon attempt. The delay period will be increased with each failed logon
attempt. Failed attempts will be logged.
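The note above describes two defensive properties of the Management Center logon: the delay imposed after a failed logon grows with every further failure, and every failure is logged. The following Python snippet is an added illustration of that pattern and is not SafeGuard code; the doubling schedule (1 s, 2 s, 4 s, ... capped at 60 s), the officer name "MSO" and the injectable clock are assumptions made for the example.

```python
import logging
import time
from collections import defaultdict

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("sgn.logon")

# Delay schedule in seconds. The help text only states that the delay grows
# with every failed attempt; doubling from 1 s up to a 60 s cap is an
# assumption made for this example.
BASE_DELAY = 1.0
MAX_DELAY = 60.0


class LogonThrottle:
    """Per-officer failed-logon counter that imposes a growing delay before
    the next attempt is accepted and logs every failure."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(int)      # officer -> consecutive failures
        self._not_before = defaultdict(float)  # officer -> earliest accepted attempt

    @staticmethod
    def delay_for(failures):
        """Delay after `failures` consecutive failures: 0, 1, 2, 4, 8 ... capped."""
        if failures <= 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def attempt(self, officer, password_ok):
        """Process one logon attempt.

        Returns (accepted, wait_seconds). While a delay is active the attempt
        is refused without being evaluated, so trying again during the delay
        neither helps nor resets the counter."""
        now = self._clock()
        remaining = self._not_before[officer] - now
        if remaining > 0:
            log.warning("logon for %s refused: %.1f s delay still active", officer, remaining)
            return False, remaining
        if password_ok:
            self._failures[officer] = 0
            self._not_before[officer] = 0.0
            log.info("logon for %s succeeded", officer)
            return True, 0.0
        self._failures[officer] += 1
        wait = self.delay_for(self._failures[officer])
        self._not_before[officer] = now + wait
        log.warning("logon for %s failed (attempt %d); next attempt allowed in %.1f s",
                    officer, self._failures[officer], wait)
        return False, wait


if __name__ == "__main__":
    # Constructed demo run: one failure, then a refused retry, then a success after waiting.
    throttle = LogonThrottle()
    print(throttle.attempt("MSO", False))
    print(throttle.attempt("MSO", True))   # refused: 1 s delay still active
    time.sleep(1.1)
    print(throttle.attempt("MSO", True))
```

The counter is reset only by a successful logon, and an attempt made while the delay is still running is rejected before the password is examined; both properties are what make a growing delay effective against repeated guessing of the certificate store password.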
2 Operating steps in the SafeGuard Management Center
The following steps are essential for working with SafeGuard Enterprise to ensure that the
companywide security policies can be applied to the endpoint computers:
- Create or import the organizational structure.
- Create additional security officers.
- Define initial (principal) policy items.
- Save to the database.
- Export and import configurations.
Day-to-day use
After logging on for the first time, settings can be added as required. The various security officers
can perform actions in accordance with the roles assigned to them.
If new settings are saved to the database, they can be transferred to the endpoint computers where
they become active.
2.1 The Management Center work area
[Figure: the Management Center work area. Callouts: Navigation area (buttons for all administrative actions); Navigation window (administrative objects); Toolbar (to select actions); Tabs (to select different tasks or to display information); Action area (displays depend on the selections in the navigation area); Associated views (can contain essential elements or information for administration of the objects currently being processed).]
Navigation area
The navigation area contains buttons for all administrative actions:
- Users & Computers
  To import groups and users from an Active Directory, from the domain or from an individual
  computer.
- Policies
  To create policy items.
- Keys & Certificates
  To manage keys and certificates.
- Tokens
  To manage tokens and smartcards.
- Security Officers
  To create new security officers or roles and define actions for which additional authorization
  is required.
- Reports
  Enables records to be created of all security-related events and their management.
Navigation window
Objects to be processed or which can be created are displayed in the navigation window
(Active Directory objects such as OUs, users and computers, policy items,...) depending on
the administrative task selection.
Action area
For defining settings for the objects selected in the navigation window. The action area contains
various tabs with which objects are processed and settings are carried out.
The action area also includes information about the selected objects.
Associated views
Additional objects and information as required are displayed in these views. They provide useful
information for system administration and they make use of the system easier. For example, keys
can be allocated using drag-and-drop objects.
Toolbar
Contains symbols for the different Management Center actions. Symbols are displayed as and
when they are available for the selected object.
After logon, the Management Center always opens with the view in which it was closed.
3 Creating the organizational structure
Users and computers can also be defined in SafeGuard Enterprise and do not have to be imported
from the Active Directory. If there is no existing organizational structure, it can be quickly created
in SafeGuard Enterprise along with a structure for managing policy items. It is also possible to
assign policies and/or encryption rules to local users.
A security officer with the respective rights can set up workgroups or domains which have not yet
been imported in order to manage the automatically registered users and computers.
New users/computers logging on to SafeGuard Enterprise are displayed under their
corresponding containers after initial synchronization with the database in the SafeGuard
Management Center. The security officers can then manage them exactly the same as imported
objects.
The directory for these users/computers, .Auto registered, is automatically created in the root
directory and under each domain/workgroup. It cannot be renamed or moved. Objects assigned
to this directory cannot be moved manually either.
3.1 Registering as a new user
For logging on as a new user, see Power-on Authentication (POA) on page 178. When a new user
logs on to SafeGuard Enterprise for the first time, their database status is checked during the
initial synchronization with the database and the new object is displayed under the respective
container in accordance with the information in the database. If no new workgroup or domain
has been created, the new user is added in .Auto registered under the Root directory. If a domain
has already been created, but the user/computer has not yet been imported, they are added in
.Auto registered under the domain.
Note: Local users cannot log on to SafeGuard Enterprise with an empty password. Local users
who log on to SafeGuard Enterprise with an empty password remain as guests and are not saved
to the database. If, in addition, Windows Autologin is activated for these users, logon is denied to
them. For a successful logon at SafeGuard Enterprise a new password must be created in this case
and the Windows Autologin must be deactivated in the registry of the endpoint computer.
| Logon information about the local object | Database status | Displayed in the Management Center |
|---|---|---|
| Local users | Local users not known | Under master directory, .Auto registered, newly added under its computer |
| Local users, computers + domains | Domain nodes known; users/computers present | Already present under domain nodes |
| Local users, computers + domains | Domain nodes known; users/computers not present | .Auto registered, newly added under domain nodes |
| Computer workgroups + workgroup | Workgroup known; users/computers not physically present | Already present under workgroup |
| Computer workgroups + workgroup | Workgroup known; name of computer workgroups present under .Auto registered | Newly added under .Auto registered workgroup. Caution: in this case you need to check whether the computer workgroups are present twice in the workgroup. To differentiate between identical computers, go to Properties and enter the Description. We recommend however that you manually remove the computer from the .Auto registered workgroup directory. |
| Computer workgroups + workgroup | Workgroup known; users/computers not present | Newly added under .Auto registered workgroup |
| Computer workgroups + workgroup | Workgroup not known; computer workgroups known under .Auto registered root directory | Already present under Root directory, .Auto registered |
| Computer workgroups + workgroup | Workgroup not known; computer workgroups not known under .Auto registered root directory | Newly added under .Auto registered root directory |
| Computer domains + domain | Domain known; computer domains present | Already present under domain |
| Computer domains + domain | Domain not known | Newly added under .Auto registered root directory |
| Computer domains + domain | Domain not yet synchronized | Newly added under .Auto registered domain |
3.2 Sample use cases for auto-registration
Below you find two use cases illustrating the behavior of auto-registered objects.
Use case 1: Administrating users/computers not part of an Active Directory
In a company not all user or computer objects might necessarily be part of an Active
Directory (AD), e.g. local users. A company might have one or few workgroups so that an
AD is not needed.
This company wants to deploy SafeGuard Enterprise and then add policies to its user/
computer objects. Therefore the company's organizational structure will be built up
manually in the SafeGuard Management Center as follows:
Users & Computers tree:
Root
|_ .Authenticated Computers
|_ .Authenticated Users
|_ .Auto registered
|_ SampleWorkgroup (entry added manually)
   |_ .Auto registered
      |_ SampleComputer001 (entry created on logon)
      |_ SampleComputer002 (entry created on logon)
      |_ ...
The user and computer objects remain in the .Auto registered folder. But they can be
administered properly with the SafeGuard Management Center (adding or removing
policies etc).
Use case 2: SafeGuard Enterprise Database and Active Directory out of sync
A user and computer (SafeGuard Enterprise client) are already part of the company's Active
Directory (AD). But the SafeGuard Enterprise database and the AD are out of sync: user
and computer are not listed in the SafeGuard Management Center yet.
The user logs on to the computer (SafeGuard Enterprise client) with the following
credentials:
SampleUser
SamplePassword
Sample Domain
This information is sent to the SafeGuard Enterprise Server. In the SafeGuard
Management Center the following entries are created:
Users & Computers tree:
Root
|_ .Authenticated Computers
|_ .Authenticated Users
|_ .Auto registered
|_ SampleDomain (entry created on sync with AD)
   |_ .Auto registered
      |_ SampleComputer (entry created on logon)
      |_ SampleUser (entry created on logon)
Upon the next synchronization between the AD and the SafeGuard Enterprise database the
SampleComputer and the SampleUser are moved automatically to their correct
organizational units (OU).
The MSO can add policies to the .Auto registered folder if desired, but those policies will
apply to SampleComputer and SampleUser only as long as those objects are part of the
.Auto registered folder.
Once they are moved to their organizational units (OU) by synchronization between the
AD and the SafeGuard Enterprise Database, the policies set for those OUs will apply to
SampleComputer and SampleUser as well.
3.3 Keys and certificates for auto-registered objects
A certificate is produced as required by the server for each auto-registered object.
A local user gets two keys:
- the key to the .Auto registered container
- the private key generated as required by the server
Local users neither get other keys for their assigned container nor a root key.
Workgroups do not get a key.
3.4 Policies for auto-registered objects
Unlimited policies can be created for auto-registered objects.
Local users are added to the “Authenticated Users” group. Computers are added to the
“Authenticated Computers” group. The policies activated for these groups apply accordingly.
3.5 Creating new workgroup
Security officers with the respective rights assigned can create a container under the root
directory which represents a Windows workgroup. Workgroups do not have a key. They cannot
be renamed.
1. In the SafeGuard Management Center, click Users & Computers.
2. Right-click Root [filter is active] in the navigation window on the left and select New > Create
new workgroup (auto registration).
3. In Common information enter the following:
a) Enter a Full name for the workgroup.
b) Optionally you can add a description of the workgroup.
c) The type of object is displayed under Connection state, in this case Workgroup.
d) To prevent policy inheritance, you may activate Block Policy Inheritance.
e) Confirm details with OK.
The workgroup is now created. The default .Auto registered directory is automatically created
under the workgroup container. It cannot be renamed or deleted.
3.6 Deleting workgroups
Security officers can delete workgroups. Members assigned to the workgroup are also deleted.
They are automatically re-registered at next logon.
1. In the SafeGuard Management Center click Users & Computers.
2. In the navigation window on the left right-click the workgroup you want to delete and select
Delete. Confirm with Yes.
The workgroup is now deleted. Any members are also deleted.
3.7 Creating a new domain
Security officers with the respective rights can create a new domain under the root directory. You
only have to create a new domain, if you do not want to or are not able to import a domain from
the Active Directory (AD), for instance because there is no AD available.
1. In the SafeGuard Management Center click Users & Computers.
2. Right-click Root [filter is active] in the navigation window on the left and select New > Create
new domain (auto registration).
3. In Common information enter the following information about the domain controller. All
three name entries must be correct, otherwise the domain will not be synchronized:
a) Full name: For example computer name.domain.com or the IP address of the domain
controller
b) Distinguished name: DNS name, for example
DC=computername3,DC=domain,DC=country
c) A description for the domain (optional)
d) Domain Netbios: Name of the domain controller
e) The type of object is displayed under Connection state, in this case Domain.
f) To prevent policy inheritance, you may activate Block Policy Inheritance.
g) Confirm details with OK.
The new domain has now been created. Users and/or computers are automatically assigned to
this domain during auto registration. The default .Auto registered directory is automatically
created under the domain container. It cannot be renamed or deleted.
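Step 3 above warns that all three name entries (Full name, Distinguished name, Domain NetBIOS) must be correct or the domain will not synchronize. The following Python helper is an added example, not part of SafeGuard Enterprise, that checks the three entries for format and mutual consistency before they are typed into the dialog. The sample domain "example.corp", the host "dc01" and the NetBIOS name "EXAMPLE" are constructed values; the rule that a host-name Full name must lie inside the domain named by the DN is the example's own cross-check.

```python
import ipaddress
import re

# Constructed entries for the "Create new domain" dialog; the values are
# assumptions for this example, not real infrastructure.
SAMPLE_DOMAIN = {
    "full_name": "dc01.example.corp",
    "distinguished_name": "DC=example,DC=corp",
    "netbios": "EXAMPLE",
}

# NetBIOS names are at most 15 characters; the character set here is deliberately conservative.
_NETBIOS_RE = re.compile(r"^[A-Za-z0-9\-_]{1,15}$")
# One DNS label: alphanumerics and hyphens, not starting or ending with a hyphen, max 63 chars.
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def dns_to_dn(dns_name):
    """Build the LDAP distinguished name of a domain from its DNS name:
    'example.corp' -> 'DC=example,DC=corp'."""
    labels = [label for label in dns_name.strip().lower().split(".") if label]
    return ",".join(f"DC={label}" for label in labels)


def dn_to_dns(dn):
    """Inverse of dns_to_dn. Raises ValueError if any component is not DC=..."""
    labels = []
    for part in (p.strip() for p in dn.split(",") if p.strip()):
        key, _, value = part.partition("=")
        if key.strip().upper() != "DC" or not value.strip():
            raise ValueError(f"not a DC component: {part!r}")
        labels.append(value.strip().lower())
    return ".".join(labels)


def check_domain_entries(entries):
    """Return a list of problems found in the three name entries.
    An empty list means the entries look mutually consistent."""
    problems = []
    full = entries.get("full_name", "").strip()
    dn = entries.get("distinguished_name", "").strip()
    netbios = entries.get("netbios", "").strip()

    # Full name: either an IP address or a DNS host name of the domain controller.
    is_ip = False
    try:
        ipaddress.ip_address(full)
        is_ip = True
    except ValueError:
        labels = full.split(".")
        if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
            problems.append(f"full name {full!r} is neither an IP address nor a valid host name")

    # Distinguished name: must consist only of DC= components.
    try:
        dn_domain = dn_to_dns(dn)
    except ValueError as exc:
        problems.append(f"distinguished name: {exc}")
        dn_domain = ""

    # Cross-check (example's own rule): a host-name Full name must lie inside
    # the domain that the DN describes.
    if dn_domain and not is_ip and not problems:
        host_domain = full.lower().split(".", 1)[1]
        if host_domain != dn_domain:
            problems.append(
                f"full name domain {host_domain!r} does not match DN domain {dn_domain!r}")

    # NetBIOS name: length and character set only; it need not equal a DNS label.
    if not _NETBIOS_RE.match(netbios):
        problems.append(f"NetBIOS name {netbios!r} is not a valid NetBIOS name")
    return problems


if __name__ == "__main__":
    print(check_domain_entries(SAMPLE_DOMAIN) or "entries are consistent")
```

Run the check on the values you intend to enter; an empty result does not prove the domain controller is reachable, only that the three fields cannot contradict each other, which removes the most common reason for a domain that never synchronizes.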
3.8 Renaming a domain
A security officer with the respective rights can rename a domain and define additional
properties.
1. In the SafeGuard Management Center click Users & Computers.
2. Right-click the domain you want to rename in the navigation window on the left and select
Properties.
3. In Common information under Full name change the domain name and the description if
required.
4. You may change the name of the domain controller in Domain NetBios.
5. You can also define the Wake on LAN mode for automatic reboot in the Container Settings
tab.
6. Confirm with OK.
The changes are now saved.
3.9 Deleting a domain
Security officers with the respective rights can delete domains. Members assigned to the domain
are also deleted.
1. In the SafeGuard Management Center click Users & Computers.
2. In the navigation window on the left right-click the domain you want to delete and select
Delete. Confirm with Yes.
The domain is now deleted. Any members are also deleted.
3.10 Deleting auto registered computers
When an auto-registered computer is deleted, all local users of this computer are also deleted.
They are automatically re-registered the next time they log on to this computer.
3.11 Filter for local objects
Users & Computers
In Users & Computers you can filter the view in the navigation area on the left according to local
users or search for specific local users.
1. In the SafeGuard Management Center click Users & Computers.
2. In the bottom left of the navigation window click Filter.
3. Activate Local user as Type. If you are looking for a specific user, enter the name of this user.
4. Click the magnifier icon.
The Users & Computers view is filtered according to the criteria.
Logging
Successful/unsuccessful registration of the user, computer or workgroup is logged. You can view
a list of this information in the SafeGuard Management Center under Reports in the event
viewer.
3.12 Importing the organizational structure from an Active Directory
You have the option of importing an existing organizational structure to the SafeGuard
Enterprise Database, e.g. via an Active Directory.
1. In the SafeGuard Management Center select Tools > Options.
2. Select the Directory tab and click Add.
3. In LDAP Authentication do the following:
a) For Server name or IP enter the NetBIOS name of the domain controller or its IP address.
b) For User credentials enter your Windows user name and password for the (test)
environment.
c) Confirm with OK.
Note: For a single Windows computer, a directory must be approved on the PC to enable a
connection via LDAP.
4. Click Users & Computers.
5. In the left-hand navigation window, click the root directory Root [filter is active].
6. Select the Synchronize tab in the action area on the right.
7. Select the required directory from the Directory DSN list. Click the magnifier icon, top right.
A graphical representation of the Active Directory structure of the organizational units (OU)
in your company will appear.
8. You do not need to import the entire contents of the Active Directory. Check the
organizational units (OU) to be synchronized.
9. Click Synchronize at the bottom of the action area.
Note: When synchronizing users and their group membership, membership in a 'primary group'
will not be synchronized, because it is not visible on the group object.
The domains are synchronized. Synchronization details are displayed. You can view a
synchronization log in the status bar at the left. When clicking on it, you can copy this
log to the clipboard and paste it into an e-mail or file in case you would like to inform your
users of the synchronization results.
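The note about primary groups matters for policy assignment: a user whose only link to a policy-bearing group is the primary group will not appear as a member after synchronization, so that group's policies will not reach them. The following Python snippet is an added example (not SafeGuard code) that, given directory records in the shape an LDAP query returns, lists the memberships the synchronization will see and flags the users whose coverage depends on a primary group alone. The users, groups and RIDs are constructed sample data; 513 is the well-known RID of "Domain Users".

```python
# Constructed sample of what an LDAP query of the domain might return; the
# names are assumptions for this example. In Active Directory the primary
# group is recorded only as primaryGroupID on the user and is NOT listed in
# the user's memberOf nor in the group's member attribute.
SAMPLE_GROUPS = {
    513: "CN=Domain Users,CN=Users,DC=example,DC=corp",
    1101: "CN=Laptop Users,OU=Groups,DC=example,DC=corp",
}
SAMPLE_USERS = [
    {"dn": "CN=Alice,OU=Sales,DC=example,DC=corp", "primaryGroupID": 513,
     "memberOf": ["CN=Laptop Users,OU=Groups,DC=example,DC=corp"]},
    {"dn": "CN=Bob,OU=Sales,DC=example,DC=corp", "primaryGroupID": 1101,
     "memberOf": []},
    {"dn": "CN=Carol,OU=IT,DC=example,DC=corp", "primaryGroupID": 513,
     "memberOf": []},
]


def synchronized_memberships(users):
    """Memberships as the directory synchronization sees them: only the
    explicit memberOf links. Returns {user_dn: set(group_dn)}."""
    return {u["dn"]: set(u["memberOf"]) for u in users}


def primary_group_only_users(users, groups):
    """Users whose membership in a group exists only through their primary
    group, i.e. a membership the synchronization silently omits.
    Returns {user_dn: group_dn}."""
    hidden = {}
    for u in users:
        primary_dn = groups.get(u["primaryGroupID"])
        if primary_dn is not None and primary_dn not in u["memberOf"]:
            hidden[u["dn"]] = primary_dn
    return hidden


def policy_coverage_gaps(users, groups, policy_groups):
    """Given the set of group DNs that carry SafeGuard policies, return the
    users (sorted by DN) whose only link to such a group is their primary
    group and who will therefore not receive those policies after sync."""
    hidden = primary_group_only_users(users, groups)
    return sorted(dn for dn, group in hidden.items() if group in policy_groups)


if __name__ == "__main__":
    # Policies were assigned to "Laptop Users": Bob reaches it only via his primary group.
    print(policy_coverage_gaps(SAMPLE_USERS, SAMPLE_GROUPS, {SAMPLE_GROUPS[1101]}))
```

The practical remedy the check points to is to make the explicit memberOf link exist (add the user to the group directly, or make a different group the primary group), or to assign the policy to the OU instead of the group.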
3.13 Importing a new domain from an Active Directory
If you only want to import a new domain from the Active Directory, proceed as follows:
1. In the left-hand navigation window, click the root directory Root [filter is active].
2. Select File > New > Import new domain from AD.
3. Select the Synchronize tab in the action area on the right.
4. Select the required directory from the Directory DSN list. Click the magnifier icon, top right.
A graphical representation of the Active Directory structure of the organizational units (OU)
in your company will appear.
5. Check the domain to be synchronized and click Synchronize at the bottom of the navigation
area.
4 Working with multiple database configurations
The SafeGuard Management Center allows for use of multiple database configurations (Multi
Tenants). If you want to make use of this feature you need to enable it during installation. For
details see the SafeGuard Enterprise Installation manual.
With Multi Tenancy you are able to configure different SafeGuard Enterprise Database
configurations and maintain them for one instance of the SafeGuard Management Center. This
is particularly useful when you want to have different configurations for different domains,
organizational units or company locations.
Prerequisite: The feature Multi Tenancy must have been installed via a Custom installation.
Initial configuration must have been carried out. For details see the SafeGuard Enterprise
Installation manual.
To ease configuration the following is possible:
- Create multiple database configurations.
- Select from a list of previously created database configurations.
- Import a previously created database configuration from a file.
- Export a database configuration to be reused at a later point in time.
4.1 Creating further database configurations
To create a further SafeGuard Enterprise Database configuration after initial configuration,
proceed as follows:
1. Start the SafeGuard Management Center. The Select Configuration dialog will be displayed.
2. Click New. The SafeGuard Management Center Configuration Wizard starts automatically.
3. The Wizard will guide you through the necessary steps of creating a new database
configuration. Make your settings as required. The new database configuration will be
generated.
4. To authenticate to the SafeGuard Management Center you are prompted to select the Security
Officer name for this configuration and to enter their certificate store password. Confirm with
OK.
The SafeGuard Management Center will be opened and connected to the new database
configuration. When the SafeGuard Management Center is started for the next time, the new
database configuration can be selected from the list.
4.2 Connecting to an existing database configuration
To work on an existing SafeGuard Enterprise Database configuration, proceed as follows:
1. Start the SafeGuard Management Center. The Select Configuration dialog will be displayed.
2. Select the required database configuration from the drop-down list and click OK. The selected
database configuration is connected to the Management Center and will become active.
3. To authenticate to the SafeGuard Management Center you are prompted to select the Security
Officer name for this configuration and to enter their certificate store password. Confirm with
OK.
The SafeGuard Management Center will be opened and connected to the selected database
configuration.
4.3 Exporting a configuration to a file
To save or reuse a database configuration you may export it to a file. To do so, proceed as follows:
1. Start the SafeGuard Management Center. The Select Configuration dialog will be displayed.
2. Click Export...
3. To secure the configuration file you are prompted to enter and confirm a password that will
encrypt the configuration file. Click OK.
4. Specify a file name and storage location for the exported configuration file *.SGNConfig.
5. In case this configuration already exists you are asked if you want to overwrite the existing
configuration.
The database configuration is saved to the specified storage location.
4.4 Importing a configuration from a file
To use or change a database configuration you may import a previously created configuration
into the SafeGuard Management Center. There are two ways to do so:
- via the SafeGuard Management Center (for Multi Tenancy)
- by double-clicking the configuration file (for Single and Multi Tenancy)
4.5 Importing a configuration via the SafeGuard Management Center
1. Start the SafeGuard Management Center. The Select Configuration dialog will be displayed.
2. Click Import..., locate the required configuration file and click Open.
3. Enter the password for the configuration file defined during the export and click OK.
4. The selected configuration will be displayed. Confirm to activate it with OK.
5. To authenticate to the SafeGuard Management Center you are prompted to select the Security
Officer name for this configuration and to enter their certificate store password. Confirm with
OK.
The SafeGuard Management Center will be opened and connected to the imported database
configuration.
4.6 Importing a configuration by double-clicking the configuration file (Single and Multi Tenancy)
Note: This task is available in Single-Tenancy and Multi Tenancy mode.
It is also possible to export a configuration and distribute it to several security officers. The
security officers then only need to directly double-click the configuration file to open a fully
configured SafeGuard Management Center.
This is advantageous when you use SQL authentication for the database and want to avoid the SQL
password being known to every administrator. You then only need to enter it once, create a
configuration file and distribute it to the respective Security Officers’ computers.
Prerequisite: The initial configuration of the SafeGuard Management Center must have been
carried out. For details see the SafeGuard Enterprise Installation manual.
1. Start the SafeGuard Management Center via the product folder of the Start menu.
2. Select Options from Tools menu and select the Database tab.
3. Enter or confirm the credentials for the SQL Database Server connection.
4. Click Export configuration to export this configuration to a file.
5. Enter and confirm a password for the configuration file.
6. Enter a file name and select a storage location.
7. Distribute this configuration file to the security officers’ computers. Let them know the
password for this file as well as the certificate store password needed to authenticate at the
SafeGuard Management Center.
8. The security officers just need to double-click the configuration file.
9. They are prompted to enter the password for the configuration file.
10. To authenticate to the SafeGuard Management Center, they are prompted to enter their
certificate store password.
The SafeGuard Management Center starts with the imported configuration and this
configuration will be made the new default configuration.
4.7 Fast switching of database configurations
To ease administrative tasks for several tenants, the SafeGuard Management Center allows for fast
switching of database configurations.
To switch to another database configuration:
1. In the Management Center select Change configuration... from the File menu.
2. Select the database you want to switch to from the drop-down list and confirm with OK.
The SafeGuard Management Center is automatically restarted with the selected configuration.
Note: This task is also available in Single-Tenancy mode.
4.8 Checking database integrity
When logging on to the database the database integrity is automatically verified. Should this
check result in any errors, the Verify Database Integrity dialog is displayed.
You can also start the database integrity check manually at any time after logon and display the
Verify Database Integrity dialog:
1. Select Tools > Database integrity from the menu bar of the SafeGuard Management Center.
2. Check the tables by clicking Check all or Check selected. Erroneous tables are marked in the
dialog.
To repair them, click Repair.
5 Exporting company and Master Security Officer
certificate
In a SafeGuard Enterprise installation the following two items are critical and require thorough
backup in a safe location:
• the company certificate stored in the SafeGuard Database
• the Master Security Officer (MSO) certificate residing in the certificate store of the computer
on which the SafeGuard Management Center is installed.
Both certificates can be exported in the form of .p12 files for backup purposes. Installations can
then be restored by importing the relevant company and Security Officer certificate as .p12 files
and using them when setting up a new database, rather than having to back up and restore the
whole database.
Note: We advise carrying out this task right after initial configuration of the SafeGuard
Management Center.
5.1 Exporting the Master Security Officer certificate
To back up the Master Security Officer certificate of the MSO logged on to the SafeGuard
Management Center, do the following:
1. In the SafeGuard Management Center menu bar, select Tools > Options.
2. Select the Certificates tab and click Export in the <Administrator> Certificate section.
3. You are prompted to enter a password for securing the exported file. Enter a password,
confirm it and click OK.
4. Enter a file name and storage location for the file to be exported and confirm with OK.
The Master Security Officer certificate of the currently logged on MSO is exported as a .p12 file
to the defined location and can be used for recovery purposes.
5.2 Exporting the company certificates
Note: Only Master Security Officers are entitled to export company certificates for backup
purposes.
1. In the SafeGuard Management Center menu bar, select Tools > Options.
2. Select the Certificates tab and click Export in the Company Certificate section.
3. You are prompted to enter a password for securing the exported file. Enter a password,
confirm it and click OK.
4. Enter a file name and storage location for the file and confirm with OK.
The company certificate is exported as a .p12 file to the defined location and can be used for
recovery purposes.
5.3 Restoring a corrupt SafeGuard Management Center installation
If the installation of the SafeGuard Management Center has become corrupted but the database is
still intact, the installation can easily be restored by installing the SafeGuard Management Center
afresh and using the existing database together with the backed up Security Officer certificate.
Do the following:
1. Install the SafeGuard Management Center installation package afresh. Open the SafeGuard
Management Center. The Configuration Wizard is started automatically.
2. In Database Connection, select the relevant database server and configure the connection to
the database if required. Click Next.
3. In Database Settings activate Select an available database and select the relevant database
from the list.
4. In Security Officer Data, do either of the following:
• If the backed up certificate file can be found on the computer, it will be displayed. Enter the
password you use for authenticating at the SafeGuard Management Center.
• If the backed up certificate file cannot be found on the computer, click Import. Browse for
the backed up certificate file and confirm with Open. Enter the password for the selected
certificate file. Confirm with Yes. Enter and confirm a password for authenticating at the
SafeGuard Management Center.
5. Click Next and then Finish to complete the SafeGuard Management Center configuration.
The corrupt SafeGuard Management Center installation is restored.
5.4 Restoring a corrupt database configuration
A corrupt database configuration can be restored by installing the SafeGuard Management
Center afresh to create a new instance of the database based upon the backed up certificate files.
This will ensure that all existing SafeGuard Enterprise endpoint computers still accept policies
from the new installation. This avoids having to set up and restore the whole database afresh.
• The company and Master Security Officer certificates of the relevant database configuration
must have been exported to .p12 files and must be available and valid.
• The passwords for the two .p12 files as well as for the certificate store must be known to you.
Do the following:
1. Install the SafeGuard Management Center installation package afresh. Open the SafeGuard
Management Center. The Configuration Wizard is started automatically.
2. In Database Connection, check Create a new database. Under Database settings, configure
the connection to the database. Click Next.
3. In Security Officer Data, select the relevant MSO and click Import.
4. In Import Authentication Certificate browse for the backed up certificate file. Under Key file
enter and confirm the password specified for this file. Confirm with OK.
5. The MSO certificate is imported. Click Next.
6. In Company Certificate, check Restore using an existing company certificate. Click Import
to browse for the backed up certificate file that contains the valid company certificate. You are
prompted to enter the password specified for the certificate store. Enter the password and
confirm with OK. Confirm the message with Yes. The company certificate is imported.
7. Click Next, then Finish.
The database configuration is restored.
6 Licenses
To use the SafeGuard Enterprise Management Center as a live system, you need a valid license.
For example, in the SafeGuard Enterprise database, a valid license is a prerequisite for sending
policies to the endpoint computers. The appropriate token licenses are also needed for token
management.
License files are obtained from your sales partner. These files must be imported into the
SafeGuard Enterprise database after installation. The license file contains: data about the number
of licenses purchased per module/name of the licensee and a specified tolerance limit for
exceeding the number of licenses. If the number of available licenses or the tolerance limit is
exceeded, relevant warning/error messages are displayed when you start the SafeGuard
Management Center (see License exceeded on page 32).
In the Users & Computers area, the SafeGuard Management Center provides an overview of the
license status of the installed SafeGuard Enterprise system.
The license status display is available in the Licenses tab for the root node, for domains, OUs,
container objects and workgroups. Here security officers will find detailed information about the
license status and can, if they have the appropriate permission, import licenses to the SafeGuard
Enterprise database.
This chapter describes the licensing concept and how to manage licenses in the SafeGuard
Management Center.
6.1 License file
The license file that you are given to import to the SafeGuard Enterprise database is an .XML file
with a signature. The license file includes the following information:
• Company name
• Additional information (for example, department, subsidiary)
• Date issued
• Versions of SafeGuard Enterprise for which the license is valid
• Number of licenses per module
• Token license information
• License expiry date
• License type (demo or full license)
• Signature with license signature certificate
6.2 Token licenses
To manage tokens or smartcards the appropriate token licenses are required. If the appropriate
licenses are not available, creating policies for tokens in the SafeGuard Management Center is not
possible.
6.3 Evaluation and demo licenses
The default license file (evaluation license) or individual demo license files can be used for
evaluation or initial rollout. These licenses are time sensitive and have an expiration date.
However, there are no functional restrictions.
Note: Evaluation and demo licenses may not be used for normal live operation.
6.3.1 Default license file
When the SafeGuard Enterprise Management Center is installed, a default license file is
automatically loaded. This evaluation license (named SafeGuard Enterprise Evaluation License)
holds five licenses for each module and it has a time limit of two years as of the release date of the
SafeGuard Enterprise version in question.
6.3.2 Individual demo license files
If the default license file is insufficient for carrying out an evaluation, there is also the option of
obtaining a demo license customized to your specific needs. In such a case, please contact your
sales partner. The usage of this type of demo license is also subject to a time limit. The license is
also restricted to the number of licenses per module agreed upon with your sales partner in the
individual case.
When you start the SafeGuard Management Center, a warning message reminds you that you are
using demo licenses. If the number of available licenses specified in the demo license is exceeded,
or if the time limit is reached, an error message is displayed, see License exceeded on page 32.
6.4 License status overview
You access the license status overview as follows:
1. In the SafeGuard Management Center navigation area, click Users & Computers.
2. In the navigation window, on the left-hand side, click on the root node, the domain,
the OU, the container object or the workgroup.
3. In the action area, switch to the Licenses tab on the right-hand side.
The license status appears.
The display is divided into three areas. The upper area shows the name of the customer for whom
the license has been issued, plus the issue date.
The middle area provides details of the license. The individual columns contain the following
details:
Column: Explanation
Status (icon): Uses an icon to show the status of the licenses (valid, warning, error) for the
module in question.
Feature: Shows the installed module.
Purchased Licenses: Shows the number of licenses purchased for the installed module.
Used Licenses: Shows the number of licenses used for the installed module.
Highest Granted Version: Shows the highest SafeGuard Enterprise version for which the licenses
are valid.
Highest Used Version: Shows the latest installed SafeGuard Enterprise version.
Expires: Shows the license's expiry date.
Type: Shows the license type, demo or normal full license.
Tolerance Limit: Shows the tolerance limit specified for exceeding the number of purchased
licenses.
If you display the Licenses tab for a domain/OU, the overview shows the status based on the
computers in the relevant branch.
Beneath this overview are details of the licensed token modules.
In the lower area, a message with a background color based on the traffic light principle (green =
valid, yellow = warning, red = error) and an icon shows the global status of the license regardless
of the domain or OU selected. In case of warning or error messages, the lower area also offers
information on how to regain a valid license status.
The icons in the middle and lower areas mean the following:
• Valid license
• Invalid license: Warning
• Invalid license: Error
For information about a license status with a warning or an error, see License exceeded on page 32.
To refresh the license status overview, click Recount used licenses.
6.5 Importing license files
Prerequisite: To import a license file to the SafeGuard Enterprise database a security officer
needs the "Import license file" permission.
A license file is imported as follows:
1. Open the SafeGuard Management Center and go to the Users & Computers area.
2. In the navigation window, on the left-hand side, click the root node, the domain or
the OU.
3. In the Action area, switch to the Licenses tab on the right-hand side.
4. Click the Import License File button. A window opens allowing you to select the license file.
5. Select the license file you want to import, and click Open.
6. An overview of the contents of the new license file is displayed. Confirm that you wish to
import the license file.
The license file has now been imported to the SafeGuard Enterprise database.
After importing a license file, the module licenses purchased are marked with the license type
regular. Any modules for which no licenses were purchased and for which the evaluation license
(default license file) or individual demo licenses are used are marked with license type demo.
Note: Whenever a new license file is imported, only those modules that are included in this
license file are affected. All other module license information is retained as is from the database.
This import behavior simplifies subsequent evaluation of additional modules after you have
already purchased one or more modules.
6.6 License exceeded
A tolerance value has been set in your license file for exceeding the number of licenses purchased
and the license validity period. If the number of available licenses per module or the validity
period is exceeded, first of all a warning message is displayed. This does not impact the system's
live operation and, in this case, no restriction on its functionality takes effect. You now have the
opportunity to review the license status and upgrade or renew your license. The tolerance value
is usually set to 10% of the number of licenses purchased (minimum value: 5, maximum value:
5,000).
If the tolerance value is exceeded, an error message is displayed. In this case, functionality is also
restricted: the deployment of policies to the endpoint computers is disabled. This cannot be
manually reversed in the SafeGuard Management Center. The license has to be upgraded or
renewed before you can use the full functionality once more. Apart from disabling policy
deployment, the functional restriction does not have an impact on the endpoint computers, and
policies already assigned remain active. Clients can also still be uninstalled despite the disabling
of policy distribution.
The following sections describe how the system behaves in the case of licenses being exceeded in
the categories Warning and Error, and the action that needs to be taken to reverse the functional
restriction.
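The warning and error tiers described in this section, as an added Python example (not part of the SafeGuard product or this manual): the 10%/5/5,000 tolerance rule, the two-tier module status and the policy-deployment restriction follow the text above, while the grace period for an exceeded validity period, the truncation of the 10% figure and the module names are assumptions, since the manual does not give them.

```python
from dataclasses import dataclass
from datetime import date

STATUS_ORDER = {"valid": 0, "warning": 1, "error": 2}


def tolerance_limit(purchased: int) -> int:
    """Tolerance for exceeding the purchased count: 10% of the purchased
    licenses, clamped to a minimum of 5 and a maximum of 5,000.
    Assumption: the 10% figure is truncated to a whole number of licenses."""
    return max(5, min(5000, purchased // 10))


@dataclass
class ModuleLicense:
    """One row of the Licenses tab (constructed sample data, not real license data)."""
    feature: str
    purchased: int
    used: int
    expires: date
    highest_granted_version: tuple  # e.g. (5, 50) for SafeGuard Enterprise 5.50
    highest_used_version: tuple


def module_status(lic: ModuleLicense, today: date, expiry_grace_days: int = 0) -> str:
    """Classify one module as valid, warning or error.

    warning: more licenses used than purchased, validity period exceeded, or an
             installed version newer than the highest granted version.
    error:   used count exceeds purchased + tolerance limit, or the validity
             period is exceeded by more than the grace period.
    Assumption: the grace period for the validity period is a number of days;
    the manual only says that a tolerance for it is set in the license file.
    """
    over = lic.used - lic.purchased
    days_expired = (today - lic.expires).days
    if over > tolerance_limit(lic.purchased) or days_expired > expiry_grace_days:
        return "error"
    if over > 0 or days_expired > 0 or lic.highest_used_version > lic.highest_granted_version:
        return "warning"
    return "valid"


def global_status(modules, today: date, expiry_grace_days: int = 0) -> str:
    """Worst status over all modules; this is what the lower (traffic light)
    area of the Licenses tab reports regardless of the selected domain or OU."""
    worst = "valid"
    for lic in modules:
        status = module_status(lic, today, expiry_grace_days)
        if STATUS_ORDER[status] > STATUS_ORDER[worst]:
            worst = status
    return worst


def policy_deployment_allowed(modules, today: date, expiry_grace_days: int = 0) -> bool:
    """Policy deployment to endpoint computers is disabled only in the error state."""
    return global_status(modules, today, expiry_grace_days) != "error"


def exceeded_modules(modules, today: date, expiry_grace_days: int = 0):
    """Names of the modules that are not valid, i.e. where licenses are exceeded."""
    return [lic.feature for lic in modules
            if module_status(lic, today, expiry_grace_days) != "valid"]


if __name__ == "__main__":
    today = date(2010, 11, 15)  # constructed
    sample = [  # constructed module names and counts
        ModuleLicense("Module A", 100, 95, date(2012, 1, 1), (5, 50), (5, 50)),
        ModuleLicense("Module B", 100, 105, date(2012, 1, 1), (5, 50), (5, 50)),
    ]
    for lic in sample:
        print(f"{lic.feature}: {module_status(lic, today)}")
    print("policy deployment allowed:", policy_deployment_allowed(sample, today))
```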
6.6.1 Invalid license: Warning
If the number of available licenses (or the highest permitted SafeGuard Enterprise version, for
example due to a software update) is exceeded, a warning message appears when you start the
SafeGuard Management Center.
The SafeGuard Management Center opens and displays the license status overview in the
Licenses tab in the Users & Computers area.
A warning message tells you that the license is invalid. Using the detailed information shown
about the license file you can determine for which module the number of available licenses has
been exceeded. This license status can be reversed by extending, renewing or upgrading the
license, see Invalid license: Error on page 34.
6.6.2 Invalid license: Error
If the tolerance value for the number of licenses or the period of validity set in the license is
exceeded, the SafeGuard Management Center displays an error message.
In the SafeGuard Management Center, the deployment of policies to the endpoint computers is
disabled.
An error message is also displayed in the Licenses tab in the Users & Computers area.
Using the detailed information shown about the license file you can determine for which module
the number of available licenses has been exceeded.
You have the following options for reversing the functionality restriction:
• Redistribute licenses
In order that you have enough available licenses, you can uninstall the software on unused
computers and thereby remove the computers from the SafeGuard Enterprise database.
• Upgrade/renew licenses
Contact your sales partner to get your license upgraded or renewed. You will be given a new
license file to import to the SafeGuard Enterprise database.
• Import new license file
If you have renewed or upgraded your license, you can import the license file you receive to
the SafeGuard Enterprise database. The newly imported file replaces the invalid license file.
When you redistribute licenses or import a valid license file, the functional restriction is reversed
and the system will continue to run normally.
7 SafeGuard Enterprise Security Officers
SafeGuard Enterprise can be administered by one or more security officers. The role-based
management of SafeGuard Enterprise allows splitting the administration among several users.
Any user may be assigned one or more roles. To enhance security, additional authorization of an
action can be assigned to an officer’s role.
A top-level administrator, the Master Security Officer (MSO) with all the rights and a certificate
that does not expire is created by default during initial configuration of the SafeGuard
Management Center. Further security officers can then be assigned for specific tasks such as
helpdesk or auditing.
For your convenience, security officers can be hierarchically arranged in the SafeGuard
Management Center navigation area to reflect your company’s organizational structure.
However, this does not imply any hierarchy in terms of rights and roles.
7.1 Security Officer roles
For easy operation, SafeGuard Enterprise already offers predefined roles for security officers
with a variety of functions. Additionally, a security officer with the necessary rights can define
new roles from a list of actions/rights and assign them to particular security officers.
The following types of roles are provided:
• Master Security Officer (MSO) role
• Predefined roles
• Customized roles
7.1.1 Master Security Officer
After installing SafeGuard Enterprise, a Master Security Officer (MSO) is created by default
during initial configuration of the SafeGuard Management Center. The Master Security Officer
is the top-level security officer and possesses all the rights and is able to access all objects, i.e.
comparable to a Windows administrator. The Master Security Officer rights cannot be modified.
Several Master Security Officers may be created for one instance of the SafeGuard
Management Center. We strongly recommend creating at least one additional MSO for security
reasons. Additional MSOs may be deleted, but there must always remain one user with the role
of MSO who has been explicitly created as MSO in the SafeGuard Enterprise Database.
A Master Security Officer can delegate tasks to another person. There are two ways to do this:
• A new security officer can be created in Security Officers.
• A user or all members of a container imported from the Active Directory and visible in the
SafeGuard Management Center in the root directory can be promoted to security officer in
Users and Computers.
One or more roles and domains can then be assigned to them. For example, a user may be
assigned the role of Supervising Officer plus the role of Helpdesk Officer.
However, the Master Security Officer can also create custom roles and assign them to particular
users.
7.1.2 Predefined roles
In the SafeGuard Management Center, the following security officer roles, apart from the MSO,
are predefined. The assignment of rights to these predefined roles cannot be changed. For
example, if a predefined role has the right to “Create policy items and policy groups”, this right
cannot be deleted from the role. Neither can a new right be added to a predefined role.
Additional officer authentication, however, may be assigned to predefined roles at any point in
time.
• Supervising Officer
Supervising Officers are able to see their own node in the Security Officer area and have the
right to manage security officers belonging to their node.
• Security Officer
Security Officers have extensive rights including SafeGuard Enterprise configuration,
policy and key management, and permissions for monitoring and recovery.
• Helpdesk Officer
Helpdesk Officers have the rights to perform recovery actions. Additionally they may display
most function areas of the SafeGuard Management Center.
• Audit Officer
To be able to monitor SafeGuard Enterprise, Audit Officers may display most function areas
of the SafeGuard Management Center.
• Recovery Officer
Recovery Officers have the rights to repair the SafeGuard Enterprise Database.
7.1.3 Customized roles
As a security officer equipped with the necessary rights you can define new roles from a list of
actions/rights and assign them to an existing or new security officer. As with predefined roles, you
may enable the additional officer authentication for a function of the role at all times.
When assigning a new role, note the following regarding additional authentication:
Note: If a user has two roles with the same rights assigned and additional authentication is
assigned to one of the roles, this automatically applies to the other role.
A security officer equipped with the necessary rights may add or delete rights to or from a custom
role. Unlike predefined roles, custom roles can even be deleted, as required. If the role is deleted,
it is no longer assigned to any user. If a user only has one role assigned and this role is deleted, the
user is not able to log on to the SafeGuard Management Center any more.
Note: The role and the actions defined within it determine what a user may and may not do. This
is also true if the user has been assigned more than one role. After the user has logged on to the
Management Center only those areas are activated and displayed that are needed to perform their
role. This also applies to the scripts and API areas. It is therefore important to always activate
displaying the area in which the respective actions are defined. Actions are sorted by function area
and are hierarchically structured. This structure shows which actions are required before certain
other actions can be performed.
7.1.4 Additional officer authentication
Additional officer authentication (also referred to as the two-person rule) may be assigned to
specific actions of a role. This means that a user with this role is only permitted to perform a
certain action if a user of another role is present and confirms the performance of this action.
Additional authentication may be assigned to predefined or custom roles alike. As soon as there
are at least two officers with the same role, the officer’s own role can also be selected.
The role which is to perform the additional authorization must have been assigned to a user, and
there need to be at least two security officers in the SafeGuard Enterprise Database. Once
additional authentication is required for an action, it is required even if the user holds
another role that does not require additional authentication for this action.
If an officer without the right to change the additional authentication creates a role, settings for
additional authentication of the new role will be pre-filled to match those set for the creating
officer.
Note: Two security officers must not use the same Windows account on the same PC. Otherwise
it is not possible to separate their access rights properly. Additional authentication may only be
useful when security officers must authenticate via cryptographic tokens/smartcards.
7.2 Creating a role
Prerequisite: To create a new role, you need the right to display and create security officer roles.
To assign additional authentication you need the right to "Change additional authentication
settings".
Do the following:
1. In the SafeGuard Management Center select Security Officers.
2. Right-click Custom Roles and select New > New custom role.
3. In New custom role, enter a name and description for the role.
4. Assign the actions to this role: Check the boxes next to the required action in the Active
column. Actions are sorted by function area and are hierarchically structured. This structure
shows which actions are required before certain other actions can be performed.
5. If required, assign Additional officer authentication: Click the default setting None and
select the required role from the list. If an officer without the right to change the additional
authentication creates a role, the additional authentication is pre-filled according to the
additional authentication set for the officer's roles. Additional authentication can be selected
if it is set for more than one of the officer's roles.
6. Click OK.
The new role is displayed in the navigation window under Custom Roles. When you click the
role, the permitted actions are displayed in the action area on the right.
7.3 Assigning a role to a security officer
Prerequisite: To assign a role, you need the right to display and modify security officers.
Do the following:
1. Select the respective officer in the navigation window. Their properties are displayed in the
action area on the right.
2. Assign the required roles by checking the relevant boxes next to the available roles. Predefined
roles are displayed in bold.
3. Click the double-headed arrow symbol Refresh in the toolbar.
The role is now assigned to the security officer.
7.4 Displaying officer and role properties
Prerequisite: To get an overview of the security officer properties or the role assignment, you
need the right to display security officers and security officer roles.
Do the following:
1. In the SafeGuard Management Center, click Security Officers.
2. In the navigation area on the left, double-click the object you want to get an overview of.
The information displayed in the action area on the right depends on the object selected.
7.4.1 Display MSO properties
The general and modification information of the MSO is displayed.
7.4.2 Display security officer properties
The general and modification information for the security officer is displayed.
1. In Properties, select the Actions tab to display a summary of actions permitted and the roles
assigned to the security officer.
7.4.3 Display security officer rights and roles
A summary of actions of all roles assigned to the security officer is displayed. The tree view
displays what actions are required before certain other actions can be performed. Additionally,
the assigned roles can be displayed.
1. In Actions, select an action to display all assigned roles that contain this action.
2. Double-click a role to close the Properties dialog and then display the role’s properties.
7.4.4 Display role properties
The general and modification information for the role is displayed.
1. In Properties, select the Assignment tab to display the security officers assigned to this role.
7.4.5 Display role assignment
1. In Assignment, double-click a security officer to close the Properties dialog and then display
the security officer’s general data and roles.
7.5 Modifying a role
You may do the following:
• Modify additional authentication only.
• Modify all properties of the role.
The icon next to the role shows which action is available:
• The role can be modified (add/remove actions).
• Additional authentication can be changed.
• Both modifications are available.
Note: Predefined roles and the actions assigned to them cannot be modified. If additional
authentication is activated, it can be modified for any role, even for predefined roles.
7.5.1 Modify additional authentication only
Prerequisite: To assign additional authentication you need the right to display security officer
roles and to "Change additional authentication settings".
Do the following:
1. In the Management Center select Security Officers.
2. In the navigation window under Custom Roles, click the role you want to change. In the
action area on the right, click the required setting in the Additional officer authentication
column and select a different role from the list. Predefined roles are displayed in bold.
3. Click the Save icon in the Toolbar to save your changes to the database.
Additional officer authentication has been changed for this role.
7.5.2 Modify all properties of a role
Prerequisite: To change a custom role, you need the right to display and modify security officer
roles. To reassign additional authentication you also need the right to "Change additional
authentication settings".
Do the following:
1. In the Management Center select Security Officers.
2. In the navigation window under Custom Roles, right-click the role you want to change and
select Modify Security Officer Role.
3. Change the properties as required. Change additional authentication properties by clicking
the value in this column and selecting the required role.
4. Click the Save icon in the Toolbar to save your changes to the database.
The role has been modified.
7.6 Copying a role
To create a new role with properties similar to those of an existing role, you may use the existing
role as a template for the new role. You may select a predefined or custom role as the template.
Prerequisite: Using existing roles as a template is only available if the currently authenticated
security officer has all the rights contained in the specific role template. So, this function may be
disabled for officers with a limited set of actions.
Do the following:
1. In the SafeGuard Management Center select Security Officers.
2. In the navigation window, right-click the role you want to copy and select New > New copy of
role. In New custom role, all properties of the existing role are already preselected.
3. Enter a new name for this role and change the properties as required.
4. Click the Save icon in the Toolbar to save your changes to the database.
The new role is created.
7.7 Deleting a role
Note: Predefined roles cannot be deleted.
Prerequisite: To delete a role, you need the right to display and delete security officer roles.
Do the following:
1. In the Management Center select Security Officers.
2. In the navigation window under Custom Roles, right-click the role you want to delete and
select Delete. Depending on the role’s properties a corresponding warning message will be
displayed.
Note: When you delete a role, all security officers this role is assigned to will lose it. If the role is
the only one assigned to a security officer, the security officer will no longer be able to log on to
the SafeGuard Management Center unless a superior security officer assigns a new role to the
security officer. If the role is used for additional authentication, the MSO will be requested to
perform additional authentication.
3. To delete the role, confirm the message with Yes.
4. Click the Save icon in the Toolbar to save your changes to the database.
The role is deleted from the navigation window as well as from the database.
7.8 Creating a Master Security Officer
Prerequisite: To create a new Master Security Officer, you need the right to display and create
security officers.
Do the following:
1. In the SafeGuard Management Center select Security Officers.
2. In the navigation window, right-click the Master Security Officers node and select New >
New Security Officer.
3. Make the relevant entries in New master security officer:
Field/check box: Description

Enabled
  The officer can be deactivated until further notice. This means that the officer is in the
  system but they cannot log on to the SafeGuard Management Center yet. They can only log on
  and perform their administrative tasks when another officer activates them.

Name
  Enter the name of the officer as given in the certificates created by SafeGuard Enterprise in
  cn =. The officer is also displayed under this name in the Management Center navigation
  window. This name must be unique.
  Maximum value: 256 characters

Description
  Optional. Maximum value: 256 characters

Cell phone
  Optional. Maximum value: 128 characters

E-mail
  Optional. Maximum value: 256 characters

Token logon
  The logon can be done in the following way:
  No token: The officer may not log on with a token. They have to log on by inputting the logon
  information (user name/password).
  Optional: Logon can be either with a token or by inputting the logon information. The
  security officer is free to choose.
  Mandatory: A token has to be used to log on. To do this, the private key belonging to the
  security officer's certificate must be on the token.

Certificate
  An officer always needs a certificate to log on to the Management Center. The certificate can
  either be created by SafeGuard Enterprise or an existing one can be used. If logging on with a
  token is essential, the certificate has to be added to the officer's token.
  Create: The certificate and key file are created as new and saved in a selected location.
  Enter and confirm a password for the .p12 key file. The .p12 file must be available to the
  officer when logging on. The certificate created is automatically assigned to the officer and
  displayed in Certificate. If SafeGuard Enterprise password rules are used, rules in the Active
  Directory should be deactivated.
  Note: Max. length of saving path and filename: 260 characters. When creating a security
  officer, the certificate's public part is sufficient. When logging on to the Management Center,
  however, the certificate's private section, the key file, is required as well. If it is not
  available in the database, it must be available to the security officer, e.g. on a memory
  stick, and may be stored in the certificate store during logon.
  Import: An existing certificate is used which is assigned to the officer during import. If the
  import is from a .p12 key file, the certificate's password must be known. If a PKCS#12
  certificate container is selected, all certificates are loaded into the list of assignable
  certificates. The certificate is then assigned after the import, by selecting the certificate
  in the drop down list.
4. Click OK to confirm.
The newly created Master Security Officer is displayed in the navigation window under the
Master Security Officers node. Their properties can be displayed by selecting the respective
officer in the navigation window. The MSO can log on to the SafeGuard Management Center with
the name displayed.
7.9 Creating a security officer
Prerequisite: To create a security officer, you need the right to display and create security officers.
Do the following:
1. In the SafeGuard Management Center select Security Officers.
2. In the navigation window right-click the security officer’s node where you want to locate the
new security officer and select New > New Security Officer.
3. Make the relevant entries in the New security officer dialog:
Field/check box: Description

Enabled
  The officer can be deactivated until further notice. This means that the officer is in the
  system but they cannot log on to the SafeGuard Management Center yet. They can only log on
  and perform their administrative tasks when another officer activates them.

Name
  Enter the name of the officer as given in the certificates created by SafeGuard Enterprise in
  cn =. The officer is also displayed under this name in the Management Center navigation
  window. This name must be unique.
  Maximum value: 256 characters

Description
  Optional. Maximum value: 256 characters

Cell phone
  Optional. Maximum value: 128 characters

E-mail
  Optional. Maximum value: 256 characters

Validity
  Select from when and to when (date) the officer should be able to log on to the Management
  Center.

Token logon
  The logon can be done in the following way:
  No token: The officer may not log on with a token. They have to log on with their credentials
  (user name/password).
  Optional: Logon can be either with a token or with the credentials. The security officer is
  free to choose.
  Mandatory: A token has to be used to log on. To do this, the private key belonging to the
  security officer's certificate must be on the token.

Certificate
  An officer always needs a certificate to log on to the Management Center. The certificate can
  either be created by SafeGuard Enterprise or an existing one can be used. If logging on with a
  token is essential, the certificate has to be added to the officer's token.
  Create: The certificate and key file are created as new and saved in a selected location.
  Enter and confirm a password for the .p12 key file. The .p12 file must be available to the
  officer when logging on. The certificate created is automatically assigned to the officer and
  displayed in Certificate. If SafeGuard Enterprise password rules are used, rules in the Active
  Directory should be deactivated.
  Note: Max. length of saving path and filename: 260 characters. When creating a security
  officer, the certificate's public part is sufficient. When logging on to the Management Center,
  however, the certificate's private section, the key file, is required as well. If it is not
  available in the database, it must be available to the security officer, e.g. on a memory
  stick, and may be stored in the certificate store during logon.
  Import: An existing certificate is used which is assigned to the officer during import. If the
  import is from a .p12 key file, the certificate's password must be known. If a PKCS#12
  certificate container is selected, all certificates are loaded into the list of assignable
  certificates. The certificate is then assigned after the import, by selecting the certificate
  in the drop down list.

Security Officer Roles
  Predefined or custom roles can be assigned to the officer. The rights associated with each
  role are displayed under Action Permitted in the action area when clicking the respective role
  or when right-clicking the officer and selecting Properties, Actions. More than one role can
  be assigned to a user.
  Predefined roles are displayed in bold.
  Performing an additional authentication is expressly linked with owning a particular role.
4. Click OK to confirm.
The newly created security officer is displayed in the navigation window under the respective
Security Officers node. Their properties can be displayed by selecting the respective officer in the
navigation window. The security officer can log on to the SafeGuard Management Center with
the name displayed. Next you need to assign directory objects/domains to the officer so they can
perform their tasks.
7.10 Assigning directory objects to a security officer
For the security officer to be able to perform their tasks they need to have access rights to directory
objects. Access can be granted to domain and workgroup nodes as well as to the ".Autoregistered"
node under the Root directory.
Prerequisite: To assign directory objects to an officer you need the Users and Computers rights
to "Display security officers access rights" and to "Grant/deny access rights to directory".
Do the following:
1. In the SafeGuard Management Center select Users and Computers.
2. In the navigation window on the left, select the required directory objects.
3. In the action area on the right, click the Access tab.
4. To assign the rights for the selected objects, drag & drop the required officer from the far right
into the Access table. To unassign drag the security officer back to the Officers table.
5. Click the Save icon in the Toolbar to save the changes to the database.
The selected objects are available to the selected security officer.
7.11 Promoting security officers
You may do the following:
• promote a user to security officer in the Users and Computers area
• promote a security officer to Master Security Officer in the Security Officers area
7.11.1 Prerequisites for promoting a user
A security officer equipped with the necessary rights can promote users to security officers and
assign roles to them.
Security officers created in this way can log on to the SafeGuard Management Center with their
Windows credentials or their token/smartcard PIN. They can operate and be administrated just
like any other security officers.
The following prerequisites must be met:
• Users to be promoted must have been imported from an Active Directory and need to be
  visible in the SafeGuard Management Center Users & Computers area.
• For a promoted user to log on to the SafeGuard Management Center as security officer a user
  certificate must have been created or imported and assigned to them. For logging on with the
  Windows credentials the .p12 file containing the private key must exist in the SafeGuard
  Enterprise Database. For logging on with token or smartcard PIN, the .p12 file containing the
  private key must reside on the token or smartcard.
7.11.2 Promote a user to security officer
Prerequisite: To promote a user, you need to be a Master Security Officer.
Do the following:
1. In the SafeGuard Management Center select Users & Computers.
2. Select the user you want to promote and click the Certificate tab in the action area on the
right.
• If a certificate has been assigned to the user, it is displayed in the action area.
• If a certificate has not yet been assigned to the user, assign it by clicking the Import
  certificate icon in the Toolbar. Locate the necessary certificate store (*.cer) and private key
  (*.p12) file and confirm with OK.
3. Right-click the user you want to promote to security officer and select Make this user an
Officer.
4. Activate the requested roles in Select role(s) and confirm with OK.
Predefined roles are displayed in bold. If a child officer has more roles assigned than the
logged-in officer the additional roles are displayed in italics.
5. Click the Save icon in the Toolbar to save the changes to the database.
The user is now promoted and displayed in the Security Officers area with their user name. Their
properties can be displayed by selecting the respective officer in the navigation window. If the
user’s private key is stored in the database, No token is activated. If the user’s private key resides
on the token or smartcard, Optional is activated.
You may drag & drop the security officer to the required position in the Security Officers tree
view if required.
The security officer can log on to the SafeGuard Management Center with the name displayed.
7.11.3 Promote a security officer to Master Security Officer
Prerequisite: To promote a security officer you need the right to display and modify security
officers.
Do the following:
1. In the SafeGuard Management Center select Security Officers.
2. In the navigation window, right-click the security officer you want to promote and select
Promote to Master Security Officer.
3. If the promoted officer has children you are prompted to select a new parent node for the
children.
The security officer is promoted and displayed under the Master Security Officers node. As a
Master Security Officer the promoted officer will receive all rights to all objects and thus lose all
assigned roles and all individually granted domain access in Users and Computers.
7.12 Demoting Master Security Officers
Prerequisite: To demote Master Security Officers to security officers you need to be a Master
Security Officer.
Do the following:
1. In the SafeGuard Management Center select Security Officers.
2. In the navigation window, right-click the Master Security Officer you want to demote and
select Demote to Security Officer.
3. You are prompted to select a parent node for the officer and to assign at least one role.
The security officer is demoted and displayed under the selected Security Officers node. The
demoted officer will lose all rights to all objects and only receive those rights that are assigned to
their role(s). A demoted officer does not have any rights on domains. You need to individually
grant domain access rights in the Users and Computers area under the Access tab.
7.13 Changing the security officer certificate
Prerequisite: To change the certificate of a security officer or Master Security Officer, you need
the right to display and modify security officers.
Do the following:
1. In the SafeGuard Management Center select Security Officers.
2. In the navigation window right-click the security officer you want to change the certificate for.
The current certificate assigned is displayed in the action area on the right under Certificates.
3. In the action area, click the Certificates drop-down list and select a different certificate.
4. Click the Save icon in the Toolbar to save the changes to the database.
7.14 Arranging security officers in the tree view
For your convenience, security officers may be hierarchically arranged in the Security Officers
navigation window to reflect the company’s organizational structure.
The tree view can be arranged for all security officers, except for Master Security Officers. MSOs
are displayed in a flat list under the MSO node. The security officers node contains a tree view
where each node represents a security officer. However, this does not imply any hierarchy in
terms of rights and roles.
Prerequisite: To move a security officer in the tree view you need the right to display and modify
security officers.
Do the following:
1. In the SafeGuard Management Center select Security Officers.
2. In the navigation window, drag & drop the officer you want to move to the respective node.
All children of the selected officer will also be moved.
7.15 Fast switching of security officers
For your convenience, you may quickly restart the SafeGuard Management Center, to log on as a
different officer.
Do the following:
1. In the SafeGuard Management Center select File > Change Security Officer. The SafeGuard
Management Center is restarted and the Logon dialog is displayed.
2. Select the security officer you want to log on with to the SafeGuard Management Center and
enter their password. If you are working in Multi Tenancy mode you will be logged on to the
same database configuration.
The SafeGuard Management Center is restarted displaying the view assigned to the logged on
officer.
7.16 Deleting a security officer
Prerequisite: To delete a security officer or Master Security Officer, you need the right to display
and delete security officers.
Do the following:
1. In the SafeGuard Management Center select Security Officers.
2. In the navigation window, right-click the security officer or Master Security Officer you want
to delete and select Delete. Note that you cannot delete the officer you are logged on with.
3. If the officer has children you are prompted to select a new parent node for the children.
The officer is deleted from the database.
Note: One Master Security Officer explicitly created as an officer and not only promoted to
security officer must always remain in the database. If a user promoted to security officer is
deleted from the database, their user account is deleted from the database as well.
Note: If the officer to be deleted has been assigned a role that includes additional authentication
and the officer is the only one this role is assigned to, the officer will be deleted nonetheless. It is
assumed that the Master Security Officer will be able to take over additional authorization.
8 Data encryption
The core of SafeGuard Enterprise is the encryption of data on different data storage devices.
Encryption can be volume or file-based with different keys and algorithms.
Files are encrypted transparently. When users open, edit and save files, they are not prompted for
encryption or decryption.
As a security officer, you specify the settings for encryption in a security policy of the type Device
Protection.
8.1 Volume-based encryption
With volume-based encryption, all data on a volume (including boot files, pagefiles, hibernation
files, temporary files, directory information etc.) are encrypted. Users do not have to change
normal operating procedures or consider security.
Note: If an encryption policy exists for a volume or a volume type and encryption of the volume
fails, the user is not allowed to access it.
To apply volume-based encryption to endpoint computers, create a policy of the type Device
Protection and set the Media encryption mode to Volume-based.
8.1.1 Fast initial encryption
SafeGuard Enterprise offers fast initial encryption as a special mode for volume-based
encryption. It reduces the time needed for initial encryption (or final decryption) of volumes on
endpoint computers by accessing only disk space that is actually in use.
For fast initial encryption, the following prerequisites apply:
• Fast initial encryption only works on NTFS-formatted volumes.
• NTFS-formatted volumes with a cluster size of 64 KB cannot be encrypted with the fast initial
  encryption mode.
Note: This mode leads to a less secure state if a disk has been used before its current usage with
SafeGuard Enterprise. Unused sectors may still contain data. Fast initial encryption is therefore
disabled by default.
To enable fast initial encryption, select the setting Fast initial encryption in a policy of the type
Device Protection.
Note: For volume decryption, the fast initial encryption mode will always be used, regardless of
the specified policy setting. For decryption, the prerequisites listed also apply.
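The note above is easier to reason about with a concrete model of what "accessing only disk space that is actually in use" means. The following is an added example written for this page, not SafeGuard Enterprise code: the eight-sector volume, its allocation bitmap and the XOR stand-in for the volume cipher are all constructed so the script runs offline. Full mode touches every sector; fast mode skips sectors the file system marks free, so whatever a deleted file left there stays readable until the sector is reused.

```python
"""Toy model of full vs. fast initial volume encryption (added example, not
SafeGuard Enterprise code). The volume, its allocation bitmap and the XOR
"cipher" are constructed stand-ins; the point is to show which sectors fast
initial encryption leaves untouched."""
from dataclasses import dataclass

SECTOR_BYTES = 16            # constructed; real sectors are 512 or 4096 bytes
MARKER = b"SECRET"           # recognisable plaintext left behind by a deleted file


@dataclass
class Volume:
    fs: str                  # file system, e.g. "NTFS" or "FAT32"
    cluster_kb: int          # cluster size in KB
    sectors: list            # one bytearray per sector
    in_use: list             # allocation bitmap: True if the sector holds live data


def fast_mode_allowed(vol: Volume) -> bool:
    """Prerequisites stated in the text: NTFS only, and not with 64 KB clusters."""
    return vol.fs == "NTFS" and vol.cluster_kb != 64


def xor_sector(data: bytes, key: bytes) -> bytes:
    """Stand-in for the real volume cipher. Never use XOR like this for real data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_volume(vol: Volume, key: bytes, fast: bool) -> int:
    """Encrypt the volume in place and return the number of sectors processed.

    Full mode touches every sector. Fast initial encryption only touches sectors
    the file system marks as in use, which is why it is faster and why free
    sectors keep whatever they held before."""
    if fast and not fast_mode_allowed(vol):
        raise ValueError("fast initial encryption is not supported on this volume")
    processed = 0
    for i, sector in enumerate(vol.sectors):
        if fast and not vol.in_use[i]:
            continue
        vol.sectors[i] = bytearray(xor_sector(bytes(sector), key))
        processed += 1
    return processed


def plaintext_residue(vol: Volume) -> list:
    """Indices of sectors that still contain the readable marker."""
    return [i for i, s in enumerate(vol.sectors) if MARKER in bytes(s)]


def make_volume(fs: str = "NTFS", cluster_kb: int = 4) -> Volume:
    """Constructed volume: sectors 0-4 hold live data, sectors 5-7 are free but
    still contain the marker from a file that was deleted before encryption."""
    sectors = [bytearray(SECTOR_BYTES) for _ in range(8)]
    for s in sectors:
        s[:len(MARKER)] = MARKER
    return Volume(fs, cluster_kb, sectors, [True] * 5 + [False] * 3)


def demo(fast: bool) -> tuple:
    """Encrypt a fresh constructed volume and report (sectors processed, residue)."""
    vol = make_volume()
    processed = encrypt_volume(vol, b"\x5a\xa5\x3c\xc3", fast)
    return processed, plaintext_residue(vol)


if __name__ == "__main__":
    print("full mode:", demo(False))   # every sector processed, no residue
    print("fast mode:", demo(True))    # free sectors 5-7 still readable
```

The residue list is the practical check: on a disk that held data before SafeGuard Enterprise was installed, the free sectors are exactly what fast initial encryption does not protect, which is why the mode is off by default and is best reserved for factory-fresh or previously wiped drives.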
8.1.2 Volume-based encryption and Windows 7 system partition
For Windows 7 Professional, Enterprise and Ultimate, a system partition is created on endpoint
computers without a drive letter assigned. This system partition cannot be encrypted by
SafeGuard Enterprise.
8.1.3 Volume-based encryption and Unidentified File System Objects
Unidentified File System Objects are volumes that cannot be clearly identified as plain or
device-encrypted by SafeGuard Enterprise. If an encryption policy exists for an Unidentified File
System Object, access to this volume will be denied. If no encryption policy exists, the user can
access the volume.
Note: If an encryption policy with Key to be used for encryption set to an option that enables key
selection (for example, Any key in user key ring) exists for an Unidentified File System Object
volume, there is a period of time between the key selection dialog being displayed and access
being denied. During this time period the volume can be accessed. As long as the key selection
dialog is not confirmed, the volume is accessible. To avoid this, specify a preselected key for
encryption. This period of time also occurs for Unidentified File System Object volumes
connected to an endpoint computer, if the user has already opened files on the volume when an
encryption policy takes effect. In this case, it cannot be guaranteed that access to the volume will
be denied as this could lead to data loss.
8.1.4 Encryption of volumes with enabled Autorun functionality
If you apply an encryption policy to volumes for which Autorun is enabled, the following can
occur:
• The volume is not encrypted.
• If the volume is an Unidentified File System Object (see Volume-based encryption and
  Unidentified File System Objects, page 56), access is not denied.
8.1.5 Access to BitLocker To Go encrypted volumes
If SafeGuard Enterprise is used with BitLocker To Go support enabled and a SafeGuard
Enterprise encryption policy exists for a BitLocker To Go encrypted volume, access to the volume
will be denied. If no SafeGuard Enterprise encryption policy exists, the user can access the
volume.
Note: If the Autorun settings for a BitLocker To Go encrypted USB stick are set to the default
values, it can occur that access will not be denied although a SafeGuard Enterprise encryption
policy exists. This only occurs under Windows Vista.
8.2 File-based encryption
File-based encryption ensures that all data is encrypted, apart from Boot Medium and directory
information. With file-based encryption, even optical media such as CD/DVD can be encrypted.
Also, data can be exchanged with external computers on which SafeGuard Enterprise is not
installed, if policies permit.
Note: Data encrypted using “file-based encryption” cannot be compressed. Nor can compressed
data be file-based encrypted.
Note: Boot volumes are never file-based encrypted. They are automatically exempted from
file-based encryption, even if a corresponding rule is defined.
To apply file-based encryption to endpoint computers, create a policy of the type Device
Protection and set the Media encryption mode to File-based.
8.2.1 Excluding applications from encryption
You can define applications to be ignored by the SafeGuard Enterprise filter driver and thereby
excluded from transparent encryption/decryption.
One example is a backup program. To ensure that data is not decrypted when creating a backup,
this application can be exempted from encryption/decryption. The data is backed up in encrypted
form.
A typical use case is for example to define backup programs as exempted so they will always be
able to read and back up encrypted data.
Applications which might trigger malfunctions when used alongside SafeGuard Enterprise, but
do not require encryption, can generally be exempted from encryption.
You can define applications to be excluded from encryption/decryption in a policy of the type
Device Protection with the target Local Storage Devices. The full name of the executable file
(optionally including path information) is used to specify Unhandled Applications.
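How an Unhandled Applications entry is matched matters for the security of the exemption: a bare executable name exempts every process with that file name wherever it runs, while an entry with path information only exempts the one binary at that location. The following matcher is an added example written for this page, not the SafeGuard Enterprise filter driver; the list entries and process paths are constructed, and the normalisation rules (case-insensitive, "/" and "\" treated alike) are assumptions about Windows path handling rather than documented product behaviour.

```python
"""Matching a process against an "Unhandled Applications" list (added example,
not SafeGuard Enterprise code). Entries and paths are constructed."""
import ntpath


def normalize(path: str) -> str:
    """Toy Windows path normalisation: collapse separators, fold case (assumption)."""
    return ntpath.normpath(path).lower()


def is_unhandled(process_path: str, unhandled: list) -> bool:
    """True if the process is exempt from transparent encryption/decryption.

    An entry with path information matches only that exact binary. A bare
    executable name matches that file name at any location."""
    proc = normalize(process_path)
    for entry in unhandled:
        e = normalize(entry)
        if ntpath.dirname(e):                 # entry carries path information
            if proc == e:
                return True
        elif ntpath.basename(proc) == e:      # bare name: any location matches
            return True
    return False


# Constructed policy: one bare name and one fully qualified entry.
POLICY = ["backup.exe", r"C:\Program Files\Indexer\indexer.exe"]


def classify(process_path: str) -> str:
    """Label a process for a log line: exempt or encrypted by the filter driver."""
    return "exempt" if is_unhandled(process_path, POLICY) else "transparent"


if __name__ == "__main__":
    for p in [r"C:\Program Files\Backup\backup.exe",
              r"D:\Temp\backup.exe",
              r"C:\Program Files\Indexer\indexer.exe",
              r"D:\Temp\indexer.exe"]:
        print(p, "->", classify(p))
```

Note the two `backup.exe` results: because the policy lists only the file name, a copy of that executable started from a temporary directory is exempt as well. Listing the full path, as the document's "optionally including path information" permits, keeps the exemption tied to the installed binary.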
9 SafeGuard Enterprise Key Management
When importing the directory structure, the standard version of SafeGuard Enterprise
automatically generates keys for:
• Domains
• Containers/OUs
• Groups
and assigns them to the corresponding objects. Computer and user keys are generated as
required.
Keys cannot be deleted! They are retained permanently in the SafeGuard Enterprise database.
The first time an endpoint computer is booted, SafeGuard Enterprise generates a computer key for
that computer (defined machine key).
Each user obtains all their keys at logon from their user key ring. The user key ring comprises the
following:
• a personal key
• the keys of the groups of which the user is a member
• the keys of the overall Container/OUs of the groups of which the user is a member.
The keys in the user key ring determine the data which that user can access. The user can access
only that data for which they have a specific key.
To display all keys for a user, click Users & Computers and select the Keys tab.
To display all keys, click Keys & Certificates in the SafeGuard Management Center. You can
generate lists for Assigned Keys and Inactive Keys.
[Screenshot: Users & Computers view, with callouts 1 to 4]
1. Click Users & Computers to open the display.
2. The keys of all ticked objects are displayed in the action area and in the respective views.
3. Action area: Display depends on the selections in the navigation area. All keys assigned to the
object are displayed.
4. All available keys are displayed here. Keys already assigned to the selected object are grayed
out. Select Filter to switch between keys already assigned to an object (active) and keys not yet
assigned to an object (inactive).
After the import, each user receives a number of keys which can be used for data encryption.
9.1 Keys for data encryption
Users are assigned keys for the encryption of specific volumes when defining policies of the type
Device Protection. Volumes are as follows:
When you carry out the settings for each media you are offered the option: Keys to be used for
encryption.
Here you decide which keys a user can or must use for encryption:
• Any key in user key ring
  After logging on to Windows users can select which keys they would like to use to encrypt a
  particular volume. A dialog is displayed in which the user can select the required key.
• Any key in user key ring except user key
  A user may not use their own personal key to encrypt data.
• Any group key in user key ring
  The user may only select one of the group keys in their user key ring.
• Defined computer key
  This is the unique key generated exclusively for this computer by SafeGuard Enterprise the
  first time this machine is booted up. The user has no other options.
  A defined computer key is typically used for the boot and system partition and for drives on
  which Documents and Settings are located.
• Defined key on list
  This option allows you to define a specific key which the user must use for encryption. To
  specify a key for a user in this way you need to define a key under Defined key for encryption
  (is displayed once you select Defined key on list).
  Click the [...] button next to the option Defined key for encryption to display a dialog in
  which you can specify a key.
  Ensure that the user is also in possession of the corresponding key when specifying keys in
  this way.
  [Screenshot: key selection dialog. Callouts: search here for key names or key IDs; enter a
  search term; all matching keys are displayed here; highlight the selected key and click OK.]
  The selected key will be used for encryption on the endpoint computer.
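The key ring rules from the start of this chapter and the five "Keys to be used for encryption" options above combine into a small access model that is worth seeing as code. The following is an added example written for this page, not SafeGuard Enterprise code: the directory layout (domain, OU, group), the key IDs, the user and computer names and the policy-option strings are constructed, and treating the domain as the top-level container whose key the ring inherits is an assumption.

```python
"""Model of the SafeGuard Enterprise user key ring and the "Keys to be used for
encryption" policy options (added example, not product code). Directory
layout, key IDs and names are constructed; the domain is assumed to be the
top-level container above the OUs."""
from dataclasses import dataclass

ANY_KEY = "Any key in user key ring"
ANY_KEY_EXCEPT_USER = "Any key in user key ring except user key"
ANY_GROUP_KEY = "Any group key in user key ring"
DEFINED_COMPUTER_KEY = "Defined computer key"
DEFINED_KEY_ON_LIST = "Defined key on list"


@dataclass
class Directory:
    parent: dict     # object -> containing OU/domain; the domain has no entry
    groups: dict     # user -> set of group names
    key_of: dict     # domain/OU/group/user/computer -> key ID


def containers_above(d: Directory, obj: str) -> list:
    """All containers/OUs (up to the domain) that enclose obj."""
    chain = []
    while obj in d.parent:
        obj = d.parent[obj]
        chain.append(obj)
    return chain


def user_key_ring(d: Directory, user: str) -> set:
    """Personal key, keys of the user's groups, and keys of the containers/OUs
    above those groups (as the chapter introduction describes)."""
    ring = {d.key_of[user]}
    for g in d.groups.get(user, set()):
        ring.add(d.key_of[g])
        ring.update(d.key_of[c] for c in containers_above(d, g))
    return ring


def can_access(d: Directory, user: str, volume_key: str) -> bool:
    """A user reads a volume only if the key it was encrypted with is in their ring."""
    return volume_key in user_key_ring(d, user)


def selectable_keys(d: Directory, user: str, computer: str,
                    policy: str, defined_key: str = None) -> set:
    """Keys the user can or must use for a volume under a given policy option."""
    ring = user_key_ring(d, user)
    if policy == ANY_KEY:
        return ring
    if policy == ANY_KEY_EXCEPT_USER:
        return ring - {d.key_of[user]}
    if policy == ANY_GROUP_KEY:
        return {d.key_of[g] for g in d.groups.get(user, set())}
    if policy == DEFINED_COMPUTER_KEY:
        return {d.key_of[computer]}
    if policy == DEFINED_KEY_ON_LIST:
        if defined_key is None:
            raise ValueError("Defined key for encryption must be set")
        return {defined_key}
    raise ValueError(f"unknown policy option: {policy!r}")


def defined_key_check(d: Directory, user: str, defined_key: str) -> bool:
    """The text's warning for Defined key on list: the user must also hold the key,
    otherwise a volume encrypted with it is unreadable for them."""
    return defined_key in user_key_ring(d, user)


def sample_directory() -> Directory:
    """Constructed: corp.example > OU Sales > group SalesTeam; alice is a member, bob is not."""
    return Directory(
        parent={"Sales": "corp.example", "SalesTeam": "Sales"},
        groups={"alice": {"SalesTeam"}, "bob": set()},
        key_of={"corp.example": "K_DOM", "Sales": "K_SALES", "SalesTeam": "K_GRP",
                "alice": "K_ALICE", "bob": "K_BOB", "PC01": "K_PC01"},
    )


if __name__ == "__main__":
    d = sample_directory()
    print("alice ring:", sorted(user_key_ring(d, "alice")))
    print("bob can read K_SALES volume:", can_access(d, "bob", "K_SALES"))
    print("alice, group keys only:", selectable_keys(d, "alice", "PC01", ANY_GROUP_KEY))
```

`defined_key_check` is the part to keep in mind when rolling out a Defined key on list policy: a key the security officer can see in the search dialog is not necessarily in the key ring of the users the policy will reach.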
9.2 Certificates
• SafeGuard Enterprise can be verified with signed SHA1, MD2 and MD5 certificates.
• If Certification Authority (CA) certificates are deleted in the database and you do not wish to
  use them again, you should remove these certificates manually from all Administrator PCs in
  the local store.
• SafeGuard Enterprise can then only communicate with expired certificates if old and new keys
  are present on the same card.
• The combination of CA certificates and CRL (Certificate Revocation List) on a smartcard
  must match. Otherwise users cannot log on to the respective computers. Please check that the
  combination is correct. SafeGuard Enterprise does not carry out this check!
• The logon certificates for security officers must be located in "MY".
• CA certificates cannot be obtained from a token and stored in the database or certificate store.
  If you wish (or need) to use CA certificates, these need to be available in file form and not just
  on a token. The same applies for CRLs.
• Note that, when importing a user certificate, the certificate's public and private sections are
  both imported. If only the public part is imported, only authentication with a token is
  supported.
9.3 Virtual Clients
Virtual Clients are specific encrypted key files that can be used for recovery in a Challenge/
Response procedure when the required user information is not available and usually, Challenge/
Response would not be supported, for example when the POA is corrupted.
To enable a Challenge/Response procedure in this complex disaster situation, specific files called
Virtual Clients can be created and must be distributed to the user prior to the Challenge/Response
session. Challenge/Response can then be initiated with the help of these Virtual Clients via a key
recovery tool on the endpoint computer. The user then only needs to inform the helpdesk officer
of the required key or keys and enter the response code in order to regain access to the encrypted
volumes.
Recovery is either possible with the help of a single key or by using an encrypted key file
containing several keys.
In the SafeGuard Management Center Keys & Certificates area you have the following
possibilities:
• Create and export Virtual Clients
• Create and export encrypted key files containing several keys
• Display and filter Virtual Clients and exported key files
• Delete Virtual Clients
9.3.1 Creating Virtual Clients
Virtual Client files can be used by different computers and for several Challenge/Response
sessions.
1. Open the SafeGuard Management Center and click Keys & Certificates.
2. Click Virtual Clients in the left-hand navigation window.
3. In the toolbar click Add Virtual Client.
4. Enter a unique name for the Virtual Client and click OK. The Virtual Clients are identified in
the database by these names.
5. Save the Virtual Client to the database by clicking the Save icon in the toolbar.
The new Virtual Client is displayed in the action area.
9.3.2 Exporting Virtual Clients
After creating the Virtual Client you need to export it to a file. This file is always called
recoverytoken.tok and needs to be distributed to the help desk. This file must be available in
the endpoint computer environment when starting a Challenge/Response session via a
recovery tool, for example when the POA is corrupted. The user must place the Virtual Client file
recoverytoken.tok in the same folder as the recovery tool so that a Challenge/Response may
be supported.
1. Open the SafeGuard Management Center and click Keys & Certificates.
2. Click Virtual Clients in the left-hand navigation window.
3. In the action area search for the respective Virtual Client by clicking the magnifier icon. The
available Virtual Clients are displayed.
4. Select the required entry in the action area and click Export Virtual Client in the toolbar.
5. Select a location to store the file recoverytoken.tok and click OK.
6. A message is displayed stating the successful storage and the location of the file.
7. Distribute this Virtual Client file recoverytoken.tok to the respective SafeGuard
Enterprise users.
Store this file in a safe place, e.g. on a memory stick. In case of a Challenge/Response this file
needs to be located in the same folder as the recovery tool.
9.3.3 Creating and exporting key files for Virtual Client recovery
When multiple keys are needed to recover access to encrypted volumes during a Virtual Client
recovery, the security officer can combine them in one exported file. This key file is encrypted
with a random password which is stored in the database. The password is unique for each created
key file.
The encrypted key file needs to be transferred to the user and must be available to the user when
starting a Challenge/Response session via a recovery tool.
In the Challenge/Response session the password for the key file is transmitted with the response
code. The key file can then be decrypted with the password and all volumes encrypted with the
available keys can be accessed again.
1. Open the SafeGuard Management Center and click Keys & Certificates.
2. Click Virtual Clients and then Exported Key Files in the left-hand navigation window.
3. In the toolbar click New export key file.
4. In Export keys to a key file enter the following:
- Directory: Click [...] to select a location for the key file.
- File name: The key file is encrypted with a random password which is displayed here, in File name. You cannot change this name.
- Click Add key or Remove key to add or remove keys. A popup window is displayed to search for and select the required keys. Confirm the selection with OK.
- Click OK to confirm all entries.
5. Distribute this key file to the respective endpoint computer environment. It must be available
there before the response code is entered on the client side.
9.3.4 Displaying and filtering Virtual Client views
To find the requested Virtual Client or keys more easily during a Challenge/Response there are
several filter and search possibilities in the SafeGuard Management Center under Keys &
Certificates.
Views for Virtual Clients
1. Click Virtual Clients in the left-hand navigation window.
2. Click the magnifier icon to generate a complete list of all Virtual Clients.
3. Filter the Virtual Clients by Symbolic name or Key GUID.
Views for exported key files
1. Click Virtual Clients, then Exported Key Files.
2. Click the magnifier icon to generate a complete list of all exported key files.
3. Click the + icon next to the required key file to display the keys contained in the file.
9.3.5 Deleting Virtual Clients
To delete a Virtual Client proceed as follows:
1. Open the SafeGuard Management Center and click Keys & Certificates.
2. Click Virtual Clients in the left-hand navigation window.
3. In the action area search for the respective Virtual Client by clicking the magnifier icon. The
available Virtual Clients are displayed.
4. Select the required entry in the action area and click Delete Virtual Client in the toolbar.
5. Save the changes to the database by clicking the Save icon in the toolbar.
The Virtual Client is deleted from the database.
10 Working with policies
The following sections explain the administrative tasks concerning policies, for example creating,
grouping and backing up policies.
All policy settings available with SafeGuard Enterprise are described in Security Policies.
10.1 Creating policies
To create a new policy, do the following:
1. Log on to the SafeGuard Management Center with the password set during initial
configuration.
2. Click Policies in the navigation area.
3. In the navigation window, right-click Policy Items and select New.
4. Select the policy type. A dialog for naming the policy of the selected policy type is displayed.
5. Enter a name and optionally a description for the new policy.
Policies for Device Protection:
When creating a policy for device protection, you also have to specify the target for device
protection in this dialog. Possible targets are:
- Mass storage (boot volumes/other volumes)
- Removable media
- Optical drives
For each target, a separate policy has to be created. Later on you can combine the individual
policies in a policy group named Encryption, for example.
6. Click OK.
The new policy is displayed in the navigation window below Policy Items. In the action area, all
settings for the selected policy type are displayed.
10.2 Editing policy settings
When selecting a policy in the navigation window, you can edit the policy settings in the action
area.
A red icon in front of a "not configured" setting indicates that a value has to be defined for
this policy setting. To be able to save the policy, you first have to select a setting other than
"not configured".
10.2.1 Setting policy settings to default values
The toolbar provides the following icons for setting policy settings:
- Displays default values for not configured policy settings.
- Sets the marked policy setting to "not configured".
- Sets all policy settings in an area to "not configured".
- Sets the default value for the marked policy setting.
- Sets all policy settings in an area to the default value.
10.2.2 Differentiating between machine- and user-specific policies
- Policy color blue: the policy is applied to machines only, not to users.
- Policy color black: the policy is applied to machines and users.
10.3 Policy groups
SafeGuard Enterprise policies need to be combined in policy groups. A policy group may contain
different policy types.
If you combine several policies of the same type in a group, their settings are merged
automatically. In this case, you can define priorities that determine which settings are used:
the settings of a policy with a higher priority overwrite the settings of a policy with a lower
priority. If an option is set to not configured in the higher-priority policy, it does not
overwrite the value set in a policy of lower priority.
Exception concerning device protection:
Policies for device protection are only merged if they were defined for the same target (e.g.
boot volume). If they point at different targets, their settings are added side by side rather
than merged.
10.3.1 Combining policies into groups
The individual policies of different types must have been created beforehand.
To group policies, do the following:
1. Click Policies in the navigation area.
2. In the navigation window, right-click Policy Groups and select New.
3. Click New Policy Group. A dialog for naming the policy group is displayed.
4. Enter a name and optionally a description for the policy group. Click OK.
5. The new policy group is displayed in the navigation window below Policy Groups.
6. Select the policy group. The action area shows all elements required for grouping the policies.
7. To add the policies to the group, drag them from the list of available policies to the policy area.
8. You can define a priority for each policy by arranging the policies in order using the context
menu.
If you combine several policies of the same type in a group, their settings are merged
automatically. In this case, you can define priorities that determine which settings are used:
the settings of a policy with a higher priority overwrite the settings of a policy with a lower
priority. If an option is set to not configured in the higher-priority policy, it does not
overwrite the value set in a policy of lower priority.
Exception concerning device protection:
Policies for device protection are only merged if they were defined for the same target (e.g.
boot volume). If they point at different targets, their settings are added side by side rather
than merged.
9. Save the policy via File > Save.
The policy group now contains the settings of all individual policies.
10.3.2 Policy grouping results
The result of policy grouping is displayed separately. To display the result, click the
Resulting tab.
- For each policy type a separate tab is shown. The settings resulting from combining the individual policies into a group are displayed.
- For policies for device protection, a tab for each policy target (e.g. boot volumes, drive X etc.) is shown.
10.4 Backing up policies and policy groups
You can create backups of policies and policy groups as XML files. If necessary, the relevant
policies/policy groups can then be restored from these XML files.
To create a backup of a policy/policy group:
1. Select the policy/policy group in the navigation window under Policy Items or Policy Groups.
2. Right-click to display the context menu and select Backup Policy.
The Backup Policy command is also available in the Actions menu.
3. In the Save As dialog enter a file name for the XML file and select a storage location for the
file. Click Save.
The backup of the policy/policy group is stored as an XML file in the specified directory.
10.5 Restoring policies and policy groups
To restore a policy/policy group from an XML file, do the following:
1. Select Policy Items/Policy Groups in the navigation window.
2. Right-click to display the context menu and select Restore Policy.
The Restore Policy command is also available in the Actions menu.
3. Select the XML file from which the policy/policy group is to be restored and click Open.
The policy/policy group is restored.
10.6 Assigning policies
To assign policies, proceed as follows:
1. Click Users & Computers. Select the container object (e.g. OU or domain) in the navigation
window. Click the Policies tab if necessary.
All items required for policy assignment are displayed in the action area: a list of all existing
policies, and the policy area, which displays all policies assigned to the container object.
Policies are assigned via drag&drop.
2. To assign a policy, drag the policy from the list and drop it into the policy area.
3. You can define a Priority for each policy by arranging the policies in order using the context
menu. The settings of higher-ranked policies override those below.
If you select No Override for a policy, its settings will not be overridden by those from other
policies.
Note: If you select No Override for a low-priority policy, this policy will take higher priority than
a higher-ranking policy.
Using the context menu you can set the priority and define whether the policy may be
overridden by other settings. Policies that are already applied are grayed out.
4. .Authenticated Users and .Authenticated Computers are displayed in the activation area. They
indicate that the policy applies to all users and computers in the container object. The policy
now applies to all groups within the OU and/or domain.
10.6.1 Activating policies for individual groups
Policies are always assigned to an OU, a domain or a workgroup. They apply by default to all
groups in those container objects (.Authenticated users and .Authenticated computers groups are
displayed in the activation area).
However, you can also define policies and activate them for one or more groups. These policies
then apply exclusively to these groups.
To define a policy which is to apply only to a specific group, proceed as follows:
1. Assign the policy to the OU the group is contained in.
2. .Authenticated Users and .Authenticated Computers are displayed in the activation area.
3. Drag these two groups from the activation area to the list of available groups. In this state,
the policy is effective neither for users nor for computers.
4. Now drag the required group (or multiple groups) from the list of available groups into the
activation area. The policy now applies exclusively to this group.
If policies have also been assigned to the higher-ranking OU, this policy applies to this group in
addition to those defined for the whole OU.
10.7 Disabling policy deployment
Security officers can disable the deployment of policies to the endpoint computers by using the
Enable/disable policy deployment button in the SafeGuard Management Center toolbar, by
selecting the Enable/disable policy deployment command from the Edit menu, or by pressing F3.
While deployment is disabled, no policies are sent to the endpoint computers. Clicking the
button, selecting the command or pressing F3 again re-enables policy deployment, and policies
are sent again.
Note: For disabling policy deployment, a security officer needs the right “Enable/disable policy
deployment“. This right has been assigned by default to the predefined roles Master Security
Officer and Security Officer. However, this right can also be assigned to new user-defined roles.
10.8 Rules for assigning and analyzing policies
The management and analysis of policies is carried out according to the rules outlined in this
chapter.
10.8.1 Assigning and activating policies
To enable a policy to be implemented for a user/computer, you need to assign it to a container
object (root node, domain, OU, BuiltIn container or workgroup). Assignment alone is not enough:
the policy must also be activated for the user/computer to become effective. When you assign a
policy anywhere in the hierarchy, all computers (authenticated computers) and all users
(authenticated users) are activated automatically; all users and all computers are combined in
these two groups.
10.8.2 Policy inheritance
Policies can only be passed between container objects. Only container objects can pass on policies
from higher-ranking container objects. Policies can be activated within a container provided it
contains no further container objects (at group level). There can be no inheritance between
groups.
10.8.3 Policy inheritance hierarchy
Where policies are assigned along a hierarchy chain, the policy implemented is the one closest to
the target object (user/computer). This means that as the distance to the target object
increases, a policy will be superseded by policies which are closer.
10.8.4 Direct and indirect assignment of policies
Direct assignment
The user/computer obtains a policy which is assigned directly to the container object in which it
is located (membership alone is not sufficient). The container object has not passed on this policy!
Indirect assignment
The user/computer obtains a policy which the container object in which it is actually located
(membership as a user of a group located in another container object is not sufficient) has
inherited from a higher-ranking container object.
10.8.5 Activating/deactivating policies
For a policy to be effective for a computer/user, it has to be activated at group level (policies can
only be activated at group levels). It makes no difference if this group is in the same container
object or not. All that matters here is that the user or computer has been directly or indirectly
(through inheritance) assigned to the policy.
If a computer or user is located outside an OU (or its inheritance line) but is a member of a
group inside that OU, the activation does not apply to that user or computer, because there is no
valid assignment (direct or indirect) for it. The group is activated, but an activation can only
take effect for users and machines that also have a policy assignment. In other words, the
activation of policies cannot cross container boundaries if there is no direct or indirect policy
assignment for that object.
A policy becomes effective when it has been activated for user groups or computer groups. The
user groups and then the computer groups are analyzed (authenticated users and authenticated
computers are also groups). Both results are OR-linked. If this OR-link gives a positive value for
the computer/user relationship, the policy applies.
Note: If more than one policy is active for an object the individual policies are, while complying
with the rules described, merged. I.e. the actual settings for an object can be composed of multiple
different policies.
A group can have the following activation settings:
- Activated: A policy has been assigned. The group is displayed in the activation area of the SafeGuard Management Center.
- Not activated: A policy has been assigned. The group is not in the activation area.
If a policy is assigned to a container, the activation setting for a group (activated) determines
whether that policy for that container feeds into the calculation of the resulting policy.
Inherited policies cannot be controlled by these activations. "Block policy inheritance" would
have to be set at the more local OU so that the more global policy cannot be effective there.
Example 1:
There is a valid assignment of policy P1 for the OU AUTHMANUELL and an activation for the
group Auth-User-Group. Emil and Gunther are members of the Auth-User-Group group. Although
user Gunther is also a member of the Auth-User-Group group, policy P1 does not apply to him but
only to user Emil. As there is no valid assignment of policy P1 for user Gunther (user Gunther
does not belong to the OU AUTHMANUELL), the activation of the Auth-User-Group group has no
effect for him.
Example 2:
Structure of the Active Directory as shown in the figure.
Policy P1 is assigned to the OU Auth-User and is effective only for the OU Auth-User and its
sub-OUs. For Authenticated Users and for Authenticated Computers, policy P1 is NOT activated.
Policy P1 is only activated for the global group Global_Group (only user Gunther is a member of
this group; the Global_Group itself is directly beneath the domain node).
Policy P1 is effective for user Gunther because he has received (indirectly) a valid assignment
of the policy from the OU Auth-User. This example illustrates that the activation of a policy can
be done anywhere in the Active Directory. All that matters is that there is a valid assignment.
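The rules of 10.8.1 to 10.8.5 and the two examples above can be replayed in code. The following Python is an added illustration, not SafeGuard Enterprise code: the Container and Principal classes are a hypothetical model of the Users & Computers tree, the domain name example.local and the sub-OU Auth-User-Sub are assumptions, and example_block_inheritance adds a case (Block Policy Inheritance versus No Override from 10.8.10) that the text describes but does not work through:

```python
from dataclasses import dataclass, field

# Added example, not SafeGuard Enterprise code. The classes below are a
# hypothetical stand-in for the Users & Computers tree, written only to
# replay the assignment/activation rules of 10.8.1 to 10.8.5.
AUTH_USERS = ".Authenticated Users"
AUTH_COMPUTERS = ".Authenticated Computers"


@dataclass
class Container:
    """Root node, domain, OU or workgroup."""
    name: str
    parent: "Container | None" = None
    block_inheritance: bool = False
    # policy name -> set of group names for which that assignment is activated
    assignments: dict = field(default_factory=dict)
    # policies assigned here with "No Override"
    no_override: set = field(default_factory=set)


@dataclass
class Principal:
    """A user or computer object and the container it is actually located in."""
    name: str
    container: Container
    groups: set = field(default_factory=set)  # group memberships, located anywhere
    kind: str = "user"                        # "user" or "computer"


def valid_assignments(obj, policy):
    """Containers from which obj receives a valid assignment of `policy`:
    its own container (direct) or a higher-ranking container (indirect,
    via inheritance). Block Policy Inheritance stops inheritance from
    above, except for assignments flagged No Override (10.8.10)."""
    blocked = False
    container = obj.container
    while container is not None:
        if policy in container.assignments and (not blocked or policy in container.no_override):
            yield container
        if container.block_inheritance:
            blocked = True
        container = container.parent


def activated_for(obj, container, policy):
    """The activation belongs to the assignment: only the groups activated at
    the container where the policy was assigned count. .Authenticated
    Users / .Authenticated Computers stand for all users / all computers."""
    everyone = AUTH_USERS if obj.kind == "user" else AUTH_COMPUTERS
    activated = container.assignments[policy]
    return everyone in activated or bool(activated & obj.groups)


def policy_applies(obj, policy):
    """Assignment without activation is not enough, and an activation without
    a valid assignment has no effect (10.8.5)."""
    return any(activated_for(obj, c, policy) for c in valid_assignments(obj, policy))


def effective_for(user, computer, policy):
    """User and computer results are OR-linked (10.8.5)."""
    return policy_applies(user, policy) or policy_applies(computer, policy)


def example_1():
    """Example 1 from the text: Gunther is located outside the OU AUTHMANUELL."""
    domain = Container("example.local")                       # hypothetical domain name
    ou = Container("AUTHMANUELL", parent=domain)
    ou.assignments["P1"] = {"Auth-User-Group"}                # activated for the group only
    emil = Principal("Emil", ou, {"Auth-User-Group"})
    gunther = Principal("Gunther", domain, {"Auth-User-Group"})
    return {p.name: policy_applies(p, "P1") for p in (emil, gunther)}


def example_2():
    """Example 2 from the text: Gunther sits in a (hypothetical) sub-OU of
    Auth-User and is the only member of Global_Group, located at the domain."""
    domain = Container("example.local")
    ou = Container("Auth-User", parent=domain)
    sub_ou = Container("Auth-User-Sub", parent=ou)
    ou.assignments["P1"] = {"Global_Group"}                   # .Authenticated Users NOT activated
    gunther = Principal("Gunther", sub_ou, {"Global_Group"})
    return policy_applies(gunther, "P1")


def example_block_inheritance():
    """Added case: an OU blocks inheritance; only the domain policy flagged
    No Override still reaches a user in that OU."""
    domain = Container("example.local")
    domain.assignments["P-domain"] = {AUTH_USERS}
    domain.no_override.add("P-domain")
    domain.assignments["P-other"] = {AUTH_USERS}
    finance = Container("Finance", parent=domain, block_inheritance=True)
    alice = Principal("Alice", finance)
    return policy_applies(alice, "P-domain"), policy_applies(alice, "P-other")


if __name__ == "__main__":
    print(example_1())                  # {'Emil': True, 'Gunther': False}
    print(example_2())                  # True
    print(example_block_inheritance())  # (True, False)
```

Group memberships are deliberately kept as plain names with no location, because the text states that where the activated group lives in the directory is irrelevant; only the chain of containers above the object decides whether an assignment is valid.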
10.8.6 User/group settings
Policy settings for users (settings shown in black in the SafeGuard Management Center) take
priority over policy settings for computers (settings shown in blue in the SafeGuard Management
Center). If user settings are done in a policy for computers, those settings will be overridden by
the policy for the user.
Note: Only the user settings will be overridden. If a policy for users also includes machine settings
(settings shown in blue), these will not be overridden by a user policy!
Example 1:
If password length 4 has been defined for a computer group, the user group is assigned value 3 for
the same setting and this user is subject to password length 3 on a computer in the computer
group.
Example 2:
If a server interval of 1 minute is defined for a user group and a value of 3 for a machine group,
the value 3 is used, because the server interval is a machine setting and a machine setting
defined in a policy for users is not applied.
10.8.7 Contradictory encryption policies
Two policies, P1 and P2, are created. File based encryption for drive E:\ is defined in P1, and
volume based encryption for drive E:\ in P2. P1 is assigned to the OU FBE-User and P2 to the OU
VBE-User.
Case 1: A user from OU FBE-User logs on first to the client XP-100 (container computer). Drive
E:\ is file based encrypted. If a user from the OU VBE-User then logs on to client XP-100, drive
E:\ is volume based encrypted. If both users have the same key, both can access the drive or the
files.
Case 2: A user from OU VBE-User logs on first to the computer XP-100 (container computer).
The drive is volume based encrypted. If a user from OU FBE-User now logs on and has the same
key as the users from OU VBE-User, drive E:\ is file based encrypted within the volume based
encryption (the volume based encryption is kept). However, if the user from OU FBE-User does
not have the same key, they cannot access drive E:\.
10.8.8 Priority within an assignment
The policy with the highest priority (1) ranks above a policy with a lesser priority within an
assignment.
Note: If a policy with a lesser priority but which has been designated “No override” is assigned to
the same level as a higher ranking policy, this policy will take priority despite its lower ranking.
10.8.9 Priority within a group
The policy with the highest priority (1) ranks above a policy with a lesser priority within a group.
10.8.10 Status indicators
Setting status indicators allows the standard rules for policies to be changed.
- Block policy inheritance: Set it for containers for which you do not wish higher-ranking policies to apply (right-click the object in the navigation window, Properties).
- No Override: Set it during the assignment process; this policy can then not be overridden by another policy.
Block Policy Inheritance
If you do not want a container object to inherit a policy from a higher object, select “Block Policy
Inheritance” to prevent this. If “Block Policy Inheritance” has been selected for a container object
it will not be affected by higher-ranking policy settings (exception: “No Override” activated when
policy was assigned).
No Override
The further away from the target object a policy assignment with "No Override" is, the stronger
the effect of this policy on all lower-ranking container objects. A higher-ranking container
whose policy is assigned with "No Override" thus overrides the policy settings of a lower-ranking
container. So, for example, a domain policy can be defined whose settings cannot be overridden,
even if "Block policy inheritance" has been set for an OU.
Note: If a policy with a lesser priority but which has been designated "No Override" is assigned
to the same level as a higher ranking policy, this policy takes priority despite its lower ranking.
10.8.11 Settings in policies
Replay Machine Settings
You will find this setting under:
Policy Items > policy of the type General Settings > Loading of settings > Policy loopback
If you select “Replay Machine Settings” in the field Policy Loopback of a policy of the type
General Settings and the policy comes from a computer (“Replay Machine Settings” does not
affect user policies), this policy is replayed at the end of the analysis. This then overrides any user
settings and the machine settings apply. All machine settings inherited directly or indirectly by
the machine (including policies which have not been applied by the “Replay Machine Settings”
policy loopback) are rewritten.
Ignore User
You will find this setting under:
Policy Items > policy of the type General Settings > Loading of Settings > Policy Loopback
If you select “Ignore User” in the field Policy Loopback of a policy of the type General Settings
and the policy comes from a machine, only the machine settings are analyzed. User settings are
not analyzed.
No Loopback
You will find this setting under:
Policy Items > policy of the type General Settings > Loading of Settings > Policy Loopback
No loopback describes the standard behavior. User policies take priority over computer policies.
Analyzing the settings “Ignore User” and “Replay Machine Settings”
If there are active policy assignments, the machine policies are analyzed and consolidated first. If,
with the Policy Loopback option, this amalgamation of individual policies gives the value “Ignore
User”, the policies that would have been fixed for the user will not be analyzed. This means that
the same policies apply both for the user and for the machine.
If, after amalgamating the individual machine policies, the value with the Policy Loopback
attribute is “Replay machine settings”, the user policies are amalgamated with the machine
policies. After the amalgamation, the machine policies are rewritten and, where appropriate,
override settings from the user policies. If a setting is present in both policies, the machine policy
value overrides the user policy value.
If the consolidation of the individual machine policies results in the standard value (“No
Loopback”), user settings take priority over machine settings.
Order of the execution of policies:
- Ignore User: Computer
- Replay Machine Settings: Computer -> User -> Computer. The first “machine execution” is required for the policies which are written before user logon (e.g. background image at logon).
- No Loopback (standard setting): Computer -> User
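To make the merge and loopback rules concrete (priorities and not configured values from 10.3, No Override from 10.8.8, user versus machine settings from 10.8.6, and the three Policy Loopback modes from 10.8.11), here is an added Python illustration that is not SafeGuard Enterprise code. The Policy class, the setting names password_length, min_lower and server_interval, the choice of which settings are machine-only, and the values used for the policy_loopback setting are assumptions made for this example; None stands for "not configured":

```python
from dataclasses import dataclass

# Added example, not SafeGuard Enterprise code. Policy, the setting names and
# the split into machine-only settings are hypothetical stand-ins chosen to
# match the examples in 10.8.6; None represents "not configured".
NOT_CONFIGURED = None

# Settings shown in blue in the Management Center apply to machines only
# (assumption for this illustration: server interval and policy loopback are
# such settings; password length is a black, i.e. user, setting).
MACHINE_ONLY = {"server_interval", "policy_loopback"}


@dataclass
class Policy:
    name: str
    settings: dict              # setting name -> value, None = not configured
    priority: int = 1           # 1 is the highest priority
    no_override: bool = False   # "No Override" set when the policy was assigned


def merge(policies):
    """Consolidate policies of one type (10.3, 10.8.8): the higher priority
    overwrites the lower, a not-configured value never overwrites, and a
    policy flagged No Override wins even over a higher-ranked one."""
    ordered = sorted(policies, key=lambda p: (not p.no_override, p.priority))
    result = {}
    for policy in ordered:
        for key, value in policy.settings.items():
            if value is not NOT_CONFIGURED:
                result.setdefault(key, value)   # strongest configured value wins
    return result


def resolve(user_policies, machine_policies):
    """Effective settings for a user on a machine (10.8.6, 10.8.11).
    The machine policies are consolidated first; their Policy Loopback value
    decides whether and how the user policies are applied."""
    machine = merge(machine_policies)      # carries user settings too: "for all users"
    # machine-only settings in a user policy are not applied (10.8.6, Example 2)
    user = {k: v for k, v in merge(user_policies).items() if k not in MACHINE_ONLY}
    loopback = machine.get("policy_loopback", "none")
    if loopback == "ignore_user":          # Computer only
        return machine
    if loopback == "replay_machine":       # Computer -> User -> Computer
        replayed = dict(user)
        replayed.update(machine)           # machine value wins where both are set
        return replayed
    effective = dict(machine)              # No Loopback: Computer -> User
    effective.update(user)                 # user value wins where both are set
    return effective


def example_password_length(loopback="none"):
    """10.8.6 Example 1: 4 for the computer group, 3 for the user group."""
    machine = [Policy("Computer policy", {"password_length": 4, "policy_loopback": loopback})]
    user = [Policy("User policy", {"password_length": 3})]
    return resolve(user, machine)["password_length"]


def example_server_interval():
    """10.8.6 Example 2: 1 minute in the user policy, 3 in the machine policy."""
    user = [Policy("User policy", {"server_interval": 1})]
    machine = [Policy("Machine policy", {"server_interval": 3})]
    return resolve(user, machine)["server_interval"]


def example_group_merge():
    """Three policies of one type in a group: P1 ranks highest but leaves
    min_lower not configured; P3 ranks lowest but is flagged No Override."""
    p1 = Policy("P1", {"password_length": 8, "min_lower": NOT_CONFIGURED}, priority=1)
    p2 = Policy("P2", {"password_length": 6, "min_lower": 1}, priority=2)
    p3 = Policy("P3", {"password_length": 12, "min_lower": NOT_CONFIGURED}, priority=3, no_override=True)
    return merge([p1, p2, p3])


if __name__ == "__main__":
    print(example_password_length())                  # 3
    print(example_password_length("replay_machine"))  # 4
    print(example_password_length("ignore_user"))     # 4
    print(example_server_interval())                  # 3
    print(example_group_merge())                      # {'password_length': 12, 'min_lower': 1}
```

The point worth checking when you audit a real configuration is the same one the code makes explicit: the loopback value is read only from the consolidated machine policies, so a "Replay Machine Settings" set in a policy that reaches the object via a user never takes effect, and a user policy can never raise a machine-only setting above what the machine policies define.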
10.8.12 Other definitions
The decision as to whether it is a user or machine policy depends on the policy's origin. A user
object “brings” a user policy, while a computer “brings” a computer policy. The same policy can
be a machine or a user policy, depending on the perspective.
- User policy: Any policy provided by the user for analysis. If a policy is implemented via only one user, the machine-related settings of that policy are not applied, i.e. computer-related settings do not apply; the default values apply instead.
- Computer policy: Any policy provided by the machine for analysis. If a policy is implemented via just one computer, the user-specific settings of this policy are also applied. The computer policy therefore represents a policy “for all users”.
11 Working with configuration packages
In the SafeGuard Management Center you can create the following types of configuration
packages:
- Configuration package for managed computers
Computers that have a connection to the SafeGuard Enterprise Server receive their policies via
this Server. For successful operation after installation of the SafeGuard Enterprise Client
software, you need to create a configuration package for managed computers and deploy it to
them. After the first configuration of the endpoint computer via the configuration package, the
computer receives policies via the SafeGuard Enterprise Server after you have assigned them in
the Users & Computers area of the SafeGuard Management Center.
- Configuration package for unmanaged computers
Unmanaged computers are never connected to the SafeGuard Enterprise Server at any point in
time; they operate in standalone mode. They receive their policies via configuration packages.
For successful operation, you need to create a configuration package containing the relevant
policy groups and distribute it to the endpoint computers via company distribution mechanisms.
New configuration packages need to be created and distributed to the endpoint computers
whenever the policy settings are changed.
- Configuration package for the SafeGuard Enterprise Server
For successful operation, you need to create a configuration package for the SafeGuard
Enterprise Server, defining the database and SSL connection, enabling the scripting API and
so on.
For a detailed description on how to create the different kinds of configuration packages, see the
SafeGuard Enterprise Installation manual.
Note: Check your network and computers at regular intervals for outdated or unused
configuration packages and, for security reasons, make sure to delete them. Always uninstall the
old configuration package before installing the new one on the computer/server.
12 Administrative access options for endpoint computers
To cater for access requirements for administrative tasks after the installation of SafeGuard
Enterprise on endpoint computers, SafeGuard Enterprise offers the following administrative
access options:
- Service accounts for Windows logon
With service accounts, administrators can log on (Windows logon) to endpoint computers after
the installation of SafeGuard Enterprise without activating the Power-on Authentication and
without being added as users to the computers. Service account lists are defined in the Policies
area of the SafeGuard Management Center and assigned via policies to the endpoint computers.
Users included on a service account list are treated as guest users when logging on at the
endpoint computer.
Note: Service account lists are assigned to endpoint computers via policies. They should be
assigned in the first SafeGuard Enterprise configuration package you create for the configuration
of the endpoint computers.
For detailed information on service accounts, see Service Account Lists for Windows logon,
page 85.
- POA access accounts for POA logon on unmanaged endpoint computers protected by SafeGuard Enterprise
For unmanaged endpoint computers, i.e., endpoint computers operating in standalone mode,
SafeGuard Enterprise offers POA access accounts. POA access accounts are predefined local
accounts that enable users to log on (POA logon) to endpoint computers after the Power-on
Authentication has been activated to perform administrative tasks. The accounts are defined
in the Users and Computers area of the SafeGuard Management Center (user ID and
password) and assigned to the endpoint computers via POA access groups included in
configuration packages.
For detailed information on POA access accounts, see POA access accounts for POA logon at
unmanaged endpoint computers, page 91.
13 Service Account Lists for Windows logon
A typical scenario for most implementations is that a rollout team installs new computers in an
environment including the installation of SafeGuard Enterprise. For installation or verification
reasons, rollout operators may log on to the respective computer before the end user receives the
new machine and is able to activate the Power-on Authentication.
Thus, the scenario may be as follows:
1. SafeGuard Enterprise is installed on an endpoint computer.
2. After rebooting the computer, the rollout operator logs on.
3. The rollout operator is added to the POA and the POA becomes active. The rollout operator
becomes owner of the computer.
Upon receiving the computer the end user will not be able to log on to the POA and needs to
perform a Challenge/Response procedure.
To prevent that administrative operations on a SafeGuard Enterprise protected computer lead to
an activation of the Power-on Authentication and the addition of rollout operators as users and
machine owners to the computer, SafeGuard Enterprise offers the possibility of creating service
account lists for SafeGuard Enterprise protected computers. The users included in these lists are
thereby treated as SafeGuard Enterprise guest users.
With service accounts the scenario is as follows:
1. SafeGuard Enterprise is installed on an endpoint computer.
2. After rebooting the computer, a rollout operator included on a service account list logs on
(Windows logon).
3. According to the service account list applied to the computer the user is identified as a service
account and will be treated as a guest user.
The rollout operator will not be added to the POA and the POA will not become active. The
rollout operator will not become owner of the computer. The end user can log on and activate the
POA.
Note: As the service account list functionality is especially helpful during the rollout phase of an
implementation, it is recommended to assign service account lists as early as in the first
SafeGuard Enterprise configuration package created in the SafeGuard Management Center for
configuring the SafeGuard Enterprise protected endpoint computer after installation.
13.1 Creating service account lists and adding users
To create service account lists and add users, do as follows:
1. Click Policies in the navigation area.
2. Select Service account lists in the policy navigation window.
3. In the context menu of Service account lists, click New > Service account list.
4. Enter a name for the service account list and click OK.
5. Select the new list under Service account lists in the policy navigation window.
6. Right-click in the action area to open the context menu for the service account list. In the
context menu, select Add.
7. A new user line is added. Enter the User Name and the Domain Name in the respective
columns and press Enter. To add further users, repeat this step.
8. Save your changes by clicking the Save icon in the toolbar.
The service account list is now registered and can be selected for assignment when creating a
policy.
13.2 Additional information for entering user and domain names
There are different methods for specifying users in service account lists using the two fields User
Name and Domain Name (see Covering different combinations for logging on, page 86).
Furthermore, certain restrictions apply for valid input in these fields (see Restrictions, page 88).
13.2.1 Covering different combinations for logging on
The two separate fields User Name and Domain Name per list entry offer the flexibility to cover
all available combinations for logging on, for example "user@domain" or "domain\user".
To handle several user name/domain name combinations, you can use asterisks (*) as wild cards.
An asterisk is allowed as the first character, the last character or as the only character.
For example:
- User Name: Administrator
- Domain Name: *
This combination specifies all users with the user name "Administrator" who log on to any network or local machine.
The predefined domain name [LOCALHOST] available in the drop-down list of the Domain Name field stands for the logon on any local workstation.
For example:
- User Name: *admin
- Domain Name: [LOCALHOST]
This combination specifies all users whose user names end in "admin" and who log on to any local machine.
Furthermore, users may log on in different ways, e.g.:
- user: test, domain: mycompany or
- user: test, domain: mycompany.com.
As domain specifications in the service account lists are not automatically resolved, there are three possible methods for specifying the domain correctly:
- You know exactly how the user is going to log on and enter the domain accordingly.
- You create several service account list entries.
- You use wild cards to cover all different cases (user: test, domain: mycompany*).
Note: Windows may not always use the same character sequence for a domain name but may truncate names. To avoid problems caused by this, it is recommended to enter both the fully qualified domain name and the NetBIOS name, or to use wild cards.
13.2.2 Restrictions
Asterisks are only allowed as the first character, the last character or as the only character. Following are examples of valid and invalid strings using asterisks:
- Valid strings are for example admin*, *, *strator, *minis*.
- Invalid strings are for example **, Admin*trator, Ad*minst*.
Furthermore, the following restrictions apply:
- The character ? is not allowed in user logon names.
- The characters / \ [ ] : ; | = , + * ? < > " are not allowed in domain names.
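The wildcard and domain rules from 13.2.1 and 13.2.2 as a small matcher, added here as an illustration and not SafeGuard Enterprise code: the entry format, the asterisk placement rule, [LOCALHOST] and the forbidden characters are taken from the text above, while case-insensitive comparison, the logon forms "domain\user" and "user@domain", and treating a logon whose domain equals the workstation name as a local logon are assumptions.

```python
"""Service account list matching with the wildcard rules described above.

Added illustration, not SafeGuard Enterprise code. Entry format, asterisk
placement rule, [LOCALHOST] and the forbidden characters follow the help
text; case-insensitive matching and the local-logon detection are assumed.
"""
import re

LOCALHOST = "[LOCALHOST]"
# Characters the help text forbids in domain names (a wildcard asterisk at
# the edges of an entry is stripped before this check).
BAD_DOMAIN_CHARS = set('/\\[]:;|=,+*?<>"')
# An asterisk may only be the first, the last or the only character.
WILDCARD_RE = re.compile(r"^(\*|\*?[^*]+\*?)$")


def valid_wildcard(s):
    """True for admin*, *, *strator, *minis*; False for **, Admin*trator, Ad*minst*."""
    return bool(WILDCARD_RE.match(s))


def validate_entry(user, domain):
    """Raise ValueError if a list entry violates the restrictions in 13.2.2."""
    if "?" in user:
        raise ValueError("'?' is not allowed in user logon names")
    if not valid_wildcard(user):
        raise ValueError(f"invalid asterisk placement in user name {user!r}")
    if domain != LOCALHOST:
        if not valid_wildcard(domain):
            raise ValueError(f"invalid asterisk placement in domain {domain!r}")
        bad = BAD_DOMAIN_CHARS & set(domain.strip("*"))
        if bad:
            raise ValueError(f"characters {sorted(bad)} not allowed in domain name")


def glob_match(pattern, value):
    """Case-insensitive match where '*' is only leading, trailing or alone."""
    p, v = pattern.lower(), value.lower()
    if p == "*":
        return True
    core = p.strip("*")
    if p.startswith("*") and p.endswith("*"):
        return core in v
    if p.startswith("*"):
        return v.endswith(core)
    if p.endswith("*"):
        return v.startswith(core)
    return v == core


def parse_logon(logon, workstation):
    """Split 'domain\\user' or 'user@domain' into (user, domain).

    A bare user name or the domain '.' is treated as a local account on the
    workstation (assumption; the help text does not describe this case).
    """
    if "\\" in logon:
        domain, user = logon.split("\\", 1)
    elif "@" in logon:
        user, domain = logon.rsplit("@", 1)
    else:
        user, domain = logon, workstation
    if domain == ".":
        domain = workstation
    return user, domain


def is_service_account(entries, logon, workstation):
    """True if the logon matches any (user, domain) entry of the list.

    A matching user is treated as a SafeGuard Enterprise guest user: the POA
    is not activated and the user is not added to the computer.
    """
    user, domain = parse_logon(logon, workstation)
    for e_user, e_domain in entries:
        validate_entry(e_user, e_domain)
        if not glob_match(e_user, user):
            continue
        if e_domain == LOCALHOST:
            if domain.lower() == workstation.lower():
                return True
        elif glob_match(e_domain, domain):
            return True
    return False


# Constructed sample list for a rollout, built from the examples in 13.2.1.
ROLLOUT_LIST = [
    ("Administrator", "*"),     # any Administrator, network or local
    ("*admin", LOCALHOST),      # local accounts whose name ends in "admin"
    ("test", "mycompany*"),     # covers both mycompany and mycompany.com
]

if __name__ == "__main__":
    for logon in (r"MYCOMPANY\Administrator", "test@mycompany.com",
                  r"WS01\svcadmin", r"MYCOMPANY\svcadmin", r"MYCOMPANY\alice"):
        hit = is_service_account(ROLLOUT_LIST, logon, "WS01")
        print(f"{logon:26} service account: {hit}")
```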
13.3 Editing and deleting service account lists
As a security officer with the right Modify service account lists you can edit or delete service account lists at any time:
- To edit a service account list, double-click it in the policy navigation window. The service account list is opened and you can add, delete or modify user names on the list.
- To delete a service account list, select it in the policy navigation window, open the context menu and select Delete.
13.4 Assigning a service account list via policy
To select and assign a service account list, do as follows:
1. Create a new policy of the type Authentication or select an existing one.
2. Under Logon Options, select the required service account list from the drop-down list of the
Service Account List field.
Note: The default setting of this field is [No list], i.e. no service account list applies. Rollout
operators logging on to the computer after installation of SafeGuard Enterprise will therefore
not be treated as guest users and may activate Power-on Authentication and be added to the
computer. To undo the assignment of a service account list, select the [No list] option.
3. Save your changes by clicking the Save icon in the toolbar.
You can now transfer the policy to the respective computers to make the service accounts
available on the computer.
Note: If you select different service account lists in different policies which are all relevant
according to the RSOP (Resulting Set of Policies, the settings valid for a specific computer/group),
the service account list assigned in the last policy applied will overrule all previously assigned
service account lists. Service account lists will not be merged.
13.5 Transferring the policy to the endpoint computer
The service account list functionality is especially helpful and important during initial installation
in the rollout phase of an implementation. It is therefore recommended to transfer the service
account settings to the endpoint computer immediately after installation. To make the service
account list available on the endpoint computer at this point, include a policy of the type
Authentication when you create the initial configuration package for configuring the endpoint
computer after installation.
You can change the service account list settings at any time and the changes will be transferred to
the endpoint computer via the server in the usual way.
13.6 Logging on to an endpoint computer using a service account
At the first Windows logon after rebooting the computer, a user included on a service account list
logs on to the respective machine as a SafeGuard Enterprise guest user. This first Windows logon
to the machine neither kicks off a pending Power-on Authentication nor adds the user to the
computer. The SafeGuard Enterprise System Tray icon balloon tool tip "Initial user
synchronisation completed" will not be displayed.
13.6.1 Service account status display on the endpoint computer
In addition, the guest user logon status is also available via the System Tray Icon. For further
information on the System Tray Icon, refer to the SafeGuard Enterprise User help, chapter System
Tray icon and balloon tool tip (description of the user state field).
13.7 Log events
Actions performed regarding service account lists are reported by the following log events:
SafeGuard Management Center
- Service account list <name> created
- Service account list <name> modified
- Service account list <name> deleted
SafeGuard Enterprise protected computer
- Windows user <domain/user name> logged on at <timestamp> to machine <domain/workstation name> as SGN service account.
- New service account list <name> imported.
- Service account list <name> deleted.
14 POA access accounts for POA logon at unmanaged endpoint computers
For unmanaged computers protected by SafeGuard Enterprise, i.e., computers operating in
standalone mode, SafeGuard Enterprise offers POA access accounts. After SafeGuard Enterprise
has been installed and the Power-on Authentication (POA) has been activated, access to endpoint
computers to perform administrative tasks may be required. With POA access accounts, users
can log on at the Power-on Authentication on endpoint computers for administrative tasks
without having to initiate a Challenge/Response procedure. There is no automatic logon to
Windows. The users logging on with POA access accounts log on to Windows with their existing
Windows accounts.
14.1 Creating POA access accounts
To create POA access accounts, do as follows:
1. Click Users & Computers in the navigation area of the SafeGuard Management Center.
2. In the Users and Computers navigation window under POA, select POA Users.
3. In the context menu of POA Users, click New > Create new user.
The Create new user dialog is displayed.
4. In the Full name field, enter a name, i.e. the logon name, for the new POA user.
5. Optionally, enter a description for the new POA user.
6. Enter a password for the new POA access account and confirm it.
Note: To enhance security, the password should adhere to certain minimum complexity
requirements, e.g., minimal length of 8 characters, mixture of numerical and alphanumerical
characters etc. If the password you have entered is too short, a warning message will be displayed.
7. Click OK.
The new POA access account is created and the POA user (i.e. the POA access account) is
displayed under POA users in the Users & Computers navigation area.
14.2 Changing the password for a POA access account
To change the password for a POA access account, do as follows:
1. Click Users & Computers in the navigation area of the SafeGuard Management Center.
2. In the Users & Computers navigation window under POA, POA Users, select the relevant
POA user.
3. In the context menu of the POA user, select Properties.
The properties dialog for the POA user is displayed.
4. In tab General under User Password, enter the new password and confirm it.
5. Click OK.
The new password applies for the relevant POA access account.
14.3 Deleting POA access accounts
To delete POA access accounts, do as follows:
1. Click Users & Computers in the navigation area of the SafeGuard Management Center.
2. In the Users and Computers navigation window under POA, POA Users, select the relevant
POA access account.
3. Right-click on the POA access account and select Delete from the context menu.
The POA access account, i.e. the POA user, is deleted and is no longer displayed in the Users and
Computers navigation window.
Note: If the user is part of one or several POA groups, the POA access account will also be
removed from all groups. However, the POA access account will still be available on the endpoint
computer until a new configuration package has been created and assigned. For further details on
POA groups, see Creating POA access account groups, page 93. For further details on changing the
POA access account assignment, see Changing POA access accounts assignments on endpoint
computers, page 96.
14.4 Creating POA access account groups
To be able to assign POA access accounts to endpoint computers via configuration packages, the
accounts must be arranged in groups. When creating configuration packages, you can select a
POA access account group for assignment.
To create POA access account groups, do as follows:
1. Click Users & Computers in the navigation area of the SafeGuard Management Center.
2. In the Users and Computers navigation area under POA, select POA Groups.
3. In the context menu of POA Groups, click New > Create new group.
The Create new group dialog is displayed.
4. In the Full name field, enter a name for the new POA group.
5. Optionally, enter a description for the new POA group.
6. Click OK.
The new POA access account group is created and is displayed under POA Groups in the Users
and Computers navigation area. You can now add users, i.e. POA access accounts, to the POA
access account group.
14.5 Adding accounts to POA access account groups
To add users, i.e. POA access accounts, to POA access account groups, do as follows:
1. Click Users & Computers in the navigation area of the SafeGuard Management Center.
2. In the Users and Computers navigation window under POA, POA Group, select the relevant
POA group.
In the action area of the SafeGuard Management Center on the right-hand side, the Members tab
is displayed.
3. In the SafeGuard Management Center toolbar, click the Add icon (green plus sign).
The Select member object dialog is displayed.
4. Select the user, i.e. POA access account, you want to add to the group.
5. Click OK.
The POA access account is added to the group and displayed in the Members tab.
Note: You can also add accounts to groups by selecting the POA user, i.e. POA access account, in
the navigation window and following the steps described above. The only difference in this
approach is that the action area displays the Member of tab after selecting the user. This tab shows
the groups the user has been assigned to. The basic workflow is identical.
14.6 Removing members from POA access account groups
To remove members, i.e. POA access accounts, from POA access account groups, do as follows:
1. Click Users & Computers in the navigation area of the SafeGuard Management Center.
2. In the Users and Computers navigation window under POA, POA Group, select the relevant
POA group.
In the action area of the SafeGuard Management Center on the right-hand side, the Members tab
is displayed.
3. Select the user you want to delete from the group.
4. In the SafeGuard Management Center toolbar, click the Remove (Delete) icon (red cross
sign).
The user is removed from the group.
Note: You can also remove members from groups by selecting the POA user, i.e. POA access
account, in the navigation window and following the steps described above. The only difference
in this approach is that the action area displays the Member of tab after selecting the user. This
tab shows the groups the user has been assigned to. The basic workflow is identical.
14.7 Assigning POA access accounts to endpoint computers
To assign POA access groups to endpoint computers via configuration packages, do as follows:
1. In the SafeGuard Management Center, select Configuration Package Tool from the Tools
menu.
2. Select an existing configuration package or create a new one.
3. Specify a POA Group created beforehand in the Users and Computers area of the SafeGuard
Management Center, to be applied to the computers.
The default setting for the POA group is No Group.
Furthermore, an empty group is available for selection by default. This group can be used to
delete a POA access account group assignment on endpoint computers. For further details see
Deleting POA access accounts from endpoint computers, page 95.
4. Specify an output path for the configuration package.
5. Click Create Configuration Package.
6. Deploy the configuration package to the endpoint computers.
By installing the configuration package, the users, i.e. POA access accounts, included in the group
are added to the POA on the endpoint computers. The POA access accounts are available for POA
logon.
14.8 Deleting POA access accounts from endpoint computers
POA access accounts can be deleted from endpoint computers by assigning an empty POA access
account group. Do as follows:
1. In the SafeGuard Management Center, select the Configuration Package Tool from the Tools
menu.
2. Select an existing configuration package or create a new one.
3. Specify an empty POA Group created beforehand in the Users area of the SafeGuard
Management Center, or select the empty POA group that is available by default in the
Configuration Package Tool.
4. Specify an output path for the configuration package.
5. Click Create Configuration Package.
6. Deploy the configuration package to the endpoint computers.
By installing the MSI file, all POA access accounts are removed from the endpoint computers, i.e.
all relevant users are removed from the POA.
14.9 Changing POA access accounts assignments on endpoint computers
To change the POA access accounts assignment for endpoint computers, do as follows:
1. Create a new POA access account group or modify an existing one.
2. Create a new configuration package and select the new or modified POA access account
group.
The new POA access account group is available on the endpoint computer, all users included are
added to the POA. The new group overwrites the old one. POA access account groups are not
merged.
14.10 Logging on to an endpoint computer using a POA access account
To log on using a POA access account, do as follows:
1. Switch on the computer.
The Power-on Authentication logon dialog is displayed.
2. Enter the User name and the Password of the predefined POA access account.
You are not automatically logged on to Windows. Therefore, the Windows logon dialog is
displayed.
3. In the Domain field, select the domain <POA>.
4. Log on to Windows using your existing Windows user account.
15 Security policies
The SafeGuard Enterprise policies include all settings which need to be active to implement
a companywide security policy on the endpoint computers.
The SafeGuard Enterprise policies can incorporate settings for the following areas (policy types):
- General Settings: Contains for example settings for transfer rate, background images, etc.
- Authentication: Contains settings for logon mode, device lock, etc.
- PINs: Defines the requirements for used PINs.
- Passwords: Defines the requirements for used passwords.
- Passphrases: Defines the requirements for used passphrases. Passphrases are used for secure data exchange with SafeGuard Data Exchange during key generation.
- Device protection: Contains the settings for volume- or file-based encryption (including settings for SafeGuard Data Exchange and SafeGuard Portable): algorithms, keys, the drives on which data is to be encrypted, etc.
- Specific machine settings: Contains settings for the Power-on Authentication (activate/deactivate), for secure Wake On LAN, display options, etc.
- Logging: Defines the events to be logged and their output destinations.
- Configuration protection: Contains settings (allow/block) for the usage of ports and peripheral devices (PDAs, removable media, printers, etc.).
15.1 General settings
LOADING OF SETTINGS
Policy Loopback
- Replay Machine Settings: If "Replay Machine Settings" is selected for a policy in the field Policy Loopback, and the policy originates from a machine (the "Replay Machine" setting of a user policy does not have any effect), this policy is implemented again at the end. This then overrides any user settings and the machine settings apply.
- Ignore User: If you select "Ignore User" for a policy (machine policy) in the field Policy Loopback and the policy originates from a machine, only the machine settings are analyzed. User settings are not analyzed.
- No Loopback: No loopback is the standard behavior in which user policies take priority over machine policies.
How are the settings "Ignore User" and "Replay Machine Settings" analyzed?
If there are active policy assignments, the machine policies are analyzed and consolidated first. If consolidation of the various policies results in the "Ignore User" attribute in policy loopback, policies that would have been applied for the user are no longer analyzed. This means that the same policies apply to the user as to the machine.
If the "Replay Machine Settings" value is applied in the case of the policy loopback, once the individual machine policies have been consolidated, the user policies are then merged with the machine policies. After consolidation the machine policies are re-written and override any user policy settings. This means that if a setting is present in both policies, the machine policy value overrides the user policy value.
If the consolidation of individual machine policies results in the standard value, the following applies: user settings take priority over machine settings.
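The three Policy Loopback behaviours described above, worked through as a small resolver. This is an added illustration and not SafeGuard Enterprise code: the loopback values and the evaluation order follow the help text, while modelling a policy as a dict of setting name to value, and the sample policies, are assumptions.

```python
"""Policy loopback consolidation as described for the Policy Loopback setting.

Added illustration, not SafeGuard Enterprise code. The three loopback values
and the order of evaluation follow the help text; modelling a policy as a
dict of setting name -> value is an assumption.
"""
LOOPBACK = "Policy Loopback"
NO_LOOPBACK = "No Loopback"
IGNORE_USER = "Ignore User"
REPLAY_MACHINE = "Replay Machine Settings"


def consolidate(policies):
    """Merge policies in application order; a later value overrides an earlier one."""
    result = {}
    for policy in policies:
        result.update(policy)
    return result


def resolve(machine_policies, user_policies):
    """Return the resulting set of policies (RSOP) for a user on a machine."""
    # 1. Machine policies are analysed and consolidated first.
    machine = consolidate(machine_policies)
    # The loopback value only counts when it originates from a machine policy;
    # "Replay Machine Settings" in a user policy has no effect (see below).
    mode = machine.get(LOOPBACK, NO_LOOPBACK)
    if mode == IGNORE_USER:
        # 2a. User policies are not analysed: the user gets the machine settings.
        return machine
    user = consolidate(user_policies)
    user.pop(LOOPBACK, None)       # a loopback value set by a user policy is ignored
    merged = dict(machine)
    merged.update(user)            # user values override machine values ...
    if mode == REPLAY_MACHINE:
        merged.update(machine)     # ... unless the machine settings are replayed last
    return merged


# Constructed sample: two machine policies and one user policy, using setting
# names from this section.
MACHINE_POLICIES = [
    {"Connection interval to server (min)": 90, "Language used on client": "en"},
    {"Feedback after number of events": 500},
]
USER_POLICIES = [
    {"Connection interval to server (min)": 30,
     "Welcome text under Windows": "Help desk: ext. 1234"},
]


def rsop_with(mode):
    """RSOP for the sample when a final machine policy carries the given loopback value."""
    return resolve(MACHINE_POLICIES + [{LOOPBACK: mode}], USER_POLICIES)


if __name__ == "__main__":
    for mode in (NO_LOOPBACK, REPLAY_MACHINE, IGNORE_USER):
        print(f"{mode}: {rsop_with(mode)}")
```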
TRANSFER RATE
Connection interval to server (min): Determines the period in minutes after which a SafeGuard Enterprise Client sends a policy (changes) enquiry to the SafeGuard Enterprise Server.
Note: To prevent a large number of clients contacting the server at the same time, communication is always carried out in a period of +/- 50% of the set connection interval. Example: Setting "90 minutes" results in a communication period between the client and the server of 45 to 135 minutes.
LOGGING
Feedback after number of events: The log system, implemented as Win32 Service "SGM LogPlayer", collects log entries generated by SafeGuard Enterprise for the central database and stores them in local log files. These are located in the Local Cache in the "Auditing\SGMTransLog" directory. These files are transferred to the transport mechanism which then sends them to the database via the SGN Server. Transfer takes place as soon as the transport mechanism has succeeded in creating a connection to the server.
The log file therefore increases in size until a connection has been established. To limit the size of each log file, it is possible to set a maximum number of log entries in the policy. Once the preset number of entries has been reached, the logging system places the log file in the SGN Server transport queue and starts a new log file.
CUSTOMIZATION
Language used on client: Determines the language in which settings for SafeGuard Enterprise are displayed on the endpoint computer. Besides the supported languages, users may select the computer's operating system language setting.
LOGON RECOVERY
Activate logon recovery after Windows Local Cache corruption: The Windows Local Cache is the start and the end point for the data exchange between the endpoint computer and the server. It stores all keys, policies, user certificates and audit files. All data stored in the local cache are signed and cannot be changed manually.
By default logon recovery is deactivated, i.e. the Windows Local Cache will be restored automatically from its backup. In this case, no Challenge/Response procedure is required for repairing the Windows Local Cache. If the Windows Local Cache is to be repaired explicitly via a Challenge/Response procedure, set this field to "YES".
Enable Local Self Help
Enable Local Self Help: Determines whether users are permitted to log on to their computers via Local Self Help if they have forgotten their password. Using Local Self Help the user can log on by answering a specified number of previously defined questions in the Power-on Authentication. Thus, in case of an emergency, the user can regain access to their computer even if neither telephone nor internet connection are available. A Challenge/Response procedure is not necessary in this case. Local Self Help helps reduce help desk efforts and cost.
Notice: For the user to be able to use Local Self Help, automatic logon to Windows has to be enabled. Otherwise, Local Self Help will not work.
Minimal length of answers: In this field, define the minimum length (in characters) for the answers to be saved for Local Self Help on the endpoint computer.
Welcome text under Windows: In this field you can specify the individual information text to be displayed in the first dialog when launching the Local Self Help Wizard on the endpoint computer. Prior to specifying the text here, it has to be created and registered.
Users can define their own questions: As a security officer you can define the set of questions to be answered centrally and distribute it to the endpoint computer via the policy. However, you can also grant the users the right to define their own questions. To entitle users to define their own questions, select option Yes in this field.
Challenge / Response (C/R)
Enable logon recovery via C/R: Determines whether a user is permitted to generate a challenge in the Power-on Authentication (POA) to regain access to their computer via a Challenge/Response procedure.
YES: User is permitted to generate a challenge. In this case, the user can regain access to their computer via a C/R procedure in case of emergencies.
NO: User is not permitted to issue a challenge. In this case, the user cannot initiate a C/R procedure to regain access to their computer in case of an emergency.
Allow automatic logon to Windows: Allows the user to log on to Windows automatically after authentication via Challenge/Response.
YES: User is automatically logged on to Windows.
NO: Windows logon screen appears.
Use case: A user has forgotten their password. After the Challenge/Response procedure, SafeGuard Enterprise logs the user on at the computer without an SGN password. In this case automatic Windows logon is switched off and the Windows logon screen is displayed. The user cannot log on because they do not know the SGN password (= Windows password). "YES" allows automatic logon and the user is able to move on from the Windows logon screen.
Information text: Displays an information text when the Challenge button is pressed in the POA. Information texts can include, e.g. "Please contact Support Desk on telephone number 01234-56789." Prior to specifying a text here, you must create it as a text file in the policy navigation area under Information text.
IMAGES
Prerequisite: New images must be registered in the policy navigation area of the SafeGuard Management Center under Images. The images will only be available after registration. Supported formats: .BMP, PNG, JPEG.
Background image in POA: Swaps the blue background bitmap with the SafeGuard design for the background of your choice. Customers might for example use the company logo in POA and at Windows logon. Maximum file size for all background bitmaps: 500 KB. Resolution: 1024x768 (VESA mode). Colors: unlimited.
Background image in POA (low resolution): Resolution: 640x480 (VGA mode). Colors: 16 colors.
Logon image in POA: Swaps the SafeGuard Enterprise bitmap displayed in the POA logon dialog. For example, the company logo can be displayed in this dialog. Resolution: 413 x 140 pixels. Colors: unlimited.
Logon image in POA (low resolution): Resolution: 413 x 140 pixels. Colors: 16.
15.2 Authentication
The way users log on to their workstation (with or without token) is determined in a policy of type Authentication.
ACCESS
Users may only boot from hard disk: Determines whether users may start the PC from the hard drive and/or another medium.
YES: Users can only boot from the hard disk. The POA does not offer the option to start the PC with a floppy disk or other external medium.
NO: Users may start the PC from hard disk, floppy disk or external medium (USB, CD etc.).
LOGON OPTIONS
Logon mode: Determines how a user needs to authenticate themselves at the POA.
- User ID/Password: The user may not log on with a token. Logon must be via user name and password in the POA.
- Token: The user can only log on to the POA using a token or smartcard. This process offers a higher level of security. The user is requested to insert the token at logon. User identity is verified by token ownership and PIN presentation. After the user has entered the correct PIN, SafeGuard Enterprise automatically reads the data for user logon.
Notice: Once this logon process has been selected, users can only log on using a previously issued token.
A combination of the above settings is allowed. To test whether logon using a token works, first select both settings. Only deselect logon mode User ID/Password if authentication using the token was successful.
- Fingerprint: Select this setting to enable logon with Lenovo Fingerprint Reader. Users to whom this policy applies can then log on with a fingerprint or a user name and password. This procedure provides the maximum level of security. When logging on, the user swipes his or her finger over the fingerprint reader. Upon successful recognition of the fingerprint, the Power-on Authentication process reads the user's credentials and logs the user on to Power-on Authentication. The system then transfers the credentials to Windows, and the user is logged on to the computer.
Notice: After selecting this logon procedure, the user can log on only with a pre-enrolled fingerprint or a user name and password. Token and fingerprint logon procedures cannot be combined on the same computer.
Logon options using token: Determines the type of token or smartcard to be used at the user PC.
- Non-cryptographic: Authentication at POA and Windows based on user credentials.
- Kerberos: Certificate-based authentication at POA and Windows. The SO issues a certificate in a PKI and stores it on the token. This certificate is imported as a user certificate into the SafeGuard Enterprise database. If an automatically generated certificate already exists in the database, it is replaced by the imported certificate.
Hint: Challenge/Response is not possible with a token supporting Kerberos as no user credentials are provided in the POA that could be used for a Challenge/Response procedure.
PIN used for autologon with token: Specify a default PIN to enable the user to automatically log on at the Power-on Authentication using a token or smartcard. The user is requested to insert the token at logon and is then passed through the Power-on Authentication. Windows will be started. PIN rules do not need to be observed.
Notice:
- This option is only available if Token has been selected as Logon mode.
- If this option is activated, then Pass-through to Windows must be set to Disable pass-through to Windows.
Display unsuccessful logons for this user: Displays (setting: YES) after logon at POA and Windows a dialog showing information on the last failed logon (user name/date/time).
Display last user logon: Displays (setting: YES) after logon at POA and Windows a dialog showing information on the
- last successful logon (user name/date/time)
- last user credentials of the logged on user
Disable "forced logoff" in workstation lock: If users wish to exit the endpoint computer for a short time only, they can click Block workstation to block the computer for other users and unlock it with the user password. If this option is set to NO, the user who has locked the computer as well as an administrator can unlock it. If an administrator unlocks the computer, the currently logged on user is logged off automatically. Setting this field to YES changes this behavior. In this case, only the user can unlock the computer. The administrator cannot unlock it and the user will not be logged off automatically.
Note: This setting only takes effect under Windows XP.
Activate user/domain preselection:
YES: The POA saves the user name and domain of the last logged on user. Users therefore do not need to enter their user names every time they log on.
NO: The POA does not save the user name and the domain of the last logged on user.
Pass through to Windows:
- Let user choose freely: The user can decide by enabling/disabling this option in the POA logon dialog whether automatic logon at Windows is to be performed.
- Enforce pass-through to Windows: The user will always be automatically logged on to Windows.
- Disable pass-through to Windows: After the POA logon, the Windows logon dialog will be displayed. The user has to log on to Windows manually.
Note: For the user to be able to grant other users access to their computer, the user has to be permitted to deactivate logon pass-through to Windows.
Service Account List: To prevent administrative operations on a SafeGuard Enterprise protected computer from leading to an activation of the Power-on Authentication and the addition of rollout operators as users to the computer, SafeGuard Enterprise offers the possibility of creating service account lists for SafeGuard Enterprise endpoint computers. The users included in these lists are thereby treated as SafeGuard Enterprise guest users. Prior to selecting a list here you first have to create the lists in the Policies navigation area under Service Account Lists.
BitLocker Options
BitLocker Logon mode: You can select from the following options for the BitLocker logon mode.
- TPM: The key for logon is stored on the TPM chip.
- TPM + PIN: The key for logon is stored on the TPM chip and a PIN is also required for logon. Settings for the PIN are given under PIN and password.
- USB Memory Stick: The key for logon is stored on a USB stick.
- TPM + USB Memory Stick: The key for logon is stored on the TPM chip and on a USB stick. Logon can either be with the TPM chip or USB stick.
BitLocker Fallback Logon mode: In case logon fails, SafeGuard Enterprise offers logon with USB stick as a fallback mechanism or an error message output.
Note: If you select USB Memory Stick as the logon mode, this option is not offered.
TPM platform validation profile
If a TPM can be found on the endpoint computer, it can be configured which type of TPM platform validation profile should be used.
The TPM platform validation profile specifies the measurements that are used to protect BitLocker encryption keys.
A platform validation profile consists of a set of Platform Configuration Register (PCR) indices.
Microsoft recommends using the default TPM platform validation profile in Windows Vista, which secures the encryption key against changes to the following:
- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
- Option ROM Code (PCR 2)
- Master Boot Record (MBR) Code (PCR 4)
- NTFS Boot Sector (PCR 8)
- NTFS Boot Block (PCR 9)
- Boot Manager (PCR 10)
- BitLocker DE Access Control (PCR 11)
Note: This option is only available if you select TPM as logon mode. If USB Memory Stick is the selected logon mode, this option is not offered.
For further information on the TPM validation profile follow this link: http://msdn2.microsoft.com/en-us/library/aa376469.aspx
FAILED LOGONS
Maximum no. of failed logons
Determines how many times a user can attempt to log on using an invalid user name or password. After incorrectly entering a user name or password three times in a row, for instance, a fourth attempt will trigger the “Response to a failed logon” setting.
Display “Logon failed” messages in POA
Defines the level of detail for messages on failed logons:
- Standard: Shows a short description.
- Verbose: Displays more detailed information.
Reaction to failed logons
Lock machine: Determines whether the PC is locked after failed attempts to log on. The computer lock can be lifted by an administrator who must reboot the PC and log on. In this context, also take the Windows user lock into consideration.
TOKEN OPTIONS
Action if token logon status is lost
Defines the behavior after removing the token from the computer. Possible actions include:
- Lock Computer
- Present PIN dialog
- No Action
Allow unblocking of token
Determines whether the token may be unblocked at logon.
LOCK OPTIONS
Lock screen after X minutes inactivity
Determines the time after which an unused desktop is automatically locked. The default value is 0 minutes, in which case the desktop will not be locked.
Lock screen at token removal
Determines whether the screen is locked if a token is removed during a session.
Lock screen after resume
Determines whether the screen is locked if the computer is reactivated from standby mode.
15.3 Creating forbidden PIN lists for use in policies
For policies of the type PIN, a list of forbidden PINs can be created to define character sequences which must not be used in PINs.
Note: In the lists, forbidden PINs are separated by a space or line break.
The text files containing the required information have to be created prior to registering them in the SafeGuard Management Center. The maximum file size for text files is 50 KB. SafeGuard Enterprise only uses Unicode UTF-16 coded texts. If you do not create the text files in this format, they will be automatically converted upon registration.
In case of a conversion process, a message will be displayed indicating that the file is being converted.
To register text files, do the following:
1. In the policy navigation area, right-click Information text and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the previously created text file. If the file needs to be converted, a message will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Information text in the policy navigation area. If you select a text item, its contents will be displayed in the window on the right-hand side. The text item can now be selected when creating policies.
Proceed as described to register further text items. All registered text items will be shown as subnodes.
Note: Using the Modify Text button, you can add new text to existing text. When clicking this button, a dialog is displayed for selecting another text file. The text contained in this file will be appended at the end of the existing text.
15.4 Syntax rules for PINs
PINs can contain numbers, letters and special characters (e.g. + - ; etc.). However, when issuing a new PIN, do not use any character entered with the combination ALT + <character>, as this input mode is not available at Power-on Authentication. Rules for PINs used to log on to the system are defined in policies of the type PIN.
Note: If password rules have been defined in the SafeGuard Management Center, no rules should be defined in Active Directory.
Policy setting
Explanation
RULES
Min. PIN length
Displays how many characters a PIN must comprise when changed by the user. The required value can be entered directly or increased/reduced using the arrow keys.
Max. PIN length
Displays the maximum number of characters a PIN may comprise when changed by the user. The required value can be entered directly or increased/reduced using the arrow keys.
Min. number of letters
Min. number of digits
Min. number of special characters
This setting specifies that a PIN may not consist exclusively of letters, numbers or special characters, but must consist of a combination of at least two (e.g. 15flower). This setting is only practical if a minimum PIN length of greater than 2 has been defined.
Case sensitive
This setting is only effective with Use forbidden PIN list and User name as PIN forbidden.
Case 1: You have entered “board” in the list of forbidden PINs. If the Case sensitive option is set to YES, additional password variants such as BOARD, BoaRD will not be accepted and logon will be denied.
Case 2: “EMaier” is entered as a user name. If option Case sensitive is set to YES and option User name as PIN forbidden is set to NO, user EMaier cannot use any variant of this user name (e.g. “emaier” or “eMaiER”) as a PIN.
Keyboard row forbidden
Consecutive key sequences include e.g. “123” or “qwe”. A maximum of two adjacent characters on the keyboard is allowed. Consecutive key sequences relate only to the alphanumerical keyboard area.
Keyboard column forbidden
Refers to keys arranged consecutively in columns on the keyboard such as “yaq1”, “xsw2” or “3edc” (but not “yse4”, “xdr5” or “cft6”!). A maximum of two adjacent symbols in a single keyboard column is permitted. If you disallow keyboard columns, combinations like these are rejected as PINs. Consecutive key sequences relate only to the alphanumerical keyboard area.
3 or more consecutive characters forbidden
Activation of this option disallows key sequences
- which are consecutive series of ASCII code symbols in both ascending and descending order (“abc”; “cba”; “;<” etc.).
- which consist of three or more identical symbols (“aaa” or “111”).
User name as PIN forbidden
Determines whether user name and PIN may be identical.
YES: Users may use their Windows user names as PINs.
NO: Windows user name and PIN must be different.
Use forbidden PIN list
Determines whether certain character sequences must not be used for PINs. The character sequences are stored in the list of forbidden PINs (e.g. a .txt file).
List of forbidden PINs
Defines character sequences which must not be used for PINs. If a user uses a forbidden PIN, an error message will be displayed.
Important prerequisite:
A list (file) of forbidden PINs must be registered in the Management Center in the policies navigation area under Information text. The list is only available after registration.
Maximum file size: 50 KB
Supported format: Unicode
Defining forbidden PINs
In the list, forbidden PINs are separated by a space or line break.
Wildcard: The wildcard character “*” can represent any character and any number of characters in a PIN. Therefore *123* means that any series of characters containing 123 will be disallowed as a PIN.
Notice:
- If the list contains only a wildcard, the user will no longer be able to log on to the system after a forced password change.
- Users must not be permitted to access the file.
- Option Use forbidden PIN list must be activated.
CHANGES
PIN change after min. (days)
Determines the period during which a PIN may not be changed. This setting prevents the user from changing a PIN too many times within a specific period.
Example:
User Miller defines a new PIN (e.g. “13jk56”). The minimum change interval for this user (or the group to which this user is assigned) is set to five days. After two days the user wants to change the PIN to “13jk56”. The PIN change is rejected because Mrs. Miller may only define a new PIN after five days have passed.
PIN change after max. (days)
If the maximum period of validity is activated, the user has to define a new PIN after the set period has expired.
Notify of forced change before (days)
A warning message is displayed “n” days before PIN expiry, reminding the user to change their PIN in “n” days. Alternatively, the user may change the PIN immediately.
GENERAL
PIN history length
Determines when previously used PINs can be reused. It makes sense to define the history length in conjunction with the PIN change after max. (days) setting.
Example:
The PIN history length for user Miller is set to 4, and the number of days after which the user must change their PIN is 30. Mr. Miller is currently logging on using the PIN “Informatics”. After the 30 day period expires, he is asked to change his PIN. Mr. Miller types in “Informatics” as the new PIN and receives an error message that this PIN has already been used and he needs to select a new PIN. Mr. Miller cannot use PIN “Informatics” until after the fourth request to change the PIN (in other words, PIN history length = 4).
15.5 Creating forbidden password list for use in policies
For policies of the type Password, a list of forbidden passwords can be created to define character sequences which must not be used in passwords.
Note: In the lists, forbidden passwords are separated by line breaks.
The text files containing the required information have to be created prior to registering them in the SafeGuard Management Center. The maximum file size for text files is 50 KB. SafeGuard Enterprise only uses Unicode UTF-16 coded texts. If you do not create the text files in this format, they will be automatically converted upon registration.
In case of a conversion process, a message will be displayed indicating that the file is being converted.
To register text files, do the following:
1. In the policy navigation area, right-click Information text and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the previously created text file. If the file needs to be converted, a message will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Information text in the policy navigation area. If you select a text item, its contents will be displayed in the window on the right-hand side. The text item can now be selected when creating policies.
Proceed as described to register further text items. All registered text items will be shown as subnodes.
Note: Using the Modify Text button, you can add new text to existing text. When clicking this button, a dialog is displayed for selecting another text file. The text contained in this file will be appended at the end of the existing text.
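The list file format from 15.3 and 15.5 (UTF-16 text, 50 KB limit, entries separated by a space or line break for PIN lists and by line breaks only for password lists) together with the “*” wildcard and the Case sensitive semantics described under List of forbidden PINs in 15.4, as an added Python example that is not SafeGuard Enterprise code; the function names and the sample entries are this example's own assumptions.

```python
import re

MAX_LIST_BYTES = 50 * 1024  # "The maximum file size for text files is 50 KB"


def encode_forbidden_list(entries):
    """Join entries with line breaks and encode them as UTF-16 (with BOM).

    Python's "utf-16" codec writes a byte-order mark, so the file is
    recognised as Unicode and needs no conversion on registration.
    A list larger than 50 KB is refused here rather than at import time.
    """
    data = "\n".join(entries).encode("utf-16")
    if len(data) > MAX_LIST_BYTES:
        raise ValueError(f"list is {len(data)} bytes, limit is {MAX_LIST_BYTES}")
    return data


def write_forbidden_list(path, entries):
    """Write the encoded list to disk; returns the number of bytes written."""
    data = encode_forbidden_list(entries)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def load_forbidden_list(data, kind="password"):
    """Decode a registered list and split it into entries.

    kind="pin": entries are separated by a space or a line break (15.3).
    kind="password": entries are separated by line breaks only (15.5),
    so a forbidden password may itself contain spaces.
    """
    text = data.decode("utf-16")
    if kind == "pin":
        entries = text.split()
    elif kind == "password":
        entries = text.splitlines()
    else:
        raise ValueError("kind must be 'pin' or 'password'")
    return [entry for entry in entries if entry]


def entry_to_regex(entry, case_sensitive=False):
    """Turn one list entry into a compiled regular expression.

    '*' stands for any character and any number of characters, so
    '*123*' rejects every value that contains 123; everything else is
    literal. Following the Case sensitive semantics in the policy table,
    YES means that variants differing only in case (board, BOARD, BoaRD)
    are rejected too, which is an IGNORECASE match.
    """
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    flags = re.IGNORECASE if case_sensitive else 0
    return re.compile(pattern, flags)


def is_forbidden(candidate, entries, case_sensitive=False):
    """True if the candidate PIN/password matches any entry of the list."""
    return any(
        entry_to_regex(entry, case_sensitive).fullmatch(candidate) is not None
        for entry in entries
    )


def lint_forbidden_list(entries):
    """Return entries that would lock users out after a forced change.

    The page warns that a list containing only a wildcard leaves the user
    unable to log on: an entry consisting solely of '*' characters matches
    every possible value, so such entries are reported before registration.
    """
    return [entry for entry in entries if set(entry) == {"*"}]


if __name__ == "__main__":
    # Constructed sample list (not from the page) written as a PIN list.
    sample = ["board", "*123*", "password"]
    print(lint_forbidden_list(sample + ["*"]))   # ['*']
    blob = encode_forbidden_list(sample)
    print(load_forbidden_list(blob, kind="pin"))
    print(is_forbidden("abc123xyz", sample), is_forbidden("BoaRD", sample, True))
```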
15.6 Syntax rules for passwords
Passwords can contain numbers, letters and special characters (e.g. + - ; etc.). However, when issuing a new password, do not use any character entered with the combination ALT + <character>, as this input mode is not available at Power-on Authentication. Rules for passwords used to log on to the system are defined in policies of the type Password.
Note: If password rules have been defined in the SafeGuard Enterprise Management Center, no rules should be defined in Active Directory.
Policy setting
Explanation
RULES
Min. password length
Displays how many characters a password must comprise when changed by the user. The required value can be entered directly or increased/reduced using the arrow keys.
Max. password length
Displays the maximum number of characters a password may comprise when changed by the user. The required value can be entered directly or increased/reduced using the arrow keys.
Min. number of letters
Min. number of digits
Min. number of special characters
This setting specifies that a password may not consist exclusively of letters, numbers or special characters, but must consist of a combination of at least two (e.g. 15flower). This setting is only practical if a minimum password length of greater than 2 has been defined.
Case sensitive
This setting is only effective with Use forbidden password list and User name as password forbidden.
Case 1: You have entered “board” in the list of forbidden passwords. If the Case sensitive option is set to YES, additional password variants such as BOARD, BoaRD will not be accepted and logon will be denied.
Case 2: “EMaier” is entered as a user name. If option Case sensitive is set to YES and option User name as password forbidden is set to NO, user EMaier cannot use any variant of this user name (e.g. “emaier” or “eMaiER”) as a password.
Keyboard row forbidden
Consecutive key sequences include e.g. “123” or “qwe”. A maximum of two adjacent characters on the keyboard is allowed. Consecutive key sequences relate only to the alphanumerical keyboard area.
Keyboard column forbidden
Refers to keys arranged consecutively in columns on the keyboard such as “yaq1”, “xsw2” or “3edc” (but not “yse4”, “xdr5” or “cft6”!). A maximum of two adjacent symbols in a single keyboard column is permitted. If you disallow keyboard columns, combinations like these are rejected as passwords. Consecutive key sequences relate only to the alphanumerical keyboard area.
3 or more consecutive characters forbidden
Activation of this option disallows key sequences
- which are consecutive series of ASCII code symbols in both ascending and descending order (“abc”; “cba”; “;<” etc.).
- which consist of three or more identical symbols (“aaa” or “111”).
User name as password forbidden
Determines whether user name and password may be identical.
YES: Windows user name and password must be different.
NO: Users may use their Windows user names as passwords.
Use forbidden password list
Determines whether certain character sequences must not be used for passwords. The character sequences are stored in the list of forbidden passwords (e.g. a .txt file).
List of forbidden passwords
Defines character sequences which must not be used for passwords. If a user uses a forbidden password, an error message will be displayed.
Important prerequisite:
A list (file) of forbidden passwords must be registered in the Management Center in the policies navigation area under Information text. The list is only available after registration.
Maximum file size: 50 KB
Supported format: Unicode
Defining forbidden passwords
In the list, forbidden passwords are separated by a line break.
Wildcard: The wildcard character “*” can represent any character and any number of characters in a password. Therefore *123* means that any series of characters containing 123 will be disallowed as a password.
Note:
- If the list contains only a wildcard, the user will no longer be able to log on to the system after a forced password change.
- Users must not be permitted to access the file.
- Option Use forbidden password list must be activated.
User password synchronization to other SGN Clients
This field determines the procedure for synchronizing passwords when users who work on several SafeGuard Enterprise user PCs, and are defined as users on these computers, change their passwords. The following options are available:
- Slow (wait for user to log on): If a user changes their password on a SafeGuard Enterprise endpoint computer and intends to log on to another computer on which the user is also registered, they have to log on using their old password at the Power-on Authentication first. Password synchronization will only be performed after logging on using the old password first.
- Fast (wait for machine to connect): If a user changes their password on a SafeGuard Enterprise endpoint computer, password synchronization with other computers on which the user is also registered will be performed as soon as the other computer has established a connection to the server. This is for example the case when another user, who is also registered as a user on the computer, logs on to the computer in the meantime.
CHANGES
Password change allowed after min. (days)
Determines the period during which a password may not be changed. This setting prevents the user from changing a password too many times within a specific period. If the user is forced to change their password by Windows, or if the user changes their password after a warning message has been displayed stating that the password will expire in x days, this setting will not be evaluated!
Example:
User Miller defines a new password (e.g. “13jk56”). The minimum change interval for this user (or the group to which this user is assigned) is set to five days. After two days the user wants to change the password to “13jk56”. The password change is rejected because Mrs. Miller may only define a new password after five days have passed.
Password expires after (days)
If the maximum period of validity is activated, the user has to define a new password after the set period has expired.
Notify of forced change before (days)
A warning message is displayed “n” days before password expiry, reminding the user to change their password in “n” days. Alternatively, the user may change the password immediately.
GENERAL
Password history length
Determines when previously used passwords can be reused. It makes sense to define the history length in conjunction with the Password expires after (days) setting.
Example:
The password history length for user Miller is set to 4, and the number of days after which the user must change their password is 30. Mr. Miller is currently logging on using the password “Informatics”. After the 30 day period expires, he is asked to change his password. Mr. Miller types in “Informatics” as the new password and receives an error message that this password has already been used and he needs to select a new password. Mr. Miller cannot use password “Informatics” until after the fourth request to change the password (in other words, password history length = 4).
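The RULES and GENERAL settings of the PIN policy in 15.4 and the password policy in 15.6 (length, character classes, keyboard row and column runs, consecutive or identical characters, user name as PIN, history length), as an added Python checker that is not SafeGuard Enterprise code; it lets an administrator try candidate values against a planned policy. It assumes the German QWERTZ layout that the page's column examples (“yaq1”, “xsw2”, “3edc”) come from, and the PinPolicy field names are this example's own.

```python
from dataclasses import dataclass

# Alphanumeric area of a German (QWERTZ) keyboard; the column examples on this
# page ("yaq1", "xsw2", "3edc") come from that layout. Assumption: replace the
# rows with those of the layout your endpoints actually use.
KEYBOARD_ROWS = ("1234567890", "qwertzuiop", "asdfghjkl", "yxcvbnm")
# Keyboard columns are the rows read top-down at the same key index:
# "1qay", "2wsx", "3edc", ... (the page's "yaq1" is "1qay" read bottom-up).
KEYBOARD_COLUMNS = tuple(
    "".join(row[i] for row in KEYBOARD_ROWS if i < len(row))
    for i in range(len(KEYBOARD_ROWS[0]))
)


@dataclass
class PinPolicy:
    """The RULES / GENERAL settings of a PIN or password policy (names are ours)."""
    min_length: int = 4
    max_length: int = 20
    min_letters: int = 0
    min_digits: int = 0
    min_special: int = 0
    case_sensitive: bool = False        # YES: case variants of the user name are rejected too
    keyboard_row_forbidden: bool = True
    keyboard_column_forbidden: bool = True
    consecutive_forbidden: bool = True  # "3 or more consecutive characters forbidden"
    username_forbidden: bool = True     # "User name as PIN forbidden"
    history_length: int = 0             # 0 disables the history check


def _has_keyboard_run(value, lines):
    """Three characters lying consecutively on one key line, in either direction.

    Two adjacent keys are allowed, three are not: "qwe" and "yaq" are runs,
    "yse" (a diagonal) is not. Matching ignores case, as key caps do.
    """
    v = value.lower()
    for i in range(len(v) - 2):
        window = v[i:i + 3]
        if any(window in line or window in line[::-1] for line in lines):
            return True
    return False


def _has_ascii_run(value):
    """Three characters with consecutive ASCII codes, ascending ("abc"),
    descending ("cba"), or identical ("aaa", "111")."""
    for i in range(len(value) - 2):
        a, b, c = (ord(ch) for ch in value[i:i + 3])
        if b - a == c - b and abs(b - a) <= 1:  # constant step of +1, -1 or 0
            return True
    return False


def check_pin(value, policy, username="", history=()):
    """Return the list of violated rules; an empty list means the PIN is accepted."""
    errors = []
    letters = sum(ch.isalpha() for ch in value)
    digits = sum(ch.isdigit() for ch in value)
    special = len(value) - letters - digits

    if len(value) < policy.min_length:
        errors.append("shorter than Min. PIN length")
    if len(value) > policy.max_length:
        errors.append("longer than Max. PIN length")
    if letters < policy.min_letters:
        errors.append("fewer than Min. number of letters")
    if digits < policy.min_digits:
        errors.append("fewer than Min. number of digits")
    if special < policy.min_special:
        errors.append("fewer than Min. number of special characters")
    # The Min. number settings also require a mix of at least two character
    # classes (the page's "15flower" example); we apply that rule only once
    # one of them is set, since the page calls it impractical otherwise.
    if (policy.min_letters or policy.min_digits or policy.min_special) \
            and sum(1 for n in (letters, digits, special) if n) < 2:
        errors.append("consists of a single character class")

    if policy.keyboard_row_forbidden and _has_keyboard_run(value, KEYBOARD_ROWS):
        errors.append("Keyboard row forbidden")
    if policy.keyboard_column_forbidden and _has_keyboard_run(value, KEYBOARD_COLUMNS):
        errors.append("Keyboard column forbidden")
    if policy.consecutive_forbidden and _has_ascii_run(value):
        errors.append("3 or more consecutive characters forbidden")

    # Page semantics: Case sensitive = YES rejects "emaier" and "eMaiER" for
    # user EMaier as well, i.e. the comparison then ignores case.
    if policy.username_forbidden and username:
        same = (value.lower() == username.lower()) if policy.case_sensitive \
            else value == username
        if same:
            errors.append("User name as PIN forbidden")

    # PIN history length: the last N PINs may not be reused.
    if policy.history_length and value in list(history)[-policy.history_length:]:
        errors.append("PIN history length")
    return errors


if __name__ == "__main__":
    policy = PinPolicy(min_length=6, min_letters=1, min_digits=1, history_length=4)
    for candidate in ("13jk56", "qwe123", "yaq1ab", "yse4ab", "Informatics"):
        print(candidate, check_pin(candidate, policy, history=["Informatics"]))
```

The same checks apply unchanged to password policies in 15.6, which define the identical rule set.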
15.7 Passphrase for SafeGuard Data Exchange
The user must enter a passphrase for secure data exchange via SafeGuard Data Exchange, which is used to generate local keys. The keys generated on the endpoint computers are also stored in the SafeGuard Enterprise database. The requirements are defined in policies of the type Passphrase.
For further details on SafeGuard Data Exchange and SafeGuard Portable refer to the SafeGuard Enterprise User help.
Policy setting
Explanation
RULES
Min. passphrase length
Defines the minimum number of characters for the passphrase from which the key is generated. The required value can be entered directly or increased/reduced using the arrow keys.
Max. passphrase length
Defines the maximum number of characters for the passphrase. The required value can be entered directly or increased/reduced using the arrow keys.
Min. number of letters
Min. number of digits
Min. number of special characters
This setting specifies that a passphrase may not consist exclusively of letters, numbers or symbols, but must consist of a combination of at least two (e.g. 15flower). This setting is only practical if a minimum passphrase length of greater than 2 has been defined.
Case sensitive
This setting is effective when User name as passphrase forbidden is active.
Example: “EMaier” is entered as a user name. If the option Case sensitive is set to YES and User name as passphrase forbidden is set to NO, user EMaier cannot use any variant of this user name (e.g. emaier or eMaiER) as a passphrase.
Keyboard row forbidden
Consecutive key sequences include e.g. “123” or “qwe”. A maximum of two adjacent characters on the keyboard is allowed. Consecutive key sequences relate only to the alphanumerical keyboard area.
Keyboard column forbidden
Refers to keys arranged consecutively in columns on the keyboard such as “yaq1”, “xsw2” or “3edc” (but not “yse4”, “xdr5” or “cft6”!). A maximum of two adjacent characters in a single keyboard column is permitted. If you disallow keyboard columns, these combinations are rejected for passphrases. Consecutive key sequences relate only to the alphanumerical keyboard area.
3 or more consecutive characters forbidden
Activation of this option disallows key sequences
- which are consecutive series of ASCII code symbols in both ascending and descending order (“abc”; “cba”; “;<” etc.).
- which consist of three or more identical symbols (“aaa” or “111”).
User name as passphrase forbidden
Determines whether the user name and passphrase may be identical.
YES: Windows user name and passphrase must be different.
NO: Users may use their Windows user names as passphrases.
15.8 Device Protection
The core of SafeGuard Enterprise is the encryption of data on different data storage devices. Encryption can be volume or file based, with different keys and algorithms. Policies of the type Device Protection also include settings for SafeGuard Data Exchange and SafeGuard Portable.
For further details on SafeGuard Data Exchange and SafeGuard Portable refer to the SafeGuard Enterprise User help.
Policy setting
Explanation
Media encryption mode
Used to protect devices (PCs, Notebooks and PDAs) and all types of removable media.
The primary objective is to encrypt all data stored on local or external storage devices. The transparent operating method enables users to continue to use their usual applications, e.g. Microsoft Office, as usual.
Transparent encryption means that all encrypted data (whether in encrypted directories or volumes) is automatically decrypted in the main memory as soon as it is opened in a program. A file is automatically re-encrypted when it is saved.
The following options are available:
- No Encryption
- Volume based (= transparent, sector based encryption): Ensures that all data is encrypted (incl. boot files, swap files, idle files/hibernation files, temporary files, directory information etc.) without the user having to change normal operating procedures or consider security.
Note: If an encryption policy exists for a volume or a volume type and encryption of the volume fails, the user is not allowed to access it.
Windows 7 System Partition: Note that for Windows 7 Professional, Enterprise and Ultimate, a system partition is created on endpoint computers without a drive letter assigned. This system partition cannot be encrypted by SafeGuard Enterprise.
Access to Unidentified File System Objects: Unidentified File System Objects (UFOs) are volumes that cannot be clearly identified as plain or device-encrypted by SafeGuard Enterprise. If an encryption policy exists for an Unidentified File System Object, access to this volume will be denied. If no encryption policy exists, the user can access the volume.
Note: If an encryption policy with Key to be used for encryption set to an option that enables key selection (e.g. Any key in user key ring) exists for an Unidentified File System Object volume, there is a period of time between the key selection dialog being displayed and access being denied. During this time period the volume can be accessed. As long as the key selection dialog is not confirmed, the volume is accessible. To avoid this, specify a preselected key for encryption (see description of policy setting Key to be used for encryption).
Furthermore, this period of time also occurs for Unidentified File System Object volumes connected to an endpoint computer if the user has already opened files on the volume when an encryption policy takes effect. In this case, it cannot be guaranteed that access to the volume will be denied, as this could lead to data loss.
Volumes with enabled Autorun functionality: If Autorun is enabled for a volume for which an encryption policy exists, the following problems can occur:
- The volume is not encrypted.
- If the volume is a UFO, access is not denied.
Access to BitLocker To Go encrypted volumes: If SafeGuard Enterprise is used with BitLocker To Go support enabled and a SafeGuard Enterprise encryption policy exists for a BitLocker To Go encrypted volume, access to the volume will be denied. If no SafeGuard Enterprise encryption policy exists, the user can access the volume.
Note: If the Autorun settings for a BitLocker To Go encrypted USB stick are set to the default values, it can occur that access will not be denied although a SafeGuard Enterprise encryption policy exists. This only occurs under Windows Vista.
For further information on BitLocker To Go, see SafeGuard Enterprise and BitLocker To Go on page 278.
- File based (= transparent, file based encryption (Smart Media Encryption)): Ensures that all data is encrypted (apart from boot medium and directory information), with the benefit that even optical media such as CD/DVD can be encrypted, or data can be exchanged with external computers on which SafeGuard is not installed (provided policies permit).
Note: Data encrypted using “File based encryption” cannot be compressed. Nor can compressed data be file based encrypted.
Boot volumes will never be file-based encrypted. They will be automatically exempt from file-based encryption, even if a corresponding rule is defined.
GENERAL SETTINGS
Algorithm to be used for encryption
Sets the encryption algorithm. List of all usable algorithms with their respective key lengths:
- AES256: 32 bytes (256 bits)
- AES128: 16 bytes (128 bits)
- AES256 with diffuser
- AES128 with diffuser
Key to be used for encryption
Defines which key is used for encryption. You can define specific keys (e.g. machine key or a defined key) or you can allow the user to select a key. You can also restrict the keys which a user is allowed to use.
The following options are available:
- Any key in user key ring: All keys from a user's key ring are displayed and the user can select any one of them.
Note: This option has to be selected if you define a policy for file based encryption for an unmanaged endpoint computer protected by SafeGuard Enterprise (standalone).
- Any key in user key ring except user key: All except user keys from a user's key ring are displayed and the user can select any one of them.
- Any group key in user key ring: All group keys from a user's key ring are displayed and the user can select any one of them.
- Defined machine key: The machine key is used; the user CANNOT select a key.
Notice: This option has to be selected if you define a policy for volume based encryption for an unmanaged endpoint computer protected by SafeGuard Enterprise (standalone mode). If you nevertheless select Any key in user key ring and the user selects a locally created key for volume based encryption, access to this volume will be denied.
- Any key in key ring, except locally created keys: All except locally generated keys from a key ring are displayed and the user can select any one of them.
- Defined key on list: The administrator can select any available key when setting policies in the Management Center.
The key has to be selected under Defined key for encryption.
Notice: If option Defined machine key is used
If SafeGuard Enterprise Device Encryption is not installed on an endpoint computer (no POA, no volume based encryption), a policy defining the Defined machine key as the key to be used for file based encryption will not become effective on this computer. The defined machine key is not available on a computer of this type. The data cannot be encrypted.
Policies for unmanaged endpoint computers protected by SafeGuard Enterprise (standalone):
Note that only option Any key in user key ring can be used when creating policies for unmanaged endpoint computers. In addition, creating local keys must be allowed for this type of endpoint computer.
In case the media passphrase feature is activated for unmanaged endpoint computers, the Media Encryption Key is automatically used as Defined key for encryption, since no group keys are available on unmanaged endpoint computers. Selecting another key under Defined key for encryption when creating a removable media policy for unmanaged endpoint computers will have no effect.
Defined key for encryption
This field is only active if you have selected option Defined key on list in the Key to be used for encryption field. Click [...] to display the Find Keys dialog. Click Find now to search for keys and select a key from the list displayed.
For a policy of type Device Protection with target Removable Media, this key is used to encrypt the Media Encryption Key when the media passphrase functionality is enabled (User may define a passphrase for a device: Yes).
For Device Protection policies for removable media, the settings
- Key to be used for encryption
- Defined key for encryption
therefore have to be specified independently from each other.
Policies for unmanaged endpoint computers protected by SafeGuard Enterprise (standalone):
In case the media passphrase feature is activated for unmanaged endpoint computers, the Media Encryption Key is automatically used as Defined key for encryption, since no group keys are available on unmanaged endpoint computers.
User is allowed to create a local key
This setting determines whether the user can generate a local key on their computer or not.
Local keys are generated on the endpoint computer based on a passphrase entered by the user. The passphrase requirements can be set in policies of the type Passphrase. These keys are also saved in the database. The user can use them on any computer they are logged on to.
Local keys can be used for secure data exchange via SafeGuard Data Exchange (SG DX).
VOLUME-BASED SETTINGS
Users may add or remove keys to or from encrypted volume
YES: Endpoint computer users may add/remove keys to/from a key ring. The dialog is displayed via the context menu command Encryption / Encryption tab.
NO: Endpoint computer users may not add additional keys.
Reaction to unencrypted
volumes
Defines how SafeGuard Enterprise handles unencrypted
media:
The following options are available:

Reject (= text medium is not encrypted)

Accept only blank media and encrypt

Accept all media and encrypt
User may decrypt volume
Allows the user to decrypt the volume via a context menu
command in Windows Explorer.
Fast initial encryption
Select this setting to enable the fast initial encryption mode
for volume-based encryption. This mode reduces the time
needed for initial encryption on endpoint computers.
Note: This mode may lead to a less secure state.
For further information, see Fast initial encryption on page
55.
Proceed on bad sectors
Specifies whether encryption should proceed or be stopped
in case bad sectors are detected. The default setting is YES.
FILE-BASED SETTINGS
Initial encryption of all files
Automatically starts initial encryption for a volume after
user logon. The user may need to select a key from the key
ring beforehand.
User may cancel initial encryption
Enables a user to cancel initial encryption.
User is allowed to access unencrypted files
Defines whether a user may access unencrypted data on a volume.
User may decrypt files
Enables a user to decrypt individual files or whole directories (via the right-click context menu of the Windows Explorer extension).
User may define a Media Passphrase for devices
Enables a user to define a media passphrase on their computer. The media passphrase gives easy access, via SafeGuard Portable, to all local keys in use on computers without SafeGuard Data Exchange.
Unhandled Applications
Allows applications to be defined which are to be ignored by the SafeGuard Enterprise filter driver and are thereby excluded from transparent encryption/decryption. Separate multiple applications with ';'.
A typical unhandled application is a backup program. To ensure that data is not decrypted when a backup is created, this application can be exempted from encryption/decryption. The data is then backed up in encrypted form.
Note: Since these are machine-specific settings, they are not applied until the endpoint computer is rebooted.
Defining unhandled applications
Typical use:
Backup programs can be defined as exempted so they will always be able to read and back up encrypted data in its encrypted form.
Applications which might malfunction when used alongside SafeGuard Enterprise, but do not require encryption, can be exempted from encryption. Bear in mind that an exempted application bypasses the filter driver in both directions: files it writes to the local storage device are not encrypted either.
An exempted application is specified by the full name of its executable file, optionally including path information.
Note: Unhandled applications can only be defined for local storage devices. For a global policy of the type Device Protection, the target Local Storage Devices must be selected. For all other targets, the option Unhandled Applications is not available.
Removable media only
Copy SG Portable to Removable Media
If this option is switched on, SafeGuard Portable is copied to any removable media connected to the endpoint computer.
SafeGuard Portable enables the exchange of encrypted data on removable media without the recipient having SafeGuard Enterprise installed. The recipient can decrypt the encrypted files using SafeGuard Portable and the corresponding passphrase, and can re-encrypt files with SafeGuard Portable or with the original key. SafeGuard Portable does not have to be installed or copied to the recipient's computer but can be used directly from the removable media.
Default initial encryption key
This field offers a dialog for selecting a key which is used for
file based initial encryption. If you select a key here, the user
cannot select a key when initial encryption starts. Initial
encryption starts without user interaction.
The key selected will always be used for initial encryption.
Example:
Prerequisite: A default key for initial encryption has been set.
When the user connects a USB device to the computer, initial encryption starts automatically with the defined key. The user does not have to intervene.
If the user afterwards wants to re-encrypt files or save new files on the USB device, they can select any key (if allowed and available). If the user connects a different USB device, the key defined for initial encryption will be used again. This key will also be used for all encryption processes that follow until the user explicitly selects a different key.
Note: If the media passphrase feature has been activated, this option is deactivated. The Defined key for encryption will be used.
Plaintext folder
The folder specified here is created on every removable medium. Files copied to this folder always remain unencrypted.
15.9 Specific machine settings - basic settings
Policy setting
Explanation
POWER-ON AUTHENTICATION (POA)
Enable Power-on Authentication
Defines whether the POA is permanently switched on or off.
Note: For security reasons we strongly recommend keeping the POA switched on. Deactivating the POA reduces system security to Windows logon security and increases the risk of unauthorized access to encrypted data.
Forbid guest user
Defines whether a guest user is permitted to log on to Windows.
Access denied if no connection to the server (days) (0 = no check)
Refuses POA logon if the PC has not been connected to the server for longer than the set number of days.
Only assigned user may log on
Defines whether a user is entitled to log on to Windows.
YES: Only users recognized in POA can log on.
NO: Users not recognized in POA can log on.
Import of new users allowed for
Determines who may add another user to the POA: either only the machine owner, or any user already present in the POA.
Secure Wake On LAN (WOL)
The Secure Wake On LAN policy enables the endpoint computer to prepare for software rollouts: the necessary parameters, such as temporary deactivation of the POA and a time interval for Wake On LAN, are imported directly into and evaluated by the endpoint computer. The rollout team can design a scheduling script using the commands provided to guarantee maximum endpoint computer protection despite the deactivated POA.
Please be advised that deactivating the POA, even for a limited number of boot processes, reduces the level of security of your system.
EXAMPLE:
The software rollout team notifies the SafeGuard Enterprise security officer (SO) about a planned software rollout for 25 September 2010 between 03:00 and 06:00 am. Two reboots are required. The local software rollout agent must be able to log on to Windows.
The SO creates the following policy and assigns it to the corresponding endpoint computers:
Number of auto logons (0 = no WOL): 5
Windows logon permitted during WOL: Yes
Start of time slot for external WOL start: 24 Sept. 2010, 12:00 (midday)
End of time slot for external WOL start: 25 Sept. 2010, 06:00
The SO provides a buffer of 3 automatic logons on top of the 2 reboots required.
The SO sets the start of the time slot to 12 o'clock midday on the day before the software rollout so that the scheduling script SGMCMDIntn.exe can be started promptly and WOL is started no later than 25 September at 03:00 am.
The software rollout team produces two commands for the scheduling script:
- Starting 24 Sept. 2010, 12:15 pm: SGMCMDIntn.exe /WOLstart
- Starting 26 Sept. 2010, 09:00 am: SGMCMDIntn.exe /WOLstop
The software rollout script itself is scheduled for 25.09.2010, 03:00. WOL can be explicitly deactivated again at the end of the script using SGMCMDIntn.exe /WOLstop.
All endpoint computers that log on before 24 September 2010 and connect to the rollout servers receive the new policy and the scheduling commands.
On any endpoint computer on which the schedule triggers the command SGMCMDIntn.exe /WOLstart between 24 Sept. 2010, 12:00 midday and 25 Sept. 2010, 06:00 am, the start falls within the WOL time interval and Wake On LAN is therefore activated.
Number of auto logons
Defines the number of reboots during which Power-on Authentication is switched off for Wake On LAN.
This setting temporarily overrides the Enable Power-on Authentication setting until the number of automatic logons reaches the preset value. Power-on Authentication is then reactivated.
Example: the number of automatic logons is set to 2 and Enable Power-on Authentication is switched on. The PC boots twice without authentication via POA.
For Wake On LAN, we always recommend allowing three more reboots than necessary to overcome any unforeseen problems.
Windows logon allowed during WOL
Determines whether Windows logon is permitted during Wake On LAN, e.g. for a software update. This setting is interpreted by the POA.
Start of time slot for external WOL start
End of time slot for external WOL start
Date and time can be either selected or entered for the start and end of the Wake On LAN (WOL) time slot.
Date format: MM/DD/YYYY. Time format: HH:MM.
The following input combinations are possible:
- Defined start and end of WOL.
- End of WOL is defined, start is open.
- No entries: no time interval has been set.
In the event of a planned software rollout, the SO should set the timeframe for the WOL such that the scheduling script can be started early enough to allow all endpoint computers sufficient time for booting.
WOLstart: The starting point for the WOL in the scheduling script must be within the time interval set in the policy. If no interval is defined, WOL is not activated locally on the SafeGuard Enterprise protected endpoint computer.
WOLstop: This command is carried out irrespective of the end point set for the WOL.
Note: From version 5.20 a WOL setting only takes effect if a time interval has been defined. In the case of a version update this also means that WOL policies defined in version 5.10 will at first no longer be effective. After migration the security officer has to define a timeframe for these policies in addition.
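The rules above can be checked before a rollout rather than discovered on the night: WOLstart only takes effect inside the policy's time slot, an open start with a defined end is permitted, no slot (or 0 auto logons) means no WOL, and the auto-logon count should carry a buffer of three reboots. The following Python script is an added example, not part of the SafeGuard Enterprise product or documentation; its class and function names are this example's own, and the rollout values are those of the example above (two reboots, slot 24 Sept. 12:00 to 25 Sept. 06:00). It parses the policy's MM/DD/YYYY HH:MM format and reports whether a planned scheduling-script start would activate Wake On LAN and whether the number of auto logons covers the rollout.

```python
"""Pre-flight check for a Secure Wake On LAN rollout window.

Added example; not part of the SafeGuard Enterprise product or documentation.
It models the rules given for the WOL policy settings: WOLstart only takes
effect inside the time slot defined in the policy, an open start with a
defined end is allowed, no time slot at all (or 0 auto logons) means WOL is
never activated locally, and the auto-logon count should include a buffer of
three reboots. WOLstop needs no check: it is carried out regardless of the
slot. All names below are this example's own (hypothetical).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

WOL_REBOOT_BUFFER = 3                   # recommended spare reboots
POLICY_TIME_FORMAT = "%m/%d/%Y %H:%M"   # MM/DD/YYYY HH:MM, as entered in the policy


def parse_policy_time(text: str) -> datetime:
    """Parse a time slot boundary in the policy editor's date/time format."""
    return datetime.strptime(text, POLICY_TIME_FORMAT)


@dataclass
class WolPolicy:
    auto_logons: int                  # Number of auto logons (0 = no WOL)
    windows_logon_allowed: bool       # Windows logon allowed during WOL
    slot_start: Optional[datetime]    # Start of time slot (None = open start)
    slot_end: Optional[datetime]      # End of time slot (None = no slot defined)


def wolstart_effective(policy: WolPolicy, wolstart_at: datetime) -> bool:
    """Would 'SGMCMDIntn.exe /WOLstart' triggered at wolstart_at activate WOL?"""
    if policy.auto_logons <= 0:
        return False                  # 0 = no WOL
    if policy.slot_end is None:
        return False                  # since 5.20 a time slot is mandatory
    if policy.slot_start is not None and wolstart_at < policy.slot_start:
        return False                  # before the slot opens
    return wolstart_at <= policy.slot_end


def check_rollout(policy: WolPolicy, wolstart_at: datetime,
                  required_reboots: int, agent_needs_windows_logon: bool) -> List[str]:
    """Return the problems with a planned rollout; an empty list means the plan is consistent."""
    problems: List[str] = []
    if not wolstart_effective(policy, wolstart_at):
        problems.append("WOLstart falls outside the policy time slot, or WOL is not enabled")
    if policy.auto_logons < required_reboots:
        problems.append("POA is re-enabled before the rollout finishes: too few auto logons")
    elif policy.auto_logons < required_reboots + WOL_REBOOT_BUFFER:
        problems.append(f"fewer than the recommended {WOL_REBOOT_BUFFER} spare reboots")
    if agent_needs_windows_logon and not policy.windows_logon_allowed:
        problems.append("rollout agent needs Windows logon, but the policy forbids it during WOL")
    return problems


if __name__ == "__main__":
    # The scenario from the example above: slot 24 Sept. 12:00 to 25 Sept. 06:00,
    # two reboots needed, WOLstart scheduled for 24 Sept. 12:15 pm.
    policy = WolPolicy(5, True, parse_policy_time("09/24/2010 12:00"),
                       parse_policy_time("09/25/2010 06:00"))
    print(check_rollout(policy, parse_policy_time("09/24/2010 12:15"), 2, True))   # []
    # The same command at 12:15 am would precede the slot, and WOL would stay off.
    print(wolstart_effective(policy, parse_policy_time("09/24/2010 00:15")))       # False
```

Run it against every policy variant you intend to publish; the am/pm ambiguity in the second call is exactly the kind of slip that leaves the POA active on rollout night, and a policy migrated from 5.10 without a slot fails the first check.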
DISPLAY OPTIONS
Display machine identification
Displays either the computer name or a defined text in the
POA title bar.
If the Windows network settings include the machine name
this is automatically incorporated into the basic settings.
Machine identification text
The text to be displayed in the POA title bar.
If you have selected Defined name in the Display machine
identification field, you can enter the text in this input field.
Display legal notice
Displays a text box with a configurable content which is
displayed prior to authentication in the POA. In some
countries a text box with certain content must be displayed
by law.
The box needs to be confirmed by the user before the
system continues.
Prior to specifying a text, the text has to be registered as a
text item in the policy navigation area under Information
text.
Legal notice text
The text to be displayed as a legal notice.
In this field, you can select a text item registered under
Information text in the policy navigation area.
Display additional information
Displays a text box with configurable content which appears after the legal notice (if activated).
You can define whether the additional information is to be displayed:
- Never
- Every system start
- Every logon
Additional information text
The text to be displayed as additional information.
In this field, you can select a text item registered under
Information text in the policy navigation area.
Show for (sec.)
In this field you can define how long (in seconds) additional
information is to be displayed.
You can specify the number of seconds after which the text
box for additional information will be closed automatically.
The user can close the text box any time by clicking OK.
Enable and show the system tray icon
Via the SafeGuard Enterprise system tray icon the user can access all user functions quickly and easily on the endpoint computer. In addition, information about the endpoint computer status (new policies received, ...) can be displayed in balloon tool tips.
Yes: The system tray icon is displayed in the notification area of the taskbar and the user is continually informed via balloon tool tips about the status of the SafeGuard Enterprise protected endpoint computer.
No: The system tray icon is not displayed and no status information is shown to the user via balloon tool tips.
Silent: The system tray icon is displayed in the notification area of the taskbar, but no status information is shown to the user via balloon tool tips.
Show overlay icons in Explorer
Defines whether key symbols are shown in Windows Explorer to indicate the encryption status of volumes, devices, folders and files.
Virtual Keyboard in POA
Defines whether a virtual keyboard can be shown on request in the POA dialog for entering the password.
INSTALLATION OPTIONS
Uninstallation allowed
Determines whether uninstallation of SafeGuard Enterprise is allowed on the endpoint computers. When Uninstallation allowed is set to No, SafeGuard Enterprise cannot be uninstalled, even by someone with administrator rights, while this setting is active in a policy.
CRYPTOGRAPHIC BASIC INFRASTRUCTURE FRAMEWORK SETTINGS
Windows cryptographic toolkits
Possible options:
- SafeGuard Cryptographic Engine
- AET SafeSign TPM Support: hardware random number generator; requires a special mainboard in the PC.
TOKEN SUPPORT SETTINGS FOR PKCS #11 MODULE 1
Module name
Registers the PKCS#11 module of a token. The following options are available:
- Siemens CardOS API
- AET SafeSign Identity Client
- Charismathics Smart Security Interface
- Aladdin eToken PKI Client
- RSA Authentication Client 2.x
- RSA Smart Card Middleware 3.x
- ActivIdentity ActivClient
- a.sign Client
- Gemalto .NET Card
- Gemalto Classic Client
- Gemalto Access Client
- IT Solution trustWare CSP+
- Estonian ID Card
- NetKey 3.0
License information for Siemens and Charismathics:
Note that the use of the respective middleware for the standard operating system requires a license agreement with Siemens Medical/Charismathics. To obtain licenses, please refer to:
- Global Siemens Healthcare Headquarters
  Siemens AG
  Healthcare Sector
  Henkestrasse 127
  D-91052 Erlangen
  Federal Republic of Germany
  Tel.: +49 69 797 6602
- http://www.charismathics.com/cryptoshop/shop_content.php
  or
  [email protected]
Services to wait for
This setting is used for problem solving with specific tokens. Our Support team will provide corresponding settings as required.
16 SafeGuard Configuration Protection
Enterprise networks are currently characterized by a proliferation of easily accessible computer
ports, such as USB, FireWire and PCMCIA. In addition, a variety of communication adapters
(such as Bluetooth, IrDA, and WLAN) and device types (such as storage devices, printers, digital
cameras, smart phones, and PDAs) all enable effortless access to endpoints using these ports and
devices.
These devices enable optimal accessibility and productivity, but they leave endpoints wide open
to infiltration. With the amount of corporate data residing on endpoints estimated at over 60%,
endpoints may be the most valuable, and vulnerable, part of the enterprise network.
Today, enterprise IT is focusing on the tradeoffs between productivity and security. Enterprises'
need for productivity attracts them to innovative devices and security concepts. But they are
severely challenged to maintain the ultimate precautionary measures against leakage, theft, fraud,
virus invasion, eavesdropping and the general misuse of information and resources.
According to Vista research, 70% of IT security breaches originate from within the enterprise.
Thus, enterprises today are making internal security, especially internal access to network
resources, their highest priority, even above gateway solutions like antivirus and firewalls. Today's
greatest enterprise security challenge is providing access to key information without exposing it
to risk and trusting internal users while retaining enough control over their actions to verify their
reliability.
True protection can only be obtained by establishing a "digital wall" around each computer and
by intelligently protecting its ports, while judiciously allowing access of approved devices.
16.1 The SafeGuard Configuration Protection solution
Together with SafeGuard PortAuditor (see the SafeGuard PortAuditor User Guide), SafeGuard
Configuration Protection provides a comprehensive solution which enables organizations to see
what ports and devices are being used in their organization (visibility), to define a policy that
controls their usage and to protect data in motion.
SafeGuard Configuration Protection controls every endpoint and every device, over every
network or interface. It monitors real-time traffic and applies customized, highly-granular
security policies over all physical, wireless and storage device interfaces, including:
1. Physical interfaces:
a) USB
b) FireWire
c) PCMCIA
d) Secure Digital (SD)
e) Parallel
f) Serial
g) Modem
2. Wireless:
a) WLAN
b) Bluetooth
c) InfraRed (IrDA)
3. Storage:
a) Removable Storage Devices
b) External Hard Drives
c) CD/DVD Drives
d) Floppy Drives
e) Tape Drives
SafeGuard Configuration Protection detects and allows restriction of devices by device type,
model, or even specific device serial number. For storage devices, SafeGuard Configuration
Protection allows a security officer to block all storage devices completely. WLAN controls are
based on MAC address, SSID, or network security level.
16.1.1 Features
1. Port Control – SafeGuard Configuration Protection can intelligently allow, block, or restrict
the usage of any or all computer ports in your organization according to the computer on
which they are located, the user who is logged in and/or the type of port. SafeGuard
Configuration Protection controls: USB, PCMCIA, FireWire, Secure Digital, Serial, Parallel,
Modem (e.g. dialup, 3G etc.), WLAN, IrDA, and Bluetooth ports.
2. Device Control – Highly granular identification and approval of devices, including a
comprehensive list of device types and robust white listing of device models and even distinct
devices (by serial number).
3. Storage Control – Special control over external and internal storage devices including
Removable Media, External Hard Drives, CD/DVD, Floppy and Tape drives. Policy can block
usage of device types, models, and even distinct devices (by serial number).
4. Block Hybrid Network Bridging - SafeGuard Configuration Protection allows security
officers to control and prevent simultaneous use of various networking protocols that can lead
to inadvertent or intentional hybrid network bridging (such as WLAN bridging and 3G card
bridging). Configuring SafeGuard Configuration Protection Clients to block access to WLAN,
Bluetooth, Modems, or IrDA links while the main wired TCP/IP network interface is
connected to a network enables users to employ the various networking protocols only when
they are disconnected from the network - avoiding the creation and potential abuse of a hybrid
network bridge.
Note: Internal buses such as IDE, SCSI, ATA and S-ATA, which connect internal hard disk drives, as well as PCI and PCI-X, are allowed by default.
5. Block USB and PS/2 Hardware Key-Loggers - Blocking USB hardware key loggers which can
tap and record every keystroke in your endpoints as well as render PS/2 hardware key loggers
useless.
6. End User Messages – Whenever SafeGuard Configuration Protection Client enforces policies
on an endpoint computer, a message is provided to the user in order to notify him or her on
blocked ports or devices.
16.2 Protection by SafeGuard Configuration Protection
SafeGuard Configuration Protection protects your endpoints as follows:
16.2.1 Port control
SafeGuard Configuration Protection can intelligently allow, block, or restrict the usage of any or
all computer ports in your organization according to the computer on which they are located, the
user who is logged in and/or the type of port. SafeGuard Configuration Protection controls: USB,
PCMCIA, FireWire, Secure Digital, Serial, Parallel, Modem (e.g. dialup, 3G etc.), WLAN, IrDA
and Bluetooth ports.
A blocked port is unavailable, as if its wires were cut. An indication that a port is blocked is given
when the computer boots or when a policy is applied that disables a previously allowed port.
16.2.2 Device control
In addition to controlling port access, SafeGuard Configuration Protection provides another level
of granularity by enabling you to define which devices can access a port.
For USB, PCMCIA, and FireWire ports you can define which device types, device models and/or
distinct devices can access a port, as follows:
- Device Types: This option enables you to restrict access to a port according to the type of device that is connected to it. Examples of device types are printing devices, network adapters, human interface devices (such as a mouse) or imaging devices.
  The device types that are available for selection are built into SafeGuard Configuration Protection.
  If you would like to allow a device that is not of one of the types listed here, you can use the Models or the Distinct Devices option, described below.
- Models: This option refers to the model of a specific device type, such as all HP printers or all M-Systems USB Memory Sticks.
- Distinct Devices: This option refers to a list of distinct devices each with their own unique serial number, meaning each is an actual specific device. For example: the CEO's PDA may be allowed and all other PDAs may be blocked.
Protection against Hardware Key Loggers
Hardware Key Loggers are devices that can be placed by a hostile entity between a keyboard and
its host computer in order to tap and record keyboard input and steal vital information, especially
identity and password.
With SafeGuard Configuration Protection you can immunize your users against this threat:
SafeGuard Configuration Protection can detect hardware key loggers connected to a USB or
PS/2 port, and your policy can specify whether hardware key loggers should be blocked when
detected.
16.2.3 Storage control
Storage control provides an additional level of detail in which to specify the security requirements
of your organization. This can apply to all storage devices, internal or external, fixed or
detachable. You can block storage devices completely.
Similarly to non-storage devices, described in the previous section, storage devices can be also
approved according to their type, model, or distinct ID.
Autorun control
With SafeGuard Configuration Protection, you can let your end-users use their new sophisticated
storage devices, while ensuring your endpoints are not exposed to potential exploits and risky
applications these devices may carry. You can easily block auto-launch activities as part of your
security policy. Using our unique granular Client technology, you can still allow smart storage
devices to be used and block only their auto-run functionality which may be unsafe.
16.2.4 WLAN control
WLAN control ensures that users only connect to approved networks. You can specify which
networks or ad hoc links are allowed access. You can specify the MAC address of the access
points, SSID of the network, authentication method and encryption methods to define approved
links.
16.2.5 SafeGuard PortAuditor
Although not an integral part of SafeGuard Configuration Protection, SafeGuard PortAuditor is
a tool that goes hand in hand with SafeGuard Configuration Protection and completes it by
providing you with a full view of what ports, devices and networks are (or were previously) in use
by your organization's users. You use the output of a SafeGuard PortAuditor scan to select the
devices and networks whose usage you want to approve.
More detail is provided in the SafeGuard PortAuditor User Guide.
16.3 Configuration protection policies
A configuration protection policy specifies which ports are allowed, blocked, or restricted.
Restricted means that only specified device types, device models, distinct devices, or WLAN
connections can gain access through this port.
A policy specifies the access permissions of storage device types, storage device models, and
distinct storage devices, as well as WLAN connections, enabling you to specify whether they are
allowed, blocked, or restricted (in the same manner as for devices).
A policy can also block Hardware Key Loggers that are connected to a USB or a PS/2 port.
Hardware Key Loggers are devices that can be placed by a hostile entity between a keyboard and
its host computer in order to log keyboard input. Your policy can specify whether hardware key
loggers should be blocked when detected by SafeGuard Configuration Protection.
SafeGuard Configuration Protection takes what it calls a positive security approach, meaning that all ports and devices are allowed by default unless you define a policy that blocks or restricts their access.
In the sections that follow we describe how to define a policy.
16.3.1 Defining configuration protection policies: workflow
The following is an overview of the workflow for defining a new policy. A reference is provided
from each of these steps to a sub-section that describes it in detail.
The workflow suggests a simple and straightforward order for performing these steps, from which you can deviate, if you prefer.
- Step 1: Scan computers and detect port/device/WLAN usage: use SafeGuard PortAuditor to scan the computers in your network in order to detect the devices and WLAN networks that are currently connected and those that were previously connected (recorded in their computer's registry), as described in the SafeGuard PortAuditor User Guide. You will use this information when defining a policy in order to easily specify which ports and devices are allowed, blocked, or restricted.
- Step 2: Plan your policy describes the information that you should gather in order to properly plan the best endpoint protection policy for your organization.
- Step 3: Create a policy describes how to create a new policy. You can create as many policies as needed, one for your entire organization or a different one for each group of computers or users.
- Step 4: Define port control describes how to define the port control aspect of your policy, meaning which ports are allowed, which are blocked and which are restricted to be used only by certain devices. In addition, this section describes how to prevent hybrid network bridging.
- Step 5: Define device control describes how to define more specifically which devices are allowed to connect through the restricted ports on your endpoints.
- Step 6: Define storage control describes how to define more specifically which storage devices are allowed to connect to your endpoints.
- Step 7: Define WLAN control describes how to define which WLAN connections are approved.
- Step 8: Define file control describes how to define the permissions for file types transferred from and to storage devices.
- Step 9: Save and publish the policy describes the options for saving the policy in the policy database and publishing it so it can be associated with the relevant endpoint computers.
16.3.2 Step 1: Scan computers and detect port/device/WLAN usage
Although not an integral part of SafeGuard Configuration Protection, SafeGuard PortAuditor is
a tool that goes hand in hand with SafeGuard Configuration Protection and completes it by
providing you with a full view of what ports, devices and networks are (or were previously) in use
by your organization's users. You use the output of a SafeGuard PortAuditor scan to select the
devices and networks whose usage you want to approve.
16.3.3 Step 2: Plan your policy
Before you start defining your policy, you should take the time to plan the policy best suited to your organization. The best SafeGuard Configuration Protection policy for your organization is one that meets its security needs while still fulfilling the requirements of the people who need access through the ports of your organization's computers.
The first thing to plan for is the types of OU (Organizational Units) and groups to which the
policies will apply.
User and computer policies
By default, SafeGuard Configuration Protection uses User Group and Computer Group definitions that are controlled by Active Directory. Each option has its own benefits, as described below.
- Per user groups: Defining your policies per user groups enables you to be specific regarding the permissions for each user.
  Policies that apply to users override policies that apply to computers.
  If you decide to manage your organization by assigning policies to user groups, we recommend that you still define one or more general policies for computers. This enables the protection of each computer port even when no user is logged in.
  Using the combination of user policies and computer policies means that, for example, you can block USB storage devices on all the Customer Service department's computers, but you can allow the manager of the department a more permissive policy according to his/her user name and password, regardless of the computer into which he/she is logged.
- Per computer groups: Defining your policies by computers enables the protection of the endpoints of your organization's computers regardless of the user who is logged in.
SafeGuard Configuration Protection enforces policies as follows: it first applies a user policy, if
one exists for the user that is currently logged in. If not, SafeGuard Configuration Protection
looks for a policy that applies to the computer, and uses it, if found. This means that when no user
is logged in, the computer-bound policy is used. It is therefore advised to distribute user-based
policies, so that a user is given the same policy regardless of the computer into which he or she is
logged, and to set computer based policies that are more restrictive. These computer-based
policies should still grant access to such devices as a mouse and keyboard, to be used when no
user, or a user outside of the domain, is logged in.
The initial configuration of the SafeGuard Configuration Protection Client allows all port and
device activity, meaning that nothing is blocked. A permissive configuration is necessary so that
all port activity is not automatically blocked immediately following the installation of the
SafeGuard Configuration Protection Client.
This means that until you actually define and distribute policies to your endpoints (per user or
per computer), the machine that was just installed with SafeGuard Configuration Protection
Client will continue to operate as before (no blocking of ports and devices).
Note: The machine policy is used as the fallback policy if the user policy cannot be used or has been tampered with. It is therefore recommended to create both a machine policy and a user policy, with the user policy being the more permissive one.
Note: Depending on the endpoint computer, it can take several seconds for the SafeGuard
Configuration Protection Client to enforce a change of policies after logon. This means in case
the machine policy is more restrictive than the user policy it takes a few seconds before the user
gains access to the devices.
16.3.4 Step 3: Create a policy
Policies are created as described for all other policies.
16.3.5 Step 4: Define port control
This step includes setting port permissions as well as hybrid network bridging permissions.
Port permissions
SafeGuard Configuration Protection enables positive security by allowing access to all ports in all
computers to which a policy is distributed unless that policy specifies that access to that port is
blocked, as follows. For each port (USB, FireWire, PCMCIA, Secure Digital, Serial, Parallel,
Modem, WLAN, IrDA, or Bluetooth), you can specify the following:
• Allow: This option specifies that the port can be used for any purpose, without any restrictions
on this communication channel.
• Block: This option means that no access can be performed through this port. The port is
unavailable as if its wires were cut.
• Restrict: For USB, FireWire, PCMCIA, and WLAN ports you also have the option to specify
that access to ports of this type is Restricted. A Restricted setting enables you to define more
specifically (meaning with higher granularity) which devices or connections are allowed to
access the port. For example, you can specify that only USB devices of a specific model or even
specific USB devices (meaning distinct devices with a unique serial number) are allowed
access. For physical ports, this is done using the Device Control option described in Step 5:
Define Device Control and the Storage Control option described in Step 6: Define Storage
Control. For wireless ports, this is done using the WLAN Control option described in Step 8:
Define WLAN Control.
Note: The Device Control and WLAN Control aspects of a policy only apply to ports that are
restricted.
The Storage Control aspect of a policy applies both to restricted and allowed ports.
For each port, specify whether its action type is Allow, Block, or Restrict by selecting the
appropriate option in the drop-down menu.
Note: Internal ports, such as the storage buses IDE, SCSI, ATA and S-ATA that connect internal
hard disk drives, as well as PCI and PCI-X, are allowed by default.
Note: The settings for SecureDigital in the Physical Ports section are relevant when SecureDigital
is used as a port. In case SecureDigital is connected through a USB adapter, it becomes a USB
mass storage device. If SecureDigital is connected directly to the PC or laptop, recognition
depends on the actual PC or laptop model.
Hybrid Network Bridging permissions
SafeGuard Configuration Protection allows administrators to control and prevent simultaneous
use of various networking protocols that can lead to inadvertent or intentional hybrid network
bridging (such as WLAN bridging and 3G card bridging). Configuring SafeGuard Configuration
Protection Clients to block access to WLAN, Bluetooth, Modems, or IrDA links while the main
wired TCP/IP network interface is connected to a network enables users to employ certain
networking protocols only when they are disconnected from the network - avoiding the creation
and potential abuse of a hybrid network bridge.
Hybrid Network Bridging permissions are set in the Anti Hybrid Network Bridging section.
16.3.6 Step 5: Define device control
In the Port Control section, for USB, FireWire, and PCMCIA ports you can specify that access to
ports of these types is restricted (this is true for WLAN ports, too, which is discussed in Step 8:
Define WLAN Control). Selecting Restrict enables you to define more specifically, using the
Device Control section, which devices are allowed to access these ports.
The Device Control section enables you to specify which device types are allowed access, and to
assign the corresponding White List, which you use to specify which device models or distinct
devices are allowed access. If a device is not defined as allowed in one of the ways described below,
then it is blocked. The Device Control aspect of a policy applies to all the ports that are Restricted.
Device Control - settings
• All Devices (top area): in this area you can Allow, Restrict, or Block access to all device types.
If you select Allow or Block for All Devices, the rest of the section is disabled.
You can also Allow or Block hardware key loggers.
• Device Types (middle area): if you have selected the Restrict option for All Devices as
described in the previous paragraph, this option enables you to allow or restrict access to a
device according to its type. For example: Printing Devices, Network Adapters, or Imaging
Devices. The device types available for selection are built into SafeGuard Configuration
Protection. If you would like to allow a device that is not of one of the types listed here, add it
to your list of approved devices – the White List – using the Approved Model or the Distinct
Devices option, described below. A description of the supported Device Types is provided in
Supported Device Types.
• Unknown Devices (bottom area): This option enables you to determine whether access to
unknown devices is granted or not.
Device Control - White List
The section offers to assign a White List for Device Models and/or a White List for Distinct
Devices:
• White List for Device Models: This option refers to the model of a specific device type, such
as a specific model of HP printer, for example LaserJet 4050N. Specify a White List file
containing such devices.
• White List for Distinct Devices: This option refers to distinct devices with a unique serial
number, meaning an actual specific device. Specify a White List file containing such devices.
For example: the CEO’s personal printer may be permitted to connect, while other printing
devices are not.
Note: This section is disabled whenever you select Allow or Block in the All Devices option. See
Defining Device Control.
Note: In cases where a device belongs to more than one group, and those groups have the same
permissions, SafeGuard Configuration Protection will choose between the groups arbitrarily.
Defining device control
1. In the All Devices section, specify in the drop-down menu whether All Devices are Allowed,
Restricted, or Blocked.
Note: Select Allow or Block when you do not want to apply granular device control at this point
in time. Alternatively, use this option when you wish to override existing granular definitions but
want to return to them at a later time.
2. If you select Allow or Block for All Devices, there is nothing more you need to do in the Device
Control section and you can now skip to Step 6: Define Storage Control.
3. If you selected Restrict for All Devices, define whether Hardware Key Loggers are Allowed or
Blocked.
Note: If the SafeGuard Configuration Protection Client suspects a USB Hardware Key Logger is
connected to the keyboard, and Hardware Key Loggers are Blocked, the keyboard is blocked, too.
To activate the keyboard, advise the user to connect it directly to the computer.
Note: When you block Hardware Key Loggers, both USB and PS/2 Key Loggers are blocked.
When SafeGuard Configuration Protection Client protects against PS/2 Key Loggers, no user
message is displayed. Nevertheless, the Key Logger device is rendered useless, since the
information it logs is scrambled.
In addition, note that when a PS/2 Key Logger is blocked while working with a PS/2 Keyboard
Video Mouse (KVM), the KVM switching between computers will not work from the keyboard.
You can switch computers by pressing the KVM itself.
4. If you selected Restrict for All Devices, set permissions for each Device Type in the Device
Types section as follows:
a) Allow: allows all devices of this type.
b) Restrict: all devices are blocked unless they are specifically approved in the White List
described in Approving Devices and WLAN Connections.
5. Select the White List for Device Models and White List for Distinct Devices to add to your
allowed devices in the White List as described in White Lists - Approving Devices and WLAN
Connections.
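The policy selection rule from Step 2 (user policy first, machine policy as fallback) and the decision order of Steps 4 and 5 (port action, then All Devices, then White Lists and Device Types, then Unknown Devices) can be checked before a policy is distributed by modelling them. The following is an added example, not code from SafeGuard Configuration Protection; the class names, the sample policies and the sample devices are constructed for it, and the order in which White List approval and the Device Type setting are consulted is this model's assumption.

```python
"""Model of SafeGuard Configuration Protection port and device control decisions.

Added example, not product code. Names, sample policies and sample devices are
constructed; the exact evaluation order is an assumption drawn from the steps above.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Action(Enum):
    ALLOW = "Allow"
    BLOCK = "Block"
    RESTRICT = "Restrict"


@dataclass
class Device:
    port: str                     # port it connects through, e.g. "USB"
    device_type: str              # built-in type, or "Unknown" if not recognised
    model: str                    # model string as listed in a Device Models White List
    serial: Optional[str] = None  # unique serial number; distinct devices only


@dataclass
class DeviceControl:
    all_devices: Action = Action.ALLOW
    device_types: Dict[str, Action] = field(default_factory=dict)  # type -> ALLOW or RESTRICT
    unknown_devices: Action = Action.BLOCK
    model_white_list: Set[str] = field(default_factory=set)
    distinct_white_list: Set[str] = field(default_factory=set)    # serial numbers


@dataclass
class Policy:
    name: str
    ports: Dict[str, Action]      # physical port -> Allow / Block / Restrict
    device_control: DeviceControl


def select_policy(user_policy: Optional[Policy], machine_policy: Policy) -> Policy:
    """A usable user policy takes precedence; the machine policy is the fallback."""
    return user_policy if user_policy is not None else machine_policy


def evaluate(policy: Policy, device: Device) -> Tuple[Action, str]:
    """Return the effective decision for a device and the rule that produced it."""
    # Ports not listed in the policy (internal buses) are allowed by default.
    port_action = policy.ports.get(device.port, Action.ALLOW)
    if port_action is Action.BLOCK:
        return Action.BLOCK, "port is Blocked"
    if port_action is Action.ALLOW:
        return Action.ALLOW, "port is Allowed; Device Control is not applied"

    dc = policy.device_control
    # Allow or Block for All Devices disables the rest of the Device Control section.
    if dc.all_devices is not Action.RESTRICT:
        return dc.all_devices, f"All Devices is {dc.all_devices.value}"

    # A White List entry approves the device regardless of its type.
    if device.serial is not None and device.serial in dc.distinct_white_list:
        return Action.ALLOW, "approved as a distinct device"
    if device.model in dc.model_white_list:
        return Action.ALLOW, "approved as a device model"

    if device.device_type == "Unknown":
        return dc.unknown_devices, "Unknown Devices setting"
    # Device types default to Allow; Restrict blocks everything not approved above.
    if dc.device_types.get(device.device_type, Action.ALLOW) is Action.ALLOW:
        return Action.ALLOW, "device type is Allowed"
    return Action.BLOCK, "device type is Restricted and device is not on a White List"


# Constructed sample: a restrictive machine policy and a more permissive user policy.
MACHINE_POLICY = Policy(
    name="machine",
    ports={"USB": Action.RESTRICT, "FireWire": Action.BLOCK, "PCMCIA": Action.BLOCK},
    device_control=DeviceControl(
        all_devices=Action.RESTRICT,
        device_types={"Human Interface Device": Action.ALLOW, "Printing Devices": Action.RESTRICT},
    ),
)
USER_POLICY = Policy(
    name="user",
    ports={"USB": Action.RESTRICT, "FireWire": Action.BLOCK, "PCMCIA": Action.ALLOW},
    device_control=DeviceControl(
        all_devices=Action.RESTRICT,
        device_types={"Human Interface Device": Action.ALLOW, "Printing Devices": Action.RESTRICT},
        model_white_list={"HP LaserJet 4050N"},
        distinct_white_list={"SN-CEO-0001"},   # the CEO's personal printer (constructed serial)
    ),
)

MOUSE = Device("USB", "Human Interface Device", "Generic Optical Mouse")
OFFICE_PRINTER = Device("USB", "Printing Devices", "HP LaserJet 4050N")
CEO_PRINTER = Device("USB", "Printing Devices", "Brand X Inkjet", serial="SN-CEO-0001")
OTHER_PRINTER = Device("USB", "Printing Devices", "Brand X Inkjet", serial="SN-0002")
UNKNOWN_GADGET = Device("USB", "Unknown", "Unbranded Gadget")
PCMCIA_PRINTER = Device("PCMCIA", "Printing Devices", "Brand X Inkjet")


def effective(user_logged_in: bool, device: Device) -> Action:
    """Decision a device gets on this computer before and after a user logs on."""
    policy = select_policy(USER_POLICY if user_logged_in else None, MACHINE_POLICY)
    return evaluate(policy, device)[0]


if __name__ == "__main__":
    for dev in (MOUSE, OFFICE_PRINTER, CEO_PRINTER, OTHER_PRINTER, UNKNOWN_GADGET, PCMCIA_PRINTER):
        print(f"{dev.model:22} no user: {effective(False, dev).value:8} user: {effective(True, dev).value}")
```

Running the block prints both decisions for each sample device, which makes it easy to confirm that the machine policy still lets the mouse through while no user is logged on and that the printers only become usable under the user policy's White Lists.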
16.3.7 Step 6: Define storage control
Storage devices may typically be the main conduits for information leakage in an organization.
SafeGuard Configuration Protection enables you to control access by allowing full access, or
blocking any device that is identified as a storage device. This includes removable media such as
USB Memory Sticks, digital cameras and so on, as well as traditional devices, such as floppy
drives, CD/ DVD drives, external hard drives, and tape drives.
The Storage Control aspect of a policy is enforced across all ports through which a storage device
can connect. This includes Allowed or Restricted ports, as well as ports that are not protected by
SafeGuard Configuration Protection. On a port that is Blocked all storage devices are blocked,
since blocking a port is similar to cutting its wires.
Note: Since attacks and leakage directly via internal hard drives are not common, SafeGuard
Configuration Protection does not handle blocking or restricting of these drives, so as not to
disrupt ongoing work.
Storage control - settings
This section includes the following areas:
1. All Storage Devices: in this area you can Allow, Restrict, or Block access to all storage devices.
If you select Allow or Block for All Storage Devices, the rest of the section is disabled.
You can also determine whether you want to allow or block the Autorun feature available on
some storage devices such as CD/DVD.
2. Storage Types: if you have selected the Restrict option for All Storage Devices, this option
enables you to allow, or restrict access to a storage device according to its type. For example:
Removable Devices or CD/DVD Drives. The device types available for selection are built into
SafeGuard Configuration Protection and include the following types and options:
a) Removable Media: Applies to all plug-and-play storage devices, such as USB Memory
Sticks, Digital Camera, Portable MP3 players, and so on.
b) Allow smart functionality of Removable Media: Set this option to Allow to allow the usage
of removable media that implement smart functionality. Set this option to Block to block
the smart functionality of such devices.
c) External Hard Drives
d) CD/DVD Drives
e) Floppy Devices
f) Tape Devices
Removable Media, External Hard Drives, CD/DVD Drives and Floppy Drives can additionally be
set to Read Only.
Use the White List to approve the usage of specific Storage Models or Distinct Storage Devices.
A description of the supported Device Types is provided in Supported Device Types. For an
explanation of how to define options in this section refer to Defining Storage Control.
Storage Control - White List
The section offers to assign a White List for Storage Device Models and/or a White List for
Distinct Storage Devices:
1. White List for Storage Device Models: This option refers to the model of a specific storage
device type, such as a specific USB Memory Stick model.
2. White List for Distinct Storage Devices: Distinct storage devices with a unique serial
number, meaning an actual specific device. For example: the CEO's personal USB Memory
Stick may be permitted to connect, while other USB Memory Stick devices are not.
Note: This section is disabled whenever you select the Allow or Block option for All Storage
Devices.
Note: Select Allow or Block when you do not want to apply granular storage device control at
this point in time, but plan to define it later on. Alternatively, use this option when you wish to
override existing granular definitions but want to return to them at a later time.
16.3.8 Step 7: Define WLAN control
In addition to devices, SafeGuard Configuration Protection controls and monitors your WLAN
connections in order to ensure that endpoint computers use authorized, secure connections only.
In the Port Control section, you can specify that access to a WLAN port is Restricted. Selecting
Restricted enables you to define more specifically, using the WLAN Connection Types section,
which networks are allowed to access this port.
Note: When restricting the use of WLAN as a port, SafeGuard Configuration Protection
monitors and regulates WLAN connections over the Microsoft WZC infrastructure. Any device
driver that tries to access the network card without using WZC is blocked.
Note: If you are using many WLAN cards that require proprietary drivers, you can only Allow
or Block WLAN as a port.
WLAN Control - settings
WLAN Connection Types: this option enables you to Allow or Restrict access to WLAN
networks, and to Allow or Block WLAN Peer-to-Peer connections. In the case of WLAN
networks, if you choose Restrict you may further specify which specific networks are approved.
WLAN Control - White List
White List for WLAN: This option refers to distinct networks, including their authentication and
encryption properties.
Note: This section is disabled whenever you select the Allow option for networks.
Defining WLAN control
To define WLAN control:
1. Go to the WLAN option in the Wireless Ports section. Set WLAN to Restrict. This enables the
options below WLAN Connection Types.
2. In the WLAN Connection Types section set permissions for WLAN Networks (Infrastructure)
as follows:
a) Allow: allows connection to all WLAN networks.
b) Restrict: all networks are blocked unless they are specifically approved in the White List as
described in White Lists - Approving Devices and WLAN Connections.
3. In the WLAN Connection Types section set permissions for Peer-to-Peer (Ad Hoc) as follows:
a) Allow: allows all peer-to-peer WLAN connections.
b) Block: blocks all peer-to-peer WLAN connections.
In this option, more granular permissions are not available.
16.3.9 Step 8: Define File Control
SafeGuard Configuration Protection allows you to set permissions not only for storage devices,
but also for the files transferred to and from these devices. This is achieved by inspecting files for
their type as they are transferred to/from external storage devices. This technology allows for
highly reliable classification of files by inspecting the file header contents rather than using file
extensions, thus preventing users from easily bypassing the protection by renaming file
extensions.
By inspecting both files downloaded to external storage devices and those uploaded to the
protected endpoint, multiple benefits can be achieved:
• An additional protection layer to prevent data leakage
• Prevention of the introduction of viruses/malware via external storage devices
• Prevention of the introduction of inappropriate content via external storage devices, e.g.
unlicensed software, unlicensed content (e.g. music and movies), non work-related content
such as private pictures etc.
With this feature, you can define policies which approve/block specific file types on the inbound
and outbound channels.
SafeGuard Configuration Protection’s File Control includes the following:
• File Type Control - the ability to control transfer of files according to their type.
File Control is applicable to removable storage devices, external hard disks and CD/DVD.
File Control - settings
This section includes the following areas:
1. Storage Type: in this area you can Apply file type control to storage types or Exclude storage
types from file type control.
The storage types available for selection are built into SafeGuard Configuration Protection
and include the following:
a) Reading from removables
b) Writing to removables
c) Reading from external hard drives
d) Writing to external hard drives
e) Reading from CD/DVD media
2. If you select Apply or Exclude for at least one of the storage types the rest of the section (File
Types) is activated. You can set the following permissions for each file type:
a) Allow
b) Read Only
c) Write Only
d) Block
The permissions for file types apply to all storage types to which you have applied file control
in the Storage Types section.
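The reason File Control classifies by header contents rather than extension, and how the Allow, Read Only, Write Only and Block permissions combine with the transfer direction, can be seen in the following added example. It is not the product's own code: the signature table covers only a handful of the types in the list below, and the `decide` function, the sample policy and the sample file headers are constructed for the example.

```python
"""Header-based file type control for transfers to and from removable storage.

Added example, not product code. SIGNATURES, EXTENSION_FAMILY, POLICY and the
sample files are constructed and cover only a few of the supported types.
"""
import os
from typing import Dict, Optional, Tuple

# Leading bytes of some common formats (constructed subset).
SIGNATURES = (
    (b"%PDF-", "PDF"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"\xff\xd8\xff", "JPG"),
    (b"PK\x03\x04", "ZIP"),                          # also DOCX/XLSX/PPTX/JAR
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2"),   # legacy DOC/XLS/PPT container
    (b"MZ", "EXE"),                                   # EXE, DLL, SCR, OCX, CPL ...
    (b"\x1f\x8b", "GZIP"),
    (b"Rar!\x1a\x07", "RAR"),
)

# Which detected type an extension legitimately carries; used only to report renames.
EXTENSION_FAMILY = {
    "PDF": "PDF", "PNG": "PNG", "JPG": "JPG", "JPEG": "JPG",
    "ZIP": "ZIP", "JAR": "ZIP", "DOCX": "ZIP", "XLSX": "ZIP", "PPTX": "ZIP",
    "DOC": "OLE2", "XLS": "OLE2", "PPT": "OLE2",
    "EXE": "EXE", "DLL": "EXE", "SCR": "EXE", "OCX": "EXE", "CPL": "EXE",
    "GZ": "GZIP", "GZIP": "GZIP", "RAR": "RAR",
}


def classify(data: bytes) -> str:
    """Detected type from the header bytes; the file name is deliberately not consulted."""
    for magic, file_type in SIGNATURES:
        if data.startswith(magic):
            return file_type
    return "UNKNOWN"


def extension_mismatch(name: str, detected: str) -> bool:
    """True when a known extension claims a different type than the header shows."""
    ext = os.path.splitext(name)[1].lstrip(".").upper()
    family: Optional[str] = EXTENSION_FAMILY.get(ext)
    return family is not None and family != detected


def decide(policy: Dict[str, str], name: str, data: bytes, direction: str) -> Tuple[bool, str, bool]:
    """Return (allowed, detected_type, renamed) for one transfer.

    direction is "read" (from the device) or "write" (to the device). policy maps a
    detected type to Allow, Read Only, Write Only or Block; "*" is the default.
    """
    if direction not in ("read", "write"):
        raise ValueError("direction must be 'read' or 'write'")
    detected = classify(data)
    permission = policy.get(detected, policy.get("*", "Block"))
    allowed = (
        permission == "Allow"
        or (permission == "Read Only" and direction == "read")
        or (permission == "Write Only" and direction == "write")
    )
    return allowed, detected, extension_mismatch(name, detected)


# Constructed sample policy: documents may go both ways, archives may only be
# read from the device, executables and everything unrecognised are blocked.
POLICY = {"PDF": "Allow", "OLE2": "Allow", "ZIP": "Read Only", "EXE": "Block", "*": "Block"}

# Constructed sample files (headers only; real files are longer).
PDF_FILE = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"
ZIP_FILE = b"PK\x03\x04\x14\x00\x00\x00\x08\x00"
EXE_FILE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"


def sample_decisions() -> Dict[str, Tuple[bool, str, bool]]:
    """Decisions for the constructed files; an executable renamed to .pdf is still caught."""
    return {
        "report.pdf write": decide(POLICY, "report.pdf", PDF_FILE, "write"),
        "tools.zip read": decide(POLICY, "tools.zip", ZIP_FILE, "read"),
        "tools.zip write": decide(POLICY, "tools.zip", ZIP_FILE, "write"),
        "report.pdf (exe) write": decide(POLICY, "report.pdf", EXE_FILE, "write"),
    }


if __name__ == "__main__":
    for label, (allowed, detected, renamed) in sample_decisions().items():
        print(f"{label:24} detected={detected:7} renamed={renamed!s:5} allowed={allowed}")
```

The last sample shows the point of the design: a file whose name ends in .pdf but whose header is that of an executable is classified as an executable and blocked, and the extension mismatch is reported separately so it can be logged.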
The following table lists the file types and extensions supported by SafeGuard Configuration
Protection File Type Control.
File Type                    Extension    Description
Microsoft Office             DOC          Microsoft Word Document
                             DOCX         Microsoft Word Document
                             DOCM         Microsoft Word Document
                             DOT          Microsoft Word Template
                             DOTX         Microsoft Word Template
                             DOTM         Microsoft Word Template
                             RTF          Rich Text Format
                             PPT          Microsoft PowerPoint Presentation
                             PPTX         Microsoft PowerPoint Presentation
                             PPTM         Microsoft PowerPoint Presentation
                             POT          Microsoft PowerPoint Template
                             POTX         Microsoft PowerPoint Template
                             POTM         Microsoft PowerPoint Template
                             PPS          Microsoft PowerPoint Show
                             PPSX         Microsoft PowerPoint Show
                             PPSM         Microsoft PowerPoint Show
                             PPA          Microsoft PowerPoint Add-In
                             PPAM         Microsoft PowerPoint Add-In
                             XLS          Microsoft Excel Workbook
                             XLSX         Microsoft Excel Workbook
                             XLSM         Microsoft Excel Workbook
                             XLSB         Microsoft Excel Workbook
                             XLT          Microsoft Excel Template
                             XLTX         Microsoft Excel Template
                             XLTM         Microsoft Excel Template
                             XLA          Microsoft Excel Add-In
                             XLAM         Microsoft Excel Add-In
                             MPP          Microsoft Project Project
                             MPT          Microsoft Project Template
                             VSD          Microsoft Visio Drawing
                             VDX          Microsoft Visio Drawing
                             VSS          Microsoft Visio Stencil
                             VSX          Microsoft Visio Stencil
                             VST          Microsoft Visio Template
                             VTX          Microsoft Visio Template
                             PUB          Microsoft Publisher
                             ONE          Microsoft OneNote Sections
                             ADP          Microsoft Access Project
                             ADE          Microsoft Access Project Extension
Published Documents          PDF          Adobe Acrobat Document
                             PS           PostScript Document
                             EPS          Encapsulated PostScript
Web Pages                    HTML         HTML Web Page
                             HTM          HTML Web Page
                             MHT          Archived Web Page
                             MHTML        Archived Web Page
                             PHP          PHP Script
                             HLP          Windows Help File
                             CHM          Compiled Help File
                             ASP          Active Server Page
                             ASPX         ASP.NET Web Page
                             ASMX         ASP.NET Web Services
                             JHTML        Java HTML Web Page
                             JSP          Java Server Page
Images                       JPG          JPEG Image
                             JPEG         JPEG Image
                             GIF          GIF Image
                             BMP          Bitmap Image
                             DIB          Device Independent Bitmap Image
                             PNG          PNG Image
                             TIF          Tagged Image Format
                             TIFF         Tagged Image Format
                             MDI          Office Document Imaging File
                             JNG          JNG Image
                             MNG          MNG Image
                             ICO          Windows Icon
                             CUR          Windows Cursor
                             WMF          Windows Metafile Image
                             EMF          Enhanced Windows Metafile Image
                             FH9          Macromedia Freehand 9 Graphics
                             JP2          JPEG-2000 Image
                             PBM          Portable Bitmap
                             PGM          Portable Graymap Bitmap
                             PPM          Portable Pixelmap Bitmap
                             PSD          Adobe Photoshop Graphics
                             CDR          CorelDRAW Vector Graphics
                             SVG          Scalable Vector Graphics
Multimedia                   WAV          Waveform Audio
                             WMA          Windows Media Audio
                             MP2          MPEG Audio
                             MP3          MPEG Audio
                             AIFF         Audio Interchange
                             AIF          Audio Interchange
                             AU           AU Audio
                             RA           RealMedia Streaming Media
                             MID          Musical Instrument Digital Sound
                             MIDI         Musical Instrument Digital Sound
                             RMI          Musical Instrument Digital Sound
                             SDS          Musical Instrument Digital Sound Sample
                             VOC          Creative Labs Soundblaster Audio
                             OGG          Ogg Vorbis Codec Audio
                             VOX          Dialogic Audio
                             FLAC         Free Lossless Codec Audio
                             MPEG         MPEG Multimedia
                             MPG          MPEG Multimedia
                             AVI          Audio Video Interleave
                             ASF          Advanced Streaming Format
                             WMV          Windows Media Multimedia
                             MOV          QuickTime Video Clip
                             SWF          Flash Animation File
                             FLI          FLIC Animation
                             FLC          FLIC Animation
Text & Program Code          TXT          Text File
                             CSV          Formatted Text (Comma Delimited)
                             PRN          Formatted Text (Space Delimited)
                             CPP          C++ Program Code
                             C            C/C++ Program Code
                             H            C/Java Header File
                             XML          XML File
                             F            FORTRAN Program Code
                             T90          FORTRAN Program Code
                             MAKEFILE     Compilation Control File
                             MAKEFILE.IN  Compilation Control File
                             PL1          PL1 Program Code
                             ASM          Assembler Program Code
                             PAS          PASCAL Program Code
                             JAVA         JAVA Program Code
                             M4           Meta4 Program Code
                             BCPL         BCPL Program Code
                             CS           Visual C#.NET Program Code
                             PL           Perl Program Code
                             PM           Perl Program Code Module
                             PY           Python Program Code
                             PDB          Visual C++/.NET Program Database
                             BAS          BASIC Program Code
                             VB           Visual Basic Program Code
                             VBS          VBScript Script
                             JS           JavaScript Source Code
Executables                  EXE          Executable
                             DLL          Dynamic Link Library
                             PIF          Windows Program Information File
                             BAT          Batch
                             COM          Command
                             OCX          ActiveX - Object Linking and Embedding (OLE) Control Extension
                             CMD          Command
                             CPL          Windows Control Panel Extension
                             SCR          Windows Screen Saver
                             VXD          Virtual Device Driver
                             SYS          System Device Driver
                             CLASS        Java Bytecode
                             PYC          Python Compiler Script (Bytecode)
                             LIB          Program Library Common Object File Format (COFF)
                             INS          InstallShield Script
                             OBJ          Object File
                             O            Object File
Compressed Archives          ZIP          ZIP Compressed Archive
                             ARJ          ARJ Compressed Archive
                             RAR          WinRAR Compressed Archive
                             GZIP         GZIP Compressed Archive
                             TAR          Tape Archive
                             JAR          JAR Compressed Archive
                             ACE          WinAce Compressed Archive
                             HQX          Macintosh BinHex 4 Compressed Archive
                             LZH          LHA Compressed Archive
                             LHA          LHA Compressed Archive
                             AR           AIX Small Indexed Archive
                             ARC          LH ARC Compressed Archive
                             CAB          Cabinet Compressed Archive
                             **_          Compressed Installation Files (e.g. EX_, DL_)
CD/DVD Disc Images           ISO          ISO Disc Image
                             BIN          BIN Disc Image
                             CIF          EasyCD Creator Disc Image
                             CCD          CloneCD Disc Image
                             IMG          CloneCD Disc Image
                             MDF          Alcohol 120% Disc Image
                             DAA          PowerISO Disc Image
                             C2D          WinOnCD Disc Image
Databases                    MDB          Microsoft Access Database
                             ACCDB        Microsoft Access Database
                             ACCDT        Microsoft Access Database Template
                             MDA          Microsoft Access Add-In
                             MDW          Microsoft Access Workgroup
                             MDE          Microsoft Access Compiled Database
                             MYD          MySQL MyISAM Database
                             MYI          MySQL MyISAM Database Index
                             FRM          MySQL MyISAM Generic Dictionary
                             DBF          dBase Database
                             DBT          Microsoft FoxPro Database
                             GDB          Borland InterBase Database
                             PX           Paradox Database
Microsoft Outlook            PST          Outlook Personal Folder
                             DBX          Outlook Express E-mail Folder
PGP Encryption               PGP          Pretty Good Privacy (PGP) Encrypted
                             ASC          Pretty Good Privacy (PGP) Armored Encrypted
                             CTX          Pretty Good Privacy (PGP) Ciphertext
Computer-Aided Design (CAD)  DWG          AutoCAD Drawing
                             DXF          AutoCAD Interchange
                             ASM          Pro/ENGINEER Assembly
                             PRT          Pro/ENGINEER Model
Adobe FrameMaker             DOC          Adobe FrameMaker/FrameBuilder Document
                             FM           Adobe FrameMaker Document
                             FRM          Adobe FrameMaker Document
                             BOOK         Adobe FrameMaker Book
                             MIF          Adobe FrameMaker Interchange Format
16.3.10 Step 9: Save and publish the policy
Policies are saved and published as described for all other policies.
16.4 White Lists - approving devices and WLAN connections
The explanations in the following sections refer to adding approved devices to the Device Control
White List and adding approved storage devices to the Storage Control White List. Where
differences exist between adding storage and non-storage devices, they are pointed out and
explained.
Explanations on how to add approved WLAN networks can be found in Adding WLAN
Connections.
SafeGuard Configuration Protection provides you with three levels of permissions:
• Device Types and Storage Types: This option enables you to allow or restrict access to an
endpoint according to the type of device that is connected. For example: Removable Media,
Network Adapters, Human Interface devices (such as a mouse), or Imaging Devices. The
device types and storage types available for selection are built into SafeGuard Configuration
Protection and are found in the Device Control section and the Storage Control section.
A device type may be allowed (default), blocked, or restricted. If you restrict a device type,
all devices of this type are blocked unless specifically approved in a White List.
• White List for Device Models: This option refers to approving models of devices or storage
devices, such as all HP printers or all M-Systems USB Memory Sticks.
• White List for Distinct Devices: This option refers to approving distinct devices or storage
devices, each with its own unique serial number, meaning each is an actual specific device.
For example, if you wish to approve the use of the CEO’s USB Memory Stick and block all
other USB Memory Stick devices, you should set the Removable Media storage type to
Restrict, and then enter the identifying parameters of the CEO's USB Memory Stick in a
White List for specific Distinct Storage Devices.
This section describes how to
• create a White List and
• add approved models or distinct devices to a White List, either from the list of devices
whose usage was detected in your organization by SafeGuard PortAuditor, or manually.
16.4.1 Creating White Lists
To register a White List, proceed as follows:
1. Select White List in the policy navigation area.
2. In the context menu of White List, click New > White List.
3. In field White List name enter a name for the White List.
4. Select the White List type. White Lists can be created for:
• Device Models
• Distinct Devices
• Storage Device Models
• Distinct Storage Devices
• WLAN Networks
The individual White Lists can be selected when defining policy settings.
5. Specify whether you want to create the White List manually or whether you intend to use the
result of a scan of the computers by SafeGuard PortAuditor as a source.
Note: The results of the SafeGuard PortAuditor scan have to be available (XML file), if you intend
to create the White List based on this source.
a) Create White List manually
If you select this option, an empty White List will be opened in the SafeGuard Management
Center after clicking OK. In this empty White List you can create entries manually.
b) Import from SafeGuard Port Auditor Result
If you select this option, the result of the scan by SafeGuard PortAuditor will be imported.
• You can select the file provided by SafeGuard PortAuditor via the [...] button.
• After clicking OK the contents of the imported file will be displayed in the SafeGuard
Management Center.
16.4.2 Adding a device using a SafeGuard PortAuditor file
Prerequisite: Creating a device information file
In order to create a file that contains the information about the devices you wish to approve, use
SafeGuard PortAuditor to scan the required computers. SafeGuard PortAuditor scans the
selected computers and reports on all devices and WLAN networks currently or previously
connected to those computers. The audit results are stored in an .XML file. To learn about
SafeGuard PortAuditor refer to SafeGuard PortAuditor 3.2 User Guide.
16.4.2.1 Step 1: Get device information
In this step you specify the file from which to gather the information about devices that will be
added, i.e. the location of the SafeGuard PortAuditor .XML file that contains the required device
information. After you have selected the required file using [...], click OK to continue.
16.4.2.2 Step 2: Select devices
Step 2 displays a table of the devices detected on the endpoints in your network and enables you
to select the ones to add. The table is divided into categories, depending on whether the White
List to which you are adding devices is a Device Models White List or a Distinct Devices White
List, and whether you are adding storage devices or non-storage devices.
Selectable devices have a check box beside them which you should check if you want to approve
the device model or the distinct device, as the case may be. You can also select or deselect all or
marked devices when you right-click in the table.
Note: You cannot add storage devices to the Device Control White List.
Note: You cannot add devices or storage devices without a distinct ID to a Distinct Devices
White List.
Occasionally, a device may not be identified as a storage device by SafeGuard PortAuditor. This
may happen, for example, when a device class has not been embedded by the manufacturer. In
this case, if you know that it is in fact storage, you may add it to your policy's storage white list.
You must avoid adding storage devices to a Device Control White List or adding non-storage
devices to a Storage Control White List, as they will be ignored by the SafeGuard Configuration
Protection Client.
Note: When you add a device that already belongs to another device White List in this policy, and
the White List permissions differ, the most permissive will apply.
16.4.2.3 Step 3: Save White List
Save the White List by clicking the Save icon in the SafeGuard Enterprise toolbar.
Using the Modify contents button you can insert the contents from another file into the White
List.
New entries will be appended at the end of the White List.
16.4.3 Adding a device manually
If you have created an empty White List, you have to add the entries manually.
Or if you want to add devices to an existing White List, as in the case of devices that have not been
connected to any endpoint in your organization and therefore do not appear in the SafeGuard
PortAuditor audit results, you also have to add them manually.
The following instructions apply both when adding storage devices (in Storage Control) and when
adding non-storage devices (in Device Control).
Note: When you add a device that already belongs to another device White List in this policy, and
the White List permissions differ, the most permissive will apply.
To add a device manually:
1. Click the icon in the SafeGuard Enterprise toolbar to add a new entry to the White List.
2. Enter the required information in the following fields:
a) Port – optional
b) Device Description – optional
c) Device Information – optional
d) Vendor (Vendor ID) – optional
e) Product (Product ID) – optional
f) Hardware ID/Instance ID – required
Double-check that you have entered the correct data in all fields and save the White List.
Selecting an entry and clicking the corresponding icon in the SafeGuard Enterprise toolbar
removes the entry from the White List.
Note: Vendor ID (VID), Product ID (PID), Hardware ID (HID) and Instance ID (IID) can be
found in the SafeGuard PortAuditor scan results, on a sticker attached to the product itself or in
Windows Device Manager.
16.4.4 Adding WLAN connections
WLAN links are added to the WLAN Network White List in much the same way as devices:
add a WLAN White List, then add approved links to this White List using the data from the
SafeGuard PortAuditor file, or manually.
16.4.4.1 Adding a WLAN link manually
If you want to add WLAN links that were not detected by SafeGuard PortAuditor, and as a result
cannot be added using the import mechanism, you can do so manually.
Entering WLAN Network Information
Now you define the parameters a network must match in order for it to be approved for
connection.
You can identify a network by its name and/or by its MAC address. After you enter a network
name or a MAC address, you can also specify authentication and data encryption parameters
which must be matched. Only networks matching all the parameters are approved.
To add a WLAN link manually:
1. Open the White List for WLAN connections.
2. Click the icon in the SafeGuard Enterprise toolbar to add a new entry to the White List.
3. Enter Network Name, MAC Address or both. It is required to add information to at least one
of the two fields.
4. If you want to specify the Network Name only, enter the name and continue with step 6.
5. If you want to specify the MAC Address only, enter the address and continue with step 6.
6. To define security settings, specify the required Authentication and Data Encryption settings
from the dropdown list. Adding information to these fields is optional.
Note: The Data Encryption options available in the dropdown list depend on the selected
Authentication type. For example, for WPA authentication, the encryption options are TKIP or
AES, whereas in the case of 802.1X authentication only WEP encryption is available for selection.
7. Double-check that you have entered the correct data in all the fields and save the White List.
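The matching rule stated above (a network is approved only when it matches every parameter the White List entry specifies) and the entry validation the dialog performs can be modelled as follows. This is an added example, not SafeGuard code: the class names, `normalize_mac`, the sample White List and the sample networks are constructed for it, and the authentication/encryption table holds only the two combinations the note above gives; any other pairing is left unchecked rather than assumed.

```python
"""Matching an observed WLAN network against a WLAN White List.

Added example, not product code. Names, the sample White List and the sample
networks are constructed; ENCRYPTION_FOR_AUTH lists only the pairs the note
above states.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Data Encryption options available per Authentication type (from the note above).
ENCRYPTION_FOR_AUTH = {"WPA": {"TKIP", "AES"}, "802.1X": {"WEP"}}


def normalize_mac(mac: str) -> str:
    """Canonical form so that 00-1a-2b-3c-4d-5e and 00:1A:2B:3C:4D:5E compare equal."""
    digits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class WlanEntry:
    """One White List row; None means 'not specified, do not check'."""
    network_name: Optional[str] = None
    mac_address: Optional[str] = None
    authentication: Optional[str] = None
    data_encryption: Optional[str] = None

    def __post_init__(self):
        # Step 3 above: at least one of Network Name and MAC Address is required.
        if self.network_name is None and self.mac_address is None:
            raise ValueError("Network Name or MAC Address is required")
        if self.mac_address is not None:
            object.__setattr__(self, "mac_address", normalize_mac(self.mac_address))
        # Step 6 above: the encryption choice depends on the authentication type.
        allowed = ENCRYPTION_FOR_AUTH.get(self.authentication)
        if allowed is not None and self.data_encryption is not None and self.data_encryption not in allowed:
            raise ValueError(f"{self.data_encryption} is not available for {self.authentication}")


@dataclass(frozen=True)
class ObservedNetwork:
    """What the client sees when a connection is attempted."""
    network_name: str
    mac_address: str
    authentication: str
    data_encryption: str


def entry_error(**fields) -> Optional[str]:
    """Validation message for an entry, or None when the entry is acceptable."""
    try:
        WlanEntry(**fields)
    except ValueError as exc:
        return str(exc)
    return None


def matches(entry: WlanEntry, net: ObservedNetwork) -> bool:
    """Every parameter the entry specifies must match the network."""
    checks = [
        (entry.network_name, net.network_name),
        (entry.mac_address, normalize_mac(net.mac_address)),
        (entry.authentication, net.authentication),
        (entry.data_encryption, net.data_encryption),
    ]
    return all(want is None or want == got for want, got in checks)


def is_approved(setting: str, white_list: Iterable[WlanEntry], net: ObservedNetwork) -> bool:
    """WLAN Networks set to Allow approves everything; Restrict approves only White List matches."""
    if setting == "Allow":
        return True
    if setting == "Restrict":
        return any(matches(entry, net) for entry in white_list)
    raise ValueError(f"unknown setting {setting!r}")


# Constructed White List: the corporate SSID with WPA/AES, and one access point pinned by MAC.
WHITE_LIST = [
    WlanEntry(network_name="CORP-WIFI", authentication="WPA", data_encryption="AES"),
    WlanEntry(mac_address="00-1a-2b-3c-4d-5e"),
]

CORP_AP = ObservedNetwork("CORP-WIFI", "00:1A:2B:3C:4D:5F", "WPA", "AES")
LOOKALIKE = ObservedNetwork("CORP-WIFI", "00:1A:2B:3C:4D:60", "WPA", "TKIP")  # same name, weaker encryption
PINNED_AP = ObservedNetwork("GUEST", "00:1A:2B:3C:4D:5E", "WPA", "TKIP")
HOME = ObservedNetwork("HomeNet", "AA:BB:CC:DD:EE:FF", "WPA", "AES")

if __name__ == "__main__":
    for net in (CORP_AP, LOOKALIKE, PINNED_AP, HOME):
        print(f"{net.network_name:10} {net.mac_address}  approved={is_approved('Restrict', WHITE_LIST, net)}")
```

The second sample network shows why the optional Authentication and Data Encryption fields are worth filling in: a network with the approved name but a weaker encryption setting does not match an entry that specifies AES, so it is not approved.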
16.5 Supported device types
This chapter lists the device types that SafeGuard Configuration Protection provides for your
selection when building a policy.
For non-storage devices you can restrict the usage of devices on USB, FireWire, and PCMCIA
ports. SafeGuard Configuration Protection provides a selection of built-in types in the Device
Control window to enable you to define which types of devices are approved or blocked. If you
require control of a device type that is not listed here, you can use the Distinct Device restriction
feature described in White Lists - Approving Devices and WLAN Connections.
For storage devices, SafeGuard PortAuditor is in most cases able to identify whether a device is
a storage device or a non-storage device, by detecting its volume or using its embedded class data.
This ability helps categorize and organize device lists into storage devices and simple (non-storage)
devices for your selection, thus enabling you to define your policy more easily. SafeGuard
Configuration Protection provides a selection of built-in types in the Storage Control window to
enable you to define which types of devices will be approved or blocked.
The following device type lists are divided into non-storage devices and storage devices.
16.5.1 Non-storage device types
The following lists the non-storage built-in device types for which a policy can be defined in
SafeGuard Configuration Protection.
Note: Device Control for non-storage devices can only be defined for USB, FireWire, and
PCMCIA ports.
1. Human Interface Device – devices used to control the operation of computer systems.
Typical examples include keyboards and pointing devices, such as: mouse, trackballs, and
joysticks.
2. Printing Devices – Printers connected over USB, PCMCIA, or FireWire.
3. Personal Data Assistants (PDAs) - These include:
a) Windows Mobile / Pocket PC Devices
b) Blackberry Devices
c) Palm OS Devices
4. Mobile Phones – New models of cellular phones, categorized in USB as 'Wireless USB
Devices'.
5. Network Adapters - Communication devices such as: Ethernet network adapters, WLAN
adapters, and USB-connected ADSL and cable modems.
6. Imaging Devices - Primarily devices such as scanners and digital still cameras.
7. Audio/Video Devices - devices such as: microphones, telephones, volume controls, web
cameras, digital camcorders, digital television tuners and digital still-image cameras that
support video streaming.
8. Smartcards - smartcard devices.
9. Content Security Devices - used to provide special security features, such as strong
authentication, biometric identification and software licensing.
16.5.2 Storage device types
Protection of storage devices applies to all non-blocked ports: the restriction applies to the
specified storage device whichever port it is connected to, as long as that port is not defined
as blocked.
Note: Device Control for storage devices can be defined for any port type including, for example,
parallel ports, USB, FireWire, and PCMCIA ports.
The following lists the storage built-in device types that are supported by SafeGuard
Configuration Protection.
- Removable Media – These devices range from storage-only devices, such as USB memory
sticks and SD flash cards, to devices that have a unique purpose but appear to the computer
as a new storage drive, such as portable digital music players, digital cameras and PDAs.
- External Hard Drives – hard disk devices which are externally attached (e.g. via USB).
- CD/DVD Drives – both internally and externally attached.
- Floppy Devices – both internally and externally attached.
- Tape Devices – both internally and externally attached.
17 User-computer assignment
SafeGuard Enterprise manages the information about which users are allowed to log on to a
particular machine in a list which is referred to below as the UMA (User-Machine Assignment).
For a user to be included in the UMA, they must have logged on once to a computer on which
SafeGuard Enterprise has been installed and be registered in the SafeGuard Management Center
as a “full” user in terms of SafeGuard Enterprise. A “full” user is one for whom a certificate has
been generated after the first logon and for whom a key ring has been created. Only then can this
user data be replicated on other computers. After replication, the user can log on to that computer
at the POA.
In the standard setting, the first user to log on to the computer after the installation of SafeGuard
Enterprise is entered in the UMA as the owner of that computer.
This attribute allows the owner, having authenticated at the Power-on Authentication, to
enable other users to log on to that computer (see Importing further users on page 181). Those
users are then also added to the UMA for this computer.
A list is thereby generated automatically which determines which user is allowed to log on to which
computer. This list can be edited in the SafeGuard Management Center.
17.1 User-computer assignment in the SafeGuard Management Center
Users can be allocated to specific computers in the SafeGuard Management Center. If a user is
assigned to a computer in the SafeGuard Management Center (or vice versa) this allocation is
incorporated into the UMA. The user data (certificate, key, etc.) is replicated on this computer
and the user can log on to this computer.
When setting this assignment, the administrator can also specify who can allow other users to log
on to this computer.
Under Type the Management Center indicates how the user was added to the SafeGuard
Enterprise database. Adopted means that the user has been added to the UMA on an endpoint
computer.
Note: If no one is assigned in the Management Center and no user is specified as the owner, the
first user to log on after the installation of SafeGuard Enterprise on the computer is entered as the
owner. This user can then allow further users to log on to this computer, see Importing further
users on page 181.
If users are assigned to this computer in the Management Center at a later date, they can then log
on at the Power-on Authentication. Nevertheless such users must be full users (with existing
certificate and key). The owner of the computer does not need to assign access entitlements in this
case.
The following settings are used to specify who is allowed to add users to the UMA:
- Ownership: If this setting is activated, the user can be registered as the owner of a computer.
- User is Owner: This setting means that this user is entered in the UMA as the owner. Only one
user per computer can be entered in the UMA as the owner, so no further user can be given this
role on the same computer.
The Import of new users allowed for policy setting in policies of the type Specific Machine
Settings determines who is allowed to add further users to the UMA.
Import of new users allowed for:
- Nobody: Even the user entered as the owner cannot add more users to the UMA. The option for
an owner to add further users is switched off.
- Owner (default setting): Users can only be added to the UMA by the owner.
Note: A Security Officer may always add users in the SafeGuard Management Center.
- Everybody: Lifts the restriction that users may only be added by the owner.
Example:
The following example shows how you can assign logon entitlements in the SafeGuard
Management Center to just three users (User_a, User_b, User_c) for Computer_ABC.
First, specify the required behaviour in the SafeGuard Management Center. SafeGuard
Enterprise is installed on all endpoint computers during the night. In the morning, the users
are to log on to the computer with their own logon details.
1. In the SafeGuard Management Center, assign User_a, User_b and User_c to
Computer_ABC (Users & Computers -> select Computer_ABC -> assign users via
drag & drop). You have thereby specified a UMA.
2. In a computer policy, set Import of new users allowed for to Nobody. Since User_a,
User_b and User_c are not allowed to add new users, it is not necessary to specify an owner.
3. Assign the policy to the computer and/or to a point within the directory structure at
which it will be active for the computer.
When the first user logs on to Computer_ABC (see Logging on on page 179), the POA performs
an autologon and the computer policies are sent to the endpoint computer. Since User_a is
included in the UMA, User_a becomes a full user when logging on to Windows: the user's
policies, certificates and keys are sent to the endpoint computer and the POA is activated.
Note: The user can check the status message in the SafeGuard system tray icon (balloon
tool tip) to see when this process has completed.
User_a is now a full user in terms of SafeGuard Enterprise and after this first logon can
authenticate at the POA and is automatically logged on to Windows.
User_a now leaves the computer and User_b wants to log on. As the POA is activated, there
is no more autologon.
User_b and User_c have two options for gaining access to this computer:
a) User_a deactivates the Passthrough Logon to Windows option in the POA logon dialog
and logs on.
b) User_b uses Challenge/Response to log on at the POA.
In both cases, the Windows logon dialog is displayed.
User_b can then enter his or her Windows credentials. The user's policies, certificates and
keys are sent to the endpoint computer and the user is activated in the POA. User_b is now a
full user in terms of SafeGuard Enterprise and after this first logon can authenticate at the
POA and will be automatically logged on.
Although the computer policy specifies that no one can import users to this computer,
User_b and User_c are already in the UMA, so they nevertheless gain “full” user status at
the Windows logon and are activated in the POA.
No other users will be added to the UMA, so no other user will ever be able to authenticate
at the Power-on Authentication. Any users logging on to Windows who are not User_a,
User_b or User_c are excluded from the UMA in this scenario and will never be active in
the POA.
Users can always be added later on in the SafeGuard Management Center. However, their
key ring will not be available until after their first logon, as synchronization is only triggered
by this first logon. After logging on again, the key ring will be available and the users can
access their computers according to the policies that apply. If they have never successfully
logged on to an endpoint computer, they can be added as described above.
Block User
If you activate the check box in the Block User column, the user is no longer allowed to log on to
the relevant computer. Furthermore, if that user is logged on when the policy with this setting
becomes active on the computer, the computer is shut down automatically.
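A small model of the UMA rules described in this chapter, as an added example in Python (illustrative code, not SafeGuard Enterprise's implementation): it encodes the Import of new users allowed for setting (Nobody / Owner / Everybody, with a Security Officer always permitted), owner adoption at the first logon after installation, the rule that only full users listed in the UMA can authenticate at the POA once it is activated, and Block User. It replays the Computer_ABC scenario from the example above and adds a default-policy computer with an empty UMA. All class, function and user names are assumptions; how the Nobody setting interacts with first-logon owner adoption is not stated in the manual, so the model keeps the two independent.

```python
"""UMA model (added example, not SafeGuard code): who may add users, who may log on."""
from dataclasses import dataclass, field
from typing import Optional

NOBODY, OWNER, EVERYBODY = "Nobody", "Owner", "Everybody"   # "Import of new users allowed for"

@dataclass
class UmaEntry:
    user: str
    is_owner: bool = False
    blocked: bool = False      # Block User column in the Management Center
    full_user: bool = False    # certificate and key ring exist (set at the first Windows logon)

@dataclass
class Computer:
    name: str
    import_allowed_for: str = OWNER    # policy default
    poa_activated: bool = False        # POA autologon until the first full user exists
    uma: dict = field(default_factory=dict)

    def owner(self) -> Optional[str]:
        return next((e.user for e in self.uma.values() if e.is_owner), None)

    def may_add_users(self, actor: str, security_officer: bool = False) -> bool:
        """Who may add users to this computer's UMA under the policy setting."""
        if security_officer:           # an SO may always add users in the Management Center
            return True
        if self.import_allowed_for == NOBODY:
            return False
        if self.import_allowed_for == OWNER:
            return actor == self.owner()
        if self.import_allowed_for == EVERYBODY:
            return actor in self.uma
        raise ValueError(f"unknown setting {self.import_allowed_for!r}")

    def assign(self, actor, user, as_owner=False, security_officer=False) -> None:
        if not self.may_add_users(actor, security_officer):
            raise PermissionError(f"{actor} may not add users to {self.name}")
        if as_owner and self.owner() not in (None, user):
            raise ValueError("only one user per computer can be the owner")
        self.uma[user] = UmaEntry(user, is_owner=as_owner)

    def windows_logon(self, user: str, can_be_owner: bool = True) -> bool:
        """True if the user is (now) a full user active in the POA; False if excluded or blocked."""
        entry = self.uma.get(user)
        if entry is None:
            # Standard setting: with nothing assigned and no owner, the first user to log on
            # after installation becomes the owner if "Can be owner".  Assumption: this
            # adoption is modelled independently of the import setting.
            if self.uma or not can_be_owner:
                return False           # excluded: will never be active in the POA
            entry = self.uma[user] = UmaEntry(user, is_owner=True)
        if entry.blocked:
            return False
        entry.full_user = True         # policies, certificate and keys are synchronized
        self.poa_activated = True      # from now on there is no autologon
        return True

    def poa_logon(self, user: str) -> bool:
        """Can this user authenticate at the Power-on Authentication right now?"""
        entry = self.uma.get(user)
        return bool(entry and entry.full_user and not entry.blocked and self.poa_activated)

    def block_user(self, user: str, logged_on_user: Optional[str]) -> bool:
        """Tick Block User; True if the computer shuts down because that user is logged on."""
        self.uma[user].blocked = True
        return logged_on_user == user

def assign_refused(pc: Computer, actor: str, user: str) -> bool:
    try:
        pc.assign(actor, user)
    except PermissionError:
        return True
    return False

def computer_abc_scenario() -> dict:
    """Replays the Computer_ABC example: three assigned users, import allowed for Nobody."""
    pc = Computer("Computer_ABC", import_allowed_for=NOBODY)
    for u in ("User_a", "User_b", "User_c"):
        pc.assign("SO", u, security_officer=True)          # drag & drop in the Management Center
    out = {"a_first_logon": pc.windows_logon("User_a")}    # POA autologon, then POA activated
    out["a_poa"] = pc.poa_logon("User_a")
    out["b_poa_before_windows"] = pc.poa_logon("User_b")   # needs C/R or User_a's help first
    out["b_windows"] = pc.windows_logon("User_b")          # already in the UMA -> full user
    out["b_poa_after"] = pc.poa_logon("User_b")
    out["d_windows"] = pc.windows_logon("User_d")          # not in the UMA -> excluded
    out["d_poa"] = pc.poa_logon("User_d")
    out["a_may_add"] = pc.may_add_users("User_a")          # Nobody: not even an owner could
    out["a_assign_refused"] = assign_refused(pc, "User_a", "User_d")
    out["owner"] = pc.owner()                              # None: no owner was needed
    out["b_block_shutdown"] = pc.block_user("User_b", logged_on_user="User_b")
    out["b_poa_blocked"] = pc.poa_logon("User_b")
    return out

def default_owner_scenario() -> dict:
    """Default policy (Owner) and an empty UMA: the first logon adopts the owner."""
    pc = Computer("Laptop_1")
    out = {"x_first_logon": pc.windows_logon("User_x"), "owner": pc.owner()}
    pc.assign("User_x", "User_y")                          # the owner may add users
    out["y_windows"] = pc.windows_logon("User_y")
    out["y_assign_refused"] = assign_refused(pc, "User_y", "User_z")   # a non-owner may not
    return out

if __name__ == "__main__":
    print(computer_abc_scenario())
    print(default_owner_scenario())
```

The two scenario functions return the decisions as a dictionary so they can be inspected or asserted on; the Computer_ABC replay shows that with Nobody set, users outside the pre-assigned UMA never become active in the POA, while Block User cuts off an already active user and triggers the shutdown if that user is logged on.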
17.1.1 Groups
Computer groups can also be assigned to a user (account) and/or user groups can be assigned to
a computer in the SafeGuard Management Center.
Example: Service account
It is therefore possible, for instance, to use a single service account to service a large number
of computers. For this purpose the computers concerned must be in a single group. This
group is then assigned to a service account (user). The owner of the service account can
then log on to all computers within this group.
Also, by assigning a group containing different users to a specific computer, all of these users
are enabled to log on to that computer in a single step.
17.2 Assignment of user and computer groups
To assign a user to a group of computers, proceed as follows:
Note: You can assign individual users to a computer, or vice versa, using the same process as for
groups.
1. Click Users & Computers.
2. To assign a group of computers to a single user, select the user.
3. Click the Computer tab in the action area.
All computers and computer groups are displayed under Available computers.
4. Drag the selected groups from the list of available computers into the action area.
5. A dialog asks whether the user should be the owner of all these computers.
If no owner is specified in the SafeGuard Management Center, the first user to log on to a
computer is automatically entered as its owner and is then entitled to allow other users to
access this computer. The condition is that the user “Can be owner”.
- Answering Yes means that this user is entered as the owner of these computers and can allow
access to other users.
- Answering No means that the user will not be the owner of these computers.
It is not generally necessary for a service account to be the owner of the computer. This setting
can be changed after the initial assignment.
6. After answering the question, all computers from the assigned group are displayed in the
action area.
The user can log on to all computers assigned in this way.
A user group can be assigned to a single computer using the same process.
18 Tokens and smartcards
Tokens and smartcards are hardware components that help an authorized user with the
authentication process on a computer system. They can be used to store certificates, digital
signatures and biometric details. The data stored on them is protected against manipulation.
Nowadays, authentication using a user name and password often no longer meets the customer's
need for the best possible protection against unauthorized access. So, as an alternative and to
improve security, SafeGuard Enterprise provides logon using tokens and smartcards. Token
logon is based on the principle of two-factor authentication: a user possesses a token (possession),
but can only use it if they know the associated PIN (knowledge). When a token or smartcard is
used, users therefore only need the token and a PIN for authentication.
Note: From SafeGuard Enterprise's perspective, smartcards and tokens are treated in the same
way. So the terms “token” and “smartcard” can be understood as the same thing in the product
and in the manual.
Tokens are supported:
- in the Power-on Authentication
- at operating system level
- to log on to the Management Center
When a token is issued to a user, data such as the manufacturer, type, serial number, logon data
and certificates are stored in the SafeGuard Enterprise database. Tokens are identified by their
serial number and thereby recognized in SafeGuard Enterprise.
This gives important benefits:
- It is evident which tokens are in circulation and which users they are assigned to.
- It is evident when they were issued.
- If a token is lost, the Security Officer can identify it and block it for authentication. This
prevents the misuse of data.
However, the Security Officer can use Challenge/Response to temporarily allow logon without a
token, e.g. if a user has forgotten their PIN.
18.1 Smartcards
To be able to use a smartcard with SafeGuard Enterprise, a card reader and a card driver for the
PC are both required as well as the smartcard. Also, for the smartcards and card readers to
communicate with SafeGuard Enterprise certain middleware, in the form of a PKCS#11 module,
is required.
18.1.1 Smartcards and smartcard readers/drivers
SafeGuard Enterprise supports non-cryptographic and cryptographic logon procedures with
Power-on Authentication. With non-cryptographic smartcards, user ID and password are stored
on the card. Cryptographic smartcards authenticate using RSA key pairs (certificates) stored on
the card.
Windows
- At the Windows operating system level, PC/SC-compatible card readers are supported. The
PC/SC interface regulates the communication between the PC and the smartcard. Many of these
card readers are already part of the Windows installation.
- Smartcards require PKCS#11-compatible smartcard drivers if they are to be supported by
SafeGuard Enterprise.
Power-on Authentication
- With Power-on Authentication, the PC/SC interface is supported, which regulates the
communication between PC and smartcard. The supported smartcard drivers are a fixed
implementation and users cannot add other drivers. The appropriate smartcard drivers have
to be enabled by means of a policy in SafeGuard Enterprise.
- The interface for smartcard readers is standardized: many card readers have a USB or
ExpressCard/54 interface and implement the CCID standard. In SafeGuard Enterprise, CCID
support is a prerequisite for a reader to be supported in the Power-on Authentication. In
addition, on the driver side, the PKCS#11 module has to be supported.
Refer to the Release Notes for a detailed list of all the supported smartcards, smartcard readers
and smartcard drivers.
18.1.2 Supported smartcards with Power-on Authentication
SafeGuard Enterprise supports a large number of smartcards and smartcard readers, plus
common smartcard drivers, with Power-on Authentication. SafeGuard Enterprise supports tokens
and smartcards that support 2048-bit RSA operations. As support for smartcards is enhanced
from release to release, the tokens and smartcards supported in the current version of SafeGuard
Enterprise are listed in the Release Notes.
18.1.3 Supported middleware
The middleware in the list below is supported via the relevant PKCS#11 module. PKCS#11 is a
standardized interface for connecting cryptographic tokens/smartcards to different software.
Here, it is used for the communication between the cryptographic token/smartcard, the smartcard
reader and SafeGuard Enterprise.

Manufacturer               Middleware
ActivIdentity              ActivClient
Aladdin                    eToken PKI Client
AET                        SafeSign Identity Client
Charismatics               Smart Security Interface
RSA                        RSA Authentication Client 2.x
                           RSA Smart Card Middleware 3.x
Siemens                    CardOS API
A-Trust                    a.sign Client
Gemalto                    Gemalto .NET Card
                           Gemalto Classic Client
                           Gemalto Access Client
IT Solution GmbH           IT Solution trustWare CSP+
Sertifitseerimiskeskus AS  Estonian ID Card
T-Systems                  NetKey 3.0
License information for Siemens and Charismatics:
Note that the use of the respective middleware for the standard operating system requires a
license agreement with Siemens Medical/Charismatics. To obtain licenses, please contact:
- Global Siemens Healthcare Headquarters
Siemens AG
Healthcare Sector
Henkestrasse 127
D-91052 Erlangen
Federal Republic of Germany
Tel.: +49 69 797 6602
- http://www.charismathics.com/cryptoshop/shop_content.php
or
[email protected]
The middleware is set using a policy in SafeGuard Enterprise. The SafeGuard Enterprise Client
configuration package must also be installed on the PC on which the Management Center is
running.
18.2 USB tokens
Like smartcards, USB tokens consist of a smartcard reader and a smartcard, both units being
located in a single casing.
18.2.1 Supported USB tokens with Power-on Authentication
SafeGuard Enterprise supports a wide range of USB tokens. As a prerequisite, the smartcard used
must be supported by the Power-on Authentication of SafeGuard Enterprise and the respective
drivers must be supported as well. The USB tokens also have to be supported by the relevant
middleware.
As support for tokens is enhanced from release to release, the tokens and smartcards supported
in the respective version of SafeGuard Enterprise are listed in the Release Notes.
18.3 Working with tokens
Proceed as follows in order to be able to use tokens for authentication:
1. Initialize empty tokens.
2. Issue tokens for users and security officers.
3. Write certificates and keys to the tokens.
4. Define policies for tokens.
You can also use tokens that already hold data from a different application, provided that there
is enough storage space left on them for the certificates and logon information.
SafeGuard Enterprise provides the following features so that you can easily administer tokens:
- Display and filter token information
- Initialize, change, reset and block PINs
- Read and delete token data
- Block token
18.4 Initializing a token
Before an “empty”, unformatted token can be issued to a user in SafeGuard Enterprise, it needs
to be prepared for use, i.e. initialized, according to the instructions provided by the token
manufacturer. During initialization, basic information, e.g. the standard PIN, is written to it. The
token manufacturer's initialization software is used to do this.
Please refer to the token manufacturer concerned for more information.
18.4.1 Installing middleware on the endpoint computer
Next install the correct middleware, both on the PC which the SafeGuard Management Center is
running on and the relevant user PC, see Supported middleware on page 176.
18.4.2 Activating middleware (PKCS#11 module)
Before issuing the token you need to assign the correct middleware, in the form of its PKCS#11
module, by defining a policy in the SafeGuard Management Center. You should do this both for
the computer on which the SafeGuard Management Center is running and for the user PC. Only
then can SafeGuard Enterprise communicate with the token. You define the setting for the
PKCS#11 module in a policy as follows.
Prerequisite: the middleware is installed on the relevant PC and the token has been initialized.
The SafeGuard Enterprise Client configuration package must also be installed on the PC on which
the Management Center is running.
In the SafeGuard Management Center, click Policies.
1. Plug the token into the USB interface. SafeGuard Enterprise reads in the token.
2. Create a new policy of the type Specific Machine Settings or select an existing policy of this
type.
3. In the work area on the right-hand side, under Token support settings > Module Name,
select the appropriate middleware. Save the settings.
4. Assign the policy.
SafeGuard Enterprise can now communicate with the token and administer it. The token
can now be issued.
Note: If the token is not read in, first confirm that the middleware's PKCS#11 module itself sees
the token, for example by listing its slots with a generic PKCS#11 tool such as OpenSC's
pkcs11-tool (pkcs11-tool --module <path to the PKCS#11 DLL> --list-slots). This check is
independent of SafeGuard Enterprise and is not part of the procedure above.
18.5 Issuing a token
When a token is issued in SafeGuard Enterprise, data is written to the token which is then used
for authentication. This data consists of credentials and certificates.
In SafeGuard Enterprise, tokens can be issued for these user roles:
- Tokens for normal users
- Tokens for Security Officers (SO)
Both the user and the Security Officer (SO) can access the token. The user is the person who
should use the token. Only the user can access private objects and keys. The SO can only access
public objects, but can reset the user's PIN.
18.5.1 Issuing a token or smartcard to a user
Prerequisite: The token must be initialized and the relevant PKCS#11 module must be activated.
The SafeGuard Enterprise Client configuration package must also be installed on the PC on which
the Management Center is running.
Open the Management Center and click Users & Computers.
1. Connect the token to the USB interface. SafeGuard Enterprise reads in the token.
2. Mark the user for whom a token is to be issued, and open the Token Data tab in the work area
on the right-hand side.
3. In the Token Data dialog, proceed as follows:
a) Select the user ID and domain of the user selected and enter your Windows password.
b) Click Issue Token.
4. In dialog Issue Token select the appropriate slot for the token.
5. Issue a new User PIN and repeat the entry.
6. Under SO PIN enter the standard PUK received from the manufacturer or the PIN issued
when the token was initialized.
Note: If you only fill in the User PIN (required) field, the user PIN must match the PIN which
was issued when the token was initialized. You then have no need to repeat the user PIN or input
a SO PIN.
7. Click Issue token now.
The token is issued, the logon information written on the token and the token information saved
in the SafeGuard Enterprise database. You can display the data in the Token area in tab Token
Information.
18.5.2 Issuing a token or smartcard to a Security Officer
When SafeGuard Enterprise is installed for the first time, the first Security Officer (SO) already
has the option of having themselves issued with a token and specifying the logon mode (see
Installation Guide). For all other security officers, a token is issued in the SafeGuard Enterprise
Management Center.
Prerequisite: The token must be initialized and the relevant PKCS#11 module must be activated.
You need the rights to be able to make entries for the SO.
In the SafeGuard Management Center, click Security Officers.
1. Connect the token to the USB interface. SafeGuard Enterprise reads in the token.
2. In the navigation window on the left, mark Security Officer and in the context menu select
New > New Officer.
3. If the SO is to authenticate either with or without a token, in the work area on the right-hand
side activate Token logon: Optional.
4. If the SO is to authenticate only with the token, activate Token logon: Mandatory. With this
setting, the private key remains on the token. The token must then always be plugged in;
otherwise the system will need to be rebooted.
5. If you wish to create a new certificate, click Create. Enter the password for the certificate twice
and confirm with OK. Specify the location for saving the certificate.
6. If you wish to import certificates, click Import. Open the relevant certificate file. The search
is made first in the certificate file, then on the token. The certificates can remain wherever they
are stored.
7. Activate the roles and domains that are to be assigned to the SO.
8. Confirm the entries with OK.
The SO is created, the token is issued, the logon data is, depending on the setting, written on the
token, and the token information is saved in the SafeGuard Enterprise database. You can display
the data in the Token area in tab Token Information.
18.6 Putting certificates on a token or smartcard
Not only logon information but also certificates can be written to a token. Only the private part of
the certificate (.p12 file) is saved on the token. However, users can then normally only access
their private key when logging on with the token. It is recommended that PKI certificates are
used.
You can assign authentication data to different types of token:
- by generating certificates directly on the token
- by assigning data which is already on the token
- by importing certificates from a file
Note: CA certificates cannot be obtained from a token and stored in the database or certificate
store. If you wish (or need) to use CA certificates, these need to be available in file form and not
just on a token. This also applies to CRLs (Certificate Revocation Lists).
Moreover, the CA certificates must match the CRL on the token before users can log on to the
computers concerned. Check that the CA certificate and the CRL are correct and belong together:
SafeGuard Enterprise does not carry out this check!
SafeGuard Enterprise can then only communicate with expired certificates if the old and new keys
are present on the same card.
18.6.1 Generating certificates with tokens
You can generate new certificates straight from the token if, for example, there is no certificate
structure present.
Note: If only the private part of the certificate is written on to the token, the user can only access
their private key with the token. The private key then only resides on the token. If the token is lost,
the private key can no longer be accessed.
Prerequisite: The token is issued.
In the SafeGuard Management Center, click Users & Computers.
1. Plug the token into the USB interface. SafeGuard Enterprise reads in the token.
2. Mark the user for whom a certificate is to be generated, and open the Certificate tab in the
work area on the right-hand side.
3. Click Generate and assign certificate by token. Note that the key length must be one that
the token supports.
4. Select the slot and enter the token PIN. Click Create.
The token generates the certificate and assigns it to the user.
18.6.2 Assigning token certificates to a user
If there are already certificates on the token which you wish to assign to the user, proceed as
follows:
Prerequisite: The token is issued.
In the SafeGuard Management Center, click Users & Computers.
1. Plug the token into the USB interface. SafeGuard Enterprise reads in the token.
2. Mark the user for whom you want to assign a certificate, and open the Certificate tab in the
work area on the right-hand side.
3. Click the Assign a certificate from a token icon in the SafeGuard Management Center
toolbar. Select the relevant certificate from the list and enter the token's PIN.
4. Confirm with OK.
The certificate is assigned to the user.
18.6.3 Putting a certificate from a file onto the token
If you want to add the private part of the certificate (.p12 file) from a file to the token, proceed as
follows:
Prerequisite: The token is issued.
In the SafeGuard Management Center, click Tokens.
1. Plug the token into the USB interface. SafeGuard Enterprise reads in the token.
2. Mark the token to which you want to add the private part of the certificate and, in the work
area on the right, open the Logon Information & Certificates tab.
3. Click the P12 to token icon in the SafeGuard Management Center toolbar. Select the relevant
certificate file.
4. Enter the token's PIN and the password for the .p12 file and confirm with OK.
The private part of the certificate is added to the token. Now you need to assign it to a user, see
Assigning token certificates to a user on page 184.
Note: For a token with Kerberos support you need to use this procedure. The certificate must
be recognized by SafeGuard Enterprise and added to the token. If there is already an
auto-generated certificate, the imported certificate will overwrite it.
18.7 Assigning policies for tokens
When you assign policies you can specify other token options. These relate to:
- PINs
- Logon mode
- Defining token PINs for POA autologon
- What happens when the status of the token is no longer recognized
- Unblocking the token
- The middleware to be used (PKCS#11 module)
18.8 Using tokens to log on at the Power-on Authentication
To log on at the Power-on Authentication using a token, proceed as follows:
Prerequisite: USB support must be enabled in the BIOS, token support must be initialized, and a
token must have been issued for you.
1. Plug the token into the USB interface.
2. Switch on the PC and wait until the Power-on Authentication logon prompt appears.
3. Enter the token PIN.
You are logged on to SafeGuard Enterprise.
Logon mode at the Power-on Authentication
There are two ways of logging on using a token. A combination of both logon methods is possible.
- Logging on with user ID/password
- Logging on with token
When logging on with a token/smartcard, you can select either the non-cryptographic method
or the Kerberos (cryptographic) method. With Kerberos, Challenge/Response procedures are
not possible, as there is no logon information available in the POA.
The security officer specifies the method to be used for users and computers in a policy of type
Authentication.
18.9 Enabling POA autologon with default token PINs
With a default token PIN distributed by policy, automatic user logon can be achieved at the
Power-on Authentication. This saves issuing each single token separately and enables users to
log on automatically at the Power-on Authentication without any user interaction.
When a token is used at logon and a default PIN is assigned to the computer, the user is passed
through at the Power-on Authentication without having to enter any PIN. Note that this removes
the knowledge factor from the POA logon: possession of the token alone is then sufficient to pass
the Power-on Authentication on such computers.
As a security officer you may set the specific PIN in a policy of type Authentication and assign it
to different computers or computer groups, for example to all computers residing in the same
location.
To enable autologon with a default token PIN, proceed as follows:
1. In the SafeGuard Management Center, click Policies.
2. Select a policy of type Authentication.
3. Under Logon Options in Logon mode, select Token.
4. In PIN used for autologon with token, specify the default PIN to be used for autologon. PIN
rules do not need to be observed in this case.
Note: This setting is only available if you select Token as the Logon mode.
5. In Pass-through to Windows set Disable pass-through to Windows. If you do not select this
setting when a default PIN is specified, you will not be able to save the policy.
If you want to enable the Pass-through to Windows option, you can later create another
policy of type Authentication with this option enabled and assign it to the same computer
group, so that the RSOP finally has both policies active.
6. Optionally specify further token settings.
7. Save your settings and assign the policy to the relevant computers or computer groups.
If the autologon on the endpoint computer has been successful, Windows will be started.
If the autologon on the endpoint computer has failed, the user will be prompted to enter the token
PIN at the Power-on Authentication.
18.10 Initializing, changing and blocking PINs
If you are a Security Officer, you can change both the user PIN and the SO PIN, and also force the
user PIN to be changed. This is usually required when a token is first issued. You can also initialize
PINs (i.e. issue them anew) and block them.
You can use policies to specify other PIN options for the endpoint computer.
Note: When changing a PIN, note that some token manufacturers specify their own PIN rules
which may contradict SafeGuard Enterprise PIN rules. So it may not be possible to change a PIN
in the way you want, even if it complies with the SafeGuard Enterprise PIN rules. So you should
always refer to the token manufacturer's PIN rules. These are displayed in the Token area under
Token Information in the Management Center.
PINs are managed in the Management Center under Tokens. The token must be plugged in and
selected in the navigation window on the left.
18.10.1 Initializing user PIN
Prerequisite: The SO PIN must be known.
1. To issue the user PIN anew, click the Initialize user PIN icon. Enter the SO PIN.
2. Enter the new user PIN, repeat the entry and confirm with OK.
The user PIN is initialized.
18.10.2 Changing an SO PIN
Prerequisite: The previous SO PIN must be known.
1. To change the SO PIN, click the Change SO PIN icon in the SafeGuard Management Center
toolbar.
2. Enter the old SO PIN.
3. Enter the new SO PIN, repeat the entry and confirm with OK.
The SO PIN is changed.
18.10.3 Changing a user PIN
Prerequisite: The user PIN must be known.
1. To change the user PIN, click the Change user PIN icon in the SafeGuard Management
Center toolbar.
2. Enter the old and the new user PIN, repeat the new user PIN, and confirm with OK.
The user PIN is changed. If you have changed the PIN for another user, inform them of the
change.
18.10.4 Forcing PIN change
To force a PIN change proceed as follows:
1. Click the Force PIN change icon in the SafeGuard Management Center toolbar.
The next time the user logs on with the token, they will have to change their user PIN.
18.10.5 PIN history
The PIN history can be deleted. To do this, click the Delete PIN history icon in the SafeGuard
Management Center toolbar.
18.11 Managing tokens and smartcards
In the Tokens area of the Management Center, the Security Officer can: get an overview of tokens
and certificates that have been issued; filter overviews; block tokens for authentication; and read
or delete the data on a token.
18.11.1 Displaying token/smartcard information
If you are a Security Officer you can display information about all or individual tokens that have
been issued, and filter overviews.
Prerequisite: The token must be plugged in.
In the SafeGuard Management Center, click Tokens.

Information about an individual token:
Mark the token concerned under Token Slots. The manufacturer, type, serial number,
hardware details and PIN rules are displayed under Token Information. You can also see
which user the token is assigned to.

Overview of tokens:
Mark Issued Tokens. You can display all the tokens that have been issued or filter the
overview by user. The token's serial number, the assigned users and the issue date are
displayed. You can also see if the token is blocked.
18.11.2 Reading token/smartcard information
If you are a Security Officer you can use the user PIN issued for the token to see what data is on
the token.
Prerequisite: The token must be plugged in. The Security Officer must know the user PIN, or the
PIN must be initialized first (see Initializing user PIN on page 187).
In the SafeGuard Management Center, click Tokens.
1. On the left of the navigation area, under Token Slots, mark the token concerned and select the
Logon Information & Certificates tab.
2. Click the Get user credentials icon and enter the user PIN for the token.
The data on the token is displayed.
18.11.3 Deleting token/smartcard information
If you are a Security Officer you can delete the information that has been written on the token by
SafeGuard Enterprise.
Prerequisite: The token must be plugged in.
In the SafeGuard Management Center, click Tokens.
1. Mark the token concerned under Token Slots on the left of the navigation area.
2. Click the Wipe token icon in the SafeGuard Management Center toolbar.
3. Enter the SO PIN that was assigned to the token and confirm with OK.
All data managed by SafeGuard Enterprise is deleted. Certificates remain on the token.
The user PIN is reset to 1234.
Wiped tokens are automatically removed from the list of issued tokens.
18.11.4 Blocking token or smartcard
If you are a Security Officer you can block tokens. This is useful, e.g., if a token has been lost.
In the SafeGuard Management Center, click Tokens.
1. Mark Issued Tokens on the left of the navigation area.
2. Mark the token to be blocked and click the Block token icon in the SafeGuard Management
Center toolbar.
The token is blocked for authentication and the assigned user can no longer use it to log on. The
token can only be unblocked with the SO PIN.
19 SafeGuard Data Exchange
SafeGuard Data Exchange is used to encrypt data stored on removable media connected to a
computer and to exchange this data with other users. All encryption and decryption processes
run transparently and involve minimal user interaction.
Only users who have the appropriate keys can read the contents of the encrypted data. All
subsequent encryption processes run transparently.
In central administration, you define how data on removable media are handled.
As a security officer you define the specific settings in a policy of the type Device Protection with
Device protection target: Removable Media.
SafeGuard Data Exchange requires file-based encryption.
Group Keys
To exchange encrypted data between users, SafeGuard Enterprise group keys have to be used. If
the group key is in the users’ key rings, the users get full transparent access to removable media
connected to their computers.
On computers without SafeGuard Enterprise, the encrypted data on removable media cannot be
accessed, except through the centrally defined domain/group key, which can be used together with
the media passphrase.
Note: To use or share encrypted data on removable media with computers or users that do not
have SafeGuard Enterprise, SafeGuard Portable can be used. SafeGuard Portable requires the
use of local keys or a media passphrase.
Local Keys
SafeGuard Data Exchange supports encryption using local keys. Local keys are created on the
computers and can be used to encrypt data on removable media. They are created by entering a
passphrase and are backed up in the SafeGuard Enterprise database.
Note: By default a user is allowed to create local keys. If users should not be able to do so,
you have to disable this option explicitly in a policy of the type Device Protection with
Device protection target: Local Storage Devices (General Settings > User is allowed to create
local key: No).
If local keys are used to encrypt files on removable media, these files can be decrypted using
SafeGuard Portable on a computer without SafeGuard Data Exchange. When the files are opened
with SafeGuard Portable the user is prompted to enter the passphrase that was specified when the
key was created. If the user knows the passphrase they can open the file.
Using SafeGuard Portable every user who knows the passphrase can get access to an encrypted
file on removable media. This way it is also possible to share encrypted data with partners, who
do not have SafeGuard Enterprise. They only need to be provided with SafeGuard Portable and
the passphrase for the files they should have access to.
If different local keys are used to encrypt files on removable media, you can even restrict access
to files. For example: You encrypt the files on a USB stick using a key with passphrase my_localkey
and encrypt a single file named ForMyPartner.doc using the passphrase partner_localkey. If you
give the USB stick to a partner and provide them with the passphrase partner_localkey, they will
only have access to ForMyPartner.doc.
Note: By default SafeGuard Portable is automatically copied to all removable media connected
to the system. If you do not want SafeGuard Portable to be automatically copied to removable
media, deactivate the Copy SG Portable to Removable Media option in a policy of the type
Device Encryption.
Media passphrase
SafeGuard Data Exchange additionally allows you to require that one single media passphrase be
created on each computer for all removable media (except optical media). In SafeGuard Portable,
the media passphrase provides access to the centrally defined domain/group key as well as to all
local keys used on the media. The user only has to enter one passphrase and gets access to all
encrypted files in SafeGuard Portable, regardless of the local key used for encryption.
On every computer a unique Media Encryption Key for data encryption is automatically created
for each device. This key is protected with the media passphrase and a centrally defined domain/
group key. On a computer with SafeGuard Data Exchange it is therefore not necessary to enter
the media passphrase to access encrypted files on the removable media. Access is granted
automatically if the appropriate key is part of the user’s key ring.
The domain/group key to be used has to be specified under Defined key for encryption.
Media passphrase functionality is available when the User may define a Media Passphrase for
devices option is activated in a policy of the type Device Protection.
When this setting becomes active on the computer, the user is automatically prompted to enter a
media passphrase when they connect removable media for the first time. The media passphrase is
valid on every computer the user is allowed to log on to. The user may also change the media
passphrase; it is synchronized automatically when the passphrase known on the computer and
the media passphrase of the removable media are out of sync.
If the user forgets the media passphrase, they can recover it themselves without involving the
Help Desk.
Note: To enable the media passphrase activate the User may define a Media Passphrase for
devices option in a policy of the type Device Encryption.
Media passphrase and unmanaged endpoint computers
On an unmanaged endpoint computer (i.e. a computer operating in standalone mode) without the
media passphrase feature activated, no keys are available after installation has been completed,
since unmanaged endpoint computers only use local keys. Before encryption can be used, the user
has to create a key.
If the media passphrase feature is activated in a removable media policy for these computers,
the media encryption key is created automatically on the computer and can be used for
encryption immediately after installation has been completed. It is available as a predefined key
in the user's key ring and is displayed as <user name> in dialogs for key selection.
If available, the media encryption keys will also be used for all initial encryption tasks.
19.1 Best practice
This section describes some typical use cases for SafeGuard Enterprise and how to implement
them by creating the appropriate policies.
Bob and Alice are two employees of the same company and have SafeGuard Data Exchange
installed; Joe is an external partner and does not have SafeGuard Enterprise installed on his PC.
19.1.1 Company internal use only
Bob wants to share encrypted data on removable media with Alice. Both belong to the same group
and therefore have the appropriate group key in their SafeGuard Enterprise key ring. As they are
using the group key they can access the encrypted files transparently without the need to enter a
passphrase.
You have to specify the settings in a policy of the type Device Protection\Removable Media:

Media Encryption Mode: File based

Key to be used for encryption: Defined key on list

Defined key on list: <group/domain key > (e.g. [email protected]=...)
to ensure that both share the same key
If company policies additionally define that all files on removable media have to be encrypted in
any situation, add the following settings:

Initial encryption of all files: Yes
Ensures that files on removable media are encrypted as soon as the media is connected to the
system for the first time.

User may cancel initial encryption: No
The user cannot cancel initial encryption, for example to postpone it.

User is allowed to access encrypted files: No
If plain files on removable media are detected, access to them will be denied.

User may decrypt files: No
The user is not permitted to decrypt files on removable media.

Copy SG Portable to Removable Media: No.
As long as data on removable media is shared within the workgroup, SafeGuard Portable is
not necessary. Also, SafeGuard Portable would allow files to be decrypted on computers without
SafeGuard Enterprise.
The users can share data just by exchanging their devices. When they connect the devices to their
computers they have transparent access to encrypted files.
Note: This use case can also be covered by SafeGuard Enterprise Device Encryption, where the
whole removable device is encrypted sector-based.
19.1.2 Home office or personal use on 3rd party PCs
Home office:
Bob wants to use his encrypted removable media on his home PC, where SafeGuard Enterprise is
not installed. On his home PC Bob decrypts files using SafeGuard Portable. By defining one
media passphrase for all of Bob’s removable media, he only has to open SafeGuard Portable and
enter the media passphrase. Afterwards Bob has transparent access to all encrypted files
regardless of the key used to encrypt them.
Personal use on 3rd party PCs:
Bob plugs the removable device into Joe's (the external partner's) computer and enters the media
passphrase to get access to the encrypted files stored on the device. Bob can now copy the files, either encrypted or unencrypted, to Joe's computer.
Behavior on endpoint computer

Bob plugs in the removable device for the first time.

The Media Encryption Key, which is unique for each device, is created automatically.

Bob is prompted to enter the media passphrase for offline use via SG Portable.

There is no need to bother the user with knowledge about keys to be used or the key ring. The
Media Encryption Key will always be used for data encryption without any user interaction.
The Media Encryption Key is not even visible to the user; only the centrally defined group/
domain key is.

Bob and Alice within the same group or domain have transparent access since they share the
same group/domain key.

If Bob wants to access encrypted files on a removable device on a computer without SafeGuard
Data Exchange, he can use the media passphrase within SafeGuard Portable.
You have to specify the settings in a policy of the type Device Protection\Removable Media:

Media Encryption Mode: File based

Key to be used for encryption: Defined key on list

Defined key on list: <group/domain key > (e.g. [email protected]=...)
to ensure that both share the same key.

User may define (media) passphrase: Yes
The user defines one media passphrase on their computer which is valid for all their removable
media.

Copy SafeGuard Portable to removable media: Yes
SafeGuard Portable gives the user access to all encrypted files on the removable media by
entering a single media passphrase on the system without SafeGuard Data Exchange.
If the company policies additionally define that all files on removable media have to be encrypted
in any situation, add the following settings:

Initial encryption of all files: Yes
Ensures that files on removable media are encrypted as soon as the media is connected to the
system for the first time.

User may cancel initial encryption: No
The user cannot cancel initial encryption, for example to postpone it.

User is allowed to access encrypted files: No
If plain files on removable media are detected, access to them will be denied.

User may decrypt files: No
The user is not permitted to decrypt files on removable media.
At work, Bob as well as Alice have transparent access to encrypted files on removable media. At
home or on 3rd party PCs, they can use SafeGuard Portable to open encrypted files. The users
only have to present the media passphrase and have access to all encrypted files. This is a simple
but effective way to encrypt data on every removable media. The goal of this configuration is to
reduce user interaction to a minimum but to encrypt each and every file on removable media as
well as give the users access to the encrypted files in offline mode. The user is not permitted to
decrypt files on removable media.
Note: In this configuration users are not allowed to create local keys since it is not necessary for
that use case. This has to be specified in a policy of the type Device Protection with
Device protection target: Local Storage Devices (General Settings > User is allowed to create
local key: No).

Copy SafeGuard Portable to Removable Media: No.
As long as data on removable media is shared in the work group, SafeGuard Portable is not
necessary. Also, SafeGuard Portable would allow files to be decrypted without SafeGuard
Enterprise.
At work the user has transparent access to encrypted files on removable media. At home they use
SafeGuard Portable to open encrypted files. The user only has to present the media passphrase
and has access to all encrypted files, regardless of the key used for encrypting them.
19.1.3 Share removable media with external party
Bob wants to hand out an encrypted device to Joe (external party), who does not have SG Data
Exchange installed and therefore has to use SG Portable. Assuming that Bob does not want
to give Joe access to all encrypted files on the removable media, he can create a local key and
encrypt the files for Joe with this local key. Joe can then use SG Portable and open those encrypted
files with the passphrase of the local key, while Bob can still use the media passphrase to access
any encrypted file on the removable device.
Behavior on computer

Bob plugs in the removable device for the first time.
The Media Encryption Key, which is unique for each device, is created automatically.

Bob is prompted to enter the media passphrase for offline use.

The Media Encryption Key gets used for data encryption without any user interaction, but…

Bob can now create or select a local key (e.g. called JoeKey) for the encryption of specific files
that shall be exchanged with Joe.

Bob and Alice within the same group or domain have transparent access since they share the
same group/domain key.

If Bob wants to access encrypted files on a removable device on a computer without SafeGuard
Data Exchange, he can use the media passphrase within SafeGuard Portable.

Joe can access the specific files by entering the passphrase of the JoeKey without having access
to the whole removable media.
You have to specify the settings in a policy of the type Device Protection\Removable Media:

Media Encryption Mode: File based

Key to be used for encryption: Any key in user key ring
Allows the user to choose different keys for encrypting files on their removable media.

Defined key for encryption: <group/domain key > (e.g. [email protected]=...)
To ensure that the user can share data in their work group and to give them transparent
access to removable media when they connect them to their computer at work.

User may define a Media Passphrase for devices: Yes
The user defines one media passphrase on their computer which is valid for all their removable
media.

Copy SafeGuard Portable to removable media: Yes
SafeGuard Portable gives the user access to all encrypted files on the removable media by
entering a single media passphrase on the system without SafeGuard Data Exchange.
If the company policies additionally define that all files on removable media have to be encrypted
in any situation, add the following settings:

Initial encryption of all files: Yes
Ensures that files on removable media are encrypted as soon as the media is connected to the
system for the first time.

User may cancel initial encryption: No
The user cannot cancel initial encryption, for example to postpone it.

User is allowed to access encrypted files: No
If plain files on removable media are detected, access to them will be denied.

User may decrypt files: No
The user is not permitted to decrypt files on removable media.
At work Bob as well as Alice have transparent access to encrypted files on removable media. At
home they can use SafeGuard Portable to open encrypted files by entering the media passphrase.
If Bob or Alice wants to hand out the removable media to a 3rd party PC that does not have
SafeGuard Data Exchange installed, they can use local keys to ensure that the external party can
access only some specific files. This is an advanced configuration, which means more interaction
for the user by allowing them to create local keys on their computer.
Note: A prerequisite for this example is that the user is allowed to create local keys (the default
setting in SafeGuard Enterprise).
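To make the key relationships described in this chapter (Media Encryption Key, domain/group key, media passphrase, local keys) and the scenario in 19.1.3 concrete, here is an added Python model; it is not SafeGuard code. The product's real ciphers and key derivation are not documented on this page, so the model uses PBKDF2 and a constructed HMAC-based stand-in cipher, and it assumes that local keys used on a device are wrapped under that device's Media Encryption Key so that the media passphrase reaches them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

def kdf(passphrase: str, salt: bytes) -> bytes:
    """Passphrase to key. PBKDF2-HMAC-SHA256 and its iteration count are assumptions."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in cipher (HMAC keystream XOR, then an HMAC tag over nonce and body)."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None for a wrong key: the 'access denied' outcome."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

@dataclass
class RemovableDevice:
    """Per-device state: the Media Encryption Key (MEK) wrapped under the group/domain key
    and under the media passphrase; local keys wrapped under the MEK (assumption: this is how
    the media passphrase reaches 'all used local keys'); files tagged with their key label."""
    salt: bytes
    mek_under_group_key: bytes
    mek_under_media_passphrase: bytes
    local_keys: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # label -> (salt, wrap)
    files: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)  # name -> (label, blob)

def provision_device(group_key: bytes, media_passphrase: str) -> RemovableDevice:
    """First plug-in on a SafeGuard Data Exchange computer: create and protect the MEK."""
    mek, salt = os.urandom(32), os.urandom(16)
    return RemovableDevice(salt, seal(group_key, mek), seal(kdf(media_passphrase, salt), mek))

def unwrap_mek(dev, group_key=None, media_passphrase=None) -> Optional[bytes]:
    """Transparent access via the key ring, or SafeGuard Portable via the media passphrase."""
    if group_key is not None:
        return unseal(group_key, dev.mek_under_group_key)
    if media_passphrase is not None:
        return unseal(kdf(media_passphrase, dev.salt), dev.mek_under_media_passphrase)
    return None

def write_file(dev, name, data, mek, local_label=None, local_passphrase=None):
    """Encrypt with the MEK (default) or with a local key created from a passphrase."""
    if local_label is None:
        dev.files[name] = ("MEK", seal(mek, data))
        return
    if local_label not in dev.local_keys:
        lsalt = os.urandom(16)
        dev.local_keys[local_label] = (lsalt, seal(mek, kdf(local_passphrase, lsalt)))
    dev.files[name] = (local_label, seal(kdf(local_passphrase, dev.local_keys[local_label][0]), data))

def read_file(dev, name, group_key=None, media_passphrase=None, local_passphrase=None):
    """Who can open what. Returns the plaintext, or None when access is denied."""
    label, blob = dev.files[name]
    mek = unwrap_mek(dev, group_key, media_passphrase)
    if label == "MEK":
        return None if mek is None else unseal(mek, blob)
    lsalt, wrapped = dev.local_keys[label]
    if local_passphrase is not None:  # a partner who only knows the local key's passphrase
        return unseal(kdf(local_passphrase, lsalt), blob)
    if mek is not None:  # the owner: the MEK also unlocks every local key used on the device
        local_key = unseal(mek, wrapped)
        return None if local_key is None else unseal(local_key, blob)
    return None

def demo() -> Dict[str, Optional[bytes]]:
    """The page's scenario: stick encrypted with my_localkey, one file for the partner."""
    group_key = os.urandom(32)  # constructed stand-in for the centrally defined group/domain key
    dev = provision_device(group_key, "bobs media passphrase")
    mek = unwrap_mek(dev, group_key=group_key)  # Bob at work: the group key is in his key ring
    write_file(dev, "notes.txt", b"internal notes", mek)
    write_file(dev, "report.xls", b"quarterly figures", mek, "my_localkey", "my_localkey")
    write_file(dev, "ForMyPartner.doc", b"for joe", mek, "partner_localkey", "partner_localkey")
    return {
        "alice_at_work": read_file(dev, "notes.txt", group_key=group_key),
        "bob_at_home": read_file(dev, "report.xls", media_passphrase="bobs media passphrase"),
        "joe_partner_doc": read_file(dev, "ForMyPartner.doc", local_passphrase="partner_localkey"),
        "joe_report": read_file(dev, "report.xls", local_passphrase="partner_localkey"),
        "wrong_media_passphrase": read_file(dev, "notes.txt", media_passphrase="guess"),
    }
```

Joe, holding only partner_localkey, opens ForMyPartner.doc and nothing else, while Bob's media passphrase and Alice's group key reach every file, which is the access split the chapter describes.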
20 Power-on Authentication (POA)
SafeGuard Enterprise identifies the user even before the operating system starts up. To do this,
SafeGuard Enterprise's own system core starts first. It is protected against modification
and is stored hidden on the hard disk. Only when the user has been properly authenticated in the
POA is the actual operating system (Windows) started from the encrypted partition, after which
the user is logged on to Windows automatically. The procedure is the same when the computer is
resumed from hibernation (Suspend to Disk).
The SafeGuard Enterprise Power-on Authentication has benefits such as:

a graphical user interface with mouse support and draggable windows, so it is easy to read and
use.

a graphical layout that can be adapted to corporate guidelines (background image, logon
image, welcome message, etc.).

support for many card readers and smartcards

support for Windows user accounts and passwords even pre-boot, no more separate
credentials which the user has to remember

support for Unicode and therefore also foreign language passwords and user interfaces
20.1 Logging on
SafeGuard Enterprise uses certificate-based logon, so users need keys and certificates
to successfully log on at the Power-on Authentication. However, user-specific keys and certificates
are only created after a successful Windows logon. This means that only users who have
successfully logged on to Windows can also be authenticated in the Power-on Authentication.
To clarify how a user logs on in SafeGuard Enterprise, a brief introduction follows. For a detailed
description of the POA logon procedures, refer to the SafeGuard Enterprise User help.
Note: Under Windows Vista users first have to press CTRL+ALT+DEL to start autologon and
logon. The administrator can deactivate this setting in the MMC console in the group policy
object editor under Windows Settings > Security Settings > Local Policies > Deactivate
Security Options (Interactive logon: CTRL+ ALT+DEL not required).
20.1.1 SafeGuard Autologon
When logging on for the first time, SafeGuard Enterprise Autologon appears after starting the
endpoint computer.
What happens?
1. An autouser is logged on.
2. The client is automatically registered on the SGN server.
3. The machine key is sent to the SGN server and stored in the SGN database.
4. Machine policies are sent to the endpoint computer.
20.1.2 Windows logon
The Windows logon dialog appears. The user logs on.
What happens?
1. User ID and the encrypted password are sent to the server.
2. User policies, certificates and keys are created and sent to the endpoint computer.
3. The POA is activated.
20.1.3 POA logon
When the endpoint computer restarts, the POA appears.
What happens?
1. Certificates and keys are available for the user and they can log on at the POA.
2. All the data is securely encrypted with the user's public RSA key.
3. Any other users who want to log on must first be imported to the POA.
20.1.4 Logon delay
On a SafeGuard Enterprise protected computer, a logon delay applies if a user provides incorrect
credentials during authentication at Windows or at the Power-on Authentication. With every
failed logon attempt the delay is increased. After a failed logon a dialog is shown to display the
remaining delay time.
Note: If a user enters an incorrect PIN during token logon, there will be no delay.
You can specify the number of logon attempts allowed in a policy of the type Authentication
using option Maximum no. of failed logons.
20.1.5 Machine lock
In a policy of the type Authentication you can also specify that the computer is to be locked after
the set number of failed logon attempts by setting option Lock Machine to Yes. For unlocking
their computer, users have to initiate a Challenge/Response procedure.
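An added model of the logon delay and machine lock described in 20.1.4 and 20.1.5; this is not SafeGuard code. The page does not state how fast the delay grows, whether a wrong token PIN counts towards the lock, or whether a successful logon resets the counter, so doubling, counting and resetting are assumptions marked in the comments.

```python
from dataclasses import dataclass


@dataclass
class AuthenticationPolicy:
    """The two options from a policy of type Authentication used here; values are constructed."""
    max_failed_logons: int = 3    # "Maximum no. of failed logons"
    lock_machine: bool = True     # "Lock Machine"


LOCKED = "locked"  # returned instead of a delay once the machine is locked


@dataclass
class LogonGuard:
    """Failed-logon state for one endpoint computer (Windows and POA logons alike)."""
    policy: AuthenticationPolicy
    failed: int = 0
    locked: bool = False

    def attempt(self, credentials_ok: bool, method: str = "password"):
        """Returns the delay in seconds to enforce before the next attempt, or LOCKED."""
        if self.locked:
            return LOCKED                      # only a Challenge/Response can unlock
        if credentials_ok:
            self.failed = 0                    # assumption: a successful logon resets the counter
            return 0
        self.failed += 1
        if self.policy.lock_machine and self.failed >= self.policy.max_failed_logons:
            self.locked = True                 # Lock Machine: Yes
            return LOCKED
        if method == "token":
            return 0                           # wrong token PIN: no delay (still counted, an assumption)
        return 2 ** (self.failed - 1)          # growth curve not on the page; doubling is assumed

    def unlock_with_challenge_response(self, response_code_ok: bool) -> bool:
        """The unlock path named on the page; the code exchange itself is out of scope here."""
        if response_code_ok:
            self.locked, self.failed = False, 0
        return not self.locked


def walk_through():
    """Three wrong passwords under the default policy above, then a correct one."""
    guard = LogonGuard(AuthenticationPolicy())
    return [guard.attempt(False), guard.attempt(False), guard.attempt(False), guard.attempt(True)]
```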
20.2 Importing further users
The first user to log on in Windows is automatically registered in the POA. At first, no other
Windows user can log on to the POA.
Further users must be imported with the assistance of the first user. For a detailed description of
importing further users, refer to the SafeGuard Enterprise User help.
A policy setting specifies who is permitted to import a new user. You can find this policy in the
Management Center under
Policy items

Type: Computer-specific

Field: Importing new users allowed for
Default setting: owner
An endpoint computer's owner is specified in the Management Center under
Users & Computers

Mark <endpoint computer name>

Users tab
Note: For unmanaged endpoint computers, i.e., endpoint computers operating in standalone
mode, SafeGuard Enterprise offers POA access accounts. POA access accounts are predefined
local accounts that enable users to log on (POA logon) to endpoint computers after the Power-on
Authentication has been activated to perform administrative tasks. The accounts are defined in
the Users and Computers area of the SafeGuard Management Center (user ID and password)
and assigned to the endpoint computers via POA access groups included in configuration
packages.
Note: For detailed information on POA access accounts, see POA access accounts for POA logon
at unmanaged endpoint computers, page 4.
20.3 Configuring the Power-on Authentication
The POA dialog consists of these components:

Logon image

Dialog text

Language of the keyboard layout
You can alter the look of the POA dialog to suit your preferences using, e.g., policy settings in the
SafeGuard Management Center.
20.3.1 Background and logon image
By default the background and logon images that appear in the POA are in SafeGuard design.
However, different images can be shown, e.g. the company’s logo.
Background and logon images are defined via a policy of the type General Settings.
For usage in SafeGuard Enterprise, background and logon images must fulfill certain
requirements:
Background image
Maximum file size for all background images: 500 KB
SafeGuard Enterprise supports two variants for background images:

1024x768 (VESA mode)
Colors: no restrictions
Option in policy type General Settings: Background image in POA

640x480 (VGA mode)
Colors: 16
Option in policy type General Settings: Background image in POA (low resolution)
Logon image
Maximum file size for all logon images: 100 KB
SafeGuard Enterprise supports two variants for logon images:

413x140
Colors: no restrictions
Option in policy type General Settings: Logon image in POA

413x140
Colors: 16
Option in policy type General Settings: Logon image in POA (low resolution)
Images, information texts and lists have to be created as files (BMP, PNG, JPG or text files) first
and can then be registered in the navigation window.
20.3.1.1 Registering images
To register images do the following:
1. In the Policies navigation area right-click Images and select New > Image.
2. Enter a name for the image in the Image Name field.
3. Click [...] to select the previously created image.
4. Click OK.
The new image will be shown as a subnode of Images in the policy navigation area. If you select
the image, it will be displayed in the action area. The image can now be selected when creating
policies.
Proceed as described to register further images. All registered images will be shown as subnodes.
Note: Using the Modify Image button you can replace the assigned picture. Clicking this
button opens a dialog for selecting a different image.
20.3.2 User defined information text in the POA
You can customize the POA to display the following user-defined information texts:

Information text to be displayed upon initiating a Challenge/Response procedure for logon
recovery (e.g.: “Please contact Support Desk on telephone number 01234-56789.”)
Option in policy type General Settings: Information text

Legal notices to be displayed after logging on to the POA
Option in policy type Specific Machine Settings: Legal notice text

Text for additional information to be displayed after logging on to the POA
Option in policy type Specific Machine Settings: Additional information text
20.3.2.1 Registering information texts
The text files containing the required information have to be created prior to registering them in
the SafeGuard Management Center. The maximum file size for information texts is 50 KB.
SafeGuard Enterprise only uses Unicode UTF-16 coded texts. If you do not create the text files in
this format, they will be automatically converted upon registration.
In case of a conversion process, a message will be displayed indicating that the file is being
converted.
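The image and information-text requirements above (20.3.1 and 20.3.2.1), as an added Python checker that is not SafeGuard code: it reads BMP headers and compares them with the page's variants and size limits, and converts a text file to UTF-16 the way registration would. Assumptions: only BMP is parsed (PNG and JPG are not), non-UTF-16 input is UTF-8, and the 50 KB limit is applied to the converted file; make_bmp builds constructed headers for the demo.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Variants quoted from the page: option name -> (width, height, max colours or None = unrestricted)
BACKGROUND_VARIANTS = {"Background image in POA": (1024, 768, None),
                       "Background image in POA (low resolution)": (640, 480, 16)}
LOGON_VARIANTS = {"Logon image in POA": (413, 140, None),
                  "Logon image in POA (low resolution)": (413, 140, 16)}
MAX_BACKGROUND_TOTAL = 500 * 1024   # "for all background images"
MAX_LOGON_TOTAL = 100 * 1024        # "for all logon images"
MAX_TEXT_SIZE = 50 * 1024           # information texts


def bmp_info(data: bytes) -> Tuple[int, int, Optional[int]]:
    """Width, height and palette size (None for more than 8 bpp) from a BMP file header."""
    if data[:2] != b"BM" or len(data) < 30:
        raise ValueError("not a BMP file")
    width, height = struct.unpack_from("<ii", data, 18)
    bits_per_pixel = struct.unpack_from("<H", data, 28)[0]
    return width, abs(height), (2 ** bits_per_pixel if bits_per_pixel <= 8 else None)


def check_images(images: Dict[str, bytes], variants: dict, max_total: int) -> List[str]:
    """Check a set of BMPs against the page's variants; an empty list means all is fine."""
    problems = []
    total = sum(len(d) for d in images.values())
    if total > max_total:
        problems.append(f"total size {total} B exceeds {max_total} B")
    for option, data in images.items():
        if option not in variants:
            problems.append(f"{option}: unknown policy option")
            continue
        want_w, want_h, max_colours = variants[option]
        w, h, colours = bmp_info(data)
        if (w, h) != (want_w, want_h):
            problems.append(f"{option}: expected {want_w}x{want_h}, got {w}x{h}")
        if max_colours is not None and (colours is None or colours > max_colours):
            problems.append(f"{option}: at most {max_colours} colours, got {colours or 'truecolour'}")
    return problems


def prepare_text(data: bytes) -> Tuple[bytes, List[str]]:
    """Return the UTF-16 form registration expects (BOM-prefixed) plus any size problem."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        converted = data                                   # already UTF-16, no conversion
    else:
        converted = data.decode("utf-8").encode("utf-16")  # assumption: other input is UTF-8
    problems = [] if len(converted) <= MAX_TEXT_SIZE else [
        f"text is {len(converted)} B, limit is {MAX_TEXT_SIZE} B"]
    return converted, problems


def make_bmp(width: int, height: int, bits_per_pixel: int) -> bytes:
    """Constructed BMP header only (pixel data omitted); enough for the header checks above."""
    file_header = b"BM" + struct.pack("<IHHI", 54, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bits_per_pixel, 0, 0, 0, 0, 0, 0)
    return file_header + info_header
```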
To register information texts:
1. In the Policies navigation area right-click Information text and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the previously created text file. If the file needs to be converted, a message
will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Information text in the policy navigation area.
If you select a text item, its contents will be displayed in the window on the right-hand side. The
text item can now be selected when creating policies.
Proceed as described to register further text items. All registered text items will be shown as
subnodes.
Note: Using the Modify Text button, you can add new text to existing text. When clicking this
button a dialog is displayed for selecting another text file. The text contained in this file will be
appended at the end of the existing text.
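A pre-flight check for information text files before registering them, written for this help as an added example (not SafeGuard Enterprise code). It applies the two rules stated above, UTF-16 encoding and a 50 KB maximum, and shows the one case the rules leave implicit: an ASCII file that is under the limit can exceed it once converted to UTF-16. The sample text is constructed.

```python
"""Pre-flight check for a POA information text file: must be UTF-16 and at most 50 KB.
Added example, not SafeGuard Enterprise code; the sample texts are constructed."""
import codecs

MAX_INFO_TEXT_BYTES = 50 * 1024          # 50 KB limit stated for information texts
UTF16_BOMS = (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)


def is_utf16(data: bytes) -> bool:
    """A file counts as UTF-16 here only if it starts with a UTF-16 byte-order mark;
    a BOM-less UTF-16 file cannot reliably be told apart from arbitrary bytes."""
    return data[:2] in UTF16_BOMS


def check_information_text(data: bytes) -> list:
    """Return the problems found; an empty list means the file registers as is."""
    problems = []
    if len(data) > MAX_INFO_TEXT_BYTES:
        problems.append(f"{len(data)} bytes exceeds the {MAX_INFO_TEXT_BYTES} byte limit")
    if not is_utf16(data):
        problems.append("not UTF-16; the Management Center will convert it on registration")
    return problems


def convert_to_utf16(data: bytes, source_encoding: str = "utf-8") -> bytes:
    """Re-encode a text file as UTF-16 LE with BOM (the form Windows Notepad writes
    for 'Unicode'). Files that already carry a UTF-16 BOM are returned unchanged."""
    if is_utf16(data):
        return data
    text = data.decode(source_encoding)
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


def prepare_information_text(data: bytes, source_encoding: str = "utf-8") -> tuple:
    """Convert if needed, then re-check the size: UTF-16 doubles the size of ASCII
    text, so a 30 KB ASCII file that passed the size check is over 50 KB afterwards.
    Returns (converted_bytes, problems)."""
    converted = convert_to_utf16(data, source_encoding)
    return converted, check_information_text(converted)


if __name__ == "__main__":
    # Constructed sample: the help's own example text, saved as UTF-8 without BOM.
    sample = "Please contact Support Desk on telephone number 01234-56789.".encode("utf-8")
    print(check_information_text(sample))
    converted, problems = prepare_information_text(sample)
    print(len(converted), problems)
```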
20.3.3 Language for POA dialog text
After installation of the SafeGuard Enterprise encryption software, the POA dialog text is
displayed in the default language which is set in Windows' Regional and Language Options on the
endpoint computer when installing SafeGuard Enterprise.
After installation, the language in which the POA dialog text is displayed can only be changed via
a policy defined in the SafeGuard Management Center. Changing the default language under
Windows does not affect the language of the POA dialog text.
The language for the POA dialog text is defined via a policy of the type General Settings (option
Language used on Client).
20.3.4 Keyboard Layout
Almost every country has its own keyboard layout, i.e. the keys are assigned differently. The
keyboard layout in the POA is significant when entering user names, passwords and response
code.
As the default, SafeGuard Enterprise adopts the keyboard layout in the POA which is set in
Windows' Regional and Language Options for the Windows default user at the time SafeGuard
Enterprise is installed. If “German” is the keyboard layout set under Windows, the German
keyboard layout will be used in the POA.
The language of the keyboard layout being used is displayed in the POA, e.g. “EN” for English.
Apart from the default keyboard layout, the US keyboard layout (English) can also be used.
There are certain exceptions:
• The keyboard layout is, indeed, supported, but the absence of a font (e.g. for Bulgarian) means
  that only special characters are displayed in the User Name field.
• No specific keyboard layout is available (e.g. Dominican Republic). In these cases, the POA
  falls back on the original keyboard layout. For the Dominican Republic, this is “Spanish”.
Note: All the unsupported keyboard layouts use the US keyboard layout as the default. This also
means that the only characters that are recognized and can be keyed in are those which are
supported in the US keyboard layout. So users can only log on to the POA if their user name and
password is composed of characters that are supported by the US keyboard layout or the
respective fallback keyboard of their language.
20.3.4.1 Virtual keyboard
SafeGuard Enterprise provides a virtual keyboard which users can show/hide at the POA and
click the on-screen keys to enter credentials etc.
As a security officer you can activate/deactivate the display of the virtual keyboard in a policy of
the type Specific Machine Settings using the Virtual Keyboard option.
Virtual keyboard support must be activated/deactivated via a policy setting.
The virtual keyboard will support different layouts and it will be possible to change the layout
using the same options as for changing the POA keyboard layout.
20.3.4.2 Changing the keyboard layout
The Power-on Authentication keyboard layout including the virtual keyboard layout can be
changed retrospectively.
To change the language of the keyboard layout, do as follows:
1. Select Start > Control Panel > Regional and Language Options > Advanced.
2. In the Regional Options tab, select the required language.
3. In the Advanced tab activate option Apply all settings to the current user account and to the
default user profile under Default user account settings.
4. Confirm your settings with OK.
The POA remembers the keyboard layout used for the last successful logon and automatically
enables it for the next logon. This requires two reboots of the endpoint computer. If the
remembered keyboard layout is deactivated via Regional and Language Options, it is still
maintained up to the point where the user selects a different one.
Note: Additionally, it is required to change the language of the keyboard layout for non-Unicode
programs.
If the language you want is not available on the system, Windows may prompt you to install it.
After you have done so you need to reboot the computer twice so that, first, the new keyboard
layout can be read in by the Power-on Authentication and, secondly, the POA can set the new
layout.
You can change the required keyboard layout for the Power-on Authentication using the mouse
or keyboard (Alt+Shift).
You can see which languages are installed and available on the system via Start > Run > regedit >
HKEY_USERS\.DEFAULT\Keyboard Layout\Preload.
20.4 Supported Hotkeys in the Power-on Authentication
Certain hardware settings and functionalities can lead to problems when booting endpoint
computers, causing the system to hang. The Power-on Authentication supports a number of
hotkeys for modifying these hardware settings and deactivating functionalities. Furthermore,
grey and black lists covering functions known to cause problems are integrated in the .msi file
installed on the computer.
We recommend you install an updated version of the POA configuration file prior to any
significant deployment of SafeGuard Enterprise. The file is updated on a monthly basis and made
available to download from here: ftp://POACFG:[email protected]
You can customize this file to reflect the hardware of a particular environment.
Note: When defining a customized file, only this will be used instead of the one integrated in the
.msi file. Only when no POA configuration file is defined or found, the default file will be applied.
To install the POA configuration file, enter the following command:
MSIEXEC /i <Client MSI package> POACFG=<path of the POA configuration file>
For further information see the knowledgebase:
http://www.sophos.com/support/knowledgebase/article/65700.html.
The following hotkeys are supported in the POA:
• Shift F3 = USB Legacy Support (on/off)
• Shift F4 = VESA graphic mode (off/on)
• Shift F5 = USB 1.x and 2.0 support (off/on)
• Shift F6 = ATA Controller (off/on)
• Shift F7 = USB 2.0 support only (off/on)
  USB 1.x support remains as set by Shift F5.
• Shift F9 = ACPI/APIC (off/on)
USB Hotkeys dependency matrix

Shift F3 | Shift F5 | Shift F7 | Legacy | USB 1.x | USB 2.0 | Comment
---------|----------|----------|--------|---------|---------|--------
off      | off      | off      | on     | on      | on      | 3.
on       | off      | off      | off    | on      | on      | Default
off      | on       | off      | on     | off     | off     | 1., 2.
on       | on       | off      | on     | off     | off     | 1., 2.
off      | off      | on       | on     | on      | off     | 3.
on       | off      | on       | off    | on      | off     |
off      | on       | on       | on     | off     | off     |
on       | on       | on       | on     | off     | off     | 2.
1. Shift F5 disables both USB 1.x and USB2.0.
Note: Pressing Shift F5 during boot time will considerably reduce the time the POA is launched.
However, please be aware that if the computer uses a USB keyboard or USB mouse, they might
be disabled when pressing Shift F5.
2. If no USB support is active, the POA tries to use BIOS SMM instead of backing up and
restoring the USB controller. The Legacy mode may work in this scenario.
3. Legacy support is active, USB is active. The POA tries to backup and restore the USB
controller. The system might hang depending on the BIOS version used.
The settings that the hotkeys change can also be specified when installing the SafeGuard
Enterprise encryption software, via a .mst file applied with the appropriate msiexec call. The
following properties are available:
NOVESA
  Defines whether VESA or VGA mode is used.
  0 = VESA mode (standard)
  1 = VGA mode
NOLEGACY
  Defines whether Legacy Support is activated after POA logon.
  0 = Legacy Support activated
  1 = Legacy Support not activated (standard)
ALTERNATE
  Defines whether USB devices are supported by the POA.
  0 = USB support activated (standard)
  1 = no USB support
NOATA
  Defines whether the Int13 device driver is used.
  0 = standard ATA device driver (default)
  1 = Int13 device driver
ACPIAPIC
  Defines whether ACPI/APIC support is used.
  0 = no ACPI/APIC support (default)
  1 = ACPI/APIC support active
20.5 Disabled POA and Lenovo Rescue and Recovery
If the Power-on Authentication is disabled on the computer, the Rescue and Recovery
authentication should be enabled for protection against access to encrypted files from the Rescue
and Recovery environment.
For details on activating the Rescue and Recovery authentication please refer to the Lenovo
Rescue and Recovery documentation.
21 Recovery options
For recovery, SafeGuard Enterprise offers different options that are tailored to different scenarios:
• Logon recovery via Local Self Help
  Local Self Help enables users who have forgotten their password to log on to their computers
  without the assistance of a help desk. Even in situations where neither telephone nor network
  connections are available (for example aboard an aircraft), users can regain access to their
  computers. To log on, they answer a predefined number of questions in the Power-on
  Authentication.
  Local Self Help reduces the number of calls concerning logon recovery, thus freeing the help
  desk staff from routine tasks and allowing them to concentrate on more complex support
  requests.
  For detailed information see Recovery via Local Self Help, page 212.
• Recovery via Challenge/Response
  The Challenge/Response recovery mechanism is a secure and efficient recovery system that
  helps users who cannot log on to their computers or access encrypted data. During the
  Challenge/Response procedure, the user provides a challenge code generated on the endpoint
  computer to the help desk officer who in turn generates a response code that authorizes the
  user to perform a specific action on the computer.
  With recovery via Challenge/Response, SafeGuard Enterprise offers different workflows for
  typical recovery scenarios requiring help desk assistance.
  For detailed information see Recovery via Challenge/Response, page 218.
• System recovery
  SafeGuard Enterprise offers different methods and tools for recovery regarding crucial system
  components and SafeGuard Enterprise components, for example:
  - Corrupted MBR
  - SafeGuard Enterprise kernel problems
  - Volume access problems
  - Windows boot problems
  - GINA problems
  For detailed information see System Recovery, page 245.
22 Recovery via Local Self Help
SafeGuard Enterprise offers Local Self Help for SafeGuard Enterprise protected computers to
enable users who have forgotten their password to log on to their computers without the
assistance of the help desk.
With Local Self Help, users can, for example, regain access to their laptops in situations where
neither telephone nor network connections are available and where they cannot use a Challenge/
Response procedure (for example aboard an aircraft). The user can log on to their computer by
answering a predefined number of questions in the Power-on Authentication.
As a security officer you can define the set of questions to be answered centrally and distribute it
to the computer via a policy. We provide you with a predefined question theme as a template. You
can use this question theme as is or modify it. In the relevant policy, you can also grant the users
the right to define their own questions.
For providing the initial answers and editing the questions, the Local Self Help Wizard is available
on the endpoint computer after the function has been enabled by policy. For a detailed
description of Local Self Help on the endpoint computer refer to the SafeGuard Enterprise User
help, chapter Recovery via Local Self Help.
Local Self Help reduces the number of calls concerning logon recovery, thus freeing the help desk
staff from routine tasks and allowing them to concentrate on more complex support requests.
22.1 Defining Local Self Help settings via policy
You define the settings for Local Self Help in a policy of the type General Settings under Logon
Recovery - Enable Local Self Help. This is where you enable the function to be used on the
endpoint computers and define further rights and parameters.
22.1.1 Enabling Local Self Help
To activate Local Self Help for use on endpoint computers, select Yes in the Enable Local Self
Help field.
After the policy has become effective on the computers, this setting entitles the users to use Local
Self Help for logon recovery. To be able to use Local Self Help, the users now have to activate this
recovery method by answering a specified number from the set of questions received or by
creating and answering their own questions - depending on permission.
For this purpose, the Local Self Help Wizard will be available via the System Tray Icon in the
Windows taskbar after receiving the policy and restarting the computer.
22.1.2 Defining further settings
Besides enabling Local Self Help you can define the following parameters for this function in a
policy of the type General Settings:
• Minimal length of answers
  In this field, define the minimum length of the answers in characters. The default is 1.
• Welcome text under Windows
  In this field you can specify the individual information text to be displayed in the first dialog
  when launching the Local Self Help Wizard on the computer. Prior to specifying the text here,
  it has to be created and registered.
• Users can define their own questions
  There are the following possible scenarios for the definition of questions for Local Self Help:
  - As a security officer you define the questions and distribute them to the users. The users
    are not permitted to define their own questions.
  - As a security officer you define the questions and distribute them to the users. In addition,
    the users are permitted to define their own questions. When answering the minimum
    number of questions required for activating Local Self Help, the users can choose between
    predefined questions and their own questions or use a combination of both.
  - You entitle the users to define their own questions. The users activate Local Self Help on
    their computers by defining and answering their own questions.
  To entitle users to define their own questions, select option Yes in the Users can define their own
  questions field.
22.2 Defining questions
To be able to use Local Self Help on the endpoint computer, the user has to answer and save at
least ten questions. To log on at the Power-on Authentication via Local Self Help, the user has to
answer five questions randomly selected from these ten questions.
If the user is not permitted to define their own questions, you therefore have to transfer at least
ten predefined questions to the computer with the policy to enable the user to activate Local Self
Help.
For registering and editing Local Self Help questions you as a security officer need the right to
Modify selfhelp questions.
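The enrolment and logon rules just described, modelled as an added example (not SafeGuard Enterprise code): at least ten answered questions to activate Local Self Help, five of them chosen at random at the POA, and the minimal answer length from the General Settings policy. Storing only salted answer digests and comparing them in constant time are this example's design choices; the help does not describe how the product stores answers. The question texts and answers are constructed.

```python
"""Model of the Local Self Help rules: ten answered questions to enrol, five random
questions at logon, a policy-defined minimal answer length (default 1). Added example,
not SafeGuard Enterprise code; salted hashing of answers is this example's choice."""
import hashlib
import hmac
import os
import random

QUESTIONS_TO_ENROL = 10   # the user must answer and save at least ten questions
QUESTIONS_AT_LOGON = 5    # the POA asks five of them, selected at random
PBKDF2_ROUNDS = 50_000

# Constructed sample enrolment: ten questions with their answers.
SAMPLE_ANSWERS = {f"Question {i}": f"answer{i}" for i in range(1, 11)}


def answer_digest(salt: bytes, answer: str) -> bytes:
    """Digest of the answer exactly as typed (UTF-8 bytes). The same word entered in a
    different script yields a different digest, which is why the help asks Japanese
    users to answer in Romaji both when enrolling and at the POA."""
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LocalSelfHelp:
    def __init__(self, min_answer_length: int = 1):
        self.min_answer_length = min_answer_length
        self.enrolled = {}   # question text -> (salt, digest); no plaintext answers kept

    def enrol(self, answers: dict) -> None:
        """Activate Local Self Help for the user, or raise ValueError saying why not."""
        if len(answers) < QUESTIONS_TO_ENROL:
            raise ValueError(f"need at least {QUESTIONS_TO_ENROL} answered questions, "
                             f"got {len(answers)}")
        short = [q for q, a in answers.items() if len(a) < self.min_answer_length]
        if short:
            raise ValueError(f"answers shorter than {self.min_answer_length} characters: {short}")
        records = {}
        for question, answer in answers.items():
            salt = os.urandom(16)
            records[question] = (salt, answer_digest(salt, answer))
        self.enrolled = records

    def logon_questions(self) -> list:
        """Choose the five questions the POA presents for this logon attempt."""
        return random.SystemRandom().sample(sorted(self.enrolled), QUESTIONS_AT_LOGON)

    def verify(self, given: dict) -> bool:
        """Grant logon only if exactly five enrolled questions are all answered correctly.
        Every digest is checked even after a mismatch so timing does not reveal which failed."""
        if len(given) != QUESTIONS_AT_LOGON or not set(given) <= set(self.enrolled):
            return False
        ok = True
        for question, answer in given.items():
            salt, stored = self.enrolled[question]
            ok &= hmac.compare_digest(stored, answer_digest(salt, answer))
        return ok


if __name__ == "__main__":
    lsh = LocalSelfHelp(min_answer_length=3)
    lsh.enrol(SAMPLE_ANSWERS)
    asked = lsh.logon_questions()
    print(asked)
    print(lsh.verify({q: SAMPLE_ANSWERS[q] for q in asked}))
```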
22.2.1 Using the template
For Local Self Help a predefined question theme is available. By default, this question theme is
available in German and English in the policy navigation area under Local Self Help questions.
Optionally, the question theme is also available in French, Italian, Spanish, and Japanese. You can
additionally import these language versions into the policy navigation area.
Note: When entering answers in Japanese to activate Local Self Help on endpoint computers,
users have to use Romaji (Roman) characters. Otherwise the answers will not match when users
enter them in the Power-on Authentication.
You can use the predefined question theme as is, edit it or delete it.
If you leave the two language versions of the predefined question theme as is and enable Local Self
Help via a policy of the type General Settings, the two predefined question themes will be
transferred automatically to the endpoint computers with the policy.
22.3 Importing question themes
Using the import procedure, you can import additional language versions of the predefined
question theme or your own question lists created as .XML files.
To import a set of questions:
1. Create a new question theme (see Creating a new question theme and adding questions, page
215).
2. In the Policies navigation area select the new question theme under Local Self Help
questions.
3. Right-click in the action area to open the context menu for the question theme. In the context
menu, select Import.
4. Select the required directory and question theme and click Open.
The imported questions are displayed in the action area. You can now save the question theme as
is or edit it.
22.4 Creating a new question theme and adding questions
Besides using question themes in different languages, you can also create new question themes
covering different topics, to provide users with several different question themes to suit their
preferences.
To create a new question theme and add questions do the following:
1. In the Policies navigation area select Local Self Help questions.
2. Right-click Local Self Help questions and select New > Question Theme.
3. Enter a name for the question theme and click OK.
4. In the Policies navigation area select the new question theme under Local Self Help
questions.
5. Right-click in action area to open the context menu for the question theme. In the context
menu, select Add.
6. A new question line is added. Enter your question and press Enter. To add further questions
repeat this step.
7. To save your changes click the Save icon in the toolbar.
Your question theme is registered and will be automatically transferred with the policy of the type
General Settings enabling Local Self Help on the endpoint computers.
22.5 Editing question themes
To edit existing question themes do the following:
1. In the Policies navigation area select the required question theme under Local Self Help
questions.
2. You can now add, modify or delete questions.
   • To add questions, right-click in the action area to display the context menu. In the context
     menu, click Add. A new line is added to the question list. Enter your question on the line.
   • To modify questions, click the required question text in the action area. The question is
     marked by a pencil icon. Enter your changes on the question line.
   • To delete questions, select the required question by clicking on the grey box at the
     beginning of the question line in the action area and click Delete in the context menu of
     the question.
3. To save your changes click the Save icon in the toolbar.
The modified question theme is registered and will be transferred with the policy of the type
General Settings that will enable Local Self Help on the endpoint computers.
22.6 Deleting question themes
To delete an entire question theme, right-click the required theme Local Self Help questions in
the Policies navigation area, and select Delete.
Note: If you delete a question theme after users have answered some of these questions to activate
Local Self Help on their computers, the users’ answers become invalid, as the questions no longer
exist.
22.7 Registering welcome texts
You can register a welcome text to be displayed in the first dialog of the Local Self Help Wizard
in the Policies navigation area of the SafeGuard Management Center.
The text files containing the required information have to be created prior to registering them in
the SafeGuard Management Center. The maximum file size for information texts is 50 KB.
SafeGuard Enterprise only uses Unicode UTF-16 coded texts. If you do not create the text files in
this format, they will be automatically converted upon registration.
In case of a conversion process, a message will be displayed indicating that the file is being
converted.
To register information texts:
1. In the Policies navigation area right-click Information text and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the previously created text file. If the file needs to be converted, a message
will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Information text in the Policies navigation
area. If you select a text item, its contents will be displayed in the window on the right-hand side.
The text item can now be selected when creating policies.
Proceed as described to register further text items. All registered text items will be shown as
subnodes.
23 Recovery via Challenge/Response
To smooth the workflow and to reduce help desk costs, SafeGuard Enterprise provides a
Challenge/Response recovery solution. SafeGuard Enterprise offers help to users failing to log on
to their computers or failing to access encrypted data by providing a user-friendly Challenge/
Response mechanism.
This functionality is integrated in the SafeGuard Management Center as a Recovery Wizard.
23.1 Benefits of Challenge/Response
The challenge/response mechanism is a secure and efficient recovery system to fall back on.
• No confidential data is exchanged in unencrypted form throughout the entire process.
• There is no point in third parties eavesdropping on this procedure because the data they spy
  out cannot be used at any later point in time or on any other devices.
• The computer to be accessed does not need an online network connection. The Response
  Code Wizard for the Helpdesk also runs on an unmanaged computer without any SafeGuard
  Enterprise Server connection. There is no need for a complex infrastructure.
• The user can start working again quickly. No encrypted data is lost only because the password
  has been forgotten.
23.2 Typical situations for requiring help desk assistance
• A user has forgotten the password for logging on and the computer has been locked.
• The Power-on Authentication local cache is partly damaged.
• A user is not available at the moment due to illness or vacation but the data on the computer
  must be accessible to a colleague.
• A user wants to access a volume encrypted with a key that is not available on the computer.
SafeGuard Enterprise offers different recovery workflows for these typical scenarios enabling the
users to access their computers again.
23.3 Challenge/Response workflow
The Challenge/Response procedure is based on two components:
• The endpoint computer on which the challenge code will be generated.
• The SafeGuard Management Center where, as a help desk officer with sufficient rights, you
  will create a response code that authorizes the user to perform the requested action on
  their computer.
1. On the endpoint computer, the user requests the challenge code. Depending on the recovery
type, this is either requested in the Power-on Authentication or via the KeyRecovery Tool.
A challenge code in form of an ASCII character string will be generated and displayed.
2. The user contacts the help desk and provides the necessary identification as well as the
challenge code to the help desk.
3. The help desk launches the Recovery Wizard in the SafeGuard Management Center.
4. The help desk selects the appropriate recovery type, confirms the identification information
and the challenge code and selects the required recovery action.
A response code in form of an ASCII character string will be generated and displayed.
5. The help desk provides the user with the response code e.g. via phone or text message.
6. The user enters the response code. Depending on the recovery type, this is either done in the
POA or via the KeyRecovery Tool.
The user is then permitted to perform the authorized action, for example resetting the password
and may resume working.
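The six-step exchange above, modelled as an added example with the properties section 23.1 claims: the challenge is generated on the endpoint, the response authorizes one specific action for that challenge only, and a code overheard by a third party is useless later or on another computer. This is not SafeGuard Enterprise's algorithm (the help does not describe the code format); the shared per-machine key, the computer names and the use of the action names from section 23.7 are assumptions of the example.

```python
"""Model of a Challenge/Response recovery exchange: endpoint issues a challenge, the help
desk returns a response bound to that machine, that challenge and one authorized action.
Added example, not SafeGuard Enterprise's algorithm; keys and names are constructed."""
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/I so codes survive being read out over the phone.
CODE_ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"   # 32 symbols = 5 bits each
CHALLENGE_BYTES = 10       # 80 random bits -> 16 symbols
RESPONSE_SYMBOLS = 20      # 100 bits of the MAC, plenty for a single-use code


def to_code(data: bytes, symbols: int) -> str:
    """Render the low `symbols` * 5 bits of data as a readable code string."""
    bits = int.from_bytes(data, "big")
    out = []
    for _ in range(symbols):
        out.append(CODE_ALPHABET[bits & 31])
        bits >>= 5
    return "".join(reversed(out))


def response_code(machine_key: bytes, computer: str, challenge: str, action: str) -> str:
    """Step 4: the response is a MAC over computer name, challenge and the action granted,
    so it verifies only on that machine, for that challenge and for that action."""
    message = f"{computer}|{challenge}|{action}".encode("utf-8")
    return to_code(hmac.new(machine_key, message, hashlib.sha256).digest(), RESPONSE_SYMBOLS)


class Endpoint:
    """The protected computer: holds its machine key and at most one open challenge."""

    def __init__(self, computer: str, machine_key: bytes):
        self.computer = computer
        self.machine_key = machine_key
        self.pending = None   # (challenge, action) while a recovery is in progress

    def request_challenge(self, action: str) -> str:
        """Step 1: a fresh random challenge, remembered together with the requested action."""
        challenge = to_code(secrets.token_bytes(CHALLENGE_BYTES), CHALLENGE_BYTES * 8 // 5)
        self.pending = (challenge, action)
        return challenge

    def enter_response(self, response: str) -> bool:
        """Step 6: accept a response once, for the pending challenge only. The challenge is
        discarded whether or not the response matched, so a captured code cannot be replayed."""
        if self.pending is None:
            return False
        challenge, action = self.pending
        self.pending = None
        expected = response_code(self.machine_key, self.computer, challenge, action)
        return hmac.compare_digest(expected.encode(), response.encode())


class HelpDesk:
    """The Management Center side: knows each managed computer's machine key."""

    def __init__(self, machine_keys: dict):
        self.machine_keys = machine_keys

    def respond(self, computer: str, challenge: str, action: str) -> str:
        """Step 4: after identifying the caller, authorize exactly one action for this challenge."""
        return response_code(self.machine_keys[computer], computer, challenge, action)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # constructed machine key
    endpoint = Endpoint("Desktop1", key)
    desk = HelpDesk({"Desktop1": key})
    challenge = endpoint.request_challenge("Booting SGN client with user logon")
    response = desk.respond("Desktop1", challenge, "Booting SGN client with user logon")
    print(challenge, response, endpoint.enter_response(response), endpoint.enter_response(response))
```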
23.4 User password change requirements
As part of the SafeGuard Enterprise recovery process the user may be forced to change their
Windows password. The following table provides details on when changing the password will be
required. The first four columns show specific conditions which can occur during the Challenge/
Response procedure. The last column indicates whether the user is forced to change the Windows
password based on the conditions indicated in the previous columns.

Condition: C/R issued with user logon and Show password option | Condition: C/R issued with user logon | Condition: Domain controller available | Condition: Show password option declined by user | Result: User is forced to change Windows password
---|---|---|---|---
Yes | Yes | Yes | No  | No
Yes | Yes | Yes | Yes | Yes
Yes | Yes | No  | Yes | No
No  | Yes | Yes | n/a | Yes
No  | Yes | No  | n/a | No
No  | No  | No  | n/a | No
23.5 Launching the Recovery Wizard
To be able to perform a recovery procedure, make sure you have the required rights and
permissions.
1. Log on to the SafeGuard Management Center.
2. Click Tools > Recovery in the menu bar.
The SafeGuard Recovery Wizard is started. You can select which type of recovery is requested.
23.6 Recovery types
Select which type of recovery you want to use. The following recovery types are provided:
• Challenge/Response for SafeGuard Enterprise Clients (managed)
  Challenge/Response for computers that are centrally managed by the SafeGuard Management
  Center. They are listed in the Users & Computers area in the SafeGuard Management Center.
• Challenge/Response using Virtual Clients
  Easy recovery for encrypted volumes can be achieved when using specific files called Virtual
  Clients in cases where Challenge/Response would usually not be supported, for example when
  the POA is corrupted.
• Challenge/Response for Sophos SafeGuard Clients (standalone)
  Challenge/Response for computers that are locally managed. They never have any connection
  to the SafeGuard Enterprise Server. For each of these computers a key recovery file is
  generated during configuration. It contains the defined machine key which is encrypted with
  the company certificate. If this recovery key file is available, e.g. on a memory stick or via a
  shared network path so that the help desk officer can access it, Challenge/Response for a
  standalone computer is supported.
Note: Also see the logon recovery method Local Self Help that does not require any help desk
assistance.
23.7 Recovery via Challenge/Response for SafeGuard Enterprise Clients
SafeGuard Enterprise offers recovery for SafeGuard Enterprise protected endpoint computers
registered in the database in various disaster scenarios, such as password recovery or accessing
data by booting from external media.
Challenge/Response is supported for both SafeGuard Enterprise native computers and BitLocker
encrypted endpoint computers. During Challenge/Response it is dynamically determined which
type of computer is in use and the recovery workflow is adjusted accordingly.
23.7.1 Recovery actions for SafeGuard Enterprise Clients
The recovery workflow depends on which type of endpoint computer recovery is requested for.
Note: For BitLocker encrypted computers the only recovery action is to recover the key used to
encrypt a specific volume. No password recovery is provided.
23.7.1.1 Recovering the password at POA level
One of the most common scenarios is that users have forgotten their password. By default
SafeGuard Enterprise is installed with an activated Power-on Authentication (POA). The POA
password for accessing the computer is the same as the Windows password.
If the user has forgotten the password at POA level, the SafeGuard Enterprise helpdesk officer will
generate a response for Booting SGN client with user logon, but without displaying the user
password. However, in this case, after entering the response code the computer will boot into the
operating system, so the user has to change the password at Windows level subject to the
condition that the domain is accessible. The user can then log on to Windows as well as to the
Power-on Authentication with the new password.
Best practice for recovering the password at POA level
Note: We recommend primarily using the following methods when the user has forgotten their
password, to avoid having to reset the password centrally:
• Use Local Self Help. With recovery via Local Self Help the user can have the current
  password displayed and may continue using this password without having to reset it and without
  any help desk assistance. For further information, see Recovery via Local Self Help on page 4.
• When using Challenge/Response: We recommend avoiding centrally resetting the
  password in the Active Directory prior to the Challenge/Response procedure. Avoiding this will
  ensure that the password remains synchronized between Windows and SafeGuard Enterprise.
  Ensure that the Windows help desk is educated accordingly.
As a SafeGuard Enterprise help desk officer, generate a response for Booting SGN client with
user logon with option Display user password. This is advantageous as the password then does
not have to be reset in the Active Directory. The user may continue working with the old
password and change it locally afterwards, if desired.
23.7.1.2 Displaying the user password
SafeGuard Enterprise allows users to have their password displayed during Challenge/Response.
This is advantageous as the password then does not have to be reset in the Active Directory. The
option is only available if Booting SGN client with user logon is requested.
23.7.1.3 A different user needs to boot the SafeGuard Enterprise protected computer
In this case the user who needs to access the computer will boot the computer and enter their user
name. The user will then request a Challenge. The SafeGuard help desk will generate a Response
of type Booting SGN client without user logon and Passthrough to Windows enabled. The user
will be logged on and may use the computer.
23.7.1.4 Accessing data by booting from external media
Challenge/Response can also be used to allow a computer to be booted from external media such
as WinPE. To do so, the user has to select Continue Booting from: Floppy Disk/External
Medium in the POA logon dialog and initiate the Challenge. When receiving the response the
user can enter the credentials in the POA as usual and continue booting from external medium.
The following requirements must be fulfilled to access an encrypted volume:
• The device to be used must contain the SafeGuard Enterprise filter driver. A detailed
  description on how to create such a driver CD can be found in our knowledge database:
  http://www.sophos.com/support/knowledgebase/article/108805.html.
• The user must boot from the external medium and must have the right to do so. This right can
  be granted to the user by defining a policy in the SafeGuard Management Center and assigning
  it to the computer (policy type Authentication > Access: User may only boot from hard disk
  must be set to “No”). By default the right to boot from external media is not assigned.
• The endpoint computer must generally support booting from media other than a fixed hard
  drive.
• Only volumes encrypted with the defined machine key can be accessed. This key encryption
  type can be defined in a device encryption policy in the SafeGuard Management Center and
  assigned to the computer.
Please note that using external media such as a WinPE to access an encrypted drive will only
partly allow access to the volume.
23.7.1.5 Restoring the SafeGuard Enterprise policy cache
This procedure is necessary, if the SafeGuard policy cache is damaged. The local cache stores all
keys, policies, user certificates and audit files. By default, logon recovery is deactivated when the
local cache is corrupted, i.e. it will be restored automatically from its backup. In this case, no
Challenge/Response procedure is required for repairing the local cache. However, logon recovery
can be activated by policy, if the local cache is to be repaired explicitly via a Challenge/Response
procedure. In this case, the user is prompted automatically to initiate a Challenge/Response
procedure, if the local cache is corrupted.
23.7.2 Response for SafeGuard Enterprise Clients
To generate a response during Challenge/Response for a SafeGuard Enterprise Client, the name
of the respective endpoint computer and the domain are required.
Note: This name must always be the distinguished name of the computer.
1. In the Recovery type window, select SafeGuard Enterprise Client (managed).
2. Select the required domain from the list.
3. Enter the required computer name. There are several possibilities to do so:
• Select a name by clicking [...] in the Computer information section of the Recovery type
dialog. Afterwards, click Find now. A list of computers is displayed. Select the required
computer and click OK. The computer name is now displayed in the Recovery type
window below Domain.
• Enter the short name of the computer. When clicking Next, the database is searched for
this name and if found, the distinguished computer name is displayed.
• Enter the computer name directly in distinguished name format, for example:
CN=Desktop1,OU=Development,OU=Headquarter,DC=Sophos,DC=edu
4. Click Next.
The program then dynamically determines if a native SafeGuard Enterprise computer or
BitLocker encrypted computer is in use and adjusts the recovery workflow accordingly. In case of
a native SafeGuard Enterprise computer the next step requires the selection of the user
information.
After checking the database for the respective computer, the corresponding user name and
domain is required for recovery of a SafeGuard Enterprise Client.
1. Select the required domain of the user.
2. Enter the required user name. There are several possibilities to do so:
• Select the user name by clicking [...] in the User information section of the Logon
recovery dialog. Afterwards, click Find now. A list of users is displayed. Select the required
name and click OK. The name is now displayed in the Recovery type window below
Domain.
• Enter the name of the user directly. Make sure the name is spelled correctly.
3. Click Next. A window is displayed where you can enter the challenge code.
4. Enter the challenge code the user has passed on to you and click Next. The challenge code is
verified. If the code has been entered incorrectly, Invalid is displayed below the block
containing the error.
5. If the challenge code has been entered correctly, the recovery action requested by the
SafeGuard Enterprise Client as well as the possible recovery actions on the client are displayed.
The possible actions for response depend on the actions requested on the client side when
calling the challenge. For example, if Crypto token requested is required on the client side,
the available actions for response are Boot SGN client with user logon and Boot SGN client
without user logon.
6. Select the action the user needs to perform.
7. If Booting SGN client with user logon has been selected as response action, you may
additionally select Show user password to have the password displayed on the target
computer.
8. Click Next.
9. A response code is generated. Read the response code to the user. A spelling aid is provided.
You can also copy the response code to the clipboard.
The user can then enter the response code on the endpoint computer and perform the
authorized action.
23.8 Response for BitLocker encrypted SafeGuard Enterprise Clients
For BitLocker encrypted computers a volume that cannot be accessed any more may be
recovered.
In order to perform a response during Challenge/Response for a SafeGuard Enterprise Client, the
name of the respective endpoint computer and the domain are required.
Note: This name must always be the distinguished name of the computer.
1. In the Recovery type window select SafeGuard Enterprise Client.
2. Select the required domain from the list.
3. Enter the required computer name. There are several possibilities to do so:
• Select a name by clicking [...] in the Computer information section of the Recovery type
dialog. Afterwards, click Find Now. A list of computers is displayed. Select the required
computer and click OK. The computer name is then displayed in the Recovery type
window below Domain.
• Enter the short name of the computer. When clicking Next, the database is searched for
this name and if found, the distinguished computer name is displayed.
• Enter the computer name directly in distinguished name format, for example:
CN=Desktop1,OU=Development,OU=Headquarter,DC=Utimaco,DC=edu
4. Click Next.
The program then dynamically determines if a native SafeGuard Enterprise computer or
BitLocker encrypted computer is in use and adjusts the recovery workflow accordingly. In case of
a BitLocker encrypted computer the next step requires the selection of the required volume.
After checking the database for the respective computer, the required volume is needed for
recovery of a BitLocker encrypted endpoint computer.
1. Select the volume to be accessed from the list and click Next.
2. The Recovery Wizard then displays the corresponding 48-digit recovery key.
3. Read this key to the user.
The user can then enter the key to recover the BitLocker encrypted volume on the endpoint
computer.
23.9 Recovery via Challenge/Response using Virtual Clients
With Virtual Client recovery, SafeGuard Enterprise offers recovery of encrypted volumes even in
complex disaster situations, e.g. when the POA is corrupted. It can be applied to managed clients
as well as to standalone computers.
Note: Virtual Client recovery should only be used to resolve complex disaster situations. If, for
instance, only a key is missing to recover a volume, the best way to recover the volume is
simply to assign the missing key to the respective user's key ring.
23.9.1 Recovery workflow using Virtual Clients
To access the encrypted computer, the following general workflow applies:
1. Obtain the SafeGuard Enterprise recovery disk from technical support.
2. The help desk may download the Windows PE recovery disk with the latest SafeGuard
Enterprise filter drivers from the Sophos support site. For further information see the
knowledgebase: http://www.sophos.com/support/knowledgebase/article/108805.html.
3. Create the Virtual Client in the SafeGuard Management Center.
4. Export the Virtual Client to a file.
5. Boot the computer from the recovery disk.
6. Import the Virtual Client file into the KeyRecovery Tool.
7. Initiate the Challenge in the KeyRecovery Tool.
8. Confirm the Virtual Client in the SafeGuard Management Center.
9. Select the required recovery action.
10. Enter the challenge code in the SafeGuard Management Center.
11. Generate the response code in the SafeGuard Management Center.
12. Enter the response code into the KeyRecovery Tool.
The computer can be accessed again.
23.9.2 Booting the computer from the recovery disk
Make sure that the boot sequence in the BIOS settings allows booting from CD.
1. On the endpoint computer, insert the recovery disk and start the computer. The integrated file
manager opens. At a glance, you can see the mounted volumes and drives.
The contents of the encrypted drive are not visible in the file manager. Neither the file system, nor
the capacity and used/free space are indicated in the properties of the encrypted drive.
2. At the bottom of the file manager in section Quick Launch, click the KeyRecovery icon to
open the KeyRecovery Tool. The KeyRecovery Tool displays the key ID of the encrypted
drives.
3. Find the key ID of the drives that you need to access. The key ID will be requested later on.
Next, import the Virtual Client into the KeyRecovery Tool.
23.9.3 Importing the Virtual Client into the KeyRecovery Tool
Prerequisites:
• The computer has been booted from the recovery disk.
• The USB drive with the Virtual Client file recoverytoken.tok stored on it has been mounted
successfully.
1. In the Windows PE file manager, select the drive on which the Virtual Client is stored. The file
recoverytoken.tok will be displayed on the right.
2. Select the file recoverytoken.tok and drag it to the drive in which the KeyRecovery Tool is
located. There, drop it into the Tools\SGN-Tools directory.
23.9.4 Initiating the Challenge in the KeyRecovery Tool
1. At the bottom of the Windows PE file manager in section Quick Launch, click the
KeyRecovery icon to open the KeyRecovery Tool. The tool starts with a list of all volumes
and their corresponding encryption information (key ID).
2. Select the volume you want to decrypt and click Import by C/R to generate the
Challenge Code.
The Virtual Client file serves as the reference in the SafeGuard Enterprise database and is stated
in the challenge. The Challenge code is generated and displayed.
3. Communicate the Virtual Client name and the challenge code to the help desk, e.g. via phone
or text message. A spelling aid is provided.
23.9.5 Generating a Response using Virtual Clients
To access a SafeGuard Enterprise protected computer and to generate a Response using Virtual
Clients, two actions are required:
1. Confirm the Virtual Client in the SafeGuard Management Center database.
2. Select the requested recovery action:
• A Challenge can be initiated to recover a single key for accessing an encrypted volume on a
computer that is connected to the SafeGuard Enterprise Server. Select Key requested and
then Select recovery key from the database.
• A Challenge can be initiated to recover a single key for accessing an encrypted volume on a
standalone computer that is never connected to the SafeGuard Enterprise Server. Select
Key requested and then Select key recovery file (standalone).
• A Challenge can be initiated to recover multiple keys for accessing encrypted volumes on a
computer that is connected to the SafeGuard Enterprise Server. The keys are stored in one
file which is encrypted with a random password stored in the database. The password is
unique for each created key file and is transferred to the target computer within the
response code. Select Key file requested.
23.9.6 Confirming the Virtual Client
The Virtual Client must have been created in the SafeGuard Management Center in Virtual
Clients and must be available in the database.
1. In the SafeGuard Management Center click Tools > Recovery to open the Recovery Wizard.
2. In Recovery type select Virtual Client.
3. Enter the name of the Virtual Client the user has given to you. There are different ways to do
so:
• Enter the unique name directly.
• Select a name by clicking [...] in the Virtual Client section of the Recovery type dialog.
Then click Find now. A list of Virtual Clients is displayed. Select the required Virtual
Client and click OK. The Virtual Client name is then displayed in the Recovery type
window below Virtual Client.
4. Click Next to confirm the name of the Virtual Client file.
Next select the requested recovery action.
23.9.7 Selecting the requested key (managed clients)
You must have selected the required Virtual Client in the SafeGuard Management Center
Recovery Wizard.
Prerequisite:
A response can only be initiated for assigned keys. If a key is inactive, i.e. the key is not assigned
to at least one user, a Virtual Client Response is not possible. In such a case the inactive key can
be reassigned to any other user and a response for this key can be generated again.
1. In the Recovery wizard, in Virtual Client, select the requested recovery action Key requested
and click Next.
2. Activate Select recovery key from the database.
3. Click [...]. You can either display the keys by key ID or by symbolic name. Click Search, select
the key and click OK.
4. Confirm with Next. The window for entering the challenge code is displayed.
5. Enter the challenge code the user has passed on to you and click Next. The challenge code is
verified.
If the challenge code has been entered correctly, the response code is generated. If the code has
been entered incorrectly, Invalid is displayed below the block containing the error.
6. Pass the response code on to the user. A spelling aid is provided. You can also copy the
response code to the clipboard.
The requested key is transferred to the user environment within the response code.
23.9.8 Selecting the key recovery file (standalone computer)
You must have selected the required Virtual Client in the SafeGuard Management Center
Recovery Wizard.
The required key recovery file needed to regain access to the computer must be accessible to the
help desk, e.g. on a network share.
1. In the Recovery wizard, in Virtual Client, select the requested recovery action Key requested
and click Next.
2. Activate Select key recovery file containing recovery key.
3. Click [...] next to this option to browse for the respective file. For better identification the
recovery files carry the name of the computer: computername.GUID.xml.
4. Confirm with Next. The window for entering the challenge code is displayed.
5. Enter the challenge code the user has passed on to you and click Next. The challenge code is
verified.
If the challenge code has been entered correctly, the response code is generated. If the code has
been entered incorrectly, Invalid is displayed below the block containing the error.
6. Pass the response code on to the user. A spelling aid is provided. You can also copy the
response code to the clipboard.
The requested key is transferred to the user environment within the response code.
23.9.9 Selecting several keys in a key file
You must have selected the required Virtual Client file in the SafeGuard Management Center
Recovery Wizard.
You must have created the key file beforehand in the SafeGuard Management Center in Keys &
Certificates and the password encrypting the key file must have been stored in the database.
1. In the Recovery wizard, in Virtual Client, select the requested recovery action Password for
key file selected and click Next.
2. Click [...] next to this option and then Search. Select the key file and click OK.
3. Confirm with Next. The window for entering the challenge code is displayed.
4. Enter the challenge code the user has passed on to you and click Next. The challenge code is
verified.
If the challenge code has been entered correctly, the response code is generated. If the code has
been entered incorrectly, Invalid is displayed below the block containing the error.
5. Pass the response code on to the user. A spelling aid is provided. You can also copy the
response code to the clipboard.
The password for the encrypted key file is transferred within the response code. The key file is
then deleted.
23.9.10 Entering the Response code in the KeyRecovery Tool
1. In the KeyRecovery Tool on the endpoint computer, enter the response code the help desk has
given to you.
The required key, or the password for the key file, is transported within the response code.
2. Click OK. The drive selected for Challenge/Response is decrypted.
3. To check that decryption has been successful, select the decrypted drive in the Windows PE
file manager:
The contents of the decrypted drive are now displayed in the file manager. The file system as well
as the capacity and used/free space are now indicated in the properties of the decrypted drive.
Access to the data stored on this partition is recovered. As a result of the successful decryption
you can read, write and copy data from and/or to the respective drive.
23.10 Challenge/Response for Sophos SafeGuard Clients (standalone)
SafeGuard Enterprise also provides Challenge/Response for unmanaged computers (Sophos
SafeGuard Clients). They never have any connection to the SafeGuard Enterprise Server, not even
temporarily. They operate in standalone mode. As they are not registered in the SafeGuard
Enterprise database no information on their identification needed for a Challenge/Response is
available.
For these computers, SafeGuard Enterprise provides Challenge/Response e.g. when the user has
forgotten their password or entered the password incorrectly too often. Recovery information
needed for a Challenge/Response is in this case based on the key recovery file. On each endpoint
computer this key recovery file is generated during deployment of the SafeGuard Enterprise
encryption software.
If this key recovery file is accessible to the help desk, e.g. via a shared network path, Challenge/
Response for a SafeGuard Enterprise protected computer may be provided.
To facilitate searching and grouping of the recovery files, the files carry the name of the
computer in their file names: computername.GUID.xml. This allows for wildcard searches with
asterisks (*), for example: *.GUID.xml.
Note: When a computer is renamed, it is not renamed accordingly in the computer's local
cache. The local cache stores all keys, policies, user certificates and audit files. The new computer
name therefore has to be removed from the local cache so that only the previous name
remains, even if the computer has been renamed under Windows.
23.10.1 Recovery actions for Sophos SafeGuard Clients (standalone)
Challenge/Response for an endpoint computer can be initiated in the following situations:
• The user has entered the password incorrectly too often.
• The user has forgotten the password.
• A corrupted cache needs to be repaired.
For an unmanaged computer no user key is available in the database. Therefore, the only recovery
action possible in a Challenge/Response session is Booting SGN client without user logon.
The Challenge/Response procedure enables the computer to boot through Power-on
Authentication. The user is then able to log on to Windows.
Potential recovery use cases:
The user has entered the password incorrectly too often at POA level and the computer is
locked.
The computer is locked, and the user is prompted to initiate a Challenge/Response procedure to
unlock the computer. As in this case resetting the password is not needed because the user still
remembers the current password, Challenge/Response procedure will enable the computer to
boot through Power-on Authentication. The user can then enter the correct password at
Windows level and use the computer again.
The user has forgotten the password
Note: We recommend using Local Self Help first to recover a forgotten password. With
recovery via Local Self Help the user can have the current password displayed confidentially in
the Power-on Authentication and may continue using it. This avoids having to reset the
password at all and also avoids help desk assistance. For further information, see Recovery
via Local Self Help, page 4.
When recovering a forgotten password via Challenge/Response a password reset is required.
1. The Challenge/Response procedure will enable the computer to boot through Power-on
Authentication.
2. In the Windows logon dialog, the user does not know the correct password either and
therefore needs to change it at Windows level. This requires further recovery actions outside
the scope of SafeGuard Enterprise, via standard Windows means.
Note: We recommend avoiding centrally resetting the password prior to the Challenge/Response
procedure. Avoiding this will ensure that the password remains synchronized between Windows
and SafeGuard Enterprise. Ensure that the Windows help desk is educated accordingly.
3. We recommend using one of the following methods to reset the password at Windows level:
• Via a service or administrator account available on the endpoint computer with the
required Windows rights.
• Via a Windows password reset disk on the endpoint computer.
As a help desk officer you may inform the user which procedure should be used and either
provide the additional Windows credentials or the required disk.
4. The user enters the new password at Windows level that the help desk has provided. The user
then changes this password immediately to a value only known to the user.
5. SafeGuard Enterprise detects that the newly chosen password does not match the current
SafeGuard Enterprise password used in the POA. The user is therefore prompted to enter the
old SafeGuard Enterprise password and, since the user has forgotten this password, needs to
click Cancel.
6. In SafeGuard Enterprise, the definition of a new password without providing the old one
requires a new certificate. The user has to confirm this procedure.
7. A new user certificate will be created based on the newly chosen Windows password. This
enables the user to log on to the computer again and to log on at the Power-on Authentication
with the new password.
Note: Keys for SafeGuard Data Exchange
When the user has forgotten the Windows password and has to enter a new one, a new user
certificate is created as well. Therefore, the user will no longer be able to use the keys already
created for SafeGuard Data Exchange. To be able to continue using the already generated user
keys for SafeGuard Data Exchange, the user has to remember the SafeGuard Data Exchange
passphrases to reactivate these keys.
The local cache needs to be repaired
The local cache stores all keys, policies, user certificates and audit files. By default, logon recovery
is deactivated when the local cache is corrupted, i.e. it will be restored automatically from its
backup. In this case, no Challenge/Response procedure is required for repairing the local cache.
However, logon recovery can be activated by policy, if the local cache is to be repaired explicitly
via a Challenge/Response procedure. In this case, the user is prompted automatically to initiate a
Challenge/Response procedure, if the local cache is corrupted.
23.10.2 Generating a response for unmanaged computers using the
key recovery file
Note: The key recovery file generated during installation of the SafeGuard Enterprise encryption
software needs to be stored in a location a help desk officer is able to access and the name of the
file must be known.
To generate a response, do the following:
1. In the SafeGuard Management Center, select Tools > Recovery from the menu bar to open
the Recovery Wizard.
2. In Recovery type, select Sophos SafeGuard Client (standalone).
3. Locate the required key recovery file by clicking Browse. For better identification, the recovery
files carry the name of the computer: computername.GUID.xml.
4. Enter the challenge code the user has passed on to you and click Next. The challenge code is
verified.
If the challenge code has been entered correctly, the recovery action requested by the computer
as well as the possible recovery actions are displayed. If the code has been entered incorrectly,
Invalid is displayed below the block containing the error.
5. Select the required action to be taken by the user and click Next.
6. A response code is generated. Communicate the response code to the user. A spelling aid is
provided. You may also copy the response code to the clipboard.
The user can enter the response code, perform the requested action and resume working.
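As an added example, not code or the protocol of SafeGuard Enterprise, the following Python models a complete recovery session of the kind described in 23.7.2 and 23.10.2: the endpoint turns its request into a challenge code, the help desk locates the key recovery file through the computername.GUID.xml naming convention, verifies the challenge against the recovery key, and returns a response code that authorises exactly one action for exactly that challenge. The transcription alphabet, the per-block check symbol (which lets the wizard mark only the block containing a mis-read symbol as Invalid), the HMAC binding, the XML layout of the recovery file and the sample share contents are all assumptions made for illustration.

```python
# Added example (not SafeGuard Enterprise code): toy challenge/response recovery
# exchange. Alphabet, block check symbols, HMAC binding and recovery-file XML
# layout are assumptions made for illustration only.
import fnmatch
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O/1/I (assumed)
BLOCK = 5                                      # data symbols per block (+1 check symbol)
BOOT_WITH_LOGON = 0x01                         # "Boot SGN client with user logon"
BOOT_WITHOUT_LOGON = 0x02                      # "Boot SGN client without user logon"

def _check_symbol(block: str) -> str:
    # Odd weights: any single wrong symbol in a block changes the sum mod 32.
    return ALPHABET[sum(ALPHABET.index(c) * (2 * i + 1) for i, c in enumerate(block)) % 32]

def encode_code(data: bytes) -> str:
    """Bytes -> dash-separated blocks of BLOCK symbols, each followed by its check symbol."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    syms = "".join(ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))
    blocks = [syms[i:i + BLOCK] for i in range(0, len(syms), BLOCK)]
    return "-".join(b + _check_symbol(b) for b in blocks)

def invalid_blocks(code: str) -> list:
    """Indices of blocks failing their check symbol: what the wizard flags as Invalid."""
    bad = []
    for i, grp in enumerate(code.upper().split("-")):
        if len(grp) < 2 or any(c not in ALPHABET for c in grp) or _check_symbol(grp[:-1]) != grp[-1]:
            bad.append(i)
    return bad

def decode_code(code: str) -> bytes:
    if invalid_blocks(code):
        raise ValueError("invalid blocks: %s" % invalid_blocks(code))
    syms = "".join(grp[:-1] for grp in code.upper().split("-"))
    bits = "".join(f"{ALPHABET.index(c):05b}" for c in syms)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))

def _tag(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"\x00".join(parts), hashlib.sha256).digest()[:8]

# --- endpoint side (POA or KeyRecovery Tool) --------------------------------
def make_challenge(computer: str, key: bytes, requested: int) -> tuple:
    """Challenge = requested-action flags + 8-byte nonce + tag binding both to the computer."""
    payload = bytes([requested]) + secrets.token_bytes(8)
    return encode_code(payload + _tag(key, computer.encode(), payload)), payload[1:]

def apply_response(response: str, key: bytes, nonce: bytes, requested: int) -> int:
    """Verify the response against this challenge's nonce and return the granted action."""
    data = decode_code(response)
    action, tag = data[0], data[1:]
    if not hmac.compare_digest(tag, _tag(key, b"resp", nonce, bytes([action]))):
        raise ValueError("response does not belong to this challenge")
    if not action & requested:
        raise ValueError("granted action was never requested")
    return action

# --- help desk side (Recovery Wizard); constructed stand-in for a share of key
# recovery files named computername.GUID.xml -------------------------------------
SHARE = {
    "LAPTOP-0042.3f1c9d2e-7a5b-4c11-9e0d-2b8f6a1c4d73.xml": "<RecoveryFile computer='LAPTOP-0042'><RecoveryKey>9f2a0c3b4e5d6f718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9</RecoveryKey></RecoveryFile>",
    "LAPTOP-0043.8b0e4c6a-1d2f-4e3a-b5c7-d9e1f2a3b4c5.xml": "<RecoveryFile computer='LAPTOP-0043'><RecoveryKey>00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff</RecoveryKey></RecoveryFile>",
}

def find_recovery_key(share: dict, computer: str) -> bytes:
    """Wildcard search computername.*.xml (23.10) and check the file really belongs to that computer."""
    names = fnmatch.filter(share, f"{computer}.*.xml")
    if len(names) != 1:
        raise LookupError(f"{len(names)} recovery files match {computer}")
    root = ET.fromstring(share[names[0]])
    if root.get("computer") != computer:
        raise ValueError("recovery file name and contents disagree")
    return bytes.fromhex(root.findtext("RecoveryKey"))

def make_response(challenge: str, computer: str, key: bytes, chosen: int,
                  allowed: int = BOOT_WITHOUT_LOGON) -> str:
    """Verify the challenge, then authorise one action. A standalone client has no user key
    in the database, so by default only 'boot without user logon' can be granted (23.10.1)."""
    data = decode_code(challenge)
    flags, nonce, tag = data[0], data[1:9], data[9:]
    if not hmac.compare_digest(tag, _tag(key, computer.encode(), data[:9])):
        raise ValueError("challenge was not produced with this computer's recovery key")
    if chosen not in (BOOT_WITH_LOGON, BOOT_WITHOUT_LOGON) or not chosen & flags & allowed:
        raise ValueError("action not requested by the endpoint or not permitted for this client")
    return encode_code(bytes([chosen]) + _tag(key, b"resp", nonce, bytes([chosen])))

def demo() -> dict:
    """One standalone session, plus a mis-read symbol being localised to its block."""
    computer = "LAPTOP-0042"
    key = find_recovery_key(SHARE, computer)
    requested = BOOT_WITH_LOGON | BOOT_WITHOUT_LOGON
    challenge, nonce = make_challenge(computer, key, requested)
    response = make_response(challenge, computer, key, BOOT_WITHOUT_LOGON)
    granted = apply_response(response, key, nonce, requested)
    misread = list(response)
    misread[1] = ALPHABET[(ALPHABET.index(misread[1]) + 1) % 32]  # one wrong symbol in block 0
    return {"granted": granted, "invalid": invalid_blocks("".join(misread)), "challenge": challenge}
```

The points worth taking from the model: the response is bound to the nonce of the one challenge it answers, so a response code read over the phone cannot be replayed for a later lockout; the help desk decides which action to authorise from the intersection of what the endpoint asked for and what the client type allows, so a standalone client can never be granted a user logon it has no key for; and the check symbol per block is what makes it possible to tell the caller which block to re-read instead of starting over.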
24 System Recovery
SafeGuard Enterprise encrypts files and drives transparently. Boot drives can also be encrypted,
so decryption functionalities such as code, encryption algorithms and encryption key must be
available very early in the boot phase. Therefore encrypted information cannot be accessed if the
crucial SafeGuard Enterprise modules are unavailable or do not work.
The following sections cover possible error sources and recovery methods.
24.1 Recover data by booting from an external medium
This recovery type can be applied when the user can still log on at the POA but cannot access the
encrypted volume any more. In this case, access to the encrypted data can be regained by booting
the computer via a Windows PE recovery disk customized for SafeGuard Enterprise.
Prerequisites:
• The user booting from the external medium must have the right to do so. This right can either
be configured in the SafeGuard Management Center within a policy of type Authentication
(User may decrypt volume set to Yes) or can be obtained for one-time use via a Challenge/
Response procedure.
• The computer must support booting from media other than the fixed hard drive.
To regain access to encrypted data on the computer, do the following:
1. Obtain the SafeGuard Enterprise Windows PE disk from technical support.
The help desk may download the Windows PE recovery disk with the latest Sophos SafeGuard
filter drivers from the Sophos support site. For further information see the knowledgebase:
http://www.sophos.com/support/knowledgebase/article/108805.html.
2. Log on at the Power-on Authentication with your credentials.
3. Insert the Windows PE recovery disk into the computer.
4. In the POA logon dialog under Continue booting from: select external medium. The
computer is started.
Access to the data stored on this partition is recovered.
24.2 Corrupted MBR
For resolving problems with a corrupted MBR SafeGuard Enterprise offers the tool
BE_Restore.exe.
For a detailed description on how to restore a corrupted MBR with this tool refer to the SafeGuard
Tools Guide.
24.3 Code
It is possible to access a hard disk with damaged kernel boot code as keys are stored separately
from the kernel in the so-called KSA (Key Storage Area). By separating the kernel and the keys,
this type of drive can be decrypted when hooked up to another computer.
To do this, the user logging on to the other computer needs a key for the KSA of the unbootable
partition on their key ring.
In the worst case, the partition is only encrypted using the other computer's Boot_Key. In such a
case, the Master Security Officer or the Recovery Officer must assign this Boot_Key to the user.
For a detailed description of this procedure, see “Slaving” a hard disk, page 248.
24.4 Volumes
SafeGuard Enterprise provides drive-based encryption. This includes saving encryption
information consisting of the boot sector, primary and backup KSA and the original boot sector
on each drive itself.
As soon as one of the following units is damaged, the volume cannot be accessed any longer:
• either of the two Key Storage Areas (KSA)
• Original MBR
24.4.1 Boot sector
During the encryption process a volume's boot sector is swapped for the SafeGuard Enterprise
boot sector.
The SafeGuard Enterprise boot sector holds information about
• the location of the primary and backup KSA in clusters and sectors in relation to the start of
the partition
• the size of the KSA
If the SafeGuard Enterprise boot sector is damaged, encrypted volumes cannot be accessed.
The tool BE_Restore can restore the damaged boot sector. For a detailed description of this utility
refer to the SafeGuard Tools Guide.
24.4.2 Original boot sector
The original boot sector is the one that is run after the DEK (Data Encryption Key) has been
decrypted and the algorithm and the key have been loaded to the BE filter driver.
If this boot sector is defective, Windows is unable to access the volume. Normally the common
error message “Device is not formatted. Would you like to format it now? Yes/No” is displayed.
Nonetheless, SafeGuard Enterprise will load the DEK for this volume. A tool that is used to repair
the boot sector needs to be compatible with the SafeGuard Enterprise Upper Volume Filter.
24.5 Windows boot problems
The cryptographic design of the volume-specific key material (boot sector, Key Storage Area
(KSA)) makes SafeGuard Enterprise extremely flexible.
You can save a damaged system by booting a restore medium from the SafeGuard Enterprise
Power-on Authentication (Windows PE with the SafeGuard Enterprise encryption subsystem
installed). These media have transparent en-/decryption access to volumes encrypted with
SafeGuard Enterprise. The cause of the unbootable system can be remedied from there.
24.5.1 Encryption subsystem
The encryption subsystem consists of components such as the filter driver BEFLT.sys. If it is
damaged, carry out the procedure described under Windows boot problems and repair the system.
24.5.2 GINA problems
GINA problems such as circular loops may be resolved as follows: Carry out the procedure
described under Windows boot problems and repair the system.
24.6 Setting up WinPE for SafeGuard Enterprise
To get access to encrypted drives with a computer's BOOTKEY within a WinPE environment,
SafeGuard Enterprise offers WinPE with the required SafeGuard Enterprise function modules
and drivers. To start SetupWinPE enter the following command:
SetupWinPE -pe2 <WinPE image file>
where <WinPE image file> is the full path name of a WinPE image file.
SetupWinPE makes all the changes needed.
Note: With this type of WinPE environment, only drives encrypted with the BOOTKEY can be
accessed. Drives encrypted with a user key cannot be accessed, because those keys are not
available in this environment.
24.7 “Slaving” a hard disk
SafeGuard Enterprise allows encrypted volumes or hard disks to be enslaved. It permits the end
user, the Windows administrator and the SafeGuard Enterprise Security Officer to connect or
remove new volumes or hard disks in spite of sector-based encryption.
A volume's Key Storage Area (KSA) holds all the information required, i.e.:
• The randomly generated DEK (Data Encryption Key).
• An ID for the encryption algorithm used to encrypt the volume.
• The list of GUIDs for the KEKs (Key Encryption Keys) that can encrypt and decrypt the DEK.
• The volume itself contains its size.
A volume encrypted with SafeGuard Enterprise can be accessed from all SafeGuard Enterprise
protected computers, provided that the user or computer possess a KEK for the KSA of the
volume on their key ring.
Users or computers must be able to decrypt the DEK encrypted by the KEK.
Many users and computers can access a volume that has been encrypted with a distributable KEK
such as an OU, group or domain key, because many users/computers of a domain have this key
on their key ring.
However, a volume that is only encrypted with the individual boot key ("Boot_machinename")
of the SafeGuard Enterprise protected computer can only be accessed by that particular
computer.
If a volume does not boot on its original computer, it may be "enslaved" on another SafeGuard
Enterprise protected computer. However, the correct boot key is not available on that computer
and first has to be made accessible.
Once it is, the user can access the volume from the other computer, because the KEKs in the
KSA and on the key ring of the other user or computer match again.
24.7.1 Example
Alice has her own personal user key. When she is logged on to her other computer
(“Laptop_Alice”), she cannot access a volume that is encrypted with the boot key of the
“SGMCLT” computer.
The SafeGuard Enterprise protected computer “SGMCLT” only has its own boot key
BOOT_SGMCLT.
The Security Officer assigns the boot key “BOOT_SGMCLT” to Alice as follows:
1. Select user Alice
2. Click the “Binocular” icon in the SafeGuard Enterprise toolbar. This opens the search dialog
which can also display boot keys.
3. Select the “BOOT_SGMCLT” key.
Now Alice has two keys - “User_Alice” and “BOOT_SGMCLT”. This can be verified under Keys
& Certificates.
The “BOOT_SGMCLT” key has now been assigned twice - to the SGMCLT computer and to user Alice.
Alice can now access the encrypted volume of any other SafeGuard Enterprise protected endpoint
computer which she is able to log on to.
She can then easily use tools such as Windows Explorer and regedit.exe to resolve the reason for
the boot problem.
If, in the worst case, the problem is not resolved, she can save data on another drive, reformat the
volume or set it up as new again.
25 Inventory and status data
SafeGuard Enterprise collects a large amount of inventory and status data from the endpoint
computers. This data shows the currently known overall state of each computer. It is clearly
displayed in the SafeGuard Management Center in the Users & Computers area in the
Inventory tab.
As a Security Officer, you can view and print out the inventory and status data displayed in the
SafeGuard Management Center. For example, you can print out reports as evidence that end
devices have been encrypted. Wide-ranging sort and filter features provide support for you as you
select the relevant data.
The Inventory provides, e.g., the following data about each machine:
- Applied policy
- The encryption status of all media
- The POA status and the POA type
- Data on the installed SafeGuard Enterprise modules
- The WOL status
- User data
25.1 Viewing inventory data
Inventory data is accessed as follows:
Open the SafeGuard Management Center.
1. In the navigation area of the SafeGuard Management Center, click the Users & Computers
button.
2. In the navigation window, click the relevant container (domain, workgroup or computer) on
the left-hand side.
3. In the action area, switch to the Inventory tab on the right-hand side.
4. In the Filter area, select the filter to be applied to the inventory display, see Filtering
inventory data on page 252.
Note: If you are selecting a particular computer, you receive the inventory data as soon as you
switch to the Inventory tab. The Filter area is not available here.
5. In the Filter area, click the magnifier icon.
The inventory and status data appears in a summarized table for all the machines in the container
selected. The tabs Drives, Users and Features are also available for each machine.
By clicking a column header you can sort the inventory data based on the values of the selected
column. The context menu for each column offers a number of features for sorting, grouping and
adjusting the display.
25.1.1 Filtering inventory data
When working from an OU, filters can be defined to limit the display based on particular criteria.
The following fields are available for defining filters in the Filter area of the Inventory tab:
Field | Description
Computer Name | To display the inventory and status data for a particular computer, enter the computer's name in this field.
Include sub-containers | Activate this field if you want to include sub-containers in the display.
Show last modified | Use this field to specify the number of last changes to be displayed.
You can also use the Filter Editor to create user-defined filters. You can open the Filter Editor
with the context menu for each column. In the Filter Builder window you can define your own
filters and apply them to the column concerned.
25.1.2 Refreshing inventory data
The user PCs usually send an update of the inventory data when the data have changed.
The Request Inventory Refresh command can be used to manually request a refresh of the
computer's current inventory data. This command is available for a particular computer or for all
the computers in a node (optionally including sub-nodes) in the context menu and in the Actions
menu in the SafeGuard Management Center menu bar. The command can also be selected using
the context menu for the list entries.
If you select this command or click the Request Inventory Refresh icon in the toolbar, the
relevant computers send their current inventory data.
As is the case with other areas in the Management Center, to refresh the display in the SafeGuard
Management Center, you can use the Refresh command, which you will find in the context menu
for individual computers or all the computers in a node and in the View menu in the menu bar.
You can also use the Refresh double-headed arrow icon in the toolbar to refresh the display.
25.1.3 Overview
The individual columns in the overview show the following information:
Column | Explanation
Machine Name | Shows the computer's name.
Operating System | Shows the computer's operating system.
Last Policy Received | Shows when (date and time) the computer received the last policy.
Encrypted Drives | Shows the computer's encrypted drives.
Unencrypted Drives | Shows the computer's unencrypted drives.
POA Type | Specifies whether the computer in question is a BitLocker client or a native SafeGuard Enterprise client.
POA | Specifies whether Power-on Authentication is activated for the computer.
WOL | Specifies whether Wake On LAN is activated for the computer.
Modification Date | Shows the date when the inventory data changed due to an inventory refresh request or the computer sending new inventory data.
Refresh requested | Shows the date of the last refresh request. The value displayed in this field is deleted when the request has been processed by the computer.
Parent DSN | Shows the Distinguished Name of the container object the computer is subordinated to. This column is only displayed if the field Include sub-containers has been activated in the Filter area.
25.1.4 Drives tab
The Drives tab shows the inventory and status data for the drives on the computer concerned.
Column | Explanation
Drive Name | Shows the name of the drive.
Type | Shows the drive type, e.g. Fixed, Removable Medium or CD-ROM/DVD.
State | Shows the drive's encryption status.
Algorithm | For encrypted drives this field shows the algorithm used for encryption.
25.1.5 Users tab
The Users tab shows the inventory and status data for the users on the computer concerned.
Column | Explanation
User name | Shows the user name of the user in question.
User is Owner | Specifies whether the user is defined as the machine's owner.
User is Locked | Specifies whether the user is locked.
25.1.6 Features tab
The Features tab provides an overview of all the SafeGuard Enterprise modules installed on the
computer.
Column | Explanation
Module Name | Shows the name of the installed SafeGuard Enterprise module.
Version | Shows the software version of the installed SafeGuard Enterprise module.
25.2 Printing inventory reports
The data shown in the Inventory tab can be printed out as inventory reports using the File menu
in the SafeGuard Management Center menu bar.
To get a print preview before printing, select File > Print Preview. The print preview provides
various features, such as exporting the document in a range of output formats (for example, .PDF)
or editing the page layout (for example, header and footer).
To print the document immediately, select File > Print.
26 Reports
Recording security-related incidents is a prerequisite for detailed system analysis. The events
logged facilitate the exact tracking of processes on a specific workstation or within a network. By
logging events, you can, for example, verify security breaches committed by third parties.
The logging functionality also supports the administrator or security officer in determining and
correcting errors in the granting of user rights.
SafeGuard Enterprise logs all endpoint computer activities and status information as well as
administrator actions and security-related events and saves them centrally. The logging
functionality records events triggered by installed SafeGuard products. The type of logs is defined
in logging policies. This is also where you specify the output and saving location for the logged
events: the Windows Event Log of the respective endpoint computer or the SafeGuard Enterprise
Database.
Provided that you have the required rights as a security officer you can view, print and archive the
status information and log reports displayed in the SafeGuard Management Center. The
SafeGuard Management Center offers comprehensive sorting and filter functions which are very
helpful when selecting relevant events from the information available.
Automated analyses of the log database, e.g. via Crystal Reports or Microsoft System Center
Operations Manager, are also possible. SafeGuard Enterprise protects the log entries against
unauthorized manipulation using signatures on the client as well as on the server side.
Depending on the logging policy defined and assigned, events of the following categories can be
logged:
- Authentication
- Administration
- System
- Encryption
- Client
- Communication
- Access control
26.1 Application scenarios
The SafeGuard Enterprise logging functionality is a user-friendly and comprehensive solution for
recording and analyzing events. The following examples show typical application scenarios for
the SafeGuard Enterprise Reports functionality.
Central monitoring of workstations within a network
The responsible security officer wants to be informed about critical events (for example,
unauthorized data access, a number of failed logon attempts within a specified time frame) on a
regular basis. Using a logging policy, the security officer can configure logging processes to log all
security-related events occurring on the endpoint computers concerned in a local log file. This log
file is transferred to the SafeGuard Enterprise Database via the SafeGuard Enterprise Server after
a number of events specified in another policy has been reached. The security officer can retrieve,
view and analyze the events in the Event Viewer of the SafeGuard Management Center. Thus, the
processes performed on different endpoint computers can be audited without staff being able to
influence logging.
Monitoring mobile users
In general, mobile users are not constantly connected to the company network. Sales
representatives in the field will for example disconnect their notebooks for a meeting. As soon as
they log on to the network again, the SafeGuard Enterprise events logged during the offline period
will be transferred. The logging functionality thus provides an exact overview on the user’s
activities during the time that the relevant computer was not connected to the network.
26.2 Prerequisite
A machine on which only the SafeGuard Enterprise Management Center is installed does not
have a connection to the server after initial installation. To be able to use the logging functionality,
the client package has to be executed on the machine. By doing so the machine is activated as a
client at the server and the logging functionality can be used.
For further information on client packages refer to the SafeGuard Enterprise Installation Manual.
26.3 Destinations for logged events
There are two possible destinations for logged events: the Windows Event Viewer or the
SafeGuard Enterprise Database. Only events related to a SafeGuard product are written to the
relevant destination.
The output destinations for events to be logged are specified in the logging policy.
26.3.1 Windows Event Viewer
Events for which you define the Windows Event Viewer as a destination in the logging policy will
be logged in the Windows Event Viewer. The Windows Event Viewer can be used to display and
manage logs for system, security and application events. You can also save these event logs. For
these procedures an administrator account for the relevant endpoint computer is required. In the
Windows Event Viewer an error code is displayed instead of a descriptive event text.
Note: This chapter describes the processes of viewing, managing and analyzing event logs in the
SafeGuard Management Center. For further information on viewing and managing event logs
using the Windows Event Viewer, please refer to your Microsoft Documentation.
26.3.2 SafeGuard Enterprise Database
Events for which you define the SafeGuard Enterprise Database as a destination in the logging
policy are collected in a local log file in the local cache of the relevant endpoint computer in
directory auditing\SGMTranslog. Log files are submitted to a transport mechanism which
transfers them to the database via the SafeGuard Enterprise Server. By default, the file is
submitted as soon as the transport mechanism has successfully established a connection to the
server. To limit the size of a log file, you can define a maximum number of log entries in a policy
of the type General Settings. The log file will be submitted to the transport queue of the
SafeGuard Enterprise Server when the number of entries specified has been reached. The events
logged in the central database can be displayed in the SafeGuard Enterprise Event Viewer. As a
security officer you will need the relevant rights to view, analyze and manage the events logged in
the database.
26.4 Defining settings for logging
Report settings are defined via two policies:
- General Settings policy
  In a General Settings policy, you can specify a maximum number of logged entries after which
  the log file containing the events destined for the central database is to be transferred to the
  SafeGuard Enterprise Database. This reduces the size of the individual log files to be
  transferred. This setting is optional.
- Logging policy
  The events to be logged are specified in a logging policy. In this policy, a security officer with
  the required policy rights defines which events will be logged to which output destination.
The following two sections describe how to define these two policies for logging.
26.4.1 Defining the number of events for feedback
To define the maximum number of logged entries for a log file, proceed as follows:
You are in the Policies area of the Management Center.
1. Create a new General Settings policy or select an existing one.
2. In the Feedback after number of events field, specify the maximum number of events for a
log file.
3. Save your settings.
After assigning the policy the number of events specified applies to logging.
26.4.2 Selecting events
To select the events to be logged, proceed as follows:
You are in the Policies area of the Management Center.
1. Create a new Logging policy or select an existing one.
2. In the action area on the right-hand side, all predefined events which can be logged are
displayed under Logging. By clicking on the column headers you can sort the events by ID,
Category etc.
3. To specify that an event is to be logged in the SafeGuard Enterprise Database, select the event
by clicking in the Log events in database column (database icon). For events to be logged in
the Windows Event Viewer, click in the Log in event log column (event log icon). By clicking
repeatedly you can uncheck the event or set it to null. If you do not define a setting for an
event, the relevant default value applies. To display the valid default values, click the Show
default values for not configured settings icon (magnifier) in the SafeGuard Management
Center toolbar.
Note: You can also specify these settings via the context menu for the individual events.
4. For all events selected for logging a green tick symbol is displayed in the relevant column.
Save your settings.
After assigning the policy the selected events are logged in the relevant output destination.
Available events
For a list of all events available for logging, see Events available for reports on page 280.
26.5 Viewing logged events
If you have the required rights as a security officer, you can view the events logged in the central
database in the SafeGuard Management Center Event Viewer.
To retrieve the entries logged in the central database, proceed as follows:
1. In the navigation area of the SafeGuard Management Center, click Reports.
2. In the action area Event Viewer on the right-hand side, click the magnifier icon.
All events logged in the central database are shown in the Event Viewer.
The individual columns show the following information concerning the events logged:
Column | Description
Level (icon) | Shows an icon indicating the event classification, e.g. warning, error.
Event ID | Shows a number identifying the event.
Event | Shows an event text, i.e. a description of the event.
Category | Classification of the event by the source, e.g. Encryption, Authentication, System.
Application | Shows the software area the event originated from, e.g. SGMAuth, SGBaseENc, SGMAS.
Computer | Shows the name of the computer on which the logged event occurred.
Computer domain | Shows the domain of the computer on which the logged event occurred.
User | Shows the user who was logged on at the time of the event.
User domain | Shows the domain of the user who was logged on at the time of the event.
Log time | Shows the system date and system time at which the event was logged on the endpoint computer.
By clicking the relevant column headers you can sort the events by Level, Category etc.
In addition, the context menu of the relevant columns offers a number of functions for sorting,
grouping and customizing the Event Viewer.
By double-clicking an entry in the Event Viewer you can display event details concerning the
logged event.
26.5.1 Applying filters to the SafeGuard Enterprise Event Viewer
The SafeGuard Management Center offers comprehensive filter functions. Using these functions
you can quickly retrieve the relevant events from the events displayed.
The Filter area of the Event Viewer offers the following fields for defining filters:
Field | Description
Categories | Using this field you can filter the Event Viewer according to the source classification (e.g. Encryption, Authentication, System) shown in the Category column. Select the required categories from the drop-down list of the field.
Error level | Using this field you can filter the Event Viewer according to the Windows event classification (e.g. warning, error) shown in the Level column. Select the required levels from the drop-down list of the field.
Show last | In this field, you can define the number of events to be displayed. The events logged last will be displayed (by default the last 100 events).
In addition, you can create user-defined filters using the Filter Editor. You can display the Filter
Editor via the context menu of the individual report columns. In the Filter Builder window you
can define filters and apply them to the relevant column.
26.6 Printing reports
You can print the event reports displayed in the SafeGuard Management Center Event Viewer via
the File menu in the menu bar of the SafeGuard Management Center.
To display a print preview prior to printing the report, select File > Print Preview. The print
preview offers different functions, for example for exporting the relevant document into a
number of output formats (e.g. .PDF) or editing the page layout (e.g. header and footer).
To print the document without a print preview, select File > Print.
26.7 Concatenation of logged events
The events destined for the central database are logged in the EVENT table of the SafeGuard
Enterprise Database. Special integrity protection can be applied to this table: the events can be
logged as a concatenated list in the EVENT table. Due to the concatenation, each entry in the list
is dependent on the previous entry. If an entry is removed from the list, this is evident and can be
verified via an integrity check.
To enhance performance, the concatenation of events in the EVENT table is deactivated by
default. However, you can also activate the concatenation of logged events for integrity checking
purposes (see Checking the integrity of logged events on page 267).
Note: When the concatenation of logged events is deactivated, special integrity protection does
not apply to the EVENT table.
26.7.1 Activating the concatenation of logged events
To activate event concatenation, proceed as follows:
1. Stop web service SGNSRV at the Web Server.
2. Delete all events from the database and create a backup during deletion (see Deleting selected
or all events on page 267).
Note: If you do not delete all old events from the database, the concatenation will not work
correctly as the remaining old events did not have concatenation activated.
3. Set the following registry key to 0 or delete it:
HKEY_LOCAL_MACHINE\SOFTWARE\Utimaco\SafeGuard Enterprise
DWORD: DisableLogEventChaining = 0
4. Restart the web service.
The concatenation of logged events is activated.
To deactivate the concatenation of events again, set the registry key to 1.
26.8 Checking the integrity of logged events
Prerequisite: For checking the integrity of logged events the concatenation of events in the
EVENT table has to be activated.
To check the integrity of the events shown in the SafeGuard Enterprise Event Viewer, proceed as
follows:
You are in the Reports area of the Management Center.
In the SafeGuard Management Center menu bar, select Actions > Check integrity. You can also
click the Check integrity of log events icon in the toolbar.
A message is displayed informing you about the integrity of the events logged.
Note: If event concatenation is deactivated, an error will be returned when checking the integrity
of logged events in the SafeGuard Management Center.
26.9 Deleting selected or all events
To delete selected events from the event log, proceed as follows:
You are in the Reports area of the Management Center.
1. In the Event Viewer, select the events to be deleted.
2. To delete selected events, select Actions > Delete events or click the Delete events icon in the
toolbar.
To delete all events, select Actions > Delete all events or click the Delete all events icon in the
toolbar.
3. Prior to deleting the selected events, the system displays the Back up events as window for
creating a backup file (see Creating a backup file on page 268).
The events selected are now deleted from the event log.
26.10 Creating a backup file
When you are deleting events, you can create a backup file of the report displayed in the
SafeGuard Management Center Event Viewer.
Upon selecting Actions > Delete events or Actions > Delete all events the Back up events as
window for creating a backup file will be displayed prior to deleting the events. To create an .XML
backup file of the event log, enter a file name and a file location and click OK.
26.11 Opening a backup file
To open the .XML backup file created during a deletion process, proceed as follows:
You are in the Reports area of the Management Center.
1. In the SafeGuard Management Center menu bar, select Actions > Open backup file. You can
also click the Open backup file icon in the tool bar.
2. The Open Event Backup window is displayed. Select the backup file to be opened and click
Open.
The backup file has been opened and the events are shown in the SafeGuard Management Center
Event Viewer. To return to the regular view of the Event Viewer, click the Open backup file icon
in the toolbar again.
26.12 Scheduled event cleanup via script
For automatic and efficient cleanup of the EVENT table four SQL scripts are available in the
\tools directory on your SafeGuard Enterprise Product CD:
- spShrinkEventTable_install.sql
- ScheduledShrinkEventTable_install.sql
- spShrinkEventTable_uninstall.sql
- ScheduledShrinkEventTable_uninstall.sql
The two scripts spShrinkEventTable_install.sql and
ScheduledShrinkEventTable_install.sql install a stored procedure at the database server
as well as a scheduled job which runs the stored procedure at defined regular intervals. The stored
procedure moves events from the EVENT table to the backup log table EVENT_BACKUP
leaving a defined number of latest events in the EVENT table.
The two scripts spShrinkEventTable_uninstall.sql and
ScheduledShrinkEventTable_uninstall.sql uninstall the stored procedure as well as the
scheduled job and delete the EVENT_BACKUP table.
Note: If you use the stored procedure to move events from the EVENT table to the backup log
table, event concatenation no longer applies. Therefore, to activate concatenation while also using
the stored procedure for event cleanup does not make sense. For further details concerning
concatenation, see Concatenation of logged events on page 266.
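The chained EVENT table of sections 26.7 and 26.8, and the effect of the stored procedure described in this note, as an added example that is not part of the original manual: each row links to the hash of its predecessor under a server-side key, so an integrity check reveals a removed or altered row, rows written while chaining was disabled, and the gap left after older events are moved to EVENT_BACKUP. The column layout, the HMAC link, the in-memory SQLite database and the server key are constructed assumptions, not the product's scheme.

```python
import hashlib
import hmac
import sqlite3

# Toy model of a chained EVENT table, constructed for this example. The manual does not give
# the product's column layout or signature scheme; here every row stores the hash of the
# previous row and an HMAC (under an assumed server-side key) over its own fields, so that a
# removed, altered or unchained row breaks the link the following row depends on.

SERVER_KEY = b"constructed-server-side-signing-key"   # assumption, not a product value
GENESIS = "0" * 64                                     # prev_hash expected for the first row
_COLS = "id, event_id, computer, params, prev_hash, hash"


def new_event_db() -> sqlite3.Connection:
    """In-memory stand-in for the SafeGuard Enterprise Database with EVENT and EVENT_BACKUP."""
    conn = sqlite3.connect(":memory:")
    for table in ("EVENT", "EVENT_BACKUP"):
        conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, event_id INTEGER, "
                     "computer TEXT, params TEXT, prev_hash TEXT, hash TEXT)")
    return conn


def _link(prev_hash: str, event_id: int, computer: str, params: str) -> str:
    """Keyed hash binding this row's fields to its predecessor."""
    msg = f"{prev_hash}|{event_id}|{computer}|{params}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def log_event(conn, event_id: int, computer: str, params: str, chained: bool = True) -> int:
    """Append one event (ID plus parameter values, as the manual describes). chained=False
    mimics rows written while DisableLogEventChaining was set to 1."""
    row = conn.execute("SELECT hash FROM EVENT ORDER BY id DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS
    prev_hash, h = (prev, _link(prev, event_id, computer, params)) if chained else ("", "")
    cur = conn.execute("INSERT INTO EVENT (event_id, computer, params, prev_hash, hash) "
                       "VALUES (?, ?, ?, ?, ?)", (event_id, computer, params, prev_hash, h))
    conn.commit()
    return cur.lastrowid


def check_integrity(conn):
    """Re-walk the chain from GENESIS. Returns (True, None) or (False, id of the first bad row)."""
    prev = GENESIS
    for row_id, event_id, computer, params, prev_hash, h in conn.execute(
            f"SELECT {_COLS} FROM EVENT ORDER BY id"):
        if prev_hash != prev or not hmac.compare_digest(h, _link(prev, event_id, computer, params)):
            return False, row_id
        prev = h
    return True, None


def delete_event(conn, row_id: int) -> None:
    """Remove one row directly from the table, the kind of change the check is meant to reveal."""
    conn.execute("DELETE FROM EVENT WHERE id = ?", (row_id,))
    conn.commit()


def shrink_event_table(conn, keep: int) -> int:
    """Python stand-in for spShrinkEventTable: move all but the latest `keep` rows to
    EVENT_BACKUP. Returns the number of rows moved."""
    before = conn.execute("SELECT COUNT(*) FROM EVENT").fetchone()[0]
    conn.execute("INSERT INTO EVENT_BACKUP SELECT * FROM EVENT WHERE id NOT IN "
                 "(SELECT id FROM EVENT ORDER BY id DESC LIMIT ?)", (keep,))
    conn.execute("DELETE FROM EVENT WHERE id IN (SELECT id FROM EVENT_BACKUP)")
    conn.commit()
    after = conn.execute("SELECT COUNT(*) FROM EVENT").fetchone()[0]
    return before - after


if __name__ == "__main__":
    db = new_event_db()
    for n in range(1, 6):                      # constructed sample events
        log_event(db, 2000 + n, "SGMCLT", f"user=Alice;seq={n}")
    print("intact:", check_integrity(db))                  # (True, None)
    delete_event(db, 3)
    print("after deleting row 3:", check_integrity(db))    # (False, 4)
```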
26.12.1 Creating the stored procedure
The script spShrinkEventTable_install.sql creates a stored procedure which moves data
from the EVENT table to a backup log table EVENT_BACKUP. If the EVENT_BACKUP table
does not exist, it will be created automatically.
The first line is “USE SafeGuard”. If you have selected a different name for your SafeGuard
Enterprise database, modify the name accordingly.
The stored procedure will leave the <n> latest events in the EVENT table and move the rest of the
events to the EVENT_BACKUP table. The number of events to be left in the EVENT table is
specified via a parameter.
To execute the stored procedure, initiate the following command in SQL Server Management
Studio (New Query):
exec spShrinkEventTable 1000
The command example above moves all events except for the latest 1000 events.
26.12.2 Creating a scheduled job for running the stored procedure
To automatically clean up the EVENT table at regular intervals, you can create a job at the SQL
server. The job can be created via the script ScheduledShrinkEventTable_install.sql or
using the SQL Enterprise Manager.
Note: The scheduled job does not work on SQL Express databases. For the job to be executed, the
SQL Server Agent has to be running. As there is no SQL Server Agent on SQL Server Express
installations, jobs are not supported in this case.
- The script has to be executed in the msdb. If you have selected a different name for your
  SafeGuard Enterprise database than SafeGuard, modify the name accordingly.
  /* Default: Database name 'SafeGuard' change if required*/
  SELECT @SafeGuardDataBase='SafeGuard'
- You can also specify the number of events to be left in the EVENT table. The default is 100,000.
  /* Default: keep the latest 100000 events, change if required*/
  SELECT @ShrinkCommand='exec spShrinkEventTable 100000'
- You can specify whether a job run is to be logged in the NT Event Log.
  exec sp_add_job
  @job_name='AutoShrinkEventTable',
  @enabled=1,
  @notify_level_eventlog=3
  The following values are available for parameter @notify_level_eventlog:
  Value | Result
  3 | Log every time the job runs.
  2 | Log if the job fails.
  1 | Log if the job was carried out successfully.
  0 | Do not log the job run in the NT Event Log.
- You can specify how often the job run should be repeated in case it fails.
  exec sp_add_jobstep
  - @retry_attempts=3
    This example defines 3 job run attempts in case of failure.
  - @retry_interval=60
    This example defines a retry interval of 60 minutes.
- You can specify the time schedule for running the job.
  exec sp_add_jobschedule
  - @freq_type=4
    This example defines that the job is run daily.
  - @freq_interval=1
    This example defines that the job is run once per day.
  - @active_start_time=010000
    This example defines that the job is run at 1 a.m.
Note: The syntax for parameter @active_start_time stated above works with SQL Server
2005. The correct syntax for SQL Server 2000 is: @active_start_time='1:00:00'.
Note: Besides the example values stated above, you can define a number of different schedule
options with sp_add_jobschedule. For example, the job can be run every two minutes or only
once per week. For detailed information refer to the Microsoft Transact-SQL documentation.
26.12.3 Cleaning up stored procedures, jobs and tables
The script spShrinkEventTable_uninstall.sql deletes the stored procedure as well as the
EVENT_BACKUP table. The script ScheduledShrinkEventTable_uninstall.sql
deregisters the scheduled job.
Note: When executing spShrinkEventTable_uninstall.sql , the EVENT_BACKUP table
will be deleted with all data contained in it.
26.13 Report Messages Templates
Events are not logged with their complete event texts in the SafeGuard Enterprise Database. Only
the event ID and the relevant parameter values are written to the database table. When retrieving
the logged events in the SafeGuard Management Center Event Viewer, the parameter values and
the text templates contained in the .dll are converted into the complete event text in the current
SafeGuard Management Center system language.
The templates used for event text can be edited and processed, for example using SQL queries.
For this purpose, you can generate a table containing all text templates for event messages.
Afterwards you can customize the templates according to your specific requirements.
To create a table containing the text templates for the individual event IDs, proceed as follows:
1. In the menu bar of the SafeGuard Management Center, select Tools > Options.
2. In the Options window, go to tab Database.
3. In the Report Message Templates area click Create Table.
The table containing the templates for the event IDs has been created in the current system
language and can be customized.
Note: Prior to generating the templates the table is cleared. If the templates have been generated
for a language as described and a user generates the templates for a different language, the
templates for the first language will be deleted.
27 SafeGuard Enterprise and BitLocker Drive Encryption
BitLocker Drive Encryption is a full disk encryption feature with pre-boot authentication
included with Microsoft's Windows Vista and Windows 7 operating systems. It is designed to
protect data by providing encryption for the boot volume.
27.1 How does SafeGuard Enterprise integrate BitLocker?
SafeGuard Enterprise enables BitLocker Drive Encryption provided in a Windows Vista or
Windows 7 Enterprise or Ultimate installation to be managed from the SafeGuard Management
Center, like a native SafeGuard Enterprise Client.
During installation of the SafeGuard Enterprise Client the feature BitLocker support needs to be
explicitly selected to enable BitLocker integration.
SafeGuard Enterprise's central and fully transparent management of BitLocker thus allows it to be
used in heterogeneous IT environments. SafeGuard Enterprise not only integrates BitLocker Drive
Encryption seamlessly, but also enhances it significantly: security policies for BitLocker can be
rolled out centrally, and even critical processes such as key management and key recovery are
available when BitLocker is managed with SafeGuard Enterprise.
For SafeGuard Enterprise support of the BitLocker To Go enhancement in Windows 7 see
SafeGuard Enterprise and BitLocker To Go on page 278.
27.2 Enhancement of BitLocker capabilities with SafeGuard Enterprise
When BitLocker is managed with SafeGuard Enterprise, customers benefit in the following ways:
• Besides the boot partition, additional volumes of the local disk may be encrypted by BitLocker.
• SafeGuard Enterprise file-based encryption can be additionally applied to all volumes, including removable media.
• In the SafeGuard Management Center BitLocker computers can be easily managed: security policies can be updated, distributed and automatically applied.
• The BitLocker encryption status is displayed.
• The BitLocker logon mode can be defined.
• BitLocker activation and key backup is simplified compared to native Vista environments.
• A BitLocker recovery mechanism for passwords and key files is enabled for boot as well as non-boot volumes.
27.3 When to use SafeGuard Enterprise without BitLocker Drive Encryption
The SafeGuard Enterprise volume based encryption method offers some benefits over BitLocker
Drive Encryption, such as:
• It additionally supports Windows XP and Vista Business (BitLocker only supports Vista Enterprise and Ultimate).
• It requires no special hard disk partition for installation (BitLocker requires its own partition).
• It supports different smartcards and tokens for pre-boot authentication (BitLocker supports no smartcards, only memory sticks that contain a copyable key file).
• It supports and differentiates between different users during pre-boot authentication (BitLocker does not differentiate between different users).
• It provides a way for forgotten passwords to be reset via the secure, dynamic challenge/response mechanism (BitLocker uses a fixed 48-digit recovery key).
• It has a graphical user interface in pre-boot authentication (BitLocker has only text).
• It accepts complex passwords and password rules that are synchronized with Windows (BitLocker only permits a TPM PIN).
• It also allows sector-based encryption for removable media (Vista BitLocker encrypts no removable media. When a BitLocker client is used with SafeGuard Enterprise, file-based removable media encryption is possible.)
27.4 Managing BitLocker clients with SafeGuard Enterprise
In the SafeGuard Enterprise Management Center BitLocker endpoint computers can be managed
just like any native SafeGuard endpoint computers. As a security officer you can set encryption
and authentication policies for the BitLocker endpoint computers and distribute them.
Once a BitLocker endpoint computer is registered at SafeGuard Enterprise, information on user,
computer, logon mode and encryption status is displayed. Events are logged for BitLocker clients
as well.
Management of the BitLocker clients in SafeGuard Enterprise is transparent, which means that
management functions work in general the same way for BitLocker and native SafeGuard Enterprise
clients. You can find out the type of a computer in the Inventory of a container in Users &
Computers. The column POA Type tells you whether the respective computer is a BitLocker client or
a native SafeGuard Enterprise Client.
27.5 Encrypting with BitLocker via SafeGuard Enterprise
With BitLocker Drive Encryption support in SafeGuard Enterprise you can encrypt the following:
• the boot volume with BitLocker encryption and BitLocker keys
• other volumes with BitLocker encryption and BitLocker keys
• any data, for example on removable media, with SafeGuard Enterprise file based encryption and SafeGuard Enterprise keys.
Please note that with SafeGuard Enterprise BitLocker support external hard disks are handled as
other volumes and not as removable media. Thus, they can be volume encrypted.
27.5.1 BitLocker encryption keys
When encrypting the boot volume or other volumes with BitLocker via SafeGuard Enterprise the
encryption keys are always generated by BitLocker. A key is generated by BitLocker for each
volume and cannot be reused for any other purpose. It needs to be stored in a safe place.
The advantage when using BitLocker with SafeGuard Enterprise is that for each BitLocker
generated key a backup key is stored in the SafeGuard Enterprise database. This allows for setting
up a help desk and recovery mechanism similar to the SafeGuard Enterprise Challenge/Response
otherwise not available.
However, it is not possible to select keys globally or reuse them as with SafeGuard Enterprise
native clients. The keys are not displayed in the SafeGuard Management Center either.
If a volume was already encrypted with BitLocker before the BitLocker support of SafeGuard
Enterprise was installed, the administrator needs to back up the keys of that volume using the
backup mechanisms offered by Microsoft.
Note: If a volume is encrypted when SafeGuard Enterprise BitLocker support is already installed,
the administrator may save the backup keys (secured with a recovery password) in Active
Directory, in addition to the storage in the SafeGuard database. The administrator needs to do so
manually via the Windows Manage-BDE tool and by saving them to a group policy. For Windows
2003 Server, however, this requires the Active Directory schema in use to be extended;
furthermore, Domain Administrator rights are needed to recover the stored information.
27.5.2 BitLocker algorithms in SafeGuard Enterprise
BitLocker supports the following Advanced Encryption Standard (AES) algorithms:
• AES-128
• AES-256
• AES-128 with diffuser
• AES-256 with diffuser
The diffuser is BitLocker specific and is not used for the SafeGuard Enterprise volume based
encryption mode. If an algorithm with diffuser is selected for encryption, any non-BitLocker
modules of SafeGuard Enterprise will automatically use the algorithm without diffuser. When a
policy is assigned to both BitLocker enabled computers and native SafeGuard Enterprise
computers, the SafeGuard Enterprise native computers will use the algorithm without diffuser
and BitLocker computers will use the algorithm with diffuser.
27.5.3 Encryption policies for BitLocker Drive Encryption
The security officer can create a policy for (initial) encryption in the SafeGuard Management
Center and distribute it to the BitLocker endpoint computers where it is executed.
As the BitLocker clients are managed transparently in the Management Center, the security
officer does not have to make any special BitLocker settings for encryption. SafeGuard Enterprise
knows the status of the clients and selects BitLocker encryption accordingly. When a BitLocker
client is installed with SafeGuard Enterprise and volume encryption is activated, the volumes are
encrypted by BitLocker Drive Encryption.
27.6 Authentication with BitLocker Drive Encryption
BitLocker Drive Encryption offers a range of authentication options. BitLocker users can either
authenticate via a Trusted Platform Module (TPM) or USB stick or a combination of both.
The security officer can set the various logon modes in a policy in the SafeGuard Management
Center and distribute it to the BitLocker user PCs.
The following logon modes exist for SafeGuard Enterprise BitLocker users:
• TPM only
• TPM + PIN
• TPM + USB Stick
• USB Stick only (TPM-less)
Trusted Platform Module (TPM)
TPM is a smartcard-like module on the motherboard performing cryptographic functions and
digital signature operations. It can create, store and manage user keys. It is protected against
attacks.
USB Stick
The external keys can be stored on an unprotected USB stick.
27.7 Logging
Events reported by the BitLocker Client are logged, just as for any other SafeGuard Enterprise
client. It is not especially mentioned that the event refers to a BitLocker client. The events
reported are the same as for any SafeGuard Enterprise client.
28 SafeGuard Enterprise and BitLocker To Go
With BitLocker To Go the BitLocker Drive Encryption functionality has been extended in
Microsoft Windows 7, enabling users to encrypt internal volumes as well as volumes on
removable media on endpoint computers via the Windows Explorer context menu.
• When the SafeGuard Enterprise Device Encryption Client has been deployed with "BitLocker support" enabled, BitLocker To Go is supported.
• When the SafeGuard Enterprise Device Encryption Client has been deployed without activating "BitLocker support", or when the SafeGuard Data Exchange Client has been deployed, encryption via BitLocker To Go is not compatible and needs to be disabled in this case. However, encryption of internal volumes and removable media can be centrally and conveniently configured via SafeGuard Enterprise security policies. Volumes and removable media already encrypted via BitLocker To Go before SafeGuard Enterprise deployment will remain readable.
To deactivate BitLocker To Go encryption, do the following:
1. In the Windows Group Policy Editor, select Default Domain Policy > Computer
configuration > Policies > Administrative Templates (local computer) > Windows
components > BitLocker drive encryption > Removable media.
2. Under Removable media, select the following policy: Manage the use of BitLocker on
removable media. Set the options as follows:
   • Select Enabled.
   • Under Options, deselect: Users may apply BitLocker protection to removable media.
   • Under Options, select: Users may stop and decrypt BitLocker protection on removable media.
3. Confirm with OK.
BitLocker To Go encryption is deactivated on the endpoint computers. Users cannot encrypt new
volumes via BitLocker To Go anymore. Volumes encrypted via BitLocker To Go before the
deployment of the native SafeGuard Enterprise Device Encryption Client remain readable.
The resulting Registry settings on the Client side are as follows:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
    "RDVConfigureBDE"=dword:00000001
    "RDVAllowBDE"=dword:00000000
    "RDVDisableBDE"=dword:00000001
These Registry keys will also be set during the installation of the SafeGuard Enterprise Device
Encryption Client so that BitLocker To Go is also deactivated on computers without domain
management, such as workgroup or standalone computers.
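As an added example (not part of the SafeGuard Enterprise documentation), the following PowerShell function reads the three FVE policy values listed above and reports whether a computer has BitLocker To Go deactivated as described, whether the values were written by the Group Policy or by the client installer; the only assumption is that it runs with rights to read HKEY_LOCAL_MACHINE.

```powershell
# Added example, not part of the SafeGuard Enterprise documentation.
# Reads the three FVE policy values documented above and reports whether they
# carry the data expected for a deactivated BitLocker To Go.
function Get-BitLockerToGoPolicyState {
    [CmdletBinding()]
    param(
        # Documented policy key; HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE.
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    )

    # Expected values exactly as documented (dword:00000001 / dword:00000000).
    $expected = [ordered]@{
        RDVConfigureBDE = 1   # "Manage the use of BitLocker on removable media" is Enabled
        RDVAllowBDE     = 0   # users may not apply BitLocker protection to removable media
        RDVDisableBDE   = 1   # users may stop and decrypt existing BitLocker protection
    }

    # $null when the key does not exist at all (neither GPO nor the client installer wrote it).
    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    foreach ($name in $expected.Keys) {
        # Dynamic property access yields $null when the individual value is missing.
        $actual = if ($null -ne $props) { $props.$name } else { $null }
        [pscustomobject]@{
            Name     = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($null -ne $actual) -and ([int]$actual -eq $expected[$name])
        }
    }
}

# Usage: a computer is compliant only when all three rows report Ok = True.
$rows = Get-BitLockerToGoPolicyState
$rows | Format-Table -AutoSize
if ($rows | Where-Object { -not $_.Ok }) {
    Write-Warning "BitLocker To Go is not deactivated as documented on $env:COMPUTERNAME."
} else {
    Write-Output "BitLocker To Go is deactivated on $env:COMPUTERNAME as documented."
}
```

A missing key or a missing individual value is reported as Actual empty and Ok False rather than as an error, so the output can be collected from many computers and filtered.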
29 Events available for reports
The following table provides an overview on all events which can be selected for logging.
Category | Event ID | Description
--- | --- | ---
System | 1005 | Service started.
System | 1006 | Service start failed.
System | 1007 | Service stopped.
System | 1016 | Integrity test of data files failed.
System | 1017 | Logging destination not available.
System | 1018 | Unauthorized attempt to uninstall SafeGuard Enterprise
Authentication | 2001 | External GINA identified and integrated successfully.
Authentication | 2002 | External GINA identified, integration failed.
Authentication | 2003 | Power-on Authentication active.
Authentication | 2004 | Power-on Authentication deactivated.
Authentication | 2005 | Wake on LAN activated.
Authentication | 2006 | Wake on LAN deactivated.
Authentication | 2007 | Challenge created.
Authentication | 2008 | Response created.
Authentication | 2009 | Log on successful.
Authentication | 2010 | Log on failed.
Authentication | 2011 | User imported during log on and marked as owner.
Authentication | 2012 | User imported by owner and marked as non-owner.
Authentication | 2013 | User imported by non-owner and marked as non-owner.
Authentication | 2014 | User removed as owner.
Authentication | 2015 | Import of user during log on failed.
Authentication | 2016 | User logged off.
Authentication | 2017 | User was forced to log off.
Authentication | 2018 | Action performed on device.
Authentication | 2019 | User started a Password/PIN change.
Authentication | 2020 | User changed their Password/PIN after logon.
Authentication | 2021 | Password/PIN Quality.
Authentication | 2022 | The Password/PIN change could not be performed.
Authentication | 2023 | LocalCache was corrupted and has been restored
Authentication | 2024 | Invalid Password Black List Configuration
Authentication | 2025 | Response Code received that allows the user to display the password.
Authentication | 2030 | Logged on user is a Service Account
Authentication | 2035 | Service Account List imported.
Authentication | 2036 | Service Account List deleted.
Authentication | 2071 | Kernel initialization was successfully completed.
Authentication | 2071 | Kernel initialization has failed.
Authentication | 2073 | Machine keys were successfully sent to the server.
Authentication | 2074 | Machine keys could not be sent successfully to the server.
Authentication | 2079 | Importing user into the kernel was successfully completed.
Authentication | 2080 | Removing user from the kernel was successfully completed.
Authentication | 2081 | Importing user into the kernel has failed.
Authentication | 2082 | Removing user from the kernel has failed.
Authentication | 2083 | Response with "display user password" created.
Authentication | 2084 | Response for virtual client created.
Authentication | 2085 | Response for standalone client created.
Authentication | 2095 | Wake on LAN could not be activated.
Authentication | 2096 | Wake on LAN could not be deactivated.
Administration | 2500 | SafeGuard Enterprise Administration started.
Administration | 2501 | Log on to SafeGuard Enterprise Administration failed.
Administration | 2502 | Authorization for SafeGuard Enterprise Administration failed.
Administration | 2504 | Additional authorization for action granted.
Administration | 2505 | Additional authorization failed.
Administration | 2506 | Data import from directory successful.
Administration | 2507 | Data import from directory cancelled.
Administration | 2508 | Failed to import data from directory.
Administration | 2511 | User created.
Administration | 2513 | User changed.
Administration | 2515 | User deleted.
Administration | 2518 | Application of user failed
Administration | 2522 | Failed to delete user.
Administration | 2525 | Machine applied.
Administration | 2529 | Machine deleted.
Administration | 2532 | Application of machine failed.
Administration | 2536 | Failed to delete machine.
Administration | 2539 | OU applied.
Administration | 2543 | OU deleted.
Administration | 2546 | Application of OU failed.
Administration | 2547 | Import of OU failed.
Administration | 2550 | Failed to delete OU.
Administration | 2553 | Group applied.
Administration | 2555 | Group modified.
Administration | 2556 | Group renamed.
Administration | 2557 | Group deleted.
Administration | 2560 | Application of group failed.
Administration | 2562 | Failed to change group.
Administration | 2563 | Failed to rename group.
Administration | 2564 | Failed to delete group.
Administration | 2573 | Members added to group.
Administration | 2575 | Members deleted from group.
Administration | 2576 | Failed to add members to group.
Administration | 2578 | Failed to delete members from group.
Administration | 2580 | Group switched from OU to OU.
Administration | 2583 | Failed to switch group from OU to OU.
Administration | 2591 | Objects added to group.
Administration | 2593 | Objects deleted from group.
Administration | 2594 | Failed to add objects to group.
Administration | 2596 | Failed to delete objects from group.
Administration | 2603 | Key generated. Algorithm.
Administration | 2607 | Key assigned.
Administration | 2608 | Key assignment cancelled.
Administration | 2609 | Failed to generate key.
Administration | 2613 | Failed to assign key.
Administration | 2614 | Failed to delete assignment of key.
Administration | 2615 | Certificate generated.
Administration | 2616 | Certificate imported.
Administration | 2619 | Certificate deleted.
Administration | 2621 | Certificate assigned to user.
Administration | 2622 | Certificate assignment to user cancelled.
Administration | 2623 | Failed to create certificate.
Administration | 2624 | Failed to import certificate.
Administration | 2627 | Failed to delete certificate.
Administration | 2628 | Extension of certificate failed.
Administration | 2629 | Failed to assign certificate to user.
Administration | 2630 | Failed to delete assignment of certificate to user.
Administration | 2631 | Token plugged in.
Administration | 2632 | Token removed.
Administration | 2633 | Token issued to user.
Administration | 2634 | Change user PIN on token.
Administration | 2635 | Change SO PIN on token.
Administration | 2636 | Token locked.
Administration | 2637 | Token unlocked.
Administration | 2638 | Token deleted.
Administration | 2639 | Token assignment for user removed.
Administration | 2640 | Failed to issue token for user.
Administration | 2641 | Failed to change user PIN on token.
Administration | 2642 | Failed to change SO PIN on token.
Administration | 2643 | Failed to lock token
Administration | 2644 | Failed to unlock token.
Administration | 2645 | Failed to delete token.
Administration | 2647 | Policy created.
Administration | 2648 | Policy changed.
Administration | 2650 | Policy deleted.
Administration | 2651 | Policy assigned and activated to OU.
Administration | 2652 | Assigned policy removed from OU.
Administration | 2653 | Failed to create policy.
Administration | 2654 | Failed to change policy.
Administration | 2657 | Failed to assign and activate a policy to OU.
Administration | 2658 | Removing of assigned policy from OU failed.
Administration | 2659 | Policy group created.
Administration | 2660 | Policy group changed.
Administration | 2661 | Policy group deleted.
Administration | 2662 | Failed to create policy group.
Administration | 2663 | Failed to change policy group.
Administration | 2665 | Following policy has been added to policy group.
Administration | 2667 | Following policy has been deleted from policy group.
Administration | 2668 | Failed to add policy to policy group.
Administration | 2670 | Failed to delete policy from policy group.
Administration | 2678 | Recorded event exported.
Administration | 2679 | Export of recorded events failed.
Administration | 2680 | Recorded events deleted.
Administration | 2681 | Failed to delete recorded events.
Administration | 2684 | Security Officer allows renewal of certificate
Administration | 2685 | Security Officer denies renewal of certificate
Administration | 2686 | Failed to alter renewal settings for certificate
Administration | 2687 | Officer certificate changed
Administration | 2688 | Failed to change officer certificate
Administration | 2692 | Creation of workgroups.
Administration | 2693 | Failed creation of workgroups
Administration | 2694 | Deletion of workgroups.
Administration | 2695 | Failed deletion of workgroups
Administration | 2696 | Creation of users.
Administration | 2697 | Failed creation of users.
Administration | 2698 | Creation of machines.
Administration | 2699 | Failed creation of machines.
Administration | 2700 | License is violated
Administration | 2701 | Key file has been created.
Administration | 2702 | Key for key file has been deleted.
Administration | 2703 | Security Officer disabled Power-on Authentication in policy.
Administration | 2704 | LSH Question Theme created.
Administration | 2705 | LSH Question Theme changed.
Administration | 2706 | LSH Question Theme deleted.
Administration | 2707 | Question changed.
Administration | 2810 | POA access account "%1" created.
Administration | 2811 | POA access account "%1" modified.
Administration | 2812 | POA access account "%1" deleted.
Administration | 2815 | Creation of POA access account "%1" failed.
Administration | 2816 | Modification of POA access account "%1" failed.
Administration | 2817 | Deletion of POA access account "%1" failed.
Administration | 2820 | POA access account group "%1" created.
Administration | 2821 | POA access account group "%1" modified.
Administration | 2822 | POA access account group "%1" deleted.
Administration | 2825 | Creation of POA access account group "%1" failed.
Administration | 2826 | Modification of POA access account group "%1" failed.
Administration | 2827 | Deletion of POA access account group "%1" failed.
Client | 3003 | Kernel backup succeeded
Client | 3005 | Kernel restore first chance succeeded
Client | 3006 | Kernel restore second chance succeeded
Client | 3007 | Kernel backup failed
Client | 3008 | Kernel restore failed
Client | 3030 | User has changed his LSH secrets after login.
Client | 3035 | LSH was activated.
Client | 3040 | LSH was deactivated
Client | 3045 | LSH is available - Enterprise Client
Client | 3046 | LSH is available - Standalone Client
Client | 3050 | LSH is disabled - Enterprise Client
Client | 3051 | LSH is not available - Standalone Client
Client | 3055 | The QST list (LSH questions) was changed.
Client | 3405 | Configuration Protection client failed to uninstall.
Client | 3070 | Key backup was saved to the specified network share.
Client | 3071 | Key backup could not be saved to the specified network share.
Client | 3110 | POA access account "%1" imported into POA
Client | 3111 | POA access account "%1" deleted from POA
Client | 3115 | POA access account "%1" changed password via 'F8'
Client | 3116 | Import of POA access account "%1" into POA failed
Client | 3117 | Deletion of POA access account "%1" from POA failed
Client | 3118 | POA access account "%1" - change of password via 'F8' failed
Client | 3406 | Configuration Protection client experienced an internal error
Client | 3407 | Configuration Protection client detected a possible tampering event
Client | 3408 | Configuration Protection client detected a possible tampering of event logs.
Encryption | 3501 | Access denied to medium on drive.
Encryption | 3502 | Access denied to data file.
Encryption | 3503 | Sector-based initial encryption of drive started.
Encryption | 3504 | Sector-based initial encryption of drive started (quick mode).
Encryption | 3505 | Sector-based initial encryption of drive completed successfully.
Encryption | 3506 | Sector-based initial encryption of drive failed and closed.
Encryption | 3507 | Sector-based initial encryption of drive cancelled.
Encryption | 3508 | Sector-based initial encryption of drive failed.
Encryption | 3509 | Sector-based decryption of drive started.
Encryption | 3510 | Sector-based decryption of drive closed successfully.
Encryption | 3511 | Sector-based decryption of drive failed and closed.
Encryption | 3512 | Sector-based decryption of drive cancelled.
Encryption | 3513 | Sector-based decryption of drive failed.
Encryption | 3514 | F&F initial encryption on a drive started.
Encryption | 3515 | F&F initial encryption on a drive completed successfully.
Encryption | 3516 | F&F initial encryption on a drive failed and closed.
Encryption | 3517 | F&F decryption on a drive cancelled.
Encryption | 3519 | F&F encryption of a file started.
Encryption | 3520 | F&F encryption of a file closed successfully.
Encryption | 3521 | F&F decryption on a drive failed and closed.
Encryption | 3522 | F&F decryption on a drive cancelled.
Encryption | 3524 | F&F encryption of a file started.
Encryption | 3525 | F&F encryption of a file completed successfully.
Encryption | 3526 | F&F encryption of a file failed.
Encryption | 3540 | F&F decryption of a file started.
Encryption | 3541 | F&F decryption of a file completed successfully.
Encryption | 3542 | F&F decryption of a file failed.
Encryption | 3543 | Backup of boot key successful
Encryption | 3544 | Maximum count of boot algorithms exceeded.
Encryption | 3545 | Read errors on KSA
Encryption | 3546 | Disabling volumes according to the defined policies.
Encryption | 3560 | Access Protection
Encryption | 3600 | General encryption error
Encryption | 3601 | Encryption error - Engine: Volume missing.
Encryption | 3602 | Encryption error - Engine: Volume offline.
Encryption | 3603 | Encryption error - Engine: Volume removed.
Encryption | 3604 | Encryption error - Engine: Volume bad.
Encryption | 3607 | Encryption error - Encryption key missing.
Encryption | 3610 | Encryption error - Origin KSA area corrupt.
Encryption | 3611 | Encryption error - Backup KSA area corrupt.
Encryption | 3612 | Encryption error - Origin ESA area corrupt.
Access Control | 4400 | Port successfully approved
Access Control | 4401 | Device successfully approved
Access Control | 4402 | Storage successfully approved
Access Control | 4403 | WLAN successfully approved
Access Control | 4404 | Port removed successfully
Access Control | 4405 | Device removed successfully
Access Control | 4406 | Storage device removed successfully
Access Control | 4407 | WLAN disconnected successfully
Access Control | 4408 | Port restricted
Access Control | 4409 | Device restricted
Access Control | 4410 | Storage device restricted
Access Control | 4411 | WLAN restricted
Access Control | 4412 | Port blocked
Access Control | 4413 | Device blocked
Access Control | 4414 | Storage device blocked
Access Control | 4415 | WLAN blocked
30 Definitions of the SGMERR codes in Windows event log
You will see the following message in the Windows event log:
“Authorization for SafeGuard Enterprise Administration failed for user... Reason:
SGMERR[536870951]”
The table below gives the definition of each such number. Number "536870951", for example, means
"Incorrect PIN entered. Unable to authenticate user".
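As an added example (not part of the original documentation), the following PowerShell function extracts the SGMERR code from event message text of the form quoted above and resolves it against a small lookup table taken from the definitions in this chapter; the sample messages and user names are constructed, and only a subset of the documented codes is included in the table.

```powershell
# Added example, not part of the SafeGuard Enterprise documentation.
# Lookup table built from the SGMERR definitions in this chapter (subset only).
# Keys are strings so that the decimal text captured from the message is used directly.
$SgmErrDefinitions = @{
    '0'         = 'OK'
    '20'        = 'Function not executed'
    '21'        = 'Internal error found'
    '102'       = 'Access denied'
    '1201'      = 'Registry entry could not be opened.'
    '30074'     = 'The password presented is incorrect.'
    '30075'     = 'The password has been presented incorrectly several times, and is therefore locked.'
    '30080'     = 'The ID is on a blacklist, so the requested action is not allowed.'
    '352321637' = 'The file is not encrypted.'
    '385875969' = 'Integrity breached.'
    '402653185' = 'The token contains no credentials.'
    '536870923' = 'Incorrect signature.'
    '536870928' = 'The certificate has expired and is no longer valid.'
    '536870951' = 'Incorrect PIN entered. Unable to authenticate user'
}

function Resolve-SgmErr {
    <#
      Extracts SGMERR[<number>] from an event message and returns the code, its
      hexadecimal form and the documented meaning. Messages without a code produce
      no output, so the function can sit in a pipeline over many event records.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        if ($Message -match 'SGMERR\[(?<code>\d+)\]') {
            $codeText = $Matches['code']
            $code     = [int64]$codeText
            $meaning  = $SgmErrDefinitions[$codeText]
            [pscustomobject]@{
                Code    = $code
                # The hex form shows the shared high-order part of related codes, e.g. the
                # key file and certificate codes 536870913 onwards are 0x20000001 onwards.
                Hex     = '0x{0:X8}' -f $code
                Known   = $null -ne $meaning
                Meaning = if ($meaning) { $meaning } else { 'not in the local table; see the SGMERR definitions' }
                Message = $Message
            }
        }
    }
}

# Constructed sample messages in the format quoted above (not real log records).
# The first three correspond to event ID 2502, "Authorization for SafeGuard Enterprise
# Administration failed", from the events table in the previous chapter. Code 1461 is
# documented but deliberately left out of the subset above to show the unknown path.
$sampleMessages = @(
    'Authorization for SafeGuard Enterprise Administration failed for user jdoe. Reason: SGMERR[536870951]'
    'Authorization for SafeGuard Enterprise Administration failed for user asmith. Reason: SGMERR[30075]'
    'Authorization for SafeGuard Enterprise Administration failed for user rroe. Reason: SGMERR[1461]'
    'Service started.'
)

$sampleMessages | Resolve-SgmErr | Format-Table Code, Hex, Known, Meaning -AutoSize
```

For live use, pipe the Message property of records retrieved with Get-WinEvent from the log the SafeGuard components write to into Resolve-SgmErr, and extend the table with the remaining definitions below.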
289
Error ID:
Display
0
OK
1
Error in parameter 1
2
Error in parameter 2
3
Error in parameter 3
4
Error in parameter 4
5
Error in parameter 5
6
Error in parameter 6
7
Error in parameter 7
8
Error in parameter 8
9
Error in parameter 9
10
Error in parameter 10
11
Error in parameter 11
12
Error in parameter 12
13
Error in parameter 13
14
Error in parameter 14
15
Error in parameter 15
16
Error in parameter 16
17
Error in parameter 17
18
Error in parameter 18
19
Error in parameter 19
20
Function not executed
21
Internal error found
22
Module not initialized
23
File I/O Error detected
SafeGuard® Enterprise 5.50, Administrator help
24
Cache cannot be assigned
25
File I/O Read error
26
File I/O Write error
50
No operation carried out
101
General error
102
Access denied
103
File already exists
1201
Registry entry could not be opened.
1202
Registry entry could not be read.
1203
Registry entry could not be written.
1204
Registry entry could not be removed.
1205
Registry entry could not be created.
1206
Access to a system service or driver was not possible.
1207
A system service or driver could not be added in the registry.
1208
A system service or driver could not be removed from the registry.
1209
An entry for a system service or driver already exists in the registry.
1210
No access to the Service Control Manager.
1211
An entry in the registry for a session could not be found.
1212
A registry entry is invalid or wrong
1301
Access to a drive has failed.
1302
No information about a volume available.
1303
Access to a volume failed.
1304
Invalid option defined.
1305
Invalid file system type.
1306
Existing file system on a volume and the defined file system differ.
1307
Existing cluster size used by a file system and the defined cluster size differ.
1308
Invalid sector size used by a file system defined.
1309
Invalid start sector defined.
1310
Invalid partition type defined.
1311
An unfragmented, unused area of required size could not be found on a
volume.
1312
File system cluster could not be marked as used.
290
SafeGuard® Enterprise 5.50, Administrator help
291
1313
File system cluster could not be marked as used.
1314
File system cluster could not be marked as GOOD.
1315
File system cluster could not be marked as BAD.
1316
No information about clusters of a file system available.
1317
Area marked as BAD could not be found on a volume.
1318
Invalid size of an area on a volume defined.
1319
MBR sector of a hard disk could not be replaced.
1330
Wrong command for an allocation or deallocation defined.
1351
Invalid algorithm defined.
1352
Access to system kernel has failed.
1353
No system kernel is installed.
1354
An error occurred accessing the system kernel.
1355
Invalid change of system settings.
1401
Writing data to a drive has failed
1402
Reading data from a drive has failed.
1403
Access to a drive has failed.
1404
Invalid drive defined.
1405
Changing position on a drive has failed.
1406
Drive is not ready.
1407
Unmount of a drive has failed.
1451
File could not be opened.
1452
File could not be found.
1453
Invalid file path defined.
1454
File could not be created.
1455
File could not be copied.
1456
No information about a volume available.
1457
Position in a file could not be changed.
1458
Reading data from a file has failed.
1459
Writing data to a file has failed.
1460
A file could not be removed.
1461
Invalid file system
SafeGuard® Enterprise 5.50, Administrator help
1462
File could not be closed.
1463
Access to a file is not allowed.
1501
Not enough memory available.
1502
Invalid or wrong parameter defined.
1503
Data buffer size exceeded
1504
A DLL module could not be loaded.
1505
A function or process was aborted.
1506
No access allowed.
1510
No system kernel installed.
1511
A program could not be started.
1512
A function, an object or data are not available.
1513
Invalid entry detected.
1514
An object already exists.
1515
Invalid function call.
1516
An internal error has occurred.
1517
An access violation has occurred.
1518
Function or mode is not supported.
1519
Uninstallation has failed.
1520
Un exception error has occurred.
1550
The MBR sector of the hard disk could not be replaced.
20001
Unknown
20002
Process terminated
20003
File not verified
20004
Invalid policy
30050
Failed to open command.
30051
Not enough memory
30052
General failure of process communication
30053
A resource is temporarily unavailable. This is a temporary condition and
later attempts to access it may complete normally.
30054
General communication failure
30055
Unexpected return value
30056
No card reader attached
292
SafeGuard® Enterprise 5.50, Administrator help
293
30057
Buffer overflow
30058
Card has no power
30059
A timeout has occurred
30060
Invalid card type
30061
The requested functionality is not supported at this time / under this OS /
in this situation etc
30062
Invalid driver
30063
This software cannot use the firmware of the connected hardware.
30064
Failed to open file
30065
File not found
30066
Card not inserted
30067
Invalid argument
30068
The semaphore is currently in use
30069
Semaphore is temporarily in use
30070
General failure.
30071
You currently do not have the rights to perform the requested action.
Usually a password has to be presented in advance
30072
The service is currently not available
30073
An item (e.g. a key with a specific name) could not be found
30074
The password presented is incorrect.
30075
The password has been presented incorrectly several times, and is therefore
locked. Usually use a suitable administrator tool to unblock it.
30076
The identity does not match a defined cross-check identity
30077
Multiple errors have occurred. Use this error code if it is the only way of
obtaining an error code when various different errors have occurred.
30078
There are still items left, therefore e.g. the directory structure etc. cannot be
deleted.
30079
Error during consistency check
30080
The ID is on a blacklist, so the requested action is not allowed.
30081
Invalid handle
30082
Invalid configuration file
30083
Sector not found.
30084
Entry not found.
SafeGuard® Enterprise 5.50, Administrator help
30085       No more sections
30086       End of file reached.
30087       The specified item already exists.
30088       The password is too short.
30089       The password is too long.
30090       An item (e.g. a certificate) has expired.
30091       The password is not locked.
30092       Path not found.
30093       The directory is not empty.
30094       No more data
30095       The disk is full
30096       An operation has been aborted.
30097       Read-only data; a write operation failed
12451840    The key is unavailable.
12451842    The key is not defined.
12451842    Access to unencrypted medium denied.
12451843    Access to unencrypted medium denied unless it is empty.
352321637   The file is not encrypted.
352321638   The key is unavailable.
352321639   The correct key is unavailable.
352321640   Checksum error in file header
352321641   Error in CBI function.
352321642   Invalid file name.
352321643   Error when reading/writing temporary file.
352321644   Access to unencrypted data is not allowed.
352321645   Key Storage Area (KSA) full.
352321646   The file has already been encrypted with another algorithm.
352321647   The file has been compressed with NTFS and so cannot be encrypted.
352321648   File is encrypted with EFS!
352321649   Invalid file owner!
352321650   Invalid file encryption mode!
352321651   Error in CBC operation!
385875969   Integrity breached.
402653185   The token contains no credentials.
402653186   Credentials cannot be written to the token.
402653187   TDF tag could not be created.
402653188   TDF tag does not contain the required data.
402653189   The object already exists on the token.
402653190   No valid slot found.
402653191   Unable to read serial number
402653192   Token encryption has failed.
402653193   Token decryption has failed.
536870913   The key file contains no valid data.
536870914   Parts of the RSA key pair are invalid.
536870915   Failed to import the key pair.
536870916   The key file format is invalid.
536870917   No data available.
536870918   Certificate import failed.
536870919   The module has already been initialized.
536870920   The module has not been initialized.
536870921   The ASN.1 encoding is corrupt.
536870922   Incorrect data length.
536870923   Incorrect signature.
536870924   Incorrect encryption mechanism applied.
536870925   This version is not supported.
536870926   Padding error.
536870927   Invalid flags.
536870928   The certificate has expired and is no longer valid.
536870929   Incorrect time entered. Certificate not yet valid.
536870930   The certificate has been revoked.
536870931   The certificate chain is invalid.
536870932   Unable to create the certificate chain.
536870933   Unable to contact the CDP (CRL distribution point).
536870934   A certificate that may be used only as an end-entity certificate has been used as a CA certificate, or vice versa.
536870935   Invalid certificate chain length (path length constraint).
536870936   Error opening file.
536870937   Error reading a file.
536870938   One or more parameters passed to the function are incorrect.
536870939   Function output exceeds the buffer.
536870940   Token and/or slot error.
536870941   Token has insufficient memory to perform the requested function.
536870942   Token was removed from the slot while the function was being performed.
536870943   The requested function could not be performed, but information on the cause of the error is not available.
536870945   The computer on which the CBI library is running has insufficient memory to perform the requested function. The function may have been only partly completed.
536870946   The requested function is not supported by the CBI library.
536870947   An attempt has been made to set a value for an object that cannot be set or altered.
536870948   Invalid value for object.
536870949   An attempt to obtain the value of an object has failed because the object is either sensitive or inaccessible.
536870950   The PIN entered has expired. (Whether a normal user's PIN on a token ever expires varies from token to token.)
536870951   The PIN entered is incorrect. Unable to authenticate user.
536870952   The PIN entered contains invalid characters. This return code applies only when setting a PIN.
536870953   The PIN entered is too long/short. This return code applies only when setting a PIN.
536870954   The selected PIN is blocked and cannot be used. This happens after a certain number of failed attempts to authenticate a user, after which the token refuses any further attempts.
536870955   Invalid Slot ID.
536870956   The token was not in the slot at the time of the request.
536870957   The CBI library and/or slot failed to recognize the token in the slot.
536870958   The requested action cannot be carried out because the token is write-protected.
536870959   The specified user cannot be logged on because this user is already logged on to a session.
536870960   The specified user cannot be logged on because another user is already logged on to the session.
536870961   The requested action cannot be performed because the appropriate user is not logged on. For example, a session cannot be logged off unless a user is logged on.
536870962   The normal user PIN has not been initialized with CBIInitPin.
536870963   An attempt has been made to log more distinct users on to the same token simultaneously than is permitted.
536870964   Invalid value specified for CBIUser. Valid types are defined in the user types.
536870965   An object with the specified ID could not be found on the token.
536870966   Operation has timed out.
536870967   This version of IE is not supported.
536870968   Authentication failed.
536870969   The basic certificate is secured.
536870970   No CRL found.
536870971   No active internet connection.
536870972   Certificate time-value error.
536870973   Unable to verify the selected certificate.
536870974   Certificate expiry status unknown.
536870975   The module has exited. No further requests.
536870976   An error has occurred during a request for a network function.
536870977   An invalid request for a function has been received.
536870978   Unable to find an object.
536870979   A terminal server session has been interrupted.
536870980   Invalid operation.
536870981   The object is in use.
536870982   The random number generator has not been initialized (CBIRNDInit() not called).
536870983   Unknown command (see CBIControl()).
536870984   UNICODE is not supported.
536870985   More seed needed for the random number generator.
536870986   Object already exists
536870987   Incorrect algorithm combination (see CBIRecrypt()).
536870988   The Cryptoki module (PKCS#11) has not been initialized.
536870989   The Cryptoki module (PKCS#11) has already been initialized.
536870990   Unable to load Cryptoki module (PKCS#11).
536870991   Certificate not found.
536870992   Not trusted.
536870993   Invalid key.
536870994   The key cannot be exported.
536870995   The specified algorithm is temporarily not supported.
536870996   The specified decryption mode is not supported.
536870997   GSENC compilation error.
536870998   Data request format not recognized.
536870999   The certificate has no private key.
536871000   Bad system setting.
536871001   An operation is already active.
536871002   The validity periods of the certificates in the chain are not properly nested.
536871003   The CRL could not be replaced.
536871004   The user PIN has already been initialized.
805306369   You do not have sufficient rights to perform this action. Access denied!
805306370   Invalid operation
805306371   Invalid parameter in use
805306372   Object already exists
805306373   The object could not be found.
805306374   Database exception
805306375   The action has been cancelled by the user.
805306376   The token is not assigned to a specific user.
805306377   The token is assigned to more than one user.
805306378   The token could not be found in the database.
805306379   The token has been successfully deleted and removed from the database.
805306380   Unable to identify the token in the database.
805306381   The policy is assigned to a policy group. Remove the assignment before deleting the policy.
805306382   The policy is assigned to an OU. Remove the assignment first.
805306383   The certificate is invalid for this Officer.
805306384   The certificate has expired for this Officer.
805306385   The Officer could not be found in the database.
805306386   The selected Officer is not unique.
805306387   The Officer is blocked and cannot be authenticated.
805306388   The Officer is no longer or not yet valid.
805306389   Unable to authorize Officer: request outside office hours.
805306390   An Officer cannot delete their own account.
805306391   The Master Security Officer cannot be deleted because a second Master Security Officer is needed for additional authentication.
805306392   The Security Officer cannot be deleted because a second Security Officer is required for additional authentication.
805306393   The checking Officer cannot be deleted because a second checking Officer is required for additional authentication.
805306394   The recovery Officer cannot be deleted because a second recovery Officer is required for additional authentication.
805306395   The advisory Officer cannot be deleted because a second advisory Officer is required for additional authentication.
805306396   The Master Security Officer function cannot be deleted because a second Master Security Officer is needed for additional authentication.
805306397   The Security Officer function cannot be deleted because a second Security Officer is needed for additional authentication.
805306398   The checking Officer function cannot be deleted because a second checking Officer is needed for additional authentication.
805306399   The recovery Officer function cannot be deleted because a second recovery Officer is needed for additional authentication.
805306400   The advisory Officer function cannot be deleted because a second advisory Officer is needed for additional authentication.
805306401   There is no additional Officer with the required function available for additional authentication.
805306402   Event log
805306403   Integrity of central event log successfully verified.
805306404   Integrity breached! One or more events have been removed from the start of the chain.
805306405   Integrity breached! One or more events have been removed from the chain. The message at the point at which the break in the chain was discovered has been highlighted.
805306406   Integrity breached! One or more events have been removed from the end of the chain.
805306407   Failed to export events to file. Reason:
805306408   The current view contains unsaved data. Do you want to save changes before exiting this view?
805306409   The file could not be loaded or the file is damaged. Reason:
805306410   The integrity of the log has been breached! One or more events have been removed.
805306411   Save events to a file before deleting?
805306412   Job display
805306413   Several CRLs found in the database: unable to delete CRL.
805306414   CRL not found in database:
805306415   Unable to find the user to whom the certificate is to be assigned in the database.
805306416   A PKCS#7 (P7) blob is required for a certificate assignment.
805306417   The user to whom the certificate is to be assigned is not uniquely named.
805306418   Unable to find the certificate assignment.
805306419   Certificate assignment not unique. Unclear which certificate to remove.
805306420   Unable to find the user for whom the certificate is to be produced in the database.
805306421   The user to whom the certificate is to be assigned cannot be uniquely named.
805306422   The certificate has already been assigned to another user. A certificate can only be assigned to one user.
805306423   Unable to find the machine to which the certificate is to be assigned in the database.
805306424   The machine to which the certificate is to be assigned could not be uniquely identified.
805306425   Imported certificates cannot be renewed by SGN.
805306426   Inconsistent certificate data
805306427   The renewal of the certificate has not been approved by a Security Officer.
805306428   Error deleting token
805306429   The certificate cannot be deleted from the token because it was used to authenticate the current user.
805306430   A system access with this name already exists. Please select another name.
805306431   The Security Officer does not have any roles assigned. Logon not possible.
805306432   The license is violated.
805306433   No license was found.
2415919104  No policy found.
2415919105  No configuration file available!
2415919106  No connection to server.
2415919107  No more data.
2415919108  Invalid priority used for sending to server!
2415919109  More data pending.
2415919110  Auto registration pending.
2415919111  Database authentication failed!
2415919112  Wrong session ID!
2415919113  Data packet dropped!
3674210305  Domain not found.
3674210306  Machine not found.
3674210307  User not found.
3758096385  The password does not contain enough letters
3758096386  The password does not contain enough numbers
3758096387  The password does not contain enough special characters
3758096388  The password is the same as the user name
3758096389  The password contains consecutive characters
3758096390  The password is too similar to the user name
3758096391  The password has been found in a list of prohibited passwords
3758096392  The password is too similar to the old password
3758096393  The password includes a keyboard sequence with more than two characters
3758096394  The password includes a keyboard column with more than two characters
3758096395  The password is not yet valid
3758096396  The password has expired
3758096397  The password has not yet reached its minimum validity period
3758096398  The password has exceeded its maximum validity period
3758096399  Information must be displayed about an impending change to the password
3758096400  The password must be changed at first logon
3758096401  The password has been found in the history
3758096402  Error when verifying against the specified blacklist.
4026531840  No "platform" found.
4026531841  No document.
4026531842  XML parse error.
4026531843  Document Object Model (XML) error
4026531844  No <DATAROOT> tag found.
4026531845  XML tag not found.
4026531846  "nostream" error.
4026531847  "printtree" error.
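The password rules behind codes 3758096385 to 3758096394 and 3758096401 (plus 30088 and 30089 for length) can be checked one by one against a candidate password. The following checker is an added example written for this page; it is not SafeGuard Enterprise's own implementation. The US-QWERTY layout, the length and count thresholds, what exactly counts as "consecutive" or "too similar", and every function and constant name are assumptions of the example; the product's real rules are whatever its password policy settings say.

```python
from difflib import SequenceMatcher
from typing import List, Optional, Sequence

# Error codes from the table above (decimal, as listed there).
ERR_TOO_SHORT          = 30088
ERR_TOO_LONG           = 30089
ERR_NOT_ENOUGH_LETTERS = 3758096385
ERR_NOT_ENOUGH_DIGITS  = 3758096386
ERR_NOT_ENOUGH_SPECIAL = 3758096387
ERR_SAME_AS_USER       = 3758096388
ERR_CONSECUTIVE_CHARS  = 3758096389
ERR_SIMILAR_TO_USER    = 3758096390
ERR_BLACKLISTED        = 3758096391
ERR_SIMILAR_TO_OLD     = 3758096392
ERR_KEYBOARD_ROW       = 3758096393
ERR_KEYBOARD_COLUMN    = 3758096394
ERR_IN_HISTORY         = 3758096401

# Assumed US-QWERTY layout for the keyboard row/column checks.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
KEYBOARD_COLUMNS = ("1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p")


def _has_run(text: str, sequences: Sequence[str], length: int = 3) -> bool:
    """True if some window of `length` characters lies on one of the
    sequences, read forwards or backwards ('qwe', 'ewq', 'zaq')."""
    t = text.lower()
    for i in range(len(t) - length + 1):
        window = t[i:i + length]
        if any(window in s or window in s[::-1] for s in sequences):
            return True
    return False


def _consecutive(text: str, length: int = 3) -> bool:
    """Assumed meaning of 'consecutive characters': the same character repeated
    ('aaa') or a run of adjacent code points in either direction ('abc', '321')."""
    for i in range(len(text) - length + 1):
        window = text[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _similar(a: str, b: str, threshold: float = 0.75) -> bool:
    """Assumed similarity test: one string contains the other, or the difflib
    ratio reaches the threshold (the threshold is a choice for this example)."""
    a, b = a.lower(), b.lower()
    if not a or not b:
        return False
    return a in b or b in a or SequenceMatcher(None, a, b).ratio() >= threshold


def check_password(password: str, user_name: str, old_password: Optional[str] = None,
                   history: Sequence[str] = (), blacklist: Sequence[str] = (),
                   min_length: int = 8, max_length: int = 64,
                   min_letters: int = 1, min_digits: int = 1, min_special: int = 1) -> List[int]:
    """Return every error code the password violates (empty list = accepted)."""
    errors: List[int] = []
    if len(password) < min_length:
        errors.append(ERR_TOO_SHORT)
    if len(password) > max_length:
        errors.append(ERR_TOO_LONG)
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    special = len(password) - letters - digits
    if letters < min_letters:
        errors.append(ERR_NOT_ENOUGH_LETTERS)
    if digits < min_digits:
        errors.append(ERR_NOT_ENOUGH_DIGITS)
    if special < min_special:
        errors.append(ERR_NOT_ENOUGH_SPECIAL)
    if password.lower() == user_name.lower():
        errors.append(ERR_SAME_AS_USER)
    elif _similar(password, user_name):
        errors.append(ERR_SIMILAR_TO_USER)
    if _consecutive(password):
        errors.append(ERR_CONSECUTIVE_CHARS)
    if _has_run(password, KEYBOARD_ROWS):
        errors.append(ERR_KEYBOARD_ROW)
    if _has_run(password, KEYBOARD_COLUMNS):
        errors.append(ERR_KEYBOARD_COLUMN)
    if password.lower() in {b.lower() for b in blacklist}:
        errors.append(ERR_BLACKLISTED)
    if old_password is not None and _similar(password, old_password):
        errors.append(ERR_SIMILAR_TO_OLD)
    if password in history:
        errors.append(ERR_IN_HISTORY)
    return errors


if __name__ == "__main__":
    # Constructed inputs, not values taken from the product.
    for pw in ("Qwerty123!", "alice2010!", "Tr0ub4dor&3"):
        print(pw, check_password(pw, "alice", old_password="Summer2010!"))
```

The checker returns all applicable codes rather than stopping at the first one, so a user sees every rule a password fails in a single round trip; a real implementation should also read the thresholds from the active policy rather than from function defaults.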
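Messages 805306403 to 805306406 and 805306410 describe a hash-chained central event log whose verifier can tell whether events were removed from the start, from somewhere in the middle (and highlight the entry where the break was found), or from the end of the chain. The following verifier is an added example of that classification, written for this page and not taken from SafeGuard Enterprise; the hash construction, the anchor value, the event record layout, the sample events and all names are assumptions of the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]

# Assumption for this example: the first event chains to a fixed anchor value
# rather than to a real predecessor. The hash construction is illustrative and
# is not SafeGuard Enterprise's own log format.
CHAIN_ANCHOR = "0" * 64


def event_hash(prev_hash: str, event_id: str, payload: str) -> str:
    """Digest of one event, bound to the digest of the event before it."""
    data = f"{prev_hash}\n{event_id}\n{payload}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_log(entries: List[Tuple[str, str]]) -> List[Event]:
    """Append (event_id, payload) entries to a fresh hash-chained log."""
    log: List[Event] = []
    prev = CHAIN_ANCHOR
    for event_id, payload in entries:
        digest = event_hash(prev, event_id, payload)
        log.append({"id": event_id, "payload": payload, "prev": prev, "hash": digest})
        prev = digest
    return log


def verify_chain(log: List[Event], expected_head: str) -> Tuple[str, Optional[int]]:
    """Walk the chain and classify any break the way the messages above do.

    Returns (status, index):
      ("ok", None)         every link verifies                    (cf. 805306403)
      ("start", 0)         event 0 does not chain to the anchor, so events
                           were removed from the start             (cf. 805306404)
      ("middle", i)        event i does not chain to event i-1, or its stored
                           hash does not match its content; i is the entry
                           to highlight                            (cf. 805306405)
      ("end", last_index)  the last event is not the expected chain head, so
                           events were removed from the end (None if the
                           whole log is gone)                      (cf. 805306406)
    expected_head must be stored where a log writer cannot rewrite it, or
    deletions at the end of the chain are undetectable.
    """
    if not log:
        return ("ok", None) if expected_head == CHAIN_ANCHOR else ("end", None)
    if log[0]["prev"] != CHAIN_ANCHOR:
        return ("start", 0)
    prev = CHAIN_ANCHOR
    for i, ev in enumerate(log):
        if ev["prev"] != prev:
            return ("middle", i)
        if event_hash(ev["prev"], ev["id"], ev["payload"]) != ev["hash"]:
            return ("middle", i)
        prev = ev["hash"]
    if prev != expected_head:
        return ("end", len(log) - 1)
    return ("ok", None)


# Constructed sample events (not real SafeGuard Enterprise log records).
SAMPLE_EVENTS = [
    ("1", "Officer alice logged on to the Management Center"),
    ("2", "Policy 'Device Encryption' assigned to OU Sales"),
    ("3", "User bob changed password"),
    ("4", "Token 0815 assigned to user carol"),
    ("5", "Officer alice logged off"),
]


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Verify an intact log and four damaged copies of it."""
    log = build_log(SAMPLE_EVENTS)
    head = log[-1]["hash"]                       # known-good chain head
    tampered = [dict(ev) for ev in log]
    tampered[2]["payload"] = "User bob changed password (edited)"
    return {
        "intact": verify_chain(log, head),
        "start_cut": verify_chain(log[1:], head),
        "middle_cut": verify_chain(log[:2] + log[3:], head),
        "end_cut": verify_chain(log[:-1], head),
        "tampered": verify_chain(tampered, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

Two limits of a plain hash chain are worth keeping in mind when reading the messages above: truncation at the end is only detectable because the verifier knows the expected head from somewhere the log writer cannot alter, and anyone who can rewrite the whole chain can simply recompute it, so the head (or each event) needs a key the writer does not hold, for example a signature by the Management Center, to turn integrity checking into tamper evidence against an insider.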
31 Technical Support
You can find technical support for Sophos products in any of these ways:
• Visit the SophosTalk forum at http://community.sophos.com/ and search for other users who are experiencing the same problem.
• Visit the Sophos support knowledgebase at http://www.sophos.com/support/
• Download the product documentation at http://www.sophos.com/support/docs/
• Send an email to [email protected], including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.
32 Copyright
Copyright © 1996 - 2010 Sophos Group and Utimaco Safeware AG. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you
are either a valid licensee where the documentation can be reproduced in accordance with the
licence terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos is a registered trademark of Sophos Plc and the Sophos Group. SafeGuard is a registered
trademark of Utimaco Safeware AG - a member of the Sophos Group. All other product and
company names mentioned are trademarks or registered trademarks of their respective owners.
All SafeGuard products are copyright of Utimaco Safeware AG - a member of the Sophos Group,
or, as applicable, its licensors. All other Sophos products are copyright of Sophos plc., or, as
applicable, its licensors.
You will find copyright information on third party suppliers in the file entitled Disclaimer and
Copyright for 3rd Party Software.rtf in your product directory.