SafeGuard LAN Crypt 3.61 E.book

Contents

1. Logged events (ID / Event)

   1001 Administration started
   1002 Administration closed
   1100 Certificate created
   1101 Certificate assigned to User
   1102 Certificate assigned to Security Officer
   1103 Certificate assigned to Master Security Officer
   1104 Certificate wizard started
   1105 Certificate assignment cleared
   1106 Certificate assignment failed
   1107 SO certificate recovered
   1108 Recovery key created
   1109 Settings for additional authorization changed
   1111 Key created
   1112 Key changed
   1113 Key deleted
   1114 Key moved
   1115 Security Officer logged on
   1116 Security Officer logon failed
   1117 Security Officer logged on to grant additional authorization
   1118 Profile generation started for group
   1119 Profile generated for user
   1120 Rule created
   1121 Rule changed
   1122 Rule deleted
   1123 Security Officer logged off
   1124 Logging configured
   1125 Logging events archived
   1126 Logging events deleted

   (SafeGuard LAN Crypt 3.61 Administration, pages 142-143)

   1127 Logging events exported
   1128 Checksum (MAC) error in Logging table
   1129 Database synchronization started
   1130 Database synchronization ended
   1131 Key value displayed
   1132 Global Setting changed
   1133 Setting changed
   1134 Checksum (MAC) recalculated
   1135 Checksum recalculat
2. 3.16.4 Generating encryption rules

   1. Right-click Encryption Rules under the relevant group node and click New rule in the context menu. You can also access the New rule command in a context menu which you display by right-clicking in the right-hand console pane. In the right-hand console pane you can see all the encryption rules that have been generated.
   2. Enter a relative or absolute path in the input field under Encryption path. You can use jokers and wildcards in file names, but not in the rest of the path (for example *.doc). Click the Browse button to select a path.

   Relative paths and programs supporting file or path specifications in 8.3 notation only: If you use programs which only support file or path specifications in 8.3 notation and you want to access encrypted files with file names longer than 8 characters, or files in directories with names longer than 8 characters, you must use 8.3 notation to specify the encryption paths. You have to define these encryption rules additionally. If you do not, 32-bit programs will no longer work. Use the dir /x command to display the correct 8.3 name of long file names.

   3. Three options appear under Encryption path:
      - Include subdirectories
      - Exclude path
      - Ignore path

   Include subdirectories: Subdirectories are not included in encryption unless specified. To include all subdirectories in encr
3. Global rights of a Security Officer (Rights / Values)

   Create SOs               0x000001
   Generating profiles      0x000002
   Generating keys          0x000004
   Copy Keys                0x000008
   Delete Keys              0x000010
   Reading keys             0x000020
   Generating certificates  0x000040
   Assign Certificates      0x000080
   Change Groups            0x000200
   Logon to Database        0x000400
   Authorize Operations     0x000800
   Change Users             0x001000
   Generating rules         0x002000
   Change global rights     0x004000
   Change ACLs              0x008000
   Use specific Keys        0x010000
   Change Configuration     0x020000
   Read Logging Entries     0x040000
   Manage Logging           0x080000
   Import Directory Objects 0x100000

   ACL for a group (Permissions / Values)

   Create Key          0x00000001
   Copy Keys           0x00000002
   Delete Key          0x00000004
   Create Rules        0x00000008
   Assign Certificates 0x00000010
   Add User            0x00000020
   Delete User         0x00000040
   Add Group           0x00000080
   Delete Subgroups    0x00000100
   Move Groups         0x00000200
   Change Properties   0x00000400
   Delete Group        0x00000800
   Create Profiles     0x00001000
   Change ACL          0x00002000
   Read                0x00004000
   Visible             0x00008000

   ACL for a SO (Permissions / Values)

   Change Name               0x01000000
   Change Certificate        0x02000000
   Change Region             0x04000000
   Assign Configuration      0x08000000
   Delete SO                 0x10000000
   Change Global Permissions 0x20000000
   Change ACL                0x40000000
   Read                      0x80000000

   6.2 Logged events
4. Confirmations

   In the SafeGuard LAN Crypt Administration Console you can specify actions that are required to be confirmed prior to execution. To do this, click Properties in the context menu for the SafeGuard LAN Crypt Administration root node. A dialog displays these options. If you select an action, you must confirm that you want to perform it before it is carried out. The action is not carried out until you have confirmed it.

   [Screenshot: SafeGuard LAN Crypt Administration Properties dialog, tabs General, Settings, Confirmations. "Select the actions requiring confirmation before execution": Confirm add groups; Confirm move group to other group; Confirm delete group from database; Confirm remove shortcut from group; Confirm remove all shortcuts from group; Confirm remove keys from group; Confirm attaching key to group; Confirm creating key reference in group; Confirm remove key reference from group. Footer: Current Security Officer is Master Security Officer UTIMACO.]

   Confirm add groups: Adding a group reference to a different group has to be confirmed. Select group > right-hand mouse button > Copy > select different group > right-hand mouse button > Paste > Confirmation.

   Note: All Copy, Cut and Paste operations can either be done by using the context menu or by using the Drag & Drop or Drag & Drop + CTRL functionality.

   3.4.2 Con
5. Note: When files that have only been opened with the available key are stored and there are no encryption rules for these files, they may be saved as unencrypted data. This happens with applications that create a temporary file, delete the source file and then rename the temporary file when they save it. As there is no encryption rule for the new file, it is saved as unencrypted data.

   Renaming or moving directories
   For performance reasons, SafeGuard LAN Crypt does not change the encryption status when complete directories are moved using Windows Explorer. This means that no encryption, decryption or re-encryption is carried out when a directory is moved. If files were encrypted, they remain encrypted in the new directory or in the new storage location. If the user owns the appropriate key, they can work with these files as usual.

   Moving files and directories securely
   SafeGuard LAN Crypt can also move files and directories securely. In this case the files and directories are encrypted, decrypted or re-encrypted as required, in accordance with the current encryption rules. The source files are securely deleted (wiped) after they have been moved. You access this function via the Secure Moving command in the Windows Explorer context menu. In a dialog you select the location to which the files are to be moved.

   Explicit file decryption
   To decrypt a file, simply copy or
6. Owning this permission is a prerequisite for assigning values to keys. A user with the permission Create Keys on its own can only generate keys without values.

   Permissions / Description

   Create Keys: The SO can generate keys in the individual groups. A user with the permission Create Keys on its own can only generate keys without values. Within the Administration Console, keys without a value can be assigned to encryption rules. The value itself is generated when policy files are generated. To generate keys with values manually, the SO must have the Create Profiles permission.
   Copy Keys: The SO is allowed to copy keys.
   Delete Keys: The SO can delete keys from individual groups.
   Read Keys: The SO can see the data for the individual keys for a group.
   Create Certificates: The SO can generate certificates for users.
   Assign Certificates: The SO is allowed to assign certificates to the users. The SO is allowed to run the wizard used to assign certificates.
   Administer Groups: The SO can make changes in the groups: adding sub-groups, moving groups, synchronizing groups, deleting groups.
   Log in Database: The SO can log on to the SafeGuard LAN Crypt database. By default this permission is active. With this permission an SO can easily make changes to the database without too much effort, for example if staff leave the company. T
7. - red means the certificate has expired
   - yellow means the certificate is running within the configured expiration warning period
   - green means everything is OK
   - no icon means either no certificate was assigned to the user or that user was missed out when the system assigned certificates

   To provide the policy files, select the required users and then click the blue gear icon in the tool bar, or click Build Profile in the selected user's context menu.

   3.18.3 Clearing profiles

   You can use the Certificate snap-in to clear the profiles of one or more users. Clearing a profile means generating an empty profile. The user has to log on once to an empty policy file to overwrite the settings of the current policy file cached on their machine. After that they can no longer access encrypted data.

   To clear a profile, select the user in the Certificate snap-in and click the Clear profile for selected user icon, or click Clear profile in the context menu. You can select several users (select the users with the left mouse button while holding down the SHIFT key) and clear their profiles by clicking the same icon.

   Note: The settings in the SafeGuard LAN Crypt Configuration define how profiles are cleared. The process for deleting profiles is similar to the one for creating profiles. If the Novell name is use
8. Creator name: For the database to be addressed correctly, the database creator has to be specified for Oracle databases. The creator has to be specified in CAPITALS.
   SQL Dialect: m = Microsoft SQL Server; o8 = Oracle 8; o9 = Oracle 9 or higher.
   Actions: C = Create all tables.
   Example 1: CreateTables SGLCSQLServer m c
   Example 2: CreateTables SGLCSQLServer SGLC o9 c

   Master Security Officers

   SafeGuard LAN Crypt uses the concept of Security Officers. Initially there is one Master Security Officer, who can delegate tasks later on by creating additional Security Officers and assigning them specific rights for the administration of SafeGuard LAN Crypt. The first Master Security Officer may even create additional Master Security Officers. ACLs are used to define the rights assigned to the Security Officers created by a Master Security Officer. Individual Security Officers can then be assigned to different organizational units in central Administration. Their rights then apply exclusively to the organizational unit to which they have been assigned. These rights are inherited downwards in the organizational hierarchy until other rights are assigned.

   After you have set up the database system and the data source, the next step when SafeGuard LAN Crypt Administration Console runs for the first time is to create an initial Master Security Officer. A Master Security Officer always has all existing rights.

   Notice: When
9. 2 for a limited amount of time (for example so that Team 1 can support Team 2 in a project), you simply add a shortcut to Team 1's group in Team 2's group. Then generate new policy files. Next time the members of Team 1 log on, they have access to Team 2's data. When Team 1 no longer requires the extra rights, you can remove the shortcut from Team 2's group and generate new policy files again. The members of Team 1 then no longer have access to Team 2's data.

   3.10.5 Deleting groups

   You can delete individual groups (OUs) and shortcuts to groups (OUs) in the SafeGuard LAN Crypt Administration console. To delete a group, select Delete in that group's context menu. All sub-group and user memberships will be deleted. The users themselves will only be deleted if an OU is deleted in the SafeGuard LAN Crypt Administration console. In this case, any memberships of users that might exist in other OUs are also deleted. Keys are NEVER deleted. They remain in the SafeGuard LAN Crypt database. Before the group is deleted, a dialog is displayed in which you must confirm that you want to delete the group.

   To delete a shortcut to a group, click Delete in the shortcut's context menu. Only the shortcut is deleted. The group itself is not affected. Before you delete a shortcut, a dialog appears that asks you to confirm that you want to do so. The context menu of the parent group contains the entry Remove links that you use to delete a shortcut. Click
10. This dialog will be displayed every time you initialize the generation of policy files. If you click Yes and SafeGuard LAN Crypt does not detect any changes requiring new profiles, the system will not generate any new policy files. A corresponding message will be displayed.

    If you make any changes on the Antivirus tab, or if you change the Use existing encryption format until this date setting in Central Settings, this will always result in a change in the policy files of all users. After a change of this type, new policy files for all users will be created.

    Users without certificates

    When the system generates policy files and finds users to whom no certificate has been assigned, or whose certificate will soon expire or has already expired, it displays a dialog to inform you about these users. It lists the certificates involved in this dialog and displays their status as a color next to the user name:
    - red means the certificate has expired
    - yellow means the certificate is running within the configured expiration warning period
    - green means everything is OK
    - no icon means either no certificate was assigned to the user or that user was missed out when the system assigned certificates

    You can use two options to specify what SafeGuard LAN Crypt does next:
    - Do not warn me again for the users shown in the list: If you select this option, the system does not display a warning fo
11. To create relationships between groups, you can copy a group and insert it in a different group. A group inserted this way is displayed as a shortcut in the parent group. As a result, the members of the inserted group inherit all keys and encryption rules of the parent group. The prerequisite for inheriting keys is that these keys are defined as inheritable in the parent group. Rights for editing the group are NOT inherited. Since this group is only inserted in the new place as a shortcut, encryption rules, members, certificates and keys are not shown there. These values are only visible in the real group in the hierarchy. The inherited keys can also be used there to create encryption rules.

    To add a group to another group via a shortcut:
    1. Select the relevant group, open its context menu and select Copy.
    2. Select the target group into which you want to insert the group and click Insert in the target group's context menu. You can also create the shortcut by pressing CTRL and dragging and dropping the group onto the target group.
    3. The system will prompt you to confirm that you want to add the group. Click OK to confirm this.
    4. The group is now displayed as a shortcut under the other group.

    In this way you can easily grant all members of one group all the rights of a different group. For example, if you want to grant the members of Team 1 the same rights as the members of Team
12. click Next. The system imports and assigns the certificates automatically. It displays a message to confirm that it has successfully assigned the certificates. Click Finish to close the wizard.

    3.17.3.3 Assigning certificates from a directory

    If you select the Assign certificates from a directory option, you must enter the address of the directory from which you want to import the certificates in step 2.

    [Screenshot: Certificate Assignment Wizard, step 2 of 5, "Assign certificates from a directory": specify which directory contains the certificate files that are to be assigned to users.]

    After you specify the directory, you see a dialog in which you define the method that SafeGuard LAN Crypt is to use to assign certificates to the users.

    [Screenshot: Certificate Assignment Wizard, step 3 of 5, "Method for matching": select which method the wizard uses to find certificates that match users. Options: Username equals filename; Username is in DN (requires search pattern); Match as specified in a file.]

    - Username equals filename: Select this option if the file names of the certificate files are identical to the user name. All users that correspond to a file name are assigned to the appropriate certificate.
    - User name is in DN: If the user name is contained in the certificate
13. that can be stored on a file server or in the Netlogon folder on a Windows Domain Controller. The Security Officer can create a tailored policy for each individual user at the click of a button. This policy contains all the keys and rules that apply to that user. The SO uses the SafeGuard LAN Crypt Administration graphical user interface to generate and administer these policy files. In turn, this uses the Microsoft Management Console (MMC) as its interface. The Snap-Ins provide the Security Officer with a range of tools to make their tasks easier.

    The policy files are encrypted separately by means of certificates for every single user. This process involves the Public Key Infrastructure (PKI) already present in the organization. Alternatively, the SO can also create the certificates themselves by using SafeGuard LAN Crypt. The SafeGuard LAN Crypt administration data is then stored in an SQL database. Of course, all important data records, and especially the key data, are encrypted in the SQL database. Because the database used here is not dependent on the system administration functionality, the security and system administration functions can be kept strictly separate.

    SafeGuard LAN Crypt can also be used to configure different SO roles whose permissions can be restricted to suit specific tasks in specific areas. The Master Security Officer (MSO) is the only person who always has every permission. In addition, an SO is also able to delegate the p
14. to be able to generate keys with values manually.
    Copy Keys: The SO can copy keys.
    Delete Keys: The SO can delete keys from the individual groups.
    Read Keys: The SO can see the data for the individual keys for a group.
    Create Certificates: The SO can generate certificates for the users.
    Assign Certificates: The SO can assign certificates to the users. The SO can run the wizard for assigning certificates.
    Administer Groups: The SO can make changes in the groups: adding sub-groups, moving groups, synchronizing groups, deleting groups.

    Permissions / Description

    Log in Database: The SO can log on to the SafeGuard LAN Crypt Database. By default this permission is always activated. This permission is an easy way for an SO to make changes to the database without a lot of effort, for example if staff leave the company. This right is not granted to people who are exclusively permitted to act when someone else authorizes their actions. This ensures that these people can only authorize actions that require confirmation and have no way to make changes in SafeGuard LAN Crypt.
    Authorize Operations: The SO can participate in actions that require confirmation.
    Administer Users: The SO can add users to a group or remove them, and synchronize groups.
    Create Rules: The SO can generate encryption rules for the users.
    Change
15. whether a user has logged on using a smartcard, a PIN has been changed or a certificate has expired. Additionally, it has a product-specific section which logs events that occur within SafeGuard LAN Crypt. You configure SafeGuard Auditing in the Auditing section in the SafeGuard LAN Crypt Configuration Console. For detailed information please refer to your SafeGuard Auditing manual. You will find it on your installation CD (SGLOG_eng.pdf).

    APPENDIX

    6.1 Logging (Database Logging and Event Logging)

    SafeGuard Auditing logs rights as numeric values. To interpret these values you can use the following tables. An event in the log file may look like this:

    W CWA 1 17 49 01 10 2004 cwa Information 1178 Admin messages SGLANCrypt ACL on SO changed Rights for SO_Sophos Linz added Allowed 0x86000000 Denied 0x0 Action in Chris Executed by Master Security Officer

    The bold lines describe the permissions (rights) which have been changed for SO_Sophos Linz. The numbers after Allowed and Denied show which rights have actually been modified:

    Allowed 0x86000000 =
      ACL for SO: Read                0x80000000
      ACL for SO: Change Certificate  0x02000000
      ACL for SO: Change Region       0x04000000
      Allowed                         0x86000000

    Global rights of a Security Officer (Rights / Values)
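As an added worked example (not part of the manual), the following Python decodes the Allowed/Denied masks of an audit entry like the one above using the three permission tables from the appendix (SO ACL, group ACL, global rights). The manual only shows the "ACL on SO changed" wording; the event phrases used here to select the group and global tables are assumptions.

```python
import re

# Permission tables as printed in the manual's appendix (bit value -> name).
SO_ACL = {
    0x01000000: "Change Name",
    0x02000000: "Change Certificate",
    0x04000000: "Change Region",
    0x08000000: "Assign Configuration",
    0x10000000: "Delete SO",
    0x20000000: "Change Global Permissions",
    0x40000000: "Change ACL",
    0x80000000: "Read",
}

GROUP_ACL = {
    0x00000001: "Create Key",
    0x00000002: "Copy Keys",
    0x00000004: "Delete Key",
    0x00000008: "Create Rules",
    0x00000010: "Assign Certificates",
    0x00000020: "Add User",
    0x00000040: "Delete User",
    0x00000080: "Add Group",
    0x00000100: "Delete Subgroups",
    0x00000200: "Move Groups",
    0x00000400: "Change Properties",
    0x00000800: "Delete Group",
    0x00001000: "Create Profiles",
    0x00002000: "Change ACL",
    0x00004000: "Read",
    0x00008000: "Visible",
}

GLOBAL_RIGHTS = {
    0x000001: "Create SOs",
    0x000002: "Generating profiles",
    0x000004: "Generating keys",
    0x000008: "Copy Keys",
    0x000010: "Delete Keys",
    0x000020: "Reading keys",
    0x000040: "Generating certificates",
    0x000080: "Assign Certificates",
    0x000200: "Change Groups",       # 0x000100 is not listed in the manual
    0x000400: "Logon to Database",
    0x000800: "Authorize Operations",
    0x001000: "Change Users",
    0x002000: "Generating rules",
    0x004000: "Change global rights",
    0x008000: "Change ACLs",
    0x010000: "Use specific Keys",
    0x020000: "Change Configuration",
    0x040000: "Read Logging Entries",
    0x080000: "Manage Logging",
    0x100000: "Import Directory Objects",
}

# Which table applies is decided by the event text. Only "ACL on SO" is taken
# from the manual's sample entry; the other two phrases are assumptions.
TABLE_FOR_EVENT = [
    ("ACL on SO", SO_ACL),
    ("ACL on group", GROUP_ACL),
    ("global rights", GLOBAL_RIGHTS),
]

def decode_mask(mask, table):
    """Return (names, unknown_bits): the table entries set in `mask`, plus any
    bits that the table does not define (nonzero means the table is incomplete
    or the wrong table was chosen)."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    known = sum(table)  # bits are distinct powers of two, so sum == bitwise OR
    return names, mask & ~known

LOG_RE = re.compile(r"Allowed\s+(0x[0-9A-Fa-f]+)\s+Denied\s+(0x[0-9A-Fa-f]+)")

def decode_log_entry(entry):
    """Pick the table from the event wording, parse Allowed/Denied, decode both."""
    table = next((t for key, t in TABLE_FOR_EVENT if key in entry), None)
    m = LOG_RE.search(entry)
    if table is None or m is None:
        return None  # not a rights-change entry we know how to interpret
    allowed, denied = int(m.group(1), 16), int(m.group(2), 16)
    allowed_names, allowed_unknown = decode_mask(allowed, table)
    denied_names, denied_unknown = decode_mask(denied, table)
    return {"allowed": allowed_names, "denied": denied_names,
            "unknown_bits": allowed_unknown | denied_unknown}

# Constructed sample: the manual's entry reduced to one line.
SAMPLE = ("Information 1178 Admin messages SGLANCrypt ACL on SO changed "
          "Rights for SO_Sophos Linz added Allowed 0x86000000 Denied 0x0 "
          "Executed by Master Security Officer")

if __name__ == "__main__":
    print(decode_log_entry(SAMPLE))
```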
16. 5. In the Server field, select the server you want to use to establish the connection and click Next.
    6. Accept the default settings in the next dialog. If you accept the option With Windows NT authentication using the network login ID, you specify that Windows user data is to be used to log on to the database system. You do not need to enter a password. Click Next.
    7. Accept the default settings in the next dialog. As a result, the existing master database is used. However, if you have generated your own database, select it here.
    8. In the next dialog, accept the default settings and click Finish.

    Creating tables in the SafeGuard database

    Using the command line tool createTables.exe you create the required tables in your SafeGuard LAN Crypt database. The tool is available in the Install directory on your installation CD. To create the tables in your database, do as follows:
    1. Enter the following on the command line:
       CreateTables SGLCSQLServer m c
    If you have used the defaults during installation, configuration of the database system is now complete. You can now start SafeGuard LAN Crypt Administration.

    CreateTables command line syntax:
       CreateTables <ODBCName Creator> <SQL dialect> <Action>
    CreateTables.exe offers the following parameters for creating the tables in different configurations:
    ODBCName: The name used for the ODBC data source.
17. GUID and objectGUID are evaluated. If you want to use another LDAP attribute to identify the objects, select <other> under Object GUID and enter the name of the LDAP attribute in the entry field beside it. This attribute must contain data that will unambiguously identify the object.
    - GUID attribute has a binary value: This option only affects how the GUID appears in the object Properties dialogs. To display these correctly, activate this option if the GUID you use has a binary value. If you are not sure what to do, activate this option.

    Attributes for Users
    - Username Attribute: This setting only affects how users are displayed in the SafeGuard LAN Crypt Administration Console. The users are displayed in a group's Properties dialog and in the User and Certificates snap-in. You can select one of the existing attributes or enter an LDAP attribute by selecting <other>. <standard> evaluates cn and sn.
    - Logonname attribute: Special meaning is attached to the attribute for the logon name. SafeGuard LAN Crypt names the policy files after the user logon name. A user can only log on if their logon name and policy file name are identical. Here you can specify which LDAP attribute is used to define the user's logon name. <Standard> evaluates SAMAccountName, userPrincipalName and UID. If two or three of these attributes are already present in the directory
18. Change Global Permissions: The SO can change the global rights granted to another SO.
    Change ACLs: The SO can change the ACL for a group.
    Use specific Keys: The SO can change user keys or group keys.
    Change Configuration: The SO can change the configuration paths. This permission is the prerequisite for the Configuration tab page to be displayed in the Central settings and for the SO to be able to make changes in the Directories tab page if they are logged on to the database.
    Read Logging Entries: The SO can see the settings for logging and the logged events.
    Manage Logging: The SO can change the settings for logging and is allowed to archive, delete and check entries.

    Permissions / Description

    Import Directory Objects: The SO can import OUs, groups and users from a directory service and can add them to the SafeGuard LAN Crypt database. To be able to import Directory Objects, the SO also needs to have the Administer Groups permission and the Administer Users permission. They are set automatically when the Importing Directory Objects permission is selected. If an SO does not have this permission, the Directory Objects node, which is used to import OUs, groups and users, is not visible in the Administration Console.

    6.3.2 Permissions for changing the settings for a Security Officer

    Permissions / Description
    Change Name: Allows changes to the name of
19. [Screenshot: search dialog with an "Add third condition" button, a condition row ("display name" / "should be" / value), and the options "All conditions must be met (AND)" and "At least one of the conditions must be met (OR)".]

    The following user information will be retrieved from the SafeGuard LAN Crypt database:
    - Logon name
    - User name
    - Assignment between user and certificate
    - Requestor of the certificate
    - Serial number of the certificate
    - Date from which the certificate is valid
    - Date up to which the certificate is valid
    - Name of the parent group

    You can define search criteria based on these attributes. SafeGuard LAN Crypt searches for defined character strings in the user attributes retrieved. In the first drop-down list you can select the attribute(s) on which the search process is to be applied. In addition, you can define whether the selected attribute should correspond to the character string entered (should be), or if only users are to be displayed for whom the selected attribute does not correspond to the character string entered (must not be). In the drop-down list on the right-hand side you can enter the character string SafeGuard LAN Crypt searches for in the defined attribute. You can use the following SQL wildcards for entering the character string:
    - % : any character sequence
    - _ : single character, e.g. a__ means search for all names containing three characters and starting with a single charact
20. [Screenshot: group Properties dialog, tabs Members and Security. "Assigned permissions to Security Officers on this object": Security Officers list (SO Utimaco Linz, Add button) and "Permissions for SO Utimaco Linz" with Allow/Deny check boxes for Create Key, Copy Keys, Delete Key, Create Rules, Assign Certificates, Add User, Delete User, Add Group, Delete Subgroups, Move Groups, Change Properties, Delete Group, Create Profiles.]

    Note: Click Allow/Deny to allow or deny all the permissions. Click this again to deselect all global permissions. If all rights are selected, you can select/deselect them later on as required. The global permission settings define that disabled rights cannot be granted to the Security Officer.

    You can assign the following permissions:

    Permissions / Description
    Create Key: The SO is allowed to generate keys in the group.
    Copy Keys: The SO is allowed to copy keys.
    Delete Key: The SO is allowed to delete keys.
    Create Rules: The SO is allowed to generate encryption rules for the users.
    Assign Certificates: The SO is allowed to assign certificates to the users. The SO is allowed to run the wizard used to assign certificates.
    Add User: The SO is allowed to add users to the group manually. This permission is a prerequisite for importing/synchronizing groups and users.

    Permissions / Description
    Delete User: SOs are allowed to use the Members and c
21. SO can manually add users to the group. This permission is a prerequisite for importing/synchronizing groups and users.
    Delete User: SOs can use the Members and certificates for group snap-in to delete users. This permission is a prerequisite for importing/synchronizing groups and users.
    Add Group: The SO can use the context menu for a group to add new groups. This permission is a prerequisite for importing/synchronizing groups and users.
    Delete Subgroups: The SO can delete the sub-groups for this group. This permission is a prerequisite for importing/synchronizing groups and users.
    Move Groups: The SO can move manually created groups in Administration with drag and drop. Imported groups cannot be moved. This permission is a prerequisite for importing/synchronizing groups and users.
    Change Properties: The SO can change the properties for the group.
    Delete Group: The SO can delete groups. This assumes that the SO has removed the Delete Subgroups permission in the group above. This permission is a prerequisite for importing/synchronizing groups and users.
    Create Profiles: The SO has permission to run the Profile Resolver and generate policy files for individual users.
    Change ACL: The SO can change the ACL for the group, for example by adding another SO.

    Permissions / Description
    Read: The SO has read rights for
22. Signature certificate (optional) and click Search to select a new signature certificate for the SO.

    Note: You can only change SO signature certificates in variant 1 and not in variant 2.

    Variant 2: Using the restoration key
    1. Start SafeGuard LAN Crypt Administration.
    2. In the SO dialog window, select the (M)SO you require.
    3. Click the Change certificate button and follow the instructions in the Restoration key wizard.

    Usually you should use variant 1. Variant 2 is primarily intended to be an alternative method and should be used if no SO with the appropriate rights is able to log on to SafeGuard LAN Crypt Administration.

    Note: A prerequisite for variant 2 is that a restoration key exists.

    No matter which method you use, you must ensure that the profile generated by the SO is regenerated before the old certificate reaches its expiration date. If not, the clients will no longer be able to load the profile. However, you can allow certificates to be assigned with only additional authorization. You must remember that this type of assignment will have an effect when SO certificates are changed.

    3.9 Logging on to Administration

    For logging on to the SafeGuard LAN Crypt Administration Console, a Security Officer must have the right to log on. Master Security Officers always have this right since they are automatically granted all available rights. When you run Administration (Start Pro
23. and click Delete in its context menu (right-click). In the Configured column, "no" will be displayed beside the relevant option.

    Here you can specify for how long the cached policy will be valid on the client computers. Within the time period defined here, the policy file is valid on the client and the user can access encrypted data even if there is no connection to the file location on the policy share. The time period during which policy files are cached, and are therefore valid, can be defined in days or weeks. When the specified time period expires, SafeGuard LAN Crypt tries to load the policy file from the network drive to update it again. If this is not possible, the policy file will be unloaded. The user can no longer access encrypted data. The policy file will only be updated and loaded again when a valid policy file is available, for example at the next logon with a connection to the client location for policy files. The user can access encrypted data again. The counter for the duration of cache storage is reset.

    By specifying the duration of cache storage you can, on the one hand, ensure that the client computers are provided with up-to-date policy files in regular intervals and that users use up-to-date policies at all times. On the other hand, you can prevent users from working with the same policy files for an unlimited time period, since a user can continue working with a cached version of the policy file for an unlimited time period if t
24. archived remain in the database and can be deleted. Their state is set to Archived.

    Deleting archived entries
    To delete archived entries, select Delete archived entries and click Next. In the next dialog, specify:
    - Date and time of the last entry that is to be deleted. All entries from that time to the present will be deleted. Note: The last possible time depends on the minimum age for logged entries, which was specified in the basic settings.
    - The location (if available) from which entries are to be deleted.
    Click Next. In the next dialog you can see how many entries have been selected. Click Next. When all entries have been deleted, the wizard's last dialog is displayed. Click Finish to close the wizard.

    Checking archive integrity
    To check the integrity of logged events, select Check archive integrity and click Next. In the next dialog, select which data you want to check. You can select the entries in the database or archived entries to be checked. To check entries in a distributed database, select which location's entries are to be checked. If you want to check an archive, select a file by clicking the Browse button. Click Next. In the next dialog you can see how many entries have been selected. Click Next. When all entries have been checked, the wizard's last dialog is displayed. The result of the integrity check is displayed. If the data has been manipulated, an appropriate
... benefits to using this database approach instead of just Windows tools such as Active Directory:
- System administration and security administration can be kept strictly separate. This is because SafeGuard LAN Crypt uses a dedicated database and is totally independent of system administration.
- The SafeGuard LAN Crypt database is encrypted and therefore protected against unauthorized access. In addition, this database prevents the SafeGuard LAN Crypt system from being changed unintentionally, e.g. if the system administrator deletes a required security object.

On the other hand, it is often not a good idea to allow people who are not system administrators to change the system configuration. It is obvious that assigning permission to write data for system administration is a real problem. This is another good reason for storing SafeGuard LAN Crypt-specific data in a separate database.

To provide the best possible protection, SafeGuard LAN Crypt's functions are divided into two parts.

SafeGuard LAN Crypt User functions

SafeGuard LAN Crypt user functions include the encryption and decryption information for data. This information is required for everyday tasks using SafeGuard LAN Crypt. As soon as a user is permitted to access the encryption information, the files are encrypted and decrypted transparently. No further user interaction is required. In addition, SafeGuard LAN Crypt has a range of
... but cannot be edited. If the Security Officer logs on to SafeGuard LAN Crypt Administration, they can only see the part of the organizational structure for which they are responsible.

3.11.1 Allowing a Security Officer to see and edit groups

1. To permit a Security Officer to see a node in Administration, you must first set the Visible right in the base node in the organization structure. To do this, select the base node in the structure and click Properties in the context menu to open the Properties dialog for this node. Toggle to the Security tab and click Add. Here you can select the Security Officer you want to assign to process the groups. Note: Several Security Officers can be assigned to the same group.

Click Next to display the Permissions dialog for this SO. Here select the Visible permission and then click Finish. This permission is inherited downwards through the group hierarchy, which means the SO can now view all groups. If the SO logs on to the database with these settings, they can see the entire Administration structure but cannot edit it.

In the next step you can now hide (suppress) the groups in the Administration Console that you do not want the SO to see because they have no rights to access them. To do this, select these groups, open their Properties dialogs and select the Security tab. Here set Visible to Deny for the groups th
... can be displayed under Central Settings > All SafeGuard LAN Crypt Keys > Show Specific Keys.

Re-assigning specific keys

In certain situations you may need to re-assign a user-specific or group-specific key to a user or a group.

Example: A user is imported from Active Directory into the SafeGuard LAN Crypt Administration Console, and a user-specific key is generated for this user. If you delete the group of which the user is a member in the SafeGuard LAN Crypt Administration Console and re-import it, SafeGuard LAN Crypt automatically generates a new user-specific key when it generates the user's policy files. The user can then no longer access data that was encrypted with the old user-specific key.

To overcome situations like this, you can configure SafeGuard LAN Crypt so that specific keys from deleted users/groups can be reassigned. To do this, add the DWORD value ShowUserKeyPage to the Windows registry with the data value 1 under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Sophos\SGLANCrypt. You can also make this entry in the Windows registry for a specific user under HKEY_CURRENT_USER. If this value is found in the Windows registry, the tab Specific key is added to the Properties dialogs for users and groups (<user/group> context menu > Properties).

In this tab you can assign specific keys which are present in the database and are not assigned to a user or
... creates a new placeholder to allow other keys without a path to be generated.
5. Select the relevant options.
6. Under Comment you can enter a description or information for the encryption rule created.
7. Click OK. The new encryption rule is displayed in the SafeGuard LAN Crypt Administration.

To edit existing encryption keys, select them and click Properties in the context menu. You can also double-click the relevant entry.

3.17 Assigning certificates

Each profile is protected by its owner's public key. This public key must be assigned to the user in SafeGuard LAN Crypt Administration via their certificate.

Note: You do not have to perform this step in the sequence described below. You can also do this at an earlier point in time.

We recommend you check that the certificates are already available for use in the certificate store or a directory (for example LDAP) before you begin assigning them. You can use standard Windows tools to import the certificates into the relevant certificate store. SafeGuard LAN Crypt has a Certificate Assignment Wizard that assigns certificates automatically.

Note: If a Windows user who assigns a certificate has no right to change the password log file in the file system, no SafeGuard LAN Crypt certificates can be generated.

3.17.1 Assigning a certificate to a user

To assign a certificate, proceed as follows:
1. Select Members and certifica
... display functions that allow the user to view their encryption profile.

SafeGuard LAN Crypt Security Officer functions

SafeGuard LAN Crypt Administration has functions that are reserved for security officers. A Security Officer certificate is a prerequisite for creating encryption profiles and administering existing encryption profiles. The SafeGuard LAN Crypt Administration component can be installed separately from the user application, since only a security officer should be able to access it. When you install SafeGuard LAN Crypt, you can select the components you require: only Administration, only the User application, or both.

1.3 Transparent encryption

For the user, transparent encryption means that all data stored in an encrypted form in encrypted directories or drives is automatically decrypted in RAM when opened by an application. When the file is saved, it is automatically encrypted again. Every file for which there is an encryption rule is encrypted automatically. If files are copied or moved to an encrypted directory, they are encrypted in accordance with the encryption rule that applies to that directory. You can of course also define different encryption rules for different file extensions or names in the same directory. Encryption is not specific to directories; it depends entirely on encryption rules. When encrypted files are renamed, they remain encrypted, provided there is not a different encryption rule or
... employees do not comply with the organization's security policy. If you need to protect your intellectual property, which is stored in files, from unauthorized access over the LAN, on file servers, on local hard disks or even on removable media, SafeGuard LAN Crypt is your product of choice.

The Security Officer (SO) can specify centrally which files and folders are to be protected by SafeGuard LAN Crypt by defining one or more encryption rules. For example, to ensure that all Word documents are protected, the SO would define the rule *.doc. As soon as this rule was rolled out across a client system as part of a policy file, all Word documents would be encrypted, no matter where they are stored. If required, more than one encryption rule can be combined to form an encryption profile.

In this example, three different rules have been brought together in one encryption profile:

Rule                              Key   Description
*.doc                             Key1  This encrypts all Word documents with Key1, no matter where they are stored.
D:\Data                           Key2  This encrypts all the files in the specified folder with Key2.
\\Server1\Share1\Personal\*.xls   Key3  This encrypts all the Excel files in the specified server folder with Key3.

With SafeGuard LAN Crypt, the SO can define very complex rules to ensure that only the actual data they require is encrypted, in very specific locations. These rules are rolled out in policy files
... first time to prevent a user from accessing this data.

3.15.5 Removing keys from a group

You can only delete a key from the group in which it was generated. You must deactivate the key before deleting it. If you delete keys that are in use, they are removed from the group but remain in the database as unassigned keys and are displayed in Central settings > All SafeGuard LAN Crypt keys.

Adding keys again

If you need this key again later, for example to access an encrypted backup of old data, you can simply drag it from the list of all SafeGuard LAN Crypt keys into the relevant group, where you can use it again. A Security Officer can add a key to any group for which they have the Create Keys right. The key is actually added to the group; it is not a shortcut.

Note: If you delete a key which has never been used in an encryption rule, it is actually deleted from the database. The key is no longer displayed under All SafeGuard LAN Crypt keys.

3.15.6 Deleting keys from the database

Under the following conditions, keys can actually be deleted from the database under the node All SafeGuard LAN Crypt keys:
- You must be logged on as a Master Security Officer.
- The keys must not be used in any encryption rule.
- The key must not be present in any group.
- The key must not be a user-specific key or a group-specific key.
- The key must be deactivated.

3.15.7 Editing keys

After you have ge
... group to specific users and groups. If a specific key is assigned to a user or a group, it is displayed in the Specific key tab. If no specific key is displayed, you can replace the current key with a different specific key or assign a new key. You can use any keys that are present in the database and have not yet been assigned to a user or a group.

Note: To make changes, an SO must have the Use specific Keys permission. If they do not, they have only read access.

Click the Browse button to display a list of all available keys. Select a key and click OK. In the Specific key tab, click OK. If the current specific key was replaced by a different one, it remains in the database as a non-assigned key.

3.15.2 Importing Keys

You can still use the keys produced in versions 2.x in this version of SafeGuard LAN Crypt. To do this, simply import the keys produced in versions 2.x from version 2.x key files. You can only import keys that are marked as exportable in the key files, and only if you know the Master ID and the Master Password for the key file and have the corresponding rights to do so. The file may not be write-protected.

To import a key, select the Group keys node under the relevant group and click Import keys from key file in the context menu.

[Dialog: Choose the SafeGuard LAN Crypt 2.x keyfile from which you want to import keys. Enter username and password to unlock th
... group objects in this pane. To transfer them to the database, click Add to database or Synchronize.

3.10.4.1 Defining data transfer settings

To optimize performance, you can define transfer settings. These transfer settings only affect transfers into the bottom view pane, to let you prepare for transferring the data to the database. Click the transfer settings icon to open a dialog that has three options (Calculate status of objects in the database, Calculate memberships, Sort objects).

- Calculate status of objects in the database: Only applies if entries are already present in the database, i.e. when the database is being synchronized. If this option is selected, you can see the following in the lower view for each object:
  - whether it is already present in the database, in the Status column;
  - whether the logged-on SO has the right to modify a group, in the Add group column. A red cross shows that the SO does not have the right to add the group. A green tick means that the SO has the right to add the group;
  - whether the logged-on SO has the right to add users, in the Add users column. A red cross shows that the SO does not have the right to add users. A green tick means that the SO has the right to add users.
- Calculate memberships: If this option is selected, the system also displays the group memberships (groups and users
... have to create a new group, add the users of both groups to the new one, and create new keys and encryption rules to make this simple data exchange possible. A shortcut to a key provides a fast and easy way of exchanging data.

To add a key to another group via a shortcut, drag it from the Keys for Group node of one group into the node of the relevant group. You can also copy the key in the source group and paste it into the target group. A key imported this way is displayed as a shortcut.

A Security Officer must have these global permissions before they can insert shortcuts to keys:
- Create Keys
- Copy Keys

In the source group they must also have the group-specific right
- Copy Keys
and
- Create Keys in the target group.

To delete a shortcut, the Security Officer must have the global and group-specific Delete Keys right.

Keys inserted as shortcuts have the following properties:
- They will NOT be inherited and are therefore only available in the group in which they have been created, NOT in sub-groups.
- If the original key is deleted, all shortcuts are also removed.

Note: In the same way as for normal group keys, removing a reference does not mean that the rule in which it has been used is no longer valid. To remove access to data, you must delete the corresponding encryption rule and generate a new policy file. The client must load the new policy file for the
... here again.

Note: Novell eDirectory: If this input field is empty, the entire LDAP structure is searched for a suitable certificate. To restrict the scope of this search, you can enter a path within which the structure will be searched. Example: OU=marketing. Microsoft AD: The input field must not remain blank. Here you must enter at least the domain and the country. Example 1: DC=mydomain,DC=De. Example 2: OU=marketing,DC=mydomain,DC=DE.

If you click Use Defaults, the system applies the address of the Domain Controller to which you are currently logged on.

To assign the certificates, the system matches the properties of the LDAP user with the SafeGuard LAN Crypt user. The following LDAP user properties can be used:
- E-mail address
- Common Name
- Full name
- NT 4.0 account name
- User Principal Name
- user-defined attribute

You can specify that these properties match the following SafeGuard LAN Crypt user properties:
- E-mail address
- User name
- Logon name
- Comment

Select the LDAP user property you want each SafeGuard LAN Crypt user property to correspond to. If these properties match, the system imports the LDAP user's certificate and automatically assigns it to the appropriate SafeGuard LAN Crypt user.

Note: To prevent inconsistencies, we recommend that you use the e-mail address as an assignment criterion, as it is always unique.

To start the wizard
... is saved. However, due to the specific behavior of the program when saving the file (creating a temporary file > renaming the file > changing the encryption status), SafeGuard LAN Crypt cannot encrypt the file. To solve this problem, you can specify these programs here. Using the information specified here, SafeGuard LAN Crypt can also encrypt files of this type correctly.

To add a program of this type:
1. Select Programs with specific behavior when saving files and click Add program with specific behavior when saving files in the context menu.
2. Enter the name of the executable of the program. Example: WINWORD.EXE
3. Click OK.
4. Repeat these steps for each program you want to add.

The programs requiring special handling by SafeGuard LAN Crypt due to their special behavior when saving files are displayed in the view on the right-hand side.

Note: This problem only occurs when saving a file which was unencrypted when it was opened and has to be encrypted due to an encryption rule applying to it (change of the encryption status). If you are using Microsoft Office 2007, we strongly recommend specifying the executables of this software here.

Event logging

Event logging is performed by SafeGuard Auditing. SafeGuard Auditing logs events that are triggered by installed SafeGuard products. Examples
... is also available for the group key tab in every group. To add a key to a group, you also need the right Copy key for the group the key is in, as well as the right Create key for the group the key is to be added to.

This starts a wizard which will help you find the key you want. In step 1 you can specify whether you want to search for the key using its GUID or its name. Example: [56]% returns all the keys whose GUIDs start with 5 or 6.

Find Key Wizard, step 1: Enter the GUID or name of the key (GUID / Name). Hint: you can use the following SQL wildcards:
- % : any character sequence
- _ : any single character, e.g. a__ (all three-letter names starting with a)
- [ ] : a single character from a list, e.g. [a-cg] (all names beginning with a, b, c or g)
- [^ ] : a single character that is not in the list, e.g. [^a] (all names that do not start with a)

Then click Next to search the database for the key you require. If the key is found, step 2 shows you the key's name, its GUID and the group in which it was generated. If you called the Find key function from a group key node in a group, activate the Assign keys in the current group option to create a link to the key you found. You can then use a key that was generated in another group in the group that you have currently selected. If you activate this option, click Next and the
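The four wildcard forms from the Find Key Wizard hint, implemented as a small matcher so an administrator can try a search pattern against a list of key names and GUIDs before running it against the database. This is an added example and not SafeGuard LAN Crypt code; it assumes the wildcards behave as the hint describes (% any sequence, _ one character, [list] and [^list] one character in or not in a list, with a-c ranges allowed inside the brackets) and that matching is case-insensitive. The key names and GUIDs are constructed sample values.

```python
"""SQL LIKE-style wildcard matching as described in the Find Key Wizard hint.

Added illustration, not SafeGuard LAN Crypt code. Assumes case-insensitive
matching; SAMPLE_KEYS are constructed (name, GUID) pairs, not real keys.
"""
import re
from typing import List


def like_to_regex(pattern: str) -> str:
    """Translate a pattern using % _ [..] [^..] into an anchored regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "%":
            out.append(".*")                      # any character sequence
        elif c == "_":
            out.append(".")                       # any single character
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unterminated character list in pattern")
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError("empty character list in pattern")
            # Escape everything except '-' so ranges such as a-c still work.
            escaped = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
            out.append("[" + ("^" if negate else "") + escaped + "]")
            i = end
        else:
            out.append(re.escape(c))              # literal character
        i += 1
    return "^" + "".join(out) + "$"


def like(value: str, pattern: str) -> bool:
    """True if `value` matches the wildcard `pattern` (case-insensitive)."""
    return re.fullmatch(like_to_regex(pattern), value, re.IGNORECASE) is not None


# Constructed sample keys: (name, GUID). Not real SafeGuard LAN Crypt keys.
SAMPLE_KEYS = [
    ("AES256-Board", "5B0C2F11-0000-4000-8000-000000000001"),
    ("Key1",         "6D7E9A22-0000-4000-8000-000000000002"),
    ("Key2",         "1F2A3B33-0000-4000-8000-000000000003"),
    ("HR-Archive",   "C4D5E644-0000-4000-8000-000000000004"),
    ("gdpr-data",    "5E6F0A55-0000-4000-8000-000000000005"),
]


def find_keys(pattern: str, by: str = "name") -> List[str]:
    """Return the names of sample keys whose name or GUID matches `pattern`."""
    idx = 0 if by == "name" else 1
    return [name for name, guid in SAMPLE_KEYS if like((name, guid)[idx], pattern)]


if __name__ == "__main__":
    for pat, by in [("[56]%", "guid"), ("key_", "name"), ("[a-cg]%", "name"), ("[^a]%", "name")]:
        print(f"{pat:10} by {by:4} -> {find_keys(pat, by)}")
```

The manual's own example, [56]% searched by GUID, selects the three constructed keys whose GUIDs begin with 5 or 6; a__ and key_ show how _ fixes the length of the match, which is useful when a name search with % alone would return too much.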
... key reference from group: Removing a link to a key from a group has to be confirmed.

Which Security Officer is logged on

This dialog also shows which Security Officer is currently logged on. The Security Officer's name is displayed at the bottom of the dialog. The status bar of the SafeGuard LAN Crypt Administration also shows which Security Officer is currently logged on.

User settings

The User Settings tab is where you can influence how information is displayed in SafeGuard LAN Crypt Administration.

[Dialog: SafeGuard LAN Crypt Administration Properties, User Settings tab. Options: Show Selected users and certificates; Show parents of users; Disable caching of user lists.]

Activate:
- Add domain name to each group name to display the relationship between SafeGuard LAN Crypt groups and domains in SafeGuard LAN Crypt Administration. This option is especially useful if SafeGuard LAN Crypt is to be used for several different domains.
- Show Selected users and certificates to display all users and their certificates that have been imported into SafeGuard LAN Crypt under the Central Settings node. You should be a
... no encryption rule for the new file name/file extension.

- If you copy or move encrypted files to a location where the current encryption rule is no longer valid, they remain encrypted, as persistent encryption is enabled by default.
- If you copy or move encrypted files to a location where the current encryption rule is no longer valid but a different encryption rule is valid, these files are first decrypted and then encrypted again according to the new encryption rule.
- Transparent encryption is applied to all file operations. The user remains completely unaware of these processes while working with encrypted data, because they all run in the background.
- Persistent encryption can prevent a user decrypting files by mistake when they copy or move them with Explorer to a different folder for which no encryption rule has been defined. However, this mechanism does not come into play if the file is copied or moved with another function instead of Explorer.

Accessing encrypted data

If the user does not own the appropriate key, they are not permitted to access the encrypted data in a directory. The user cannot read, copy, move, rename or in any other way interact with the encrypted files in this directory. However, the user can access such files if they own the key used to encrypt them, even if their encryption profile does not contain an encryption rule for these files
... only person who can access the encryption information.

We recommend that you have the certificates available and ready to use before you start installing SafeGuard LAN Crypt. The certificates then appear in the Certificates dialog immediately after SafeGuard LAN Crypt has been installed and can be used right away.

Note: SafeGuard LAN Crypt does not administer certificates. However, you can do so using your company's own PKI infrastructure or by using trust centers.

Certificate verification

SafeGuard LAN Crypt carries out extended certificate verification. This means that certificates are not accepted until their entire certificate chain (including evaluation of a Certificate Revocation List) has been checked. Extended certificate verification is carried out for these certificates:
- For certificates which are provided when a Master Security Officer is created. Only certificates which pass the entire check are displayed.
- For certificates which are created after a recovery key has been used to assign a new certificate to a Security Officer. Only certificates which pass the entire check are displayed.
- For certificates which are used by Security Officers to log on to the SafeGuard LAN Crypt database. If the certificates cannot be checked, access is denied.
- For certificates which are used for additional authorizations.

These are the preconditions for extended certi
... parallel SafeGuard LAN Crypt administrators (terminal servers), this may sometimes lead to increased memory requirements. To prevent this, simply activate this option. As a result, the lists are not buffered, and the list will not continue being created when the user leaves the node or changes to a different one. We recommend you only use this option if you are actually experiencing problems with memory capacity. Changes to the database made in the same session are not automatically transferred to a list. You can update the changes at any time by pressing F5.

Note: Any changes to the settings mentioned above are not stored in the database. They are personal settings which are saved for every user in the Microsoft Management Console snap-in.

Central settings

In the Central settings tab you can define different properties for SafeGuard LAN Crypt Administration centrally. To do so, click Properties in the context menu for the Central settings node. Alternatively, select this node and click the Properties icon in the SGLC Administration tool bar. You can then view these properties in a number of tabs and modify them if necessary.

Note: The Additional Authorization tab, the Recovery Key tab and the Regions tab can only be displayed by Master Security Officers. The Server tab and the Configuration tab can only be displayed by Security Officers who have the global right Change Configuration. The global right Change Configuration is also required for cha
...'s Distinguished Name, SafeGuard LAN Crypt can find it and assign the certificate to the appropriate user. SafeGuard LAN Crypt uses a search pattern to identify the user name in the DN. You can specify this search pattern in the input field under the User name is in DN option. The system searches for the user name that appears between the two specified character strings in the DN.

Example: In the certificate, the user name is always present under CN, e.g. CN=JSmith, OU=SafeGuard LAN Crypt. If you enter CN= in the first input field and OU=SafeGuard in the second input field, SafeGuard LAN Crypt will find the user name that is located between these two character strings, in our example JSmith. The certificate is automatically assigned to the user.

- Match as specified in a file: You can also take the required assignment from a file. For example, the public part of the certificate generated with the SafeGuard Smartcard Administration Console is saved in a file in a pre-defined directory. SafeGuard Smartcard Administration uses these files to generate a file that records which certificate is assigned to each user. Other PKIs can also generate lists of this kind. You can of course also create this list yourself.

It must use the following format:
User name   file name

Example:
Guest       Guestcer.cer
HansMeier   Meier.cer

The system assigns the certificates in accordance with the assignment
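The two assignment methods described above, "User name is in DN" and "Match as specified in a file", as helper functions in Python. This is an added example, not SafeGuard LAN Crypt code: the function names, the handling of the ", " separator around the extracted name, the rule that a DN without both markers (or a second DN claiming an already-matched user) is reported for review rather than guessed, and the "last line wins" rule for the assignment file are all assumptions. The DNs and the file content are constructed sample data modelled on the manual's examples.

```python
"""Certificate-to-user matching helpers for the 'User name is in DN' search
pattern and the 'Match as specified in a file' list.

Added illustration; not SafeGuard LAN Crypt code. Separator stripping,
ambiguity handling and the sample DNs/file content are assumptions.
"""
from typing import Dict, List, Optional, Tuple


def username_from_dn(dn: str, first: str, second: str) -> Optional[str]:
    """Return the text between `first` and `second` in the DN, or None.

    Mirrors the 'User name is in DN' option: e.g. first='CN=' and
    second='OU=SafeGuard'. The ', ' separator that follows the name is
    stripped; a missing or out-of-order marker yields None so that no
    certificate is silently assigned to an empty or wrong name.
    """
    start = dn.find(first)
    if start == -1:
        return None
    start += len(first)
    end = dn.find(second, start)
    if end == -1:
        return None
    name = dn[start:end].strip(" ,")
    return name or None


def match_certificates(dns: List[str], first: str, second: str) -> Tuple[Dict[str, str], List[str]]:
    """Map user names found in each DN to that DN.

    DNs that yield no name, or that claim a user already matched by another
    certificate, go to the `unmatched` list for an administrator to review.
    """
    matched: Dict[str, str] = {}
    unmatched: List[str] = []
    for dn in dns:
        name = username_from_dn(dn, first, second)
        if name is None or name in matched:
            unmatched.append(dn)
        else:
            matched[name] = dn
    return matched, unmatched


def parse_assignment_file(text: str) -> Dict[str, str]:
    """Parse 'User name <whitespace> file name' lines into {user: file}.

    The user name is the first field; everything after the first run of
    whitespace is the file name (so file names may contain spaces). Blank
    or one-field lines are skipped; a user listed twice keeps the last entry.
    """
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        mapping[parts[0]] = parts[1]
    return mapping


# Constructed sample data (not from any real directory or PKI).
SAMPLE_DNS = [
    "CN=JSmith, OU=SafeGuard LAN Crypt, O=Example",
    "CN=HansMeier, OU=SafeGuard LAN Crypt, O=Example",
    "CN=Guest, OU=Sales, O=Example",          # second marker absent
]
SAMPLE_ASSIGNMENT_FILE = "Guest\tGuestcer.cer\nHansMeier   Meier.cer\n\nmalformed-line\n"

if __name__ == "__main__":
    matched, unmatched = match_certificates(SAMPLE_DNS, "CN=", "OU=SafeGuard")
    print("by DN pattern:", matched)
    print("needs review: ", unmatched)
    print("from file:    ", parse_assignment_file(SAMPLE_ASSIGNMENT_FILE))
```

With the markers CN= and OU=SafeGuard, the first two constructed DNs yield JSmith and HansMeier; the third has no OU=SafeGuard after its CN and is listed for review instead of being assigned. The file parser accepts either tabs or spaces between the two columns and ignores the malformed line.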
... the Encryption Rules snap-in.
- Starts the creation of policy files for the current user(s) or the current group via the Encryption Rules snap-in.
- Starts the Certificate Assignment Wizard.
- Generates a SafeGuard LAN Crypt certificate for all users who have no certificate assigned to them.
- Opens the dialog for creating a new encryption rule.
- Opens the dialog for creating new Security Officers.
- Opens the Global Permissions tab, which displays the global rights of all Security Officers. The global rights of a particular Security Officer can also be edited here.
- Cancels all additional authorizations in the current session. An additional authorization for an action usually applies for the entire duration of one SafeGuard LAN Crypt Administration session. Click this button in the Administration tool bar to delete the relevant information, so that an additional authorization is required the next time the action is performed in the same session.
- Opens the dialog for manually adding a group.
- Discards the cached user lists for all groups. In addition, running background processes will be aborted.

You can also select all the functions that appear as these icons from the relevant context menu.

Right-click the SafeGuard LAN Crypt Administration tab to display the node's properties and modify them if required. You will find a description of these properties in the following sections.
... the character set check. If the edit field is left blank, no check is performed and it is always possible to log on to the Administration Console. Please be aware that this may lead to errors when the checksum (MAC) is calculated.

To prevent errors occurring when a character set is specified (for example typing errors, which may lead to the situation in which the Master Security Officer who made the setting can no longer log on to the Administration Console), SafeGuard LAN Crypt checks the data that was entered when you press Apply or OK. If the specified character set does not match the one currently used on this machine, a message appears and the character set that is currently valid is added to the edit field. The Database tab remains on the screen so that you can check the data that was entered. If necessary, change the settings and press Apply or OK again.

3.5.12 The Anti-virus software tab

For virus scanners to be able to scan files encrypted with SafeGuard LAN Crypt, you have to specify the scanners here. The antivirus software will be granted access to all SafeGuard LAN Crypt keys and will therefore be able to recognize virus signatures in encrypted files. This is not possible without the SafeGuard LAN Crypt keys.

To add a virus scanner, click Add. Enter the following data in the dialog displayed:
- A name for the antivirus software; this name is displayed on the Anti-virus Software tab under Product.
... the public part of Security Administrator certificates or user certificates are not loaded automatically until the Security Officer has specified the paths. SafeGuard LAN Crypt Administration stores both the .p12 files for users and the public part of Security Officer certificates in the same directory. However, from the client view these paths can be configured separately, so that either of these functions can be deactivated if necessary. Despite this, these paths are usually the same. If you want the Security Officer certificate and user certificates to be loaded automatically from different directories, you must copy them manually into the relevant directories.

4.1.9 Policyfile Client Location

To specify the storage location, select Client Settings and, in the right-hand console pane, double-click Policyfile Client Location. Enter the path for the location of the user-specific policy files in the master policy file (usually NTconfig.pol). Whenever clients log on to the server, they download the contents of this file. Information about the location of user-specific policy files is downloaded from this file and entered in the client's registration. To ensure that clients can access their policy files, for example on a shared network drive, the path must be entered from the clients' point of view. This is usually the directory in which they were generated by SafeGuard LAN Crypt
... this group and can see the contents of the snap-ins. Is set automatically if edit permissions are granted.

Visible: The SO can see the group. Is set in the base node and inherited downwards. If this has been refused for a particular SO, the group is hidden. Read must also be denied.

Copyright

Copyright 1996-2010 Sophos Group and Utimaco Safeware AG. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, unless you are either a valid licensee, where the documentation can be reproduced in accordance with the licence terms, or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Plc and the Sophos Group. SafeGuard is a registered trademark of Utimaco Safeware AG, a member of the Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

All SafeGuard products are copyright of Utimaco Safeware AG, a member of the Sophos Group, or, as applicable, its licensors. All other Sophos products are copyright of Sophos plc or, as applicable, its licensors. You will find copyright information on third party suppliers in the file entitled Disclaimer and Copyright for 3rd Party Software.rtf in your
... to the Management Console's normal view (File > Add/Remove Snap-in > SafeGuard LAN Crypt Administration). Even when you add the snap-in, you still need the password for the SafeGuard LAN Crypt administration database.

Who is logged on

The status bar shows which Security Officer is currently logged on. You can also see whether they are a Master Security Officer or a Security Officer.

Administration Console tool bar

Many of SafeGuard LAN Crypt's functions appear as icons in the Administration Console tool bar. The function and number of icons in the tool bar depend on which tab is selected at any particular time.

- Opens the dialog for creating new keys.
- Opens a dialog for searching for existing keys. Keys can be searched by key GUID or key name.
- Toggles a selected key between active and inactive.
- Opens the dialog for importing keys from a SafeGuard LAN Crypt 2.x key file.
- Starts the creation of policy files for one or more selected users via the Certificates snap-in.
- Clears (deletes) the profiles for one or more selected users via the Certificates snap-in. Clearing a profile means generating an empty profile, which has to be loaded from the client. Once this empty profile has been loaded, the client can no longer access encrypted data.
- Starts the creation of policy files for all users in this group and below via
48. …warning is displayed. Click Finish to close the wizard.

4 SafeGuard LAN Crypt Configuration

The following settings are machine-specific or user-specific settings. To edit these settings you need administrator rights in the domains or in Active Directory. These settings should only be made by a system administrator.

You select configuration settings in the LAN Crypt Configuration node. This node is displayed when you work with system policies in every computer/user node in the Management Console. In the Active Directory environment, the LAN Crypt Configuration node appears in the GPO under Computer Configuration or User Configuration > Windows settings > SafeGuard.

Usually the configuration settings are intended for machines. However, you can make user-specific settings to assign specific rights to selected users. If a user-specific setting is made, it overrules a machine-specific setting. If you want to undo a user-specific setting so that a machine-specific setting applies, you must set the status of that setting to Not Configured. To do so, select a setting and press the DEL key. In the Management Console, "No" is then displayed in the Configured column.

Client settings

If the Client Settings node is selected, the configurable settings are displayed in the right-hand console pane. Double-click an entry to open a dialog in which you can make the settings yo…
49. …who are not direct members of the individual groups. To distinguish them from direct members, they appear as grayed icons. Note: The system can only calculate the memberships until they are transferred to the database.

- Sort objects: Sorting the entries alphabetically in large groups can be very time-consuming, so the entries are usually not sorted. If you want to sort the objects alphabetically, select this option.

Updating the view: If no options were set for the transfer, you can perform these actions after the transfer by clicking the Update button. Click Update to open a dialog with the same options. The update only affects the data in the bottom view pane.

3.10.4.2 Transferring objects into the bottom pane

If you double-click a node, or select the node and click the Transfer button, you transfer the objects in the import source structure into the lower view pane. Before the objects are transferred, a dialog appears in which you can specify how the individual containers and objects are to be transferred:

- Only transfer this object: Adds the selected object without its contents.
- Transfer direct members as well: Adds all objects present in the selected container.
- Transfer members recursively: Adds all objects that are present in this container…
50. …you have a program for accessing data in an SQL database, ODBC lets you use the same program to access data in another, different database. To do this you must add drivers to the system. ODBC supports you when you are adding and configuring these drivers.

To add a data source:

1. Select Start > Settings > Control Panel > Administrative Tools > Data Sources (ODBC). The ODBC Data Source Administrator opens.
2. Select the System DSN tab and click Add. A list now appears to which you can add data sources, each with its own System DSN (system data source name). These data sources are saved locally on a computer but are not assigned to any particular user; any user who has the appropriate rights can use a System DSN.
3. Select SQL Server as the driver for which you want to create the data source and click Finish.
4. A dialog now appears in which you enter the SGLCSQLServer name to reference the data source.

You configure the data source reference name in SafeGuard LAN Crypt Configuration. The default setting is SGLCSQLServer. If you want to use a different name, enter it in the configuration.

Note: The name of the ODBC source is case-sensitive. Here you must enter names in exactly the same way as they were specified in SafeGuard LAN Crypt Configuration. You must enter the names in the configuration before running the SafeGuard LAN Crypt Administration Console for the first time.
51. 3.19.3 Viewing and exporting entries

Note: To view and export entries, a Security Officer must have the global permission Read Logging Entries.

A Security Officer who has the Read Logging Entries global permission can display entries and export them to a file. To display the entries, click View and export entries in the Logging node's context menu, or click the icon in the tool bar. This opens the dialog where you can view and export the logged entries. This dialog displays all the events that have been selected for logging. Click the column headers to sort the entries. Double-click an entry to display details for that entry. SafeGuard LAN Crypt also has a filter in which you can specify conditions for the displayed entries.

3.19.4 Filtering events

Click the Filter button in this dialog to open a second dialog (Filter eventview) where you specify a filter for the displayed events by entering constraints for the entries that should be displayed:

- Only show entries of a specified event
- Only show entries from a specified Security Officer
- Only show entries of a specified severity
- Only show entries from a specified time interval (After / Before, each with a date and a time)
- Only show entries that have a specified archive state

You can filter events using these constraints: Only sh…
52. Persistent Encryption

Files usually only remain encrypted for as long as they are subject to an encryption rule. For example, if a user copies an encrypted file into a folder for which no encryption rule has been defined, the file will be decrypted in the target folder. By activating persistent encryption, the Security Officer can ensure that files remain encrypted even when they are moved or copied. To deactivate this function, double-click Persistent encryption and select No in the list field of Activate Persistent Encryption.

Note: Persistent encryption only works if the user copies or moves files with Explorer. If they use different tools, for example xcopy, the file will be decrypted if no encryption rule has been defined for the target folder. If persistent encryption is deactivated, the rules defined in the user's profile will be applied.

Server Settings

Note: You must make these settings for the server. They have no effect on client computers. However, it is vital that you make these server settings before you start the Administration function for the first time.

SQL Dialect

Here you specify the SQL dialect that is to be used for communication with the ODBC data source. Select one of:

- MS SQL Server
- Oracle v9/v10
- Standard SQL

This will then be used in your system configuration.

Note: If different versions of the Oracle ODBC driver and Oracle dat…
53. …LAN Crypt database can be accessed. SafeGuard LAN Crypt uses the concept of Security Officers. Initially there is one Master Security Officer, who installs the Administration Console. During installation, the Master Security Officer must specify where the certificates and key files generated for users are to be saved (the public part of the Security Officer's certificate and the .p12 files containing the user certificates, which have to be imported on the client machines). After installation, you must specify where the policy files generated for the users are to be saved. Policy files containing the encryption rules are generated for each user.

Certificates (.p12 files) and policy files are automatically imported by the clients from the specified storage location at a later point in time. The clients must therefore be able to access these directories. The Master Security Officer and the System Administrator must work together to define these directories (usually shared network folders). Clients can use group policies when they log on to a domain controller to find out how to access these files. The System Administrator specifies the storage locations in the SafeGuard LAN Crypt Configuration Console. SafeGuard LAN Crypt is configured in the group policy object that is valid for the users.

(Figure: Group Policies: Policyfile Client Location, Keyfile Client Location; SGLC Client; SG LAN Crypt Admin…)
54. …ER name JFU

  G_COMPANY  type GROUP  name Company  members G_QA, G_Scranton, G_PDM, G_…   (my comment)
  G_QA       type GROUP  name QA       members U_JB1, U_PW1
  G_PDM      type GROUP  name JG1      members U_NGR, Empty, U_JFU

3.10.2 Icons in the Administration system

- Updates the view in the current window.
- Shows the users in particular groups. Also displays the memberships of groups and users in particular groups. Memberships whose object is not directly contained in the group are grayed out.
- Moves the selected object into the bottom pane. Has the same effect as double-clicking on the selected object.
- Use as new path: You can use this setting to restrict how the structure is displayed. If a node is selected and you then click this button, the system only displays the structure below the selected node. In addition, the path is added to the drop-down list so that you can quickly toggle to this display again.
- Displays the tree structure.
- Closes the tree structure.
- Deletes a selected object from the view.
- Adds the objects displayed in the bottom right-hand pane to the SafeGuard LAN Crypt Database.
- Synchronizes the objects displayed in the bottom right-hand pane with the ones already present in the SafeGuard LAN Crypt Database.
- Opens the dialog in which you specify the transfer options. You must specify the transfer options before the obj…
55. …ID is also used to synchronize the database and the directory service, because the names of individual objects can change, for example. This ensures that updates in the Active Directory are mirrored in the database and that no new object is generated in the database because of a new name in the Active Directory. However, the Novell directory service does not use this type of ID. In this case SafeGuard LAN Crypt provides another way of unambiguously identifying objects: it can be configured so that certain LDAP attributes are used to uniquely identify the objects. You configure these attributes in SafeGuard LAN Crypt Administration.

The settings <standard> and <other> are always available. Usually the <standard> setting will be sufficient for the server to which the setting refers. The attributes evaluated by the <standard> setting always appear below <standard>. In this way you can show which attributes are evaluated in the default setting. You can also assign a specific attribute if all these attributes are already present in the directory service concerned. Use <other> to specify an attribute other than those that are already displayed.

Notice: If you enter an attribute here, make sure that it contains data that will unambiguously identify the object.

- Object GUID: Here you specify which attribute is used for identification. If you leave the setting at <standard>, both attributes…
56. …LAN Crypt finds the correct file, it displays a PIN dialog. You must send a PIN letter to tell the user this PIN, which is in the password log file. The certificate and associated key are automatically imported after the user enters the PIN. If SafeGuard LAN Crypt finds a .cer file that contains the public part of the Security Officer's certificate, it automatically imports it.

Note: You must set the appropriate paths in SafeGuard LAN Crypt Configuration before you can use this functionality.

Alternatively, you can distribute the key files for the users and the public part of the Administrator certificate manually. If you do this, make sure that the clients import both of them.

Note: The clients have to import the public part of the certificate of the particular Security Officer who generated the policy files. If you change the path on which the .cer files of the Security Officers and the .p12 files of the users are stored after you have created Security Officers, you must copy their .cer files to the new location. Otherwise the public parts of the Security Officers' certificates will not be found.

Default password for user key files

In SafeGuard LAN Crypt you can define a uniform password for all user key files. To do this, copy a file that contains the password you want (up to 32 characters) to the same directory that contains the password log file (see File for password log on page 46). The file containing the password has to have the s…
57. …Officer. In the top part of the dialog you can see the SOs that have the right to change the settings for this SO.

1. Click Add to run a wizard for adding a Security Officer. On the first page of the wizard, select the SO you require from the list of existing SOs.
2. Click Next to display the page on which you specify the current SO's right to change this object (the SO whose settings are currently being processed).

(Figure: Add Security Officer Wizard, "Set some permissions": Change Name, Change Certificate, Change Region, Assign Configuration, Delete SO, Change Global Permissions, Change ACL, Read.)

Note: Click Allow to select all permissions at once. Click again to deselect all global permissions. The global permission settings specify that disabled rights cannot be granted to the Security Officer.

Permissions and their descriptions:

- Change Name: Allows changes to the name of the SO to whom the permission's owner is assigned.
- Change Certificate: Allows changes to the certificate of the SO to whom the owner of the right is assigned.
- Change Region: Allows changes to the region prefix of the SO to whom the owner of the right is assigned.
- Assign Configuration: Allows changes to the configuration of the SO to whom the owner of the right is assigned.
- Delete SO: Allows the SO to whom the owner of the pe…
58. …Remove links to delete all the shortcuts to this group. The group itself is not affected.

3.10.6 Group icons

The OUs and groups are represented by different icons in the SafeGuard LAN Crypt Administration console, depending on their import source:

- The server icon shows the source from which the OUs and groups have been imported.
- Icon for the shortcut to the server (a link created by copying it).
- Icon for an OU imported from a server.
- Shortcut to an imported OU.
- Icon for a group imported from a server.
- Shortcut to the imported group.
- Icon for a file from which users and groups have been imported.
- Shortcut to the imported file.
- Icon for a group imported from a file.
- Shortcut to the imported group.
- Group that was added manually.
- Shortcut to a group that was added manually.

3.11 Assigning SOs to organizational units

After OUs, groups and users have been imported into SafeGuard LAN Crypt Administration, Master Security Officers can assign individual SOs to the various organizational units. The SO can then use the rights they have been given to process the organizational units to which they have been assigned. To ensure that a Security Officer can only edit the organizational unit for which they are responsible, the Master Security Officer can hide the other nodes from this Security Officer. This means that the node is visible…
59. SOPHOS SafeGuard LAN Crypt 3.61 Administration user manual. Document date: July 2010

Contents

1 …
2 Getting started  12
3 Administration  21
4 SafeGuard LAN Crypt Configuration  123
5 Event Log  138
6 Appendix  139
7 Copyright  149
8 Technical Support  150

1.1 Overview

What is SafeGuard LAN Crypt?

SafeGuard LAN Crypt provides transparent file encryption. It was developed to enable users within large organizations to exchange data confidentially. In this situation, encrypted files can be stored locally on the user's hard disk, on a removable medium, or even on network drives. The encryption process is completely transparent for users. It takes place automatically when the files are created or saved. These files are also decrypted transparently when their data is read. This process is performed by a filter driver that is integrated in the f…
60. You must follow the UNC (Universal Naming Convention) capitalization rules, because no disk drives are associated with these files at this point. In this setting you can use the LOGONSERVER environment variable for load balancing etc.

4.1.10 Policyfile Cache Directory

To specify the cache storage location, select Client Settings and, in the right-hand console pane, double-click Policyfile Cache Directory. A local copy of the policy file is saved in this directory. This copy is usually loaded from a network directory. The user must have authorization to write data in this local directory. This guarantees that a user's encryption profile is available even if there is no connection to a network. You can either use one of the storage locations shown in the list or select <other> and enter a different one in the input field.

Note: The storage locations shown in the list are default Windows directories that depend on which operating system you are using. <Local Application Data> always refers to a directory on the local machine, whereas any other directories (for example Roaming Users) may also be present on network drives. If you enter a storage location manually, you must make sure that this directory actually exists on the client computer.

Note: If you want to remove a user from your SafeGuard LAN Crypt environment, please remember that the local copy will still be present on the computer. This user can then use the p…
61. …abase server are used, specify the version of the Oracle ODBC driver here.

Database Owner

Here you enter the Database Owner to ensure that the database you are using can be addressed correctly. For the MS SQL server, the default value dbo for the generator must not be changed. This only needs to be changed if you are using an Oracle database. Notice: If you are using an Oracle database, you must enter the Database Owner here in CAPITAL LETTERS.

ODBC Data Source

Here you enter the name that is to be used to access the ODBC data source. SafeGuard LAN Crypt uses SGLCSQLServer as the default name for the ODBC data source. If you want to use a different name, enter it here before you run SafeGuard LAN Crypt Administration for the first time.

Note: The name for the ODBC data source is case-sensitive. The name you enter here must be identical to the name that was entered when the ODBC data source was created.

Use Novell Name

If you want to generate policy files with Novell names: SafeGuard LAN Crypt generates two policy files for each user. One file has the Novell logon name and the other has the Windows user name. The contents of these files are identical. The Novell name m…
62. …al Security Officers required to 0. For details, see below.

3.5.10 The Recovery Keys tab

In SafeGuard LAN Crypt you can generate a recovery key. You can use this key to assign a new certificate to a Security Officer when they log on to the SafeGuard LAN Crypt Database (click the Assign certificate button) if their certificate is, for example, damaged and can no longer be used. Using the recovery key, you can also reset the number of additional Security Officers required for changing the settings for additional authorisation to 0.

A recovery key can be split into several parts, and you can specify how many parts are necessary to assign a new certificate. The individual parts of the recovery key can be distributed to different Security Officers. The owners of the individual parts must be present when the recovery key is used, and use a wizard to present the parts of the key. The parts of the recovery key can be entered manually or loaded from a file.

To generate a recovery key, click the Generate recovery key button on the Recovery Keys tab. This runs the wizard used to generate the recovery key. Using the drop-down menus, select how many parts the key is to contain and how many of them are necessary for using the recovery key. In our example, the key is to have three parts, of which at least two are needed to assign a new Security Officer certificate during logon. Click Next. SafeGua…
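The "three parts, at least two needed" split described above is a k-of-n threshold scheme. The following is an added illustration, not SafeGuard LAN Crypt code (the product's own recovery-key format and algorithm are not documented on this page); it uses Shamir's secret sharing over a prime field, with the secret treated as an integer, to show why any two of the three parts suffice and fewer do not.

```python
"""k-of-n threshold split of a recovery secret (Shamir's scheme, illustration only)."""
import secrets
from typing import List, Sequence, Tuple

# Mersenne prime used as the field modulus; secrets must be smaller than this.
PRIME = 2**127 - 1

Share = Tuple[int, int]  # (x, y) with y = f(x) mod PRIME


def _eval_poly(coeffs: Sequence[int], x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, parts: int, needed: int) -> List[Share]:
    """Split `secret` into `parts` shares; any `needed` of them reconstruct it.

    The secret is the constant term of a random polynomial of degree needed-1,
    so fewer than `needed` points leave every field value equally likely.
    """
    if not 1 <= needed <= parts:
        raise ValueError("needed must be between 1 and parts")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(needed - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, parts + 1)]


def recover_secret(shares: Sequence[Share]) -> int:
    """Lagrange interpolation at x = 0 over the presented shares.

    Duplicate x values are rejected: presenting the same part twice must not
    count as two distinct holders being present.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same share was presented more than once")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_if_quorum(shares: Sequence[Share], needed: int) -> int:
    """Recover only when at least `needed` distinct parts are presented.

    Mirrors the wizard's rule that the configured number of holders must be
    present before the recovery key can be used.
    """
    if len({x for x, _ in shares}) < needed:
        raise PermissionError(f"{needed} parts required, {len(shares)} presented")
    return recover_secret(shares)


if __name__ == "__main__":
    # Constructed example value standing in for the recovery key.
    key = secrets.randbelow(PRIME)
    parts = split_secret(key, parts=3, needed=2)
    print("recovered from parts 1+3:", recover_if_quorum([parts[0], parts[2]], 2) == key)
```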
63. …all certificates available in the certificate stores. This list contains placeholders for the user names to which the certificate is to be assigned. Example:

  My    OU=SafeGuard LAN Crypt Certificate, CN=LAN Crypt Admin   0010 ae671e47
  Root  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com   0010 4cad…

The placeholders can be replaced by the user names. If the certificate contains the user name, you can use the following option:

- Try to insert names: SafeGuard LAN Crypt can try to recognize a user. If the certificate's Distinguished Name contains the user name, SafeGuard LAN Crypt can find it and assign the certificate to the appropriate user. SafeGuard LAN Crypt uses a search pattern to identify the user name in the DN. You specify the search pattern in the input field under the User name is in DN option. The system searches for the user name that is found between the two specified character strings in the DN.

  Example: In the certificate, the user name is always present under CN, e.g. CN=JSmith, OU=SafeGuard LAN Crypt. If you enter "CN=" in the first input field and "OU=SafeGuard" in the second input field, SafeGuard LAN Crypt will find the user name that is located between these two character strings, in our example JSmith. The system replaces the placeholder with the user name and automatically assigns the certificate to the user.

- Open output file for editing with Notepad when finished: If…
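The "between two character strings" rule for the User name is in DN option, as an added example that is not part of the manual or the product: it extracts the name from a DN with the page's CN= / OU=SafeGuard pattern, leaves the placeholder in place when the pattern does not match, and only accepts names that exist in the imported user list. The placeholder token, the sample DNs and the case-insensitive user lookup are assumptions made here.

```python
from typing import List, Optional, Sequence, Tuple

# Constructed placeholder token for an unresolved user name; the page does not
# show the marker that the real output file uses.
PLACEHOLDER = "<username>"


def user_from_dn(dn: str, start: str, end: str) -> Optional[str]:
    """Return the text between the first `start` and the next `end` in `dn`.

    This is the manual's rule for the "User name is in DN" search pattern.
    None is returned when either marker is missing (or nothing lies between
    them), so the caller keeps the placeholder instead of guessing a name.
    An empty `end` means "up to the end of the DN".
    """
    i = dn.find(start)
    if i < 0:
        return None
    i += len(start)
    j = dn.find(end, i) if end else len(dn)
    if j < 0:
        return None
    name = dn[i:j].strip().rstrip(",").strip()
    return name or None


def resolve_placeholders(
    entries: Sequence[Tuple[str, str]],
    known_users: Sequence[str],
    start: str,
    end: str,
) -> List[Tuple[str, str]]:
    """Replace placeholders in (assignee, dn) pairs with recognised user names.

    A name is only accepted when it belongs to an imported user; the comparison
    is case-insensitive, an assumption made here because the import file itself
    is documented as not case-sensitive. Entries already carrying a name are
    left untouched. Unmatched entries keep the placeholder for manual editing.
    """
    lookup = {u.lower(): u for u in known_users}
    resolved: List[Tuple[str, str]] = []
    for current, dn in entries:
        if current != PLACEHOLDER:
            resolved.append((current, dn))
            continue
        name = user_from_dn(dn, start, end)
        user = lookup.get(name.lower()) if name else None
        resolved.append((user if user else PLACEHOLDER, dn))
    return resolved


# Constructed sample data modelled on the manual's example.
SAMPLE_ENTRIES = [
    (PLACEHOLDER, "CN=JSmith, OU=SafeGuard LAN Crypt"),
    (PLACEHOLDER, "CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com"),
    (PLACEHOLDER, "OU=SafeGuard LAN Crypt, CN=PW1"),  # CN after OU: pattern misses
]
SAMPLE_USERS = ["JSmith", "PW1"]

if __name__ == "__main__":
    for who, dn in resolve_placeholders(SAMPLE_ENTRIES, SAMPLE_USERS, "CN=", "OU=SafeGuard"):
        print(f"{who:12} {dn}")
```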
64. …ame name as the corresponding password log file (default name p12pwlog.csv), but has to have the file extension .pwd (similar to the default name of the password log file: p12pwlog.pwd). If the system finds this type of file, all generated user key files will have this password. In this file, if you enter logonname as the keyword instead of the default password, the current logon name will be used as the password.

Note: .p12 files for Security Officers are ALWAYS given a random password because they have higher security.

Storage location for generated Security Officer certificates

SafeGuard LAN Crypt stores Security Officer certificates in .p12 files, for example as backups. Here you can specify the folder to which they are saved. Note: Because they involve sensitive data, it is vital that you protect them against unauthorized access.

File for password log

Here you can specify the storage location and name for the log file for the generated PKCS#12 files (default name p12pwlog.csv). This file contains the passwords for the generated PKCS#12 files and can be used, for example, to create a PIN letter. The .csv file contains the following information (the keywords in brackets are the column headers in the .csv file):

- Date of generation (CreateDate)
- Time of generation (CreateTime)
- Expiration date (ExpirationDate)
- Exact time when validity ends (Exp…
65. …and also all objects that are members and are present in another container. The members are transferred with their entire hierarchy.

Select the option you require and click OK to transfer the objects to the bottom view pane, so they are ready to add to the SafeGuard LAN Crypt Database. Before transferring them to the database, you can add more groups to this view, for example from other sources, and then add everything to the database in one step.

3.10.4.3 Adding data to the database or synchronizing data

Objects are not added to the SafeGuard LAN Crypt Database until they have been grouped in the lower view pane and you click the Add to database or Synchronize button there.

Note: If you add objects to an existing structure, you must always start by adding them to the database. To do this, click the Add to database button. Synchronization is only used if the only change is in the relationships between the objects.

When you click Add to database, the system adds the objects and then starts the synchronization process. This begins with a dialog that has three options:

- Synchronize complete database: If you select this option, the system synchronizes all the entries present in the SafeGuard LAN Crypt Database with the ones in the import source. Changes are displayed in another screen that is shown next. Select this option if objects were deleted from the AD and they should also be deleted from…
66. …at are to be hidden for the SO.

Note: If an SO has been explicitly refused a right to a hierarchically superior group, this right cannot be assigned to a subordinate group. We therefore recommend that you only assign an SO Read and View permissions to a hierarchically superior group, so that they can assign rights to subordinate groups without causing any problems.

Example:

(Figure: SafeGuard LAN Crypt Administration console, Properties dialog of a group (tabs General, Settings, Member of, Security, Members) showing the permissions assigned to Security Officers on this object, next to the Add Security Officer Wizard page "Set some permissions" with Allow/Deny columns for Create Keys, Copy Keys, Delete Key, Create Rules, Assign Certificates, Add User, Delete User, Add Group, Delete Subgroups, Move Grou…)
67. …ation. The bz2 format is used to compress the file. This has the benefit that compressed files can be extracted using any standard tool. You can select one of the following options:

- normal only: System creates only non-compressed policy files.
- compressed only: System creates only compressed policy files.
- both formats: System generates one compressed and one non-compressed policy file.

Note: If you have specified that the system is to use the Novell name for logging on, SafeGuard LAN Crypt always generates two policy files for each user. If compression is activated, both files are compressed. If you select both formats, the system creates four policy files.

Check certificate extensions

By default, when SafeGuard LAN Crypt assigns certificates from the certificate store, it only uses certificates that have the values Key Encipherment and/or Data Encipherment set for the keyUsage property. However, in Check certificate extensions you can specify that this check is not carried out, which enables SafeGuard LAN Crypt to use certificates with other properties. Setting Check extensions to "no" permits the use of certificates with other properties.

Note: However, whether or not these types of certificates can be used with SafeGuard LAN Crypt depends on which CSP you are using. If you decide to switch off this check, ensure that the type of certificate you want to use can actually be used with SafeGuard LAN Crypt. Un…
68. …authentication. Click the Browse button to select an existing certificate or to have SafeGuard LAN Crypt generate a new one.

Note: If you want to use an existing certificate, this certificate must be available. If you are using a software certificate, it must be loaded into the certificate store. If the certificate is saved on a token, the token must be attached to the system.

To import a certificate, click Import Certificate. In the next dialog, click New Certificate. Select the new certificate from the list and click OK.

(Figure: "Choose a certificate" dialog: "Choose a certificate that will be used to secure data for this security officer", with the buttons Import Certificate and Refresh List and the columns Subject / Valid from, e.g. CN=Master Security Officer Utimaco, OU=SafeG…, 2004-10-01 to 2005-10-01.)

Click Next. In the wizard's fourth dialog you can enter a region with the appropriate prefix. When SafeGuard LAN Crypt generates the key, it attaches this prefix at the beginning of the key name. It always uses the prefix of the region assigned to the Security Officer who generated the key. This prefix makes it clear which administrative unit the key is to be used for. In the central options for the Administration Console you can create additional regions and then assign them to the different Security Officers. This procedure is particularly useful in distributed…
69. …double-click to go up one level in the hierarchy. Select a certificate and click OK. The certificate is now assigned to the Security Officer.

Note: If the LDAP server does not allow anonymous logon, the logon credentials for the server must be entered as the distinguished name (example: CN=John Doe, O=Marketing) on the Server tab in the Central settings.

Note: If you have a certificate that was assigned from an LDAP directory, the private key belonging to this certificate must be available on the user's workstation.

4. Use one of the options described to select a certificate and click OK. The system displays the certificate in the console pane on the right-hand side, next to the user. In the console pane the system displays information about the certificate used (period of validity, serial number, issuer).

Note: The Certificate snap-in is available under each user group node. Here the system only displays the users that are members of the relevant group. You can also use the Certificate snap-in to provide the policy files.

3.17.2 Generating and assigning SafeGuard LAN Crypt certificates

You use this wizard to generate certificates for all users to whom no certificate has yet been assigned, and then automatically assign these certificates to the users. To open this wizard, click Generate certificates in the context menu for each Members and certificates for group node, or on the ap…
70. …cation of the policy file is accessible. If it is not accessible, or an error occurs when loading the profile, the user cannot access encrypted files.

Clients from version 3.12: This functionality is not available for older client versions. However, clients from version 3.12 can be operated with this Administration version. Clients of this type show the following behavior when loading policy files: The client will always try to load the policy file from the specified file location. If this location is not accessible, a cached version of the policy file will be loaded. This cached policy file does not have an expiry date and will not be updated until a newer version has been loaded successfully. Furthermore, it is not possible to define an update interval for the policies (see Profile Update Interval on page 131). Cached policy files remain valid until the file location specified for policy files is accessible and the cached policy file is replaced by a policy file from this location.

4.1.14 NTFS Decompress Files

This setting enables the Initial Encryption Wizard to process NTFS-compressed files. If you set the NTFS Decompress Files option to yes, the wizard decompresses NTFS-compressed files and encrypts them if an encryption rule applies. If you set the NTFS Decompress Files option to no, the Initial Encryption Wizard will ignore NTFS-compressed files. They will not be encrypted even if an encryption rule has been specified for them. After configu…
71. …console.
Display (optional): Allows you to define a user name that is not identical to the logon name. This appears as the Username in the SafeGuard LAN Crypt Administration console. If no name is specified here, the logon name entered under name is displayed under Username in the SafeGuard LAN Crypt Administration console.
Mail (optional): Allows you to enter the user's e-mail address. This is displayed on the Details tab in the user's properties.
HINT: The e-mail address is added to the password log file for certificates generated by SafeGuard LAN Crypt. For example, it can be used to create a PIN letter via e-mail.
members: When groups are used, this defines which users and other groups are members of a particular group. To add a member, enter the section name which identifies the user or the group, e.g. U_BKA, G_Sophos. Enter commas to separate each group member's name from the next in the import file.
If you type the comment character at the beginning of a line, you can type a comment on that line, anywhere in the import file.
Note: Entries in the import file are NOT case-sensitive (they do not distinguish between capitals and lower-case letters).
Example:
[U_JB1]
type=USER
name=JB1
Display=Jesse Black
Mail=jbl@company.com
(comment line) my comment

[U_PW1]
type=USER
name=PW1
Mail=pwl@company.com

[U_JG1]
type=USER
name=JG1

[U_JFU]
type=US…
72. …creating the initial Master Security Officer, you must also define the storage location for the certificates and key files generated by SafeGuard LAN Crypt. The public part of the Security Officer's certificate, which is needed by the clients, is also stored there. User certificates (.p12 files) are also imported from this directory later on. The directory you defined with the System Administrator should already be available (network share). All settings made when creating the initial Master Security Officer can be changed at a later point in time under Central Settings in the SafeGuard LAN Crypt Administration Console.
3.3.1 Initial Master Security Officer
After the Administration function runs for the first time (Start > Programs > Sophos > SafeGuard LAN Crypt > SGLC Administration) and you log on to the database, you see the wizard for creating the initial Master Security Officer, in four steps.
[Screenshot: Master Security Officer Wizard, Step 1/4, "Identification of the first Security Officer": "This will be a Master Security Officer with all possible rights. You can add other Security Officers with restricted rights later." Fields: Name (Master Security Officer UTIMACO), E-Mail Address (mso@utimaco.com), Comments; buttons Cancel, Help]
Enter the data for the initial Master Security Officer. The name you enter here is used as a Common Name in the certificate if you use certificates generated by SafeGua…
73. …cy file contains the same encryption profile are members of a trusted group. They do not need to worry about encryption or key exchange. They only have to be able to access the policy files to have their data encrypted or decrypted transparently as soon as they open or close it. As the encryption profiles are distributed via policy files, all organizational forms can be mapped, from a centralized LAN model in which users are administered centrally to a remote model in which users work on notebooks.
SafeGuard LAN Crypt Administration and Windows Administration
A separate administration computer is used to configure SafeGuard LAN Crypt and administer encryption profiles. To draw a clear distinction between Windows administration and SafeGuard LAN Crypt administration, the role of a security officer must be established. The security officer defines encryption profiles in policy files to specify which encrypted data is to be stored in particular directories and who is allowed to access this data. After creating the policy files on the administration station, the security officer deploys them. A standard Windows tool, the Microsoft Management Console (MMC), is used to administer SafeGuard LAN Crypt. The SafeGuard LAN Crypt Administration user interface consists of snap-ins for the MMC. SafeGuard LAN Crypt Administration stores most of the objects to be administered (user data, keys, encryption paths etc.) in its own databases. There are two major…
74. …d all existing Security Officers are displayed in the right-hand console pane. Double-click a Security Officer to open the tabs containing the properties assigned to them.
On the Global Permissions tab you grant the Security Officer the basic rights needed to administer SafeGuard LAN Crypt. If, when they were created, the SO was already granted the right to perform some actions, these necessary rights are already active.
Note: A Master Security Officer always has all existing global permissions.
A Security Officer can be granted the following global permissions:
[Screenshot: "SO Linz Properties" dialog, Global Permissions tab ("Assigned global permissions to this Security Officer"), listing the permissions below with Allow checkboxes]
Create SOs, Create Profiles, Create Keys, Copy Keys, Delete Keys, Read Key, Create Certificates, Assign Certificates, Administer Groups, Log in Database, Authorize Operations, Administer Users, Create Rules, Change Global Permissions, Change ACLs, Use specific Keys, Change Configuration, Read Logging Entries, Manage Logging
Note: Click Allow to select all global permissions at once. Click again to deselect all global permissions.
Permissions and description:
Create SOs: The SO has permission to create more SOs.
Create Profiles: The SO has permission to run the Profile Resolver and generate policy files for individual users…
75. …d or memberships changed on the server.
Note: The synchronization run only evaluates those objects that have been imported at least once from an import source to the database. If objects are deleted in an import source, these changes are only implemented in the database if the Synchronize complete database option is selected. Groups and users added manually in the Administration Console are not evaluated during synchronization and therefore do not appear on these pages.
You can cancel the action for each object listed in this view by clicking on that action (remove the tick). Only the selected actions (the ones with a tick) are performed. Click OK to complete the data synchronization run. Once the OUs (organizational units), groups and users have been imported, the Security Officers responsible for them can be assigned to each OU.
3.10.4.4 Adding groups manually
To add a new group manually, select the node (group) to which you want to add the new group and click New Group in the context menu. Enter a name for the new group in the Group Name field and click OK. The system now displays the group in the SafeGuard LAN Crypt Administration console. In the group's Properties dialog you can add existing users to the group or create new users. Unlike imported groups, you can use drag and drop to move manually created groups within the groups hierarchy.
3.10.4.5 Relationships between groups…
76. …d two policy files are created; both profiles will then be deleted if this setting is not changed. If this setting is changed at runtime, situations may arise in which two policy files have been created but only the one with the Windows user name is deleted, since the setting here has been changed to Use Novell Name = no and therefore only the policy file with the Windows user name is deleted. The Novell policy file remains in the defined storage location and theoretically can be used for logging on. The system behaves in a similar way if Compress policy files is activated. In this case, up to four policy files are generated for each user. Please keep this in mind and, if necessary, coordinate with the system administrator.
3.19 Database logging
SafeGuard LAN Crypt logs events that are triggered by the SafeGuard LAN Crypt Administration Console in the SafeGuard LAN Crypt database. With SafeGuard LAN Crypt's logging functions you can specify which events are to be logged, archive events and check log entries. The global permissions Read Logging Entries and Manage Logging control how Security Officers access the logging module. These rights can be granted to Security Officers by the Master Security Officer.
Read Logging Entries: The SO can see the settings for logging and the logged events.
Manage Logging: The SO can change the settings for logging. They are allowed to archive, delete and check entries.
Basic settings for loggin…
77. …d or copied from it when the user logs on.
Notice: You must also specify the storage location for the policy files from the client's point of view. You will find this setting under SafeGuard LAN Crypt Configuration.
Storage location for generated certificates and key files (.p12)
If required, SafeGuard LAN Crypt can generate self-signed certificates. These certificates (.p12 files) are generated when the certificates are assigned to users. The location to which these files are to be saved has to be specified in the Directories tab. The public part of the Security Officer's certificate (.cer), which is used to secure the administration database, is also saved here. The key files (.p12) and the public part of the Security Officer's certificate must be made available to the users. To do this, in SafeGuard LAN Crypt Configuration specify the folder in which SafeGuard LAN Crypt is to search for a .p12 file for the user if the private key for the policy file is not present. The same applies to the public part of the Security Officer's certificate. So that SafeGuard LAN Crypt automatically recognizes the user key files, the file names must match the user's logon name (<Logonname>.p12). When SafeGuard…
78. …d to individual organizational units. Initially they are granted global rights that define precisely which tasks they can perform. Once Security Officers have been assigned to an organizational unit (an object in SafeGuard LAN Crypt Administration), ACLs can be used to restrict their rights again to suit this particular object.
Note: If a Security Officer's global rights do not permit them to perform a particular action, an ACL cannot be used to grant them the right for this action.
1. To create a new Security Officer (SO), select the Central settings > Security Officers Administration tab. To open the initial dialog for creating an SO, click Add new SO in the context menu for this node, or click Add new SO in the Action menu.
[Screenshot: "SafeGuard LAN Crypt" dialog with the fields Name (SO Utimaco Oberursel), Email (SO_OU@utimaco.de) and Comments (Security Officer Oberursel, Deutschland); buttons Next, Cancel, Help]
2. In this dialog enter a Name and, if necessary, an e-mail address and a comment. Then click Next.
Note: The e-mail address is added to the password log file for certificates generated by SafeGuard LAN Crypt. It can, for example, be used to create a PIN letter via e-mail.
[Screenshot: "SafeGuard LAN Crypt" Security Officer dialog with the option "Assign Master Security Officer rights" and an Encryption Certificate field showing E=MASTER@br.sophos.at, OU=SafeGuard LAN Crypt Certificate, CN=Master Security Officer]
79. …displayed. Texts in square brackets (e.g. [Sub_OU_1]) represent the OUs in the LDAP source. To display the certificates of an OU, double-click it. Double-click to go up one level in the hierarchy. Select a certificate and click OK. The certificate is now assigned to the Security Officer.
Note: If the LDAP server does not allow an anonymous logon, you must enter the server's logon credentials in the Server tab in the Central settings.
Note: If you use SafeGuard LAN Crypt to generate an encryption certificate, this Security Officer must import the private key to their workstation from the generated .p12 file. If the encryption certificate was assigned from an LDAP directory, the relevant private key must be present on the Security Officer's workstation. The encryption certificate is used for cryptographic access to the symmetrical database key.
4. Alternatively, you can click the second Search button to select an existing signature certificate or have SafeGuard LAN Crypt generate a new one for you.
Note: If you use SafeGuard LAN Crypt to generate a signature certificate, this Security Officer must import the private key to their workstation from the generated .p12 file. If the signature certificate was assigned from an LDAP directory, the relevant private key must already be present on the Security Officer's workstation. The signature certificate is used for signature in the generated profiles and for authentication dur…
80. …dministration Console. Here you can also specify an attribute which contains the user's certificate.
Note: Certificates assigned this way are not checked (expiration time, presence on a CRL etc.).
Activate the Automatically passing certificates when importing users option if certificates from the LDAP directory are to be automatically imported and assigned to the user when they are imported to the SafeGuard LAN Crypt database. <Standard> evaluates userCertificate and userCertificate;binary. Click <other> to specify another attribute that contains the certificate. When you click OK, SafeGuard LAN Crypt transfers the logon information to the servers list. You can also edit or delete these details in this list.
3.5.6 The Directories tab
Note: The settings you make here are always saved in the current configuration record for the SO. If no configuration records have yet been created, the system uses the <STANDARD KONFIGURATION> (default configuration) configuration record.
3.5.6.1 Storage locations
Storage location for generated policy files
You must specify where the policy files generated for the users are to be saved. Enter the storage location (usually a network drive that has been shared with the user) in the input field. The folder you enter here must already be present.
Note: Check that the user can access this folder, as the generated .pol policy files are loade…
81. …down list under LDAP with SSL.
3. Click OK. The server is shown in the table on the Server tab.
Error message upon logon failure: If SafeGuard LAN Crypt cannot perform the logon to the server successfully, an error message will be displayed in the SafeGuard LAN Crypt Administration.
Server details, Anonymous logon
1. Enter the Server Name. To prevent duplicate entries, please also enter an alternative name as an Alias for the server, in case several names can be used to access the same server.
2. You can either use LDAP only or LDAP with SSL for accessing the server.
a. To use LDAP only: Select Anonymous LDAP and select the API you intend to use (<Microsoft> or <other>) from the drop-down list under LDAP. The placeholder <other> stands for all non-Microsoft APIs.
b. To use LDAP with SSL: Select Anonymous LDAP with SSL and select the API you intend to use (<Microsoft> or <other>) from the drop-down list under LDAP with SSL.
3. Click OK. The server is shown in the table on the Server tab.
Error message upon logon failure: If SafeGuard LAN Crypt cannot perform the logon to the server successfully, an error message will be displayed in the SafeGuard LAN Crypt Administration.
Preferences
Identification of an Object: SafeGuard LAN Crypt uses a precise, unchanging GUID (Global Unique ID) to identify imported objects in the Active Directory. This GU…
82. …e SafeGuard LAN Crypt installation folder. Click this entry via the Windows Start menu (Start > Programs) to open a window in the Management Console that displays only those snap-ins required for the SafeGuard LAN Crypt Administration Console.
[Screenshot: SafeGuard LAN Crypt Administration console window. Tree: Central Settings, All SafeGuard LAN Crypt keys, Security Officers Administration, Groups (Utimaco, Linz, Munich, Project Groups, each with Keys for Group, Encryption Rules, Members and certificates of group) and Directory Objects. Key list columns: Keyname, Long keyname, Algorithm, Enabled, Creator, inherit, Defined in, Used ("There are no items to show in this view"). Callouts: "All central settings are specified here using properties in the Context menu." "All generated keys are displayed here (overview). They are created under each particular group node." "New SOs are created here and the SO's global permissions are managed via items in the Context menu." "All imported groups are displayed here. Keys and rules for each specific group are shown under that group."]
You can also add the snap-in for the SafeGuard LAN Crypt Administration Console…
83. …e Security Officer. Larger organizations often have several Security Officers, who usually work at departmental or site level and are organized into a hierarchy. SafeGuard LAN Crypt can also represent and reflect the various hierarchy levels involved in this situation. At the top of the hierarchy stands one or more Master Security Officers; they must be present when the SafeGuard LAN Crypt database is generated. These officers define the first policies and decide whether the two-person rule (two people necessary for authentication) is to be used for actions that impact security issues. Each Security Officer is assigned particular administrative permissions which define their fundamental rights. Their area of responsibility can also be limited to a few user groups by Access Control Lists (ACLs). SafeGuard LAN Crypt uses Key Encryption Keys (KEKs) to administer access rights for users. These are encrypted and stored in the SQL database and, like all database contents, are protected from being changed with MAC and hash values. Administration tasks are arranged in such a way that a Security Officer can only ever know the name of a key and not its actual value. This means they can work with key objects and create encryption rules. The flexibility of permission control procedures means that a wide range of scenarios can be covered. For example, a Section Head can define keys and assign folders. In the next work step, a central Security Officer can generate the encry…
84. …e configured path, because at this point no SO-specific configuration is effective.
3.10 Importing groups and users
With SafeGuard LAN Crypt you can import groups and users from directory services that can be accessed via LDAP (such as Active Directory, Novell), from domains, or import them from a manually created file that contains the groups and users with the particular dependencies. Click Directory Objects to display the dialogs for importing and assembling groups for import into the database in the right-hand console pane.
[Screenshot: SafeGuard LAN Crypt Administration console, Directory Objects view, with the Import source field showing an LDAP URL and a Treeview of OUs, Groups and Users (Utimaco, Munich, Quality Assurance, Manager, Development, each with its LDAP path). Callouts: "The URL of the import source (Active Directory, Novell Server, Win NT Domain, file) is displayed here." "Clicking this button opens the Import source dialog." "…the view for importing users and groups in the …"]
85. …e group is hidden, Read must also be denied.
3. Select the permissions you want to assign to the SO. Click Transfer to store the settings in the database.
4. If you have assigned other SOs to this group, you can now also set up their permissions. To display the permissions set for the SOs, select them under Security Officers.
3.12 Properties of groups
The Properties dialog for a group (<Group> > Context menu > Properties) consists of four tabs in which you can edit the properties for a group.
3.12.1 The Properties tab
The Properties tab displays the Name, DNS Name, GUID and Comment for the group.
3.12.2 The Member of tab
In the Member of tab you see the groups that include the current group as a member.
3.12.3 Adding/deleting members
In the Members tab you can add members to the current group. This list displays all existing users and groups that are members of this group. You can only change the users in this list, not the groups.
Add: Opens a dialog in which you can select users and then add them to the group. Displays either all users, or you can select specific user groups or individual users with the help of SQL placeholders. As displaying all users can be very time-consuming, SafeGuard LAN Crypt allows you to define search criteria to filter the search process. Select option Display matching users to activate the input fields for defining…
86. …e keyfile.
[Screenshot: key file logon dialog with the fields Username and Password; buttons OK, Cancel, Help]
Select the key file and enter the key file's Master ID in the Username field and its Master Password in the Password field. Click OK. The keys are displayed in the right-hand console pane.
3.15.3 Making keys active/inactive
In SafeGuard LAN Crypt you can toggle an existing key to make it inactive. If you do this, this key is no longer available when you define encryption rules. However, you can still use this key in encryption rules that are already in use. It remains saved in the Administration Database and you can also activate it again if required. To toggle a key from inactive to active and vice versa, select it and click Passive/Active in the context menu. You can recognize a passive key because it has a red key icon at the start of the line.
3.15.4 Relations between keys
In addition to generating keys for the group in which they are to be used, keys can also be made available for the users in a group by creating a relationship (shortcut) to a key in a different group.
Example: If you want to grant the members of a team the same rights as the members of a different team for a limited amount of time, simply add a shortcut to one group's key to the other group. The shortcut to the key can then be used to create encryption rules. If you could not use a shortcut to a key, you would…
87. …e side effects. For example, if you change the logon name in this tab, the user may no longer be able to access their policy file, because the client uses a different (the old) logon name to search for a policy file.
3.14 Security environment design
SafeGuard LAN Crypt's high degree of flexibility means it can easily be adapted to meet any company's security requirements. Even so, it is very important that a company-wide security strategy has been defined before you create the SafeGuard LAN Crypt environment. We usually recommend that you start out with a fairly restrictive security policy, because it is easier to liberalize this policy than to make a policy stricter later on in the SafeGuard LAN Crypt system. Making a liberal policy more restrictive could cause security problems that are not easy to solve. To avoid this, it is crucial that a company-wide security policy has been defined before you generate and distribute encryption profiles.
3.15 Generating keys
New keys are generated under the group node for the group in which they are to be used. For each key you can specify whether it is to be inherited downwards in the group hierarchy.
Note: All existing keys are displayed in General settings > SafeGuard LAN Crypt keys. However, they cannot be processed there. This view is an overview of the keys used in SafeGuard LAN Crypt.
Note: An SO who only has Create keys permission and not Create profile permissions cannot add a value when ge…
88. …ecise path information. To specify the path most precisely, absolute paths have to be used.
The remaining encryption rules follow. They are sorted in descending sequence depending on how precisely their paths are specified (absolute paths, relative paths). The client processes the encryption rules in this sequence. If overlapping encryption rules have been defined, the system always uses the rule that is closest to the beginning of this hierarchy. You should take special note of the sequence of encryption rules if, for example, a user's encryption profile consists of rules from different trusted groups.
Example: Assuming you have defined these rules:
1. Encrypt files in the path crypt (include subdirectories).
2. Exclude files in the path crypt\exclude from the encryption process.
3. Encrypt files in the path C:\sglctest.
4. Encrypt files in the path \\server\work\everybody.
In this case, the sequence in which data is evaluated on the client is as follows:
Sequence | Path | Note
1 | \\server\work\everybody | Encrypts all files in \\server\work\everybody
2 | C:\sglctest | Encrypts all files in C:\sglctest
3 | crypt\exclude | The encryption rule for crypt is ignored for files in the exclude subfolder. However, the encryption rule applies again for folders below crypt\exclude, e.g. crypt\exclude\include.
4 | crypt | Encrypts all files in crypt
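To make the evaluation sequence above concrete, here is an added Python example (not part of the manual and not Sophos or Utimaco code). It orders a rule set the way the manual's example implies (absolute paths before relative ones, more precisely specified paths first) and returns the first rule in that sequence that matches a file path, which reproduces the exclude-subfolder behaviour described in the table. The way a relative rule path such as crypt is matched against a full file path is an assumption of this example, and the four rules and the file paths below are constructed test data.

```python
"""Order and evaluate SafeGuard LAN Crypt style encryption rules.

Constructed example modelling the rule-sequence section of the manual.
The matching rule for relative rule paths (any contiguous run of directory
names) is an assumption, not documented product behaviour.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENCRYPT, EXCLUDE = "encrypt", "exclude"


@dataclass(frozen=True)
class Rule:
    path: str               # absolute (C:\..., \\server\...) or relative (crypt\exclude)
    include_subdirs: bool   # True: the rule also covers files below the path
    action: str             # ENCRYPT or EXCLUDE


def split_path(path: str) -> Tuple[bool, List[str]]:
    """Return (is_absolute, components). Comparison is case-insensitive, as
    Windows paths are; a UNC server keeps a leading '\\\\' so it cannot
    collide with an ordinary directory name."""
    p = path.replace("/", "\\").lower()
    unc = p.startswith("\\\\")
    parts = [c for c in p.split("\\") if c]
    if unc and parts:
        parts[0] = "\\\\" + parts[0]
    absolute = unc or (bool(parts) and len(parts[0]) == 2 and parts[0][1] == ":")
    return absolute, parts


def order_rules(rules: List[Rule]) -> List[Rule]:
    """Sort as the manual's example implies: absolute paths before relative
    ones, and within each class the more precisely specified (deeper) first."""
    def key(r: Rule):
        absolute, parts = split_path(r.path)
        return (0 if absolute else 1, -len(parts))
    return sorted(rules, key=key)


def rule_matches(rule: Rule, file_path: str) -> bool:
    r_abs, r_parts = split_path(rule.path)
    f_abs, f_parts = split_path(file_path)
    dirs = f_parts[:-1]                       # directory part only, no file name
    n = len(r_parts)
    if r_abs:
        # Absolute rules are anchored at the start of the file path.
        if not f_abs or dirs[:n] != r_parts:
            return False
        return rule.include_subdirs or len(dirs) == n
    # Assumption: a relative rule matches wherever its components occur as a
    # contiguous run of directory names; without include_subdirs the run
    # must be the innermost directory of the file.
    for i in range(len(dirs) - n + 1):
        if dirs[i:i + n] == r_parts and (rule.include_subdirs or i + n == len(dirs)):
            return True
    return False


def decide(file_path: str, rules: List[Rule]) -> Tuple[Optional[str], Optional[Rule]]:
    """The first matching rule in the ordered sequence wins; (None, None)
    means no rule applies and the file is left as it is."""
    for rule in order_rules(rules):
        if rule_matches(rule, file_path):
            return rule.action, rule
    return None, None


# The four rules from the manual's example, as constructed test data.
MANUAL_RULES = [
    Rule("crypt", True, ENCRYPT),
    Rule("crypt\\exclude", False, EXCLUDE),
    Rule("C:\\sglctest", False, ENCRYPT),
    Rule("\\\\server\\work\\everybody", False, ENCRYPT),
]

if __name__ == "__main__":
    for i, r in enumerate(order_rules(MANUAL_RULES), 1):
        print(i, r.path, r.action)
    for f in ("D:\\data\\crypt\\exclude\\a.doc", "D:\\data\\crypt\\exclude\\include\\a.doc"):
        print(f, "->", decide(f, MANUAL_RULES)[0])
```

Run as a script it prints the manual's sequence 1 to 4 and then shows that a file directly in crypt\exclude is excluded while one in crypt\exclude\include falls through to the crypt rule and is encrypted.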
89. …ects are transferred from the import source.
3.10.3 Selecting import source
You can enter the URL of the server from which the data is to be imported directly in the Import source input field, for example LDAP://usw-scranton/dc=usw-scranton,dc=company,dc=us for the Active Directory directory service on the domain controller usw-scranton. Click the Search button and SafeGuard LAN Crypt displays a dialog in which you select the import source.
[Screenshot: "Search import source" dialog with the options LDAP (Domain, Search container, Search Novell server), WinNT (Computer, Domain) and FILE (Search file, Path)]
LDAP Domain: If the computer is a member of an Active Directory domain, click this button to display the entire structure of the domain as stored on the domain controller.
Note: You cannot import built-in groups from the Active Directory. We therefore recommend that you organize users into OUs (organizational units) or groups and import them instead.
Search container: If the computer is a member of an Active Directory domain and you select Search container, the system displays the Browse button, which you can click to display another dialog. In this dialog you can then select a particular node in the Active Directory structure.
Find Novell Server: Lists the Novell servers present. You can select a Novell server from this…
90. …ed. If you suppress a menu option here, it is not displayed on the client computer. This means that this functionality is also not available on this client. This enables you, for example, to prevent decryption from being switched off (deactivated) on a client computer.
Default Ignore Rules
As the SafeGuard LAN Crypt driver is always loaded when you boot a workstation, all the files have already been checked to see if they are encrypted, and therefore also that they have the appropriate access rights, even if no user-specific encryption profile has yet been loaded. This may slow down performance in this phase. However, if you make a machine-specific setting in SafeGuard LAN Crypt's configuration, you can configure the SafeGuard LAN Crypt driver to ignore specific directories until the user's encryption profile has been loaded. Double-click Default Ignore Rules in the Client Settings to open a dialog in which you can specify the directories (for example c: and d:) that SafeGuard LAN Crypt's driver is to ignore. If you enter more than one path, separate each path by a hyphen.
However, if you use this rule, you must take into account that SafeGuard LAN Crypt's specific access check will not be carried out until the user's encryption profile is loaded.
Example: If you enter c: and d: as the Default Ignore Rules, the driver will ignore all directories on…
91. …ed attribute should correspond to the character string entered (should be), or if only users are to be displayed for whom the selected attribute does not correspond to the character string entered (must not be). In the drop-down list on the right-hand side you can enter the character string SafeGuard LAN Crypt searches for in the defined attribute.
You can use the following SQL wildcards for entering the character string:
%: any character sequence
_: a single character, e.g. a__ means: search for all names containing three characters and starting with a
[ ]: a single character from a list, e.g. [a-cg] means: search for all names starting with a, b, c or g
[^ ]: a single character not contained in a list, e.g. [^a]: search for all names not starting with a
Note: You can cancel the running search process by clicking the icon in the toolbar. This can be helpful if the conditions defined would yield a large volume of results and need to be defined more exactly to narrow the search process down. If you cancel the process, you can press F5 to enter new criteria without any delay. You do not have to wait for the previous search process to complete.
You can specify up to three conditions for the search process. If you enter more than one condition, you can define how these conditions are to be combined (AND, OR). If you click OK, all users whose names are selected in the li…
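The wildcard semantics and the "up to three conditions, combined with AND or OR" rule above can be exercised offline. The following Python example is added here and is not part of the manual or of the product: it translates a SQL LIKE pattern (%, _, [list], [^list]) into a regular expression and applies a small condition set to a constructed user list. The attribute names, the case-insensitive comparison and the user records are assumptions of the example.

```python
"""SQL LIKE style filtering as used by the member search dialog.

Added example, not SafeGuard LAN Crypt code. Assumptions: attribute names
name/display/mail, case-insensitive matching, and the constructed USERS list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


def like_to_regex(pattern: str) -> str:
    """Translate a LIKE pattern to a Python regex: % -> .*, _ -> ., [..] and
    [^..] become character classes, everything else is matched literally."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "%":
            out.append(".*")
        elif c == "_":
            out.append(".")
        elif c == "[":
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j] if j > i else ""
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            if body:                                  # a usable bracket list
                body = body.replace("\\", "\\\\")      # keep backslashes literal
                out.append("[" + ("^" if negate else "") + body + "]")
                i = j
            else:                                     # lone or empty '[' is literal
                out.append(re.escape(c))
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def like_match(pattern: str, value: str) -> bool:
    return re.fullmatch(like_to_regex(pattern), value, re.IGNORECASE) is not None


@dataclass(frozen=True)
class Condition:
    attribute: str        # which user attribute the string is compared with
    pattern: str          # LIKE pattern entered in the dialog
    negate: bool = False  # True models "must not be", False "should be"


def filter_users(users: List[Dict[str, str]], conditions: List[Condition],
                 combine: str = "AND") -> List[str]:
    """Return the logon names of users satisfying the conditions.
    The dialog allows at most three conditions, combined with AND or OR."""
    if not 1 <= len(conditions) <= 3:
        raise ValueError("between one and three conditions are allowed")
    if combine not in ("AND", "OR"):
        raise ValueError("conditions can only be combined with AND or OR")
    aggregate = all if combine == "AND" else any
    hits: List[str] = []
    for user in users:
        checks = [like_match(c.pattern, user.get(c.attribute, "")) != c.negate
                  for c in conditions]
        if aggregate(checks):
            hits.append(user["name"])
    return hits


# Constructed sample users (not from the manual).
USERS = [
    {"name": "abc", "display": "Alice Brown", "mail": "abc@example.com"},
    {"name": "al", "display": "Al Long", "mail": "al@example.com"},
    {"name": "bob", "display": "Bob Ortiz", "mail": "bob@partner.test"},
    {"name": "cy", "display": "Cy Drake", "mail": "cy@example.com"},
    {"name": "gina", "display": "Gina Hart", "mail": "gina@example.com"},
    {"name": "zed", "display": "Zed Quinn", "mail": "zed@example.com"},
]

if __name__ == "__main__":
    print(filter_users(USERS, [Condition("name", "a__")]))          # three letters, starts with a
    print(filter_users(USERS, [Condition("name", "[a-cg]%")]))      # starts with a, b, c or g
    print(filter_users(USERS, [Condition("name", "[^a]%")]))        # does not start with a
```

The three example patterns mirror the manual's wildcard table; combining a negated name condition with a mail condition under OR shows how "must not be" widens rather than narrows the result.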
92. …ed from a smartcard.
Notice: Windows XP Service Pack 2: Microsoft caches PINs for 24 hours by default. Using software certificates may cause security problems when you log on to SafeGuard LAN Crypt Administration and when additional authorization is provided. We strongly recommend that you deactivate this feature. To do so, set these values:
PrivKeyCacheMaxItems = dword:00000000
PrivKeyCachePurgeIntervalSeconds = dword:00000000
under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography. If you do this, the PINs will not be cached.
Preconditions for using certificates with SafeGuard LAN Crypt:
- The certificate must include a public key.
- The private key for the assigned certificate must be available before a user can access the encryption profile.
- Only certificates stored in User Configuration in the Personal Certificates, Other People and Active Directory User Object certificate stores, and in Local Computer in the Personal Certificates certificate store, are listed by SafeGuard LAN Crypt. SafeGuard LAN Crypt ignores certificates that are stored in other locations. You can use the Certificate Management Console snap-in to import and organize certificates.
- Only the public key is used to associate a certificate with SafeGuard LAN Crypt's encryption information. You do not need to know the private key. The private key remains the property of the certificate's owner, who is the…
93. …ed under ADDLOCAL when you run an unattended installation. Component names are case-sensitive. ADDLOCAL=ALL installs all available components.
SafeGuard LAN Crypt Administration (MMC Snap-In for SGUTI): SGUTI_MMCSNAPIN
User Settings: UserSnapins
Computer Settings: ConfigSnapin
Event Logging: SGLC_Auditing
Database Logging: LogSnapin
Scripting API: ScriptingAPI
2.3.2 Command Line Syntax
To perform an unattended installation you must run msiexec with specific parameters.
Mandatory parameters:
/i: Specifies which installation package is to be installed.
/qn: Installation without user interaction (unattended setup).
Name of the .msi file: sglcadm.msi
Syntax: msiexec /i <path>\sglcadm.msi /qn
Optional parameter:
/Lx*v <path>\<filename>: Logs all warnings and all error messages in the location specified at <path>\<filename>.
Example: msiexec /i C:\Install\sglcadm.msi /qn
This carries out a complete installation of SafeGuard LAN Crypt. The program is installed in the default installation directory (<System drive>:\Program Files\Sophos). The .msi file is located in the Install directory on the C: drive.
2.4 Upgrading to version 3.61
To upgrade an older version to this version of SafeGuard LAN Crypt Administration, do the following.
2.4.1 Upgrading the existing SafeGuard LAN Crypt database structure
Using the command line tool Tool c…
94. …efore can be selected independently.
Auditing (Event Logging): SafeGuard Auditing logs events triggered by SafeGuard products that have been installed, for example whether a user has logged on using a smartcard, a PIN has been changed or a certificate has expired.
Database Logging: Logs product-specific events. This is administered as part of SafeGuard LAN Crypt Administration.
Scripting API: Installs the SafeGuard LAN Crypt Scripting API, required for using scripts to administer the product.
5. Select which components are to be installed and click Next.
6. After having checked your settings, click Next in the Ready to Install the Application dialog. The installation process starts.
7. If the installation is successful, a dialog box appears. In it, click Finish to complete the installation.
Hint: To accept all the settings, reboot the computer. This loads the drivers.
2.3 Unattended installation
Unattended installation means you can install SafeGuard LAN Crypt automatically on a large number of computers. The Install directory on your installation CD contains the sglcadm.msi file required for an unattended installation.
2.3.1 Components to install
The following list shows which components must be installed and the way in which you specify them for an unattended installation. The keywords (Courier bold) represent the way the components have to be specifi…
em. You can use the Read permission to give an SO information about other groups without allowing them to edit these groups; the system simply includes that information in the SO's view.
Note: If the SO has also been granted the Read permission, you must specifically deny it again to hide the groups. It is not enough to simply deny the Visible permission.

3.11.2 Granting the SO permissions to process the groups
Once you have set up the SO so that they see the groups they are to edit, you can assign them the appropriate permissions. These permissions are inherited downwards in the organizational hierarchy, and you can deny them again at any point lower down the hierarchy.
1. Select the group for which you want to grant rights to the SO, open the Properties dialog and select the Security tab.
2. Under Security Officers you see all the SOs who are assigned to this group. When you select an SO, the system displays their valid authorizations in the lower part of the dialog. Permissions inherited from another group are shown by a gray tick. Permissions that cannot be granted due to the settings in the global rights have a checkbox that is completely grayed out.
Note: The global permissions settings define which permissions can be assigned to a particular SO. Global rights are set when the SO is created.
[Screenshot: group Properties dialog with the General, Settings, Member of and Security tabs]
encies. The imported groups and users are created in the Groups node in the SafeGuard LAN Crypt Administration console.
To import users and groups from a file, click Search file in the Import source dialog. Click the Search button and SafeGuard LAN Crypt displays a dialog in which you select the file from which the users and groups are to be imported (see Selecting import source on page 72). The import file is a simple text file with no specific file extension; we suggest you use .lcg as the default extension. The contents of this file have to meet certain requirements.
Import file format
An import file consists of several sections. The sections are separated by an arbitrary number of blank lines. Each section represents a user or a group. Each section consists of a header and a fixed number of lines, each starting with a keyword. Lines must end with a new-line character. There may be no other new lines between the lines in a section. The header is the section name in square brackets. The section name is used to define the membership of users and groups. The keywords define the users' and groups' data as it appears in their Properties dialog.
Keywords and their meaning:
type (USER | GROUP): Defines whether the imported object represents a user (USER) or a group (GROUP).
name: Defines a user's logon name. This is displayed under Logonname in the SafeGuard LAN Crypt Administration
end to let the user define this setting themselves in the Initial Encryption Wizard, leave the setting at not configured. If you specified file types here and you intend to let the user make a selection later, set the setting back to not configured again.
Note: This setting only applies to the Initial Encryption Wizard. If initial encryption is started via the Explorer extension, the setting does not have any effect.
Specify the file types in a list separated by semicolons. Example: doc;xls;txt

4.1.13 Cached Policyfile lifetime
SafeGuard LAN Crypt standard behavior: When a user logs on to Windows, their cached profile is loaded first. SafeGuard LAN Crypt then checks whether a new policy file is available for the user by establishing a connection to the specified location of the policy file (network drive). If a new policy file is found there, the cached user profile is updated. This approach has the advantage that the user can start working with encrypted files while SafeGuard LAN Crypt checks whether a new version of the policy file exists. If the network drive is not accessible, the user works with the cached user profile until it can be updated. If this option is set to not configured, SafeGuard LAN Crypt behaves as described.
Using this setting you can change the standard behavior.
Note: You can set an option to not configured by selecting it
environments. You must specify a location. In distributed databases, the location is used to assign logged events unambiguously within SafeGuard LAN Crypt database logging. You must specify the location even if you are not using a distributed database. This ensures that the entries can still be assigned unambiguously if the database is distributed at a later point in time.
When you click Finish, SafeGuard LAN Crypt creates the initial Master Security Officer and displays the logon dialog for SafeGuard LAN Crypt Administration. Later, all Security Officers that have the right to log on to the SafeGuard LAN Crypt administration database are displayed in this dialog. In this dialog, select the newly created Master Security Officer and click OK. SafeGuard LAN Crypt Administration opens.
Note: After you log on, a dialog appears to tell you that a recovery key has not yet been generated. If you do not have a recovery key, there is the risk that all your administrative data and all encrypted data will be lost in an emergency, for example if you lose a certificate. This dialog appears every time a Master Security Officer logs on until a recovery key has been generated. If you activate the Don't warn me again option, you can prevent this dialog from appearing even if no recovery key has been generated; doing so removes the only reminder of the risk, so generate the recovery key first.

3.4 Administration overview
When SafeGuard LAN Crypt is installed, the SGLCAdmin.msc file is saved to th
er from a list (e.g. a list of a, b, c and g searches for all names starting with a, b, c or g); a single character not contained in a list (e.g. a list excluding a searches for all names not starting with a).
Note: You can cancel the running search process by clicking the corresponding icon in the toolbar. This can be helpful if the conditions defined would yield a large volume of results and need to be defined more exactly to narrow down the search. If you cancel the process, you can press F5 to enter new criteria without any delay. You do not have to wait for the previous search process to complete.
You can specify up to three conditions for the search process. If you enter more than one condition, you can define how these conditions are to be combined (AND / OR).
Right-click Show selected users and certificates to use all functions of the certificate snap-in that are available for each individual group (see Assigning certificates on page 103). At this point the certificate assignment wizard is only available to Master Security Officers. If a Security Officer has the appropriate permissions, they can use the Properties menu to assign a certificate to one specific user. However, if the Security Officer does not have any permissions for this user, the corresponding icon is displayed.
Creating a Security Officer
Master Security Officers and entitled Security Officers can create additional Security Officers. These Security Officers can then be assigne
er they load the new policy files onto their machines.
3.18.1 Providing (resolving) policy files for an entire group
You can also provide (resolve) policy files for an entire group. When you do so, SafeGuard LAN Crypt generates policies for all members of the selected group(s). You can generate the policy files for the members of an individual group or for the members of a group with all its sub-groups.
- To resolve the encryption rules for an individual group, select Encryption rules under the appropriate group and click Build Profiles in the context menu.
- To resolve the encryption rules for a group and all its sub-groups, select Encryption rules under the appropriate group and click Build Profiles recursively in the context menu.
Accelerating the generation of policy files
SafeGuard LAN Crypt can restrict the generation of policy files to the users for whom new policy files are required because of modifications made. This accelerates the generation of policy files in large organizations. When you start the provision of encryption profiles, a dialog asks whether you want to generate new policy files only for users whose profile has changed since the last provision.
- If you click Yes, new policy files are only generated for users with a changed profile.
- If you click No, new policy files are generated for all users, whether or not profile changes require a new policy file.
Note
ermissions in this local copy to access data for as long as this copy remains on the computer. To prevent this, you should create an empty policy file for this user. To do this, delete all the keys from this user's encryption rules in SafeGuard LAN Crypt Administration. Remove the user from all groups of which they are a member. Then create a new policy file for this user. The next time this user logs on, the file stored on their local computer is overwritten by the new empty policy file. The user can then no longer access encrypted data. Note that the overwrite only happens once the client can reach the policy file location; until then the cached copy remains usable, bounded only by the Cached Policyfile lifetime setting.

4.1.11 Delay when loading profiles
Here you can specify a period of time in seconds that passes before the user profile is loaded. This delay is important, for example, if a certificate on a token is used. The delay in loading the profile ensures that the token can be accessed when the certificate is required. Typical value: 20 seconds.

4.1.12 File types for the Initial Encryption Wizard
If you define specific file types here, only the files of the specified types are processed by the Initial Encryption Wizard. The user cannot change this setting in the Initial Encryption Wizard. This setting only affects files for which an encryption rule exists. If a directory also contains other files of a file type specified here, they are not included in initial encryption. They are only encrypted when the user opens and saves them again. If you int
ermissions required to administer SafeGuard LAN Crypt and therefore build up an administrative hierarchy to suit the organizational structure of their own company.
Data protection using SafeGuard LAN Crypt
SafeGuard LAN Crypt ensures that sensitive files can be stored securely on file servers and workstations. The data travels over LAN or WAN networks only in encrypted form, because encryption and decryption are performed in RAM on the client workstation. There is no need to install special security software on the file server itself. The policy files include all the rules, access rights and keys required for transparent encryption. Before a user can encrypt or decrypt data using the SafeGuard LAN Crypt software installed on the client workstation, they need to be able to access the policy file. The policy file is secured via a certificate. To access the policy file, a user has to own the private key of the appropriate certificate. All encryption and decryption tasks run transparently on the client workstation with minimal user interaction. SafeGuard LAN Crypt allows trusted users to be organized into different trusted groups by defining different rights for directories and files. These rights are grouped into encryption profiles for the users. The user can access the policy file containing the encryption profile by owning the private key assigned to the certificate. All SafeGuard LAN Crypt users whose poli
ertificates for group snap-in to delete users. This permission is a prerequisite for importing and synchronizing groups and users.
Add Group: The SO is allowed to use a group's context menu to add new groups. This permission is a prerequisite for importing and synchronizing groups and users.
Delete Subgroups: The SO is allowed to delete the sub-groups of this group. This permission is a prerequisite for importing and synchronizing groups and users.
Move Groups: The SO is allowed to move manually created groups in Administration with drag and drop. Imported groups cannot be moved. This permission is a prerequisite for importing and synchronizing groups and users.
Change Properties: The SO is allowed to change a group's properties.
Delete Group: The SO is allowed to delete groups. This assumes that the SO has the Delete Subgroups permission in the group above. This permission is a prerequisite for importing and synchronizing groups and users.
Create Profiles: The SO has permission to run the Profile Resolver and generate policy files for individual users.
Change ACL: The SO is allowed to change the ACL for the group, for example by adding another SO.
Read: The SO has read rights for this group and can see the contents of the snap-ins. Set automatically if edit permissions are granted.
Visible: The SO can see the group. Set in the base node and inherited downwards. If it is refused for the SO, th
es. The SafeGuard LAN Crypt encryption rules define precisely which data is encrypted with which key. An encryption rule consists of an encryption path and a key. The encryption rules defined for a group make up one SafeGuard LAN Crypt encryption profile. The encryption profile for a group can contain different encryption rules, each one used to encrypt a specific type of data.
You can encrypt entire directories (including sub-directories), particular file types (identified by their file extension) and individual files (identified by their file name or parts of a file name). When you generate the individual encryption rules, the system displays all the keys that are present in the group. The SafeGuard LAN Crypt Security Officer can then assign the appropriate keys to define what data a user should be able to access.
Encryption rules are always generated per group. They consist of a path and a key and are created in the Encryption Rules node. It is easy to generate an encryption rule because you enter the path details, choose a key and select the options in the same dialog. Encryption rules are always inherited by subordinate groups.
Note: Do not define an encryption rule for the folder Temporary Internet Files.
3.16.1 Encryption paths
The encryption paths define which data is to be encrypted. You define them in the Encryption Rules node under the relevant group node. They then ap
ess their encryption profile even if this option is selected.
- Ignore time invalidity: Even if the validity period of a certificate has expired, the user can continue to access their encryption profile if this option is selected.
- Ignore bad certificate chain: The user can continue to access their encryption profile even if the public part of the issuer's certificate is not available on the client machine or is kept in the wrong certificate store.
- Ignore unknown revocation: The PKIs of some vendors write reasons for the revocation of a certificate to a CRL in a way that does not comply with common standards. You cannot usually use a certificate if the reason for its revocation is not known. However, if this option is selected, the user can continue to access their encryption profile.
Note: Ignoring errors found when checking user certificates usually means compromising the company's security policy. Each of these options disables one of the checks that gate access to the keys in the policy file, so enable them only as a deliberate, documented exception.
These settings can also be made under Server Settings. In this case they do not affect the client machines, but certificate verification is carried out both when a Security Officer logs on to the SafeGuard LAN Crypt Administration Console and when an additional authorization is performed.
Use Novell Name
Here you specify whether or not the system uses the Novell logon name to find policy files. If you specify that policy files are to be generated with Novell names in the Server Settings, SafeGuard LAN Crypt generates two polic
fferent value would be generated for the key. As a result you would have one key with two different values.
If the option "Do not allow the creation of keys by security officers that do not have the right to create profiles (no keys without a value)" is activated, keys without a value are not permitted: only Security Officers who have the Generate key and Generate profile rights can generate keys. They can no longer generate keys that do not have a value. If the Security Officer does not assign a value to a key when it is created, this value is generated automatically when the key is saved. For group keys, whose values are generated when policy files are generated, the values are also generated immediately when they are used to create an encryption rule. If this option is active, Security Officers who do not have the Create Profiles right cannot generate keys. They are also unable to use group keys (<GROUPKEY>) in encryption rules.
Note: The option "Only Security Officers with the Generate profile right can generate keys (no keys without a value)" does not influence how user-specific keys (<USERKEY>) are used in encryption rules.
The Certificates tab
Here you can specify the key length (1024, 2048 or 4096 bit) and validity period for new certificates generated by SafeGuard LAN Crypt. 1024-bit RSA keys are no longer considered adequate; choose 2048 bit or more for new certificates. You can also specify a warning period in days within which the system displays a warning when the rules are resolved, or by marking certificates yello
ficate verification:
- The certificate being used must reference a CRL (CRL distribution point). Some PKIs allow you to define the CRL location in the certificate itself. If a CRL has been defined, the list is evaluated. You may need to download the CRL from the issuer via the network for this purpose. If the certificate cannot be verified, the encryption profile is not loaded.
- A CRL has been loaded into the local certificate store.
Note: You may need a network connection before you can evaluate a CRL. If this connection cannot be established, access is denied even though the certificate itself may be valid. Plan for this: clients that regularly work offline need either a CRL in the local store or a CRL validity period long enough to cover the offline time.
Smartcard readers
As the use of certificates is handled by Cryptographic Service Providers (CSPs), smartcards are supported automatically when a smartcard CSP is used. You can therefore control access to encryption information by using certificates on smartcards. If you want to use certificates on smartcards, ensure that the smartcard reader and an appropriate Cryptographic Service Provider are installed correctly.

2.2 Installation
Note: You can only install SafeGuard LAN Crypt if you have Windows Administrator privileges.
1. Installation starts automatically when you insert the CD into the CD-ROM drive. If it does not, go to the Install directory on your installation CD and double-click the .msi file there. An installation wizard guides you as you install SafeGuard LAN Crypt, which is a very simple p
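The checks discussed under the "Ignore ..." client options (validity period, issuer chain, CRL revocation) and the CRL section above, reproduced as a diagnostic an administrator can run on a client before rolling out a PKI. This is an added example using the .NET X509Chain class, not the product's own verification code; the certificate-store lookup in the usage line is an assumption, and the mapping of .NET status flags to the manual's option names is approximate. In particular, the manual's "Ignore unknown revocation" concerns CRLs with non-standard reason codes, while the nearest thing this check can observe is that the revocation status could not be determined at all (for example because the CRL could not be fetched).

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not from the SafeGuard LAN Crypt manual): run the checks a
# client performs on a user certificate before loading a policy file and
# report which of the manual's "Ignore ..." options would be needed to get
# past each failure. The certificate-store lookup at the end is an assumption.
function Test-PolicyCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    $chain = New-Object X509Chain
    # Fetch the CRL from the distribution point named in the certificate. This
    # is the network access the manual warns about: without a connection the
    # result is RevocationStatusUnknown / OfflineRevocation, not Revoked.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    # NoFlag = strict checking. The client's "Ignore ..." options correspond to
    # relaxing this (IgnoreNotTimeValid, AllowUnknownCertificateAuthority,
    # IgnoreEndRevocationUnknown), which is why the manual calls them a
    # compromise of the security policy.
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::NoFlag

    $valid = $chain.Build($Certificate)

    # Collapse the per-element status list into one set of flags.
    $flags = [X509ChainStatusFlags]::NoError
    foreach ($s in $chain.ChainStatus) {
        $flags = [X509ChainStatusFlags]($flags -bor $s.Status)
    }

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        HasPrivateKey    = $Certificate.HasPrivateKey   # needed to open the policy file
        Valid            = $valid
        NeedsIgnoreTime  = $flags.HasFlag([X509ChainStatusFlags]::NotTimeValid)
        NeedsIgnoreChain = $flags.HasFlag([X509ChainStatusFlags]::UntrustedRoot) -or
                           $flags.HasFlag([X509ChainStatusFlags]::PartialChain)
        Revoked          = $flags.HasFlag([X509ChainStatusFlags]::Revoked)
        NeedsIgnoreRevoc = $flags.HasFlag([X509ChainStatusFlags]::RevocationStatusUnknown) -or
                           $flags.HasFlag([X509ChainStatusFlags]::OfflineRevocation)
        Details          = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# Usage: check every certificate with a private key in the user's personal
# store, i.e. the candidates the client could use to open a policy file.
Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey |
    ForEach-Object { Test-PolicyCertificate -Certificate $_ } |
    Format-Table Subject, Valid, NeedsIgnoreTime, NeedsIgnoreChain, Revoked, NeedsIgnoreRevoc -AutoSize
```

A certificate that is Revoked should never be made usable by any option; the columns NeedsIgnoreTime, NeedsIgnoreChain and NeedsIgnoreRevoc each name the one check you would have to switch off to let the profile load, which makes the cost of each "Ignore" option visible before it is set. Run the same check from a machine without network access to see how a client behaves when the CRL cannot be fetched.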
firm move group to other group: Moving a group to a different group has to be confirmed.
Confirm delete group from database: Deleting a group has to be confirmed.
Confirm remove shortcut from group: Deleting a group reference has to be confirmed.
Confirm remove all shortcuts from group: If there is a reference to a group in a different group (e.g. group1 and group2 each contain a link to group3), deleting this reference has to be confirmed (select group3 > right mouse button > Remove Links).
Confirm remove keys from group: Deleting keys which were used in an encryption rule and have been deactivated afterwards has to be confirmed. Used keys are marked in the Administration and remain in the database even if they have been removed from a group. Keys which have not been used yet are also deleted from the database if they are removed from a group.
Confirm attaching key to group: Keys which were used in an encryption rule and have been removed from all groups remain in the database and are displayed under Central Settings > All SafeGuard LAN Crypt Keys. From there they can be re-assigned to a group via drag and drop. This action has to be confirmed.
Confirm creating key reference in group: Inserting a link to a key in a group, e.g. by dragging and dropping it from one group to a different group, has to be confirmed. Keys are always copied, or a link to them is inserted. Cutting keys is not possible.
Confirm remove
g can be made in the SafeGuard LAN Crypt Administration Console under the Logging node in the Central Settings. This node can only be viewed by Security Officers who have at least the Read Logging Entries right. The basic settings can only be made by a Master Security Officer. They can be given additional security by adding a second level of authorization (the scenario Manage Logging requires the global permissions Read Logging Entries and Manage Logging). The basic settings also specify which events are to be logged. Only a Master Security Officer can specify this.
Note: Events which occur before an SO logs on cannot be logged directly to the database. They are cached and written to the database after the next successful logon.
3.19.1 Settings
Click Properties in the context menu of the Logging node to display a dialog in which you make the basic settings.
Settings tab: On this page you specify the period of time after which log entries can be deleted. When using distributed databases, this setting ensures that entries can be copied to headquarters before they are deleted at individual sites.
State tab: The State tab displays information about the current state of the logging module.
3.19.2 Logged events
If the Logging node is selected, all events which can be logged are displayed in the right-hand console pane. Here you can select which events are to be logged.
Note: O
grams > Sophos > SafeGuard LAN Crypt Administration, you see the logon dialog.
[Screenshot: the Choose a Security Officer dialog. It lists the available Security Officers with Name, Region and Certificate columns, states that the private key corresponding to the assigned certificate must be accessible and that clicking an entry searches for the private key again, and offers the option Show only security officers from a specified region and an Assign Certificate button.]
All the authorized Security Officers are displayed in the list. If you select the Show only security officers from a specified region option and select that region, only the Security Officers in that region are displayed. To enable logon, the system must be able to access the private key that belongs to the certificate (a software key or a key on a token). After you select the required Security Officer, click OK to open the SafeGuard LAN Crypt Administration Console.
Recovery Key
If the key belonging to a Security Officer's certificate has expired or has been damaged or lost, enter a recovery key to renew the certificate.
Notice: If a new certificate is generated during the recovery process, that certificate and its associated password are saved to the default path C:\Documents and Settings\All Users\Documents\Sophos\Admin instead of th
handled Drives, Unhandled Applications, Unhandled Devices
In SafeGuard LAN Crypt you can specify that drives, applications and devices (network file systems) are to be unhandled, i.e. ignored by SafeGuard LAN Crypt's filter driver and therefore excluded from transparent encryption and decryption.
A backup program is an example of an application that might be left unhandled. If you want backup data to remain encrypted, you can exclude this application from the encryption/decryption process. The data then remains encrypted when it is backed up, because the unhandled application only ever sees the ciphertext.
You can significantly improve performance by excluding entire disk drives. If, for example, no encryption is to be performed on the E: drive, it can simply be defined as an ignored drive. Alternatively, you could define a rule for this disk drive using the Ignore encryption rule option. When you mark a drive as unhandled, the filter driver does not process the profile for it, so file operations are performed more quickly. You will find these settings in the LAN Crypt configuration node.
Note: As these are machine-specific settings, they do not come into effect until you restart the client computer.
Adding ignored disk drives
Select Unhandled Drives and click Add unhandled drive(s) in the context menu. Select the disk drives you want SafeGuard LAN Crypt to ignore and click OK.
Adding ignored applicati
he compatibility of other CSPs, please contact the support team.
Security levels
As SafeGuard LAN Crypt aims to provide the highest possible security, it is necessary to use strong CSPs such as the Microsoft Strong Cryptographic Service Provider. These CSPs allow the use of keys that are up to 16384 bits long and provide strong encryption algorithms such as 3DES.
You will also need to activate the following option when importing a certificate using the certificate import wizard: Enable strong private key protection. You are then prompted to enter the password every time the private key is used by an application.
After you click Finish in the certificate import wizard, the Importing a new private exchange key dialog is displayed. Click Set Security Level to set the security level again.
- High: If you select High, you need to enter a password to confirm that you are using a private key. In the next dialog box, enter a new password.
- Medium: If you select Medium, the system displays a prompt in which you are asked to confirm the use of a private key by clicking OK.
Highest security level with automatically imported private exchange keys (.p12/.pfx)
SafeGuard LAN Crypt allows you to import certificates automatically. To use the medium or high security level with the private keys belonging to these certificates, you must configure a specific setting in the SafeGuard LAN C
he prerequisite for this right is Read authorization.
Allows the SO to change their own certificate.
Assign Configuration: Allows the SO to assign a different configuration to themselves.
Note: Permissions whose checkbox is grayed out cannot be granted because the selected SO does not have the global permissions necessary for them.
3. Grant the Security Officer the appropriate rights by clicking the checkboxes and then click Finish. The system now displays the Security Officer in the top pane of the Security page. In the bottom pane of the page, an ACL shows the rights of the selected SO.
3.8.3 Changing or renewing MSO or SO certificates
The different ways in which you can change or renew an (M)SO certificate are described below.
Variant 1: Via Security Officer Administration
1. Start SafeGuard LAN Crypt Administration and log on as the MSO. You can also log on as an SO if this SO has the right to change the certificate for the SOs concerned. This can also include the SO themselves, if they have the appropriate rights and their certificate is still valid.
2. Switch to the Central settings tab and from there go to the Security Officer Administration node.
3. Right-click the SO concerned and select the Properties entry from the context menu.
4. Go to the Extended tab.
5. Under Encryption certificate, click the Search button to select a new encryption certificate for the SO.
6. You can also go to
hem if necessary. For updating policy files, SafeGuard LAN Crypt needs access to the network drive on which the policy files are stored. SafeGuard LAN Crypt checks whether a new version of the policy file exists on the network drive and updates the policy file on the client computer if required. SafeGuard LAN Crypt automatically carries out all the steps required for successfully loading the user profile (if necessary, searching for new certificates, verifying new certificates, etc.). The old profile is only replaced by the new profile, and the new profile is only loaded, if no errors occur during the process. Afterwards the counter for the duration of cache storage is reset. If the policy files are identical, the counter is also reset. If this option is set to not configured, SafeGuard LAN Crypt shows the standard behavior described for Cached Policyfile lifetime.
The update interval can be specified in minutes, hours, days and weeks.
Note: SafeGuard LAN Crypt does not allow update intervals shorter than 15 minutes. If the option is set to 0, the update interval is disabled.
4.1.17 Silent mode if user profile is missing
If the default setting applies, SafeGuard LAN Crypt shows an error message if the system does not find a user profile. Here you can specify that this error message is to be suppressed if no user profile is found. If you set Hide error message to yes, the error message is not displayed.
4.1.1
hey can import Directory Objects, the SO also needs the Administer Groups permission and the Administer Users permission. These are set automatically when the Import Directory Objects permission is selected. If an SO does not have this permission, the Directory Objects node (used to import OUs, groups and users) is not displayed in the Administration Console.
When granting global permissions, please note the following points:
- A Security Officer does not have a global permission unless they have been specifically granted it.
- A Security Officer can only change those permissions that they personally possess.
- A Security Officer cannot change an ACL that describes their own permissions.
- Some rights can only be granted if you have another right. When you select this type of permission, the other permission is set automatically.
Select the global permissions you want to grant to the Security Officer and click Apply.
Permissions for changing the settings for a Security Officer
The rights for changing the settings for a Security Officer can be transferred to other Security Officers. A Master Security Officer can always change these settings. For a Security Officer, this right must be specifically granted. The global permissions a particular Security Officer has determine which permissions they can change for other Security Officers. On the Security tab you can define which rights other SOs have for this object.
Security
his is particularly useful in larger environments, and especially where sites are distributed across different geographical locations. In such situations SGLC Administration is accessed via the Remote Desktop (RDP) or Independent Computing Architecture (ICA) protocol.
As the maximum level of security and confidentiality of the data you want to protect can only be guaranteed if SGLC Administration and the system administration operate independently of each other (so that a Windows administrator does not automatically gain access to the keys), SGLC has its own user and group administration functionality. To make everyday tasks easier, the users and groups managed by SafeGuard LAN Crypt can be imported from existing Windows NT, Active Directory or Novell eDirectory directory services, or from another LDAP-based directory.
SafeGuard LAN Crypt Administration requires an SQL database in which it stores configuration data and manages SGLC users and groups. This database can be installed locally on the administration system if the Microsoft Desktop Engine (MSDE) is being used. In larger installations that have a number of Security Officers, we recommend that you use a central database system such as Microsoft SQL Server or Oracle.
Security Officers are responsible for defining the security policy used in their organization. They specify the policies and ensure that they are implemented, modified and adhered to correctly. Smaller companies will usually manage with just on
his option is set to not configured.
The counter for the permitted duration of cache storage is reset in the following situations:
- The storage location of the policy files is accessible and a valid policy file was transferred to the client (e.g. at user logon or triggered by the specified update interval), but the policy file is not newer than the existing one.
- A new policy file is available and has been loaded successfully.
The counter for the permitted duration of cache storage is NOT reset in the following situations:
- The client computer tries to retrieve a new policy file, but the storage location of the policy files is not accessible.
- A new policy file was transferred, but it could not be loaded due to an error.
- A new policy file is available, but it requires a new certificate, and the user does not have this certificate or is not able to load it.
If updating the policy file fails, the expiry time of the cached policy file is displayed in a balloon tooltip on the client computer. The user can then initiate a manual update via the SafeGuard LAN Crypt tray icon. An automatic update is also carried out according to the update interval settings for the user profile.
Policy files are not cached
If this option is set to 0, the policy file is not cached. This means that users receive their user profiles when logging on only if the file lo
118. …This right is not granted to people who are only permitted to act if someone else authorizes their actions. This ensures that these people can only authorize actions that require confirmation and have no way to make changes in SafeGuard LAN Crypt.
    Authorize Operations: The SO can participate in actions that require confirmation.
    Administer Users: The SO can add users to a group, remove them from a group and synchronize groups.
    Create Rules: The SO is allowed to generate encryption rules for the users.
    Change Global Permissions: The SO can change the global rights granted to another SO.
    Change ACLs: The SO can change the ACL for a group.
    User-specific Keys: The SO can change user keys or group keys.
    Change Configuration: The SO can change the configuration paths. This permission is required to display the Configuration tab in the Central settings and for the SO to be able to make changes in the Directories tab if they are logged on to the database.
    Permissions / Description (continued):
    Read Logging Entries: The SO can view the settings used for logging and the logged events.
    Manage Logging: The SO can change the logging settings. They are permitted to archive, delete and check entries.
    Import Directory Objects: The SO can import OUs, groups and users from a directory service and add them to the SafeGuard LAN Crypt database. Before t…
119. …which is in the password log file. The certificate and associated key are automatically imported after the user enters the PIN. If SafeGuard LAN Crypt finds a .cer file that contains the public part of the Security Officer's certificate, it automatically imports it. Alternatively, you can distribute the key files for the users and the public part of the Administrator certificate manually. If you do this, make sure that the clients import both of them.
    3.17.3 Certificate Assignment Wizard
    SafeGuard LAN Crypt has a wizard that performs most of the tasks involved in assigning certificates to users. To run the wizard, select Certificate Assignment Wizard in the context menu for "Members and certificates for group". In the wizard's first dialog, specify whether you assign the certificates to members in this group only, to members in this group and all subgroups, or to selected users only.
    For selected users only: This option is only displayed if one or more users are selected. When you click "Members and certificates of group" under the desired group node in the left-hand console pane, the members of the group are displayed in the right-hand console pane. Selecting the users works the same way as in Windows Explorer: select the users with the left mouse button while pressing the SHIFT or Ctrl key.
    The wizard supports the assignment of certificates from the following sources:
    - Assign certificates fr…
120. …file system on a Windows computer. The SafeGuard LAN Crypt filter driver works in a similar fashion to a virus scanner: it identifies which files are to be accessed and performs the appropriate encryption or decryption operation on them. Whenever a user moves a file into a trusted directory, the file is encrypted on that user's computer, and each time another trusted user who is a member of the same group reads the file from this directory, it is transferred to this user in encrypted form. The file is not decrypted until it reaches the target computer, where the user can change it. Then it is encrypted again before being returned to the encrypted directory. Encrypted files are not assigned to individual users: any user who has the right key can access the encrypted file. This allows administrators to create logical user groups whose members can share encrypted files. This process can be compared with a bunch of keys, just like you use in daily life: SafeGuard LAN Crypt provides users and user groups with a bunch of keys, and the individual keys can be used to open different doors or safes. Unauthorized users may be able to physically access these encrypted files, but only from workstations without SafeGuard LAN Crypt. However, without SafeGuard LAN Crypt authorization they will not be able to read them. As a result, a file is always protected, even if no access protection is defined for the file system itself, if the network is attacked, or the…
121. …in this file. Click Next and then specify how SafeGuard LAN Crypt is to handle existing assignments. Disable the "Do not overwrite existing assignments" option if the system is to ignore an existing assignment.
    - Click Next to start the wizard and automatically assign the certificates.
    3.17.3.4 Assigning certificates from certificate stores
    If you have selected the "Assign certificates from certificate stores" option, the second step of the wizard prompts you to specify whether it is to generate a list of all available certificates and import them, or whether an existing list is to be imported. SafeGuard LAN Crypt uses this list to assign the certificates. You can, for example, use the "Import a previously created list" option if assignment has already been started once but the process was interrupted after the list was generated. The system can then reuse the file that was created here. If you select the "Create and import a list of all available certificates" option, the system displays this dialog:
    [Screenshot: Certificate Assignment Wizard, step 3 of 7, "Create list of certificates". Fields: "Choose a file to write the list to", "Try to insert names (requires search pattern)" with a search pattern field, and "Open output file for editing with notepad when finished".]
    Select a name for the list output file. SafeGuard LAN Crypt creates a list of…
122. …ing extended API logon.
    5. If you have defined regions for your Security Officers, you can now select a region.
    6. If you have created individual configuration records for the regions, you can now select one. Note: The system only displays configurations that have been generated for the selected region.
    7. Click Next.
    [Screenshot: "SafeGuard LAN Crypt: Add new Security Officer" dialog, "Select actions the new Security Officer should be able to perform", with the check boxes Administrate Security Officer, Administrate users and groups, Administrate keys, Administrate rules, Build profiles for users, Grant additional authorization and Select all, and the buttons Back, Finish, Cancel, Help.]
    8. In the wizard's last dialog, you can specify which actions the Security Officer is to be able to carry out. All the global rights required for the selected actions will be set automatically. These rights are displayed in the SO's properties (double-click an SO to display them) on the Global Permissions tab. The global rights can be edited on this page. In this dialog, if you allow an SO to perform a specific action, they will be automatically granted all the necessary rights for this action.
    9. Click Finish. The new Security Officer is displayed in SafeGuard LAN Crypt Administration.
    3.8.1 Granting/editing global rights
    The Security Officer must be granted global rights. If the Security Officer Administration node is selecte…
123. …ing to the certificate, and can therefore use this certificate to access the relevant encryption information. If self-signed certificates are being used, these are also stored on a file server, and the user will require read access rights to be able to use the certificates. SafeGuard LAN Crypt also supports the use of certificates stored on smartcards, USB tokens or suitable hardware boards. Note: You can use SafeGuard LAN Crypt without having to use smartcards or tokens to store certificates. The paths to the policy files (from the user's viewpoint) and other SGLC settings are identified by mechanisms in the operating system, for example Active Directory or the central configuration file ntconfig.pol. A SafeGuard LAN Crypt trusted group consists of a number of users with the same encryption profile. Policy files for every single user are generated in Administration. All SafeGuard LAN Crypt users who have the same profile stored in their policy file are members of an authorization group. They do not need to worry about encryption or key exchange. They only have to be able to access the policy file to have their data encrypted or decrypted transparently as soon as they close or open it.
    SafeGuard LAN Crypt Client: The SafeGuard LAN Crypt Client is installed on the Windows systems (PCs, workstations, notebooks, terminal servers) on which you want encryption to be performed. In addition to the filter driver required for encryption and decrypt…
124. …administrator privileges.
    1. Select Start > Control Panel > Add or Remove Programs.
    2. Select SafeGuard LAN Crypt Administration 3.61 from the list of installed programs.
    3. Click Remove to uninstall the SafeGuard LAN Crypt Administration.
    4. If you really want to uninstall the SafeGuard LAN Crypt Administration, confirm the warning message displayed by clicking OK.
    5. Restart the system to complete the uninstallation process.
    Note: When uninstalling SafeGuard LAN Crypt, the contents of the SafeGuard LAN Crypt Database are preserved. If required, the database has to be deleted separately by using operating system tools or the database administration tool.
    Administration
    SafeGuard LAN Crypt Administration integrates seamlessly into Microsoft's Management Console (MMC) and offers a Security Officer a trustworthy user interface with typical MMC functionality. The Administration Console was developed to enable users to benefit from existing Windows replication tools. This not only helps to achieve high levels of efficiency but also reduces the total cost of ownership (TCO), since customers who have a large number of workstations usually only want to implement one system for administering them. The SafeGuard LAN Crypt Administration Console is usually installed on a separate machine from where the required directory services and the SafeGuard L…
125. …ion, the client component has a range of other optional components:
    - Explorer extensions for initial and explicit encryption
    - A user application for loading and deleting encryption rules, as well as activating and deactivating encryption
    - A user application for displaying all the settings and rules that are active on the client
    - A user application for initial encryption
    - Token support, so that token-based certificates can be used to access stored encryption information
    The client component first loads the profile created by the Security Officer. It then decrypts this profile and derives from it the encryption rules that apply to the user who is currently logged on. These are then applied by the installed filter driver. Before a user can access their encryption profile, the certificate assigned to them must either already be present on their computer or be loadable from a file server or a Netlogon share. These certificates must first be provided by a Security Officer and then imported by the user who requires them. SafeGuard LAN Crypt also has an option that imports certificates automatically the first time a user profile is loaded. In this situation the user is prompted to enter a PIN before this certificate is imported. They must first be given this PIN by the Security Administrator. The certificate is checked every time the encryption profile…
126. …ion failed
    1168 Create/Change/Delete group
    1169 Failed to create/change/delete group
    1170 Create/Change/Delete user
    1171 Failed to create/change/delete user
    1172 Create/Delete Security Officers
    1173 Failed to create/delete Security Officers
    1174 Properties of Security Officer changed
    1175 Failed to change properties of Security Officer
    1176 Global Permissions changed
    1177 Failed to change Global Permissions
    1178 ACL of Security Officer changed
    1179 Failed to change ACL of Security Officer
    1180 ACL of group changed
    1181 Failed to change ACL of group
    1182 Checksum (MAC) error in database
    6.3 Permissions
    6.3.1 Global permissions
    Permissions / Description:
    Create SOs: The SO has permission to create more SOs.
    Generate Profiles: The SO has permission to run the Profile Resolver and generate policy files for the individual users. Owning this permission is a prerequisite for assigning values to keys. A user with the permission Generate Keys on its own can only generate keys without values.
    Generate Keys: The SO can generate keys in the individual groups. A user with the permission Generate Keys on its own can only generate keys without values. Within the Administration Console, keys without a value can be assigned to encryption rules. The value itself is generated when policy files are generated. The SO needs the Generate Profiles permission…
127. …irationTime
    - User name: Name
    - Logon name: Logonname
    - E-mail address: EMail
    - Generation mode: Mode. Possible values are <GUI> (certificate was generated in the user's Properties dialog), <SO> (certificate of an SO; it was generated when the SO was created) and <WIZARD> (certificate was generated using the Certificate Assignment Wizard).
    - File name: FileName
    - Password: Password
    Note: You should protect this file and under no circumstances save it in the same folder as the POL files.
    Note: If the user who is assigning certificates has no file system right to change the password log file, SafeGuard LAN Crypt will not be able to generate certificates.
    3.5.8 The Regions tab
    In SafeGuard LAN Crypt you can set up regions to make key administration easier and less complex. Each region is assigned to a specific Security Officer, who is then responsible for it. When this Security Officer generates keys, the system automatically adds the prefix for this region at the beginning of the key names. As a result, you can always see the administrative unit for which each key was generated. This approach is particularly useful in distributed environments. Enter the name and prefix for the regions in the appropriate input fields. Click Add to add a new region to the list of existing regions. You can select the regions displayed here when you create a Securit…
128. …is loaded. If the certificate is valid, the user can log on to SafeGuard LAN Crypt. If no valid certificate is present, the user cannot access the encrypted data. If the certificate is stored on an SGLC Client-supported hardware-based token, the user does not need to take any further actions: once the token is unblocked, encryption and decryption are performed automatically.
    System requirements
    Platforms: SafeGuard LAN Crypt is available for the following operating systems:
    - Windows XP Professional SP3
    - Windows Vista SP2
    - Windows 7
    - Windows Server 2003 SP2
    Cryptographic Service Providers: SafeGuard LAN Crypt needs strong CSPs, such as the Microsoft Strong Cryptographic Service Provider. These CSPs allow the use of keys that are up to 16384 bits long and provide strong encryption algorithms such as 3DES.
    Unicode: SafeGuard LAN Crypt supports Unicode characters in file names, path names, user IDs etc. In particular, Japanese characters can be displayed.
    2 Getting started
    2.1 Certificates
    SafeGuard LAN Crypt uses certificates and public/private key pairs to secure encryption information stored in the Windows registry. Only the owner of a certificate can access the private key that belongs to that certificate, and is therefore able to use it to access the encryption information.
    2.1.1 Which certificates can be used, and where do they come from?
    A company either has its own Pub…
129. …is the only way of ensuring that a file encrypted with, for example, the CRYPTOKEY key from company A can be decrypted by company B. Before this can happen, company B must also generate a key called CRYPTOKEY which has the same settings as the key from company A. This also includes the key's GUID. To handle this situation, SafeGuard LAN Crypt has an option which allows you to enter the GUID manually when you generate a new key. To enable this, simply activate the "Allow Security Officers to define the GUID for newly created keys (default is a random GUID)" option.
    3.5.2.1 Key value
    If you activate the "Do not allow the creation of keys by security officers that do not have the right to create profiles (no keys without a value)" option, you can ensure that only Security Officers who have the Create key and Generate profile rights are able to generate keys (name and value). SafeGuard LAN Crypt allows you to generate keys that do not have a value. These keys can be used without any restrictions in the Administration console. Their values are generated when you generate the policy files for users. However, this may cause problems if you use a distributed database system. For example: policy files which contain keys without a value (generated manually without a value, or <GROUPKEY>) are generated in a replication time window in different sites. If policy files are generated in each site, a di…
130. …istration. To avoid these errors, make sure that the same code page (character set) is used on all machines that access the database over the Oracle client. In the Database tab you can specify a character set which has to be used on all the machines from which the database is accessed. When starting the Administration Console, SafeGuard LAN Crypt checks whether or not the settings of the Oracle client match the settings in the database. If not, a warning is displayed and the Administration Console will not start up. In the edit field, enter the character set to be used on the Oracle clients to allow a logon to the database. On an Oracle client this setting is in the registry under the value NLS_LANG (Language_Territory.CharacterSet; example: GERMAN_GERMANY.WE8MSWIN1252). The character set of the current machine is displayed under INFO in the Database tab. Usually this character set must also be used by all other clients which access the database.
    Note: We recommend that you use only one character set. If you use more than one character set, errors may occur when calculating the checksum (MAC). In general it is possible to use more than one character set, but you should only do so if the character sets are largely identical and differ only by a few characters. You should identify these characters and not use them for database entries.
    Deactivating this check: SafeGuard LAN Crypt allows you to deactivate…
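A small check in the spirit of the start-up comparison described above, written here as an added example (it is not SafeGuard LAN Crypt code): it parses an NLS_LANG value of the documented Language_Territory.CharacterSet form and compares the client's character set with the one configured for the database. The function names, the case-insensitive comparison and the switch that models "deactivating this check" are assumptions:

```python
from typing import Optional, Tuple


def parse_nls_lang(value: str) -> dict:
    """Split an NLS_LANG value (LANGUAGE_TERRITORY.CHARSET) into its parts.
    Each part is optional in Oracle's syntax, so a missing part becomes None."""
    lang_terr, _, charset = value.partition(".")
    language, _, territory = lang_terr.partition("_")
    return {
        "language": language or None,
        "territory": territory or None,
        "charset": charset or None,
    }


def check_client_charset(client_nls_lang: Optional[str],
                         required_charset: str,
                         check_enabled: bool = True) -> Tuple[bool, str]:
    """Return (ok, message). ok == False models the console refusing to start
    after the warning described on the page (assumed behaviour)."""
    if not check_enabled:
        return True, "character set check deactivated"
    if not client_nls_lang:
        return False, "NLS_LANG is not set on this client"
    client = parse_nls_lang(client_nls_lang)["charset"]
    if client is None:
        return False, f"NLS_LANG {client_nls_lang!r} names no character set"
    # Oracle character-set names are case-insensitive, so compare normalised.
    if client.upper() != required_charset.upper():
        return False, (f"client character set {client} does not match the "
                       f"database setting {required_charset}")
    return True, f"client character set {client} matches"


if __name__ == "__main__":
    # Constructed values; the first mirrors the example on the page.
    print(check_client_charset("GERMAN_GERMANY.WE8MSWIN1252", "WE8MSWIN1252"))
    print(check_client_charset("AMERICAN_AMERICA.AL32UTF8", "WE8MSWIN1252"))
```

Refusing to start on a mismatch is the conservative choice: a client writing in a different character set can produce rows whose MAC no longer verifies for the other clients, which is the checksum error the note above warns about.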
131. …ity Officer's certificate, it automatically imports it. Note: Before you can use this functionality, you must set the appropriate paths in the SafeGuard LAN Crypt Configuration. Alternatively, you can distribute the key files for the users and the public part of the Administrator certificate manually. If you do this, make sure that the clients import both of them. Note: The clients have to import the public part of the particular Security Officer who generated the policy files. If you change the path on which the .cer files of the Security Officers and the .p12 files of the users are stored after you have created Security Officers, you must copy their .cer files to the new location. Otherwise the public parts of the Security Officers' certificates will not be found. The .p12 files for users must also be generated under the new path.
    Storage location for generated Security Officer certificates: SafeGuard LAN Crypt stores Security Officer certificates in .p12 files, for example as backups. Here you can specify the folder to which they are saved. Note: Because they involve sensitive data, it is vital that you protect them against unauthorized access.
    File for password log: Here you specify the storage location and name of the log file for generated PKCS#12 files. This file contains the passwords for the generated PKCS#12 files and can be used, for example, to create a PIN letter. Note: You should protect this file and under no circumstances sa…
132. …lic Key Infrastructure (PKI), or uses a Trust Center to create certificates for the users. In this case existing certificates can be used.
    - Alternatively, the SafeGuard LAN Crypt Administration component can generate self-signed certificates. These certificates can only be used by SafeGuard LAN Crypt. The certificates also have a Critical Extension to show applications that they must not be used. These are simple certificates, comparable to Class 1 certificates, which comply with the X.509 standard. Note: In certain situations other applications will ignore these Critical Extensions on SafeGuard LAN Crypt certificates. This will then cause problems with these self-signed certificates. In such cases you must explicitly deactivate all the areas of use for SafeGuard LAN Crypt certificates with the Microsoft Management Console's certificate snap-in, to prevent these certificates from being used in other applications.
    The certificates are assigned to the users within the SafeGuard Administration component.
    Important information about how to use certificates:
    - SafeGuard LAN Crypt only uses the Microsoft Crypto API for certificate functionality.
    - SafeGuard LAN Crypt supports all Cryptographic Service Providers (CSPs) that comply with certain standards (e.g. RSA key length at least 1024 bits). They include, among others, the Microsoft Enhanced CSP. Note: The Microsoft Standard CSP (Microsoft Base CSP) cannot be used. If you have any questions about t…
133. …list so that data can be imported from it. The prerequisites for this are that a Novell client is installed on the Administrator PC and that the logon data for the Novell server is stored in Central settings. Note: If groups and users are imported from a Novell directory service, you must be logged on to the Novell server with a user name and password to obtain the necessary information. You can only select the Novell Server by clicking the Search button if you log on using the Novell Client and your credentials are entered on the Servers page in the Central Settings.
    WinNT
    - Computer: Displays the local groups and users of the computer you are currently logged on to. Usually these groups and users are only used for test purposes.
    - Domain: If the computer is a member of a Windows NT domain, click this button to display the entire structure of the domain as stored on the domain controller. Note: When using the WinNT protocol, the system cannot distinguish between renamed and new users during synchronisation, as the WinNT protocol does not assign unique GUIDs to user objects.
    FILE
    - Search file: To import users and groups from a file, click Search file in the Import source dialog. Click the Search button to select the file from which the users and groups are to be imported. The import file must be of a specific format to enable you to import the users and groups. For inf…
134. …member of …
    [Screenshot: synchronization dialog listing membership changes in the form "<object> is member of <group>" (the entries are illegible in the source), a "Remove membership to …" line for a selected user, and the buttons OK, Cancel, Help.]
    - All entries: Displays all changes in a list. Corresponds to the total number of entries on the other pages.
    - Deleted objects: Displays objects that have been deleted in the import source (server) since the last synchronization but are still present in the SafeGuard LAN Crypt Database.
    - New relationships in the directory: Displays the objects and memberships that have been added to the SafeGuard LAN Crypt Database, or new ones that have been created in the import source (server) since the last synchronization and have not yet been transferred into the database.
    - Old relationships in the database: Displays objects and memberships that are still present in the database but are no longer in the import source. For example, groups may have been delete…
135. …move it to a directory without encryption rules. The file is decrypted automatically. However, this is only the case if:
    - an appropriate encryption profile has been loaded
    - the user has the right key
    - no encryption rule for the new location exists in the active encryption profile
    - persistent encryption is switched off
    Deleting encrypted files (Windows Recycle Bin): If your encryption profile is loaded, you can delete any encrypted file for which you own the key. Note: When you delete a file, you actually move it to the Windows Recycle Bin. To provide the highest level of security, files encrypted by SafeGuard LAN Crypt remain encrypted in the Recycle Bin. Before you can delete files permanently, the key used to encrypt them must be present in the active profile. If the key is not available, an error message appears and you will be unable to remove these files from your system. In some situations encryption rules may have been modified after a file was moved to the Recycle Bin. If this is the case, the old key must be present in the active profile before you can permanently delete that file.
    Excluding files/directories from encryption: The following files and directories are automatically excluded from encryption, even if an encryption rule has been defined for these files:
    - Files in the SafeGuard LAN Crypt installation directory
    - Files in the Windows installation directory
    - Local cache
    Architecture: SafeGuard LAN Crypt c…
136. …mple. An example of how <USERKEY> could be used: all users work on the same network drive U:, which contains one directory per user. Only the appropriate user should be able to access that directory. An encryption rule to specify this could look like this: [encryption path illegible in the source] <USERKEY>. Another example would be to use <USERKEY> to encrypt local temporary directories. User- and group-specific keys are not displayed in the default view under Central Settings > All SafeGuard LAN Crypt keys, since they usually are not needed. If necessary, a Security Officer with the corresponding rights can display these keys. To display these specific keys, activate the "Show Specific Keys" option. Now the specific keys are also displayed. The same applies to created keys: to display those keys, enable the "Show Keys" option. In addition to the placeholders, the keys created are then displayed.
    Assign a key without path: The list of defined encryption paths also includes a placeholder called "Assign a key without a path". This is used to give users a key that they can use to encrypt data for which there is no encryption path. This may happen, for example, if encrypted files are copied (with encryption deactivated) to a location for which no encryption rules have been defined. They can then use this key to access these files. If a key is created without a path, the system automatically…
137. …n
    [Screenshot: Directory Objects import view with numbered callouts. (4) Here the OUs, groups and users are displayed the way they exist in the import source (an LDAP tree containing OUs such as Utimaco, Munich, Quality Assurance, Manager, Development, Project Groups and Security Officers). (5) If you double-click an object, it is transferred into the lower view pane. (6) Here the selected OUs, groups and users are displayed before they can be added to the database; the columns are Object, Status and Path. (7) Adds the selected objects to the database.]
    Note: If an SO who is logged on cannot display the Directory Objects node, it means that they do not have the global permission "Import Directory Objects". This node only appears in the Administration Console if the SO has this right.
    3.10.1 Importing groups and users from a file
    Users and groups can be imported from a manually created file that contains the groups and users with specific depend…
138. …n click Close in step 3, you will see a special key icon in the Group key node of the appropriate (current) group. You can now use this key in encryption rules (the screenshot shows such a key with a long key name and the AES256 algorithm). Note: If you select the "Assign keys from the current group" option, it is only effective if you called the Find key function from the Group key tab in a group, and not from the "Display all SafeGuard LAN Crypt keys" tab.
    Showing selected users and certificates: The "Selected users and certificates" node is only available if the "Show Selected users and certificates" option is active in the SafeGuard LAN Crypt Administration user settings (see User settings on page 35). Upon clicking the node "Show selected users and certificates", a dialog is displayed for selecting the users to be shown. As displaying all users can be very time-consuming, SafeGuard LAN Crypt allows you to define search criteria to filter the search process. Note: If the system is set to cache user lists, you have to update the display first (either via the icon shown in the toolbar or by pressing F5) before you can enter new search criteria. Select the option "Display matching users" to activate the input fields for defining your search criteria.
    [Screenshot: "Which users should be displayed?" dialog with the options "Display all users" and "Display matching users", a first condition of the form <any user attribute> <should be> <value>, and an "Add second condition" check box with a second condition of the form <parent OU of user> <must not be> <value>.]
139. …n which you can edit the properties for a user.
    The Certificates tab: The Certificates tab displays all the certificates that are assigned to a user. In this tab you can also create a new SafeGuard LAN Crypt certificate for the user, add a certificate from the certificate store and import a certificate from a file (see Assigning a certificate to a user on page 104).
    The Groups tab: The Groups tab displays the groups in which the current user is a member.
    The Rules tab: The Rules tab displays all the encryption rules for the user. This is a convenient overview of all the encryption rules that are currently valid for a particular user, even if they originate from different groups. The columns S, X and I show which kind of rule it is:
    - S (sub-directories): sub-directories are included in encryption
    - X (exclude path): the path is excluded from encryption
    - I (ignore path): the folder is ignored by SafeGuard LAN Crypt
    For further information, see Generating encryption rules on page 100. Under "Inherited from" you see the group from which a particular rule has been inherited.
    The Details tab: User data is displayed and can be edited in the Details tab. The e-mail address is added to the password log file for certificates generated by SafeGuard LAN Crypt. It can, for example, be used to create a PIN letter via e-mail. Note: Please be careful when you edit user data. Your changes may have undesirabl…
140. …ncryption of user-specific folders: SafeGuard LAN Crypt supports the default directories predefined by Windows, for example My Documents, Common Files etc. The Security Officer therefore does not have to consider system-specific variations in client configuration. SafeGuard LAN Crypt determines the correct user-specific path, in the correct language, from the relevant default directory and encrypts the files that are stored in that directory. To specify further directories in LAN Crypt, enter the relevant ID. Example: <0x002f> is the directory that contains the administration tools for all users of the computer (CSIDL_COMMON_ADMINTOOLS). For a list of all possible IDs, refer to http://msdn2.microsoft.com/en-us/library/ms649274.aspx.
    3.16.2 Keys
    You create the keys used to encrypt data before you generate the encryption rules. All available keys for the relevant group are displayed in the dialog in which you create an encryption rule, and you can select them from a list there.
    3.16.3 The sequence of encryption rules
    When you load the policy files into the client, SafeGuard LAN Crypt sorts the encryption rules in accordance with a particular set of rules:
    - The data is sorted according to how precisely you enter the path, i.e. the more precisely you define the rule, the higher it will be in the hierarchy. For example, rules that exclude data from encryption are always placed at the beginning, as they usually require more pr…
141. nerated a key, you can change its name, the type of inheritance specified for it, and the comment. You can see whether a key is already in use in the "used" column in the console. To change a key, go to the group in which the key was generated and double-click the relevant key name. You see a dialog in which you can change the key.

3.15.7.1 The Properties dialog
The Properties dialog displays information about the selected key. In this dialog you can change the long key name and the settings that define whether or not the key can be inherited. You cannot change the 16-character unique key name for internal use that was generated by SafeGuard LAN Crypt.

Note: To edit a key, the Security Officer must have the group-specific Create Keys right for the groups in which the key was generated. Keys that do not belong to a particular group cannot be changed.

Double-click a key to display its properties. The Properties dialog consists of three tabs:
- The Key tab displays a key's data. In this tab you can change the long key name and the settings that define whether or not the key can be inherited. Click "Display key value" to display the key's value.
- The Groups tab displays all the groups in which the key is available and can be used to create encryption rules.
- The Rules tab displays all the encryption rules in which the key is used.
The Groups and Rules tabs are for information only. No changes can be made here.

3.16 Encryption rul
142. nerating keys. The value is generated automatically when a key is transmitted to a profile. A SafeGuard LAN Crypt key consists of the following components:
- a name. For the sake of clarity, we recommend that the name of the user group is part of the key name. The names you define are especially important because SafeGuard LAN Crypt can also sort keys. SafeGuard LAN Crypt uses specific key names to generate a 16-character key name for internal use. It attaches the prefix for the appropriate region to the beginning of this key name.
- a key value. The length of the key depends on which algorithm is used. The key value can be specified either in ANSI characters or in hexadecimal notation (permitted numbers and characters: 0123456789abcdef). The other associated value is updated automatically. You do not need to enter a key value; in this case the value is generated randomly the first time the key is used in a user profile.
- an encryption algorithm (AES, AES256, DES, 3DES, IDEA, XOR).
- a comment (optional).
- Key GUID (optional). This allows you to enter a key GUID manually so that encrypted files can be exchanged between two different SafeGuard LAN Crypt installations (see "The Key tab" on page 38). If this field is empty, the GUID is created automatically.

To generate a new key:
1. Select Group keys under the group for which you want to generate a key.
2. Click the yellow key icon in the
143. nfigured | 4 Warning
ACL of group changed | 4 Warning
ACL of Security Officer changed | 4 Warning
Global Permissions changed | 4 Warning
Create/Delete Security Officers | 4 Warning
Assigned Certificate to Master Security Officer | 5 Notice
Assigned Certificate to Security Officer | 5 Notice
Assigned Certificate to User | 5 Notice
Key moved | 5 Notice
Key deleted | 5 Notice
Key created | 5 Notice
Setting changed | 5 Notice
Key value displayed | 5 Notice
Logging events archived | 5 Notice
Rule deleted | 5 Notice
Rule changed | 5 Notice
Rule created | 5 Notice
Properties of Security Officer changed | 5 Notice
Create/Change/Delete of user | 5 Notice
Create/Change/Delete of group | 5 Notice
Certificate created | 6 Info
Security Officer logged on to grant additional authorization | 6 Info
Security Officer logged on | 6 Info
Key has changed | 6 Info
Certificate assignment cleared | 6 Info
Certificate wizard started | 6 Info
Logging events exported | 6 Info
Database synchronization ended | 6 Info
Database synchronization started | 6 Info
Security Officer logged off | 6 Info
Administration closed | 6 Info
Administration started | 6 Info

You can select several events at the same time (mouse click with SHIFT or Ctrl). After you have selected the events, click the diskette icon in the tool bar to save the settings. However, in each case you will be asked whether you want to save the settings or not when you leave this view without saving.
144. ng SafeGuard LAN Crypt. To cover this eventuality, SafeGuard LAN Crypt has its own freely usable database system that you can use for administration. This is the Microsoft SQL Server 2005 Express Edition. In addition, SafeGuard LAN Crypt supports the following database systems:
- Microsoft SQL Server 2005
- Microsoft SQL Server 2005 Express
- Microsoft SQL Server 2008
- Oracle 10g
- Oracle 11

Note: If you are using an Oracle database, you must install the Oracle client before you can use SafeGuard LAN Crypt Administration. If you select the runtime variant of the Oracle client, you must also install the Oracle ODBC driver. SafeGuard LAN Crypt does not support Microsoft ODBC for Oracle. Make sure that you do not use any of the manufacturer's reserved key words when you generate database objects.

- Specifying a data source (ODBC): If you want to use your own database system, you must know the access data for the database you want to use so that you can specify the data source.
- Creating database tables: After specifying the data source, you have to create the SafeGuard LAN Crypt tables in the database using the tool provided with your software (CreateTables.exe).

Installing the supplied database system
The following description refers to the Microsoft SQL Server 2005 Express Edition. For this example description, the defaults of this version have been used as far as possible. To install the database system, do as follo
145. nging the paths on the Directories tab. Only Master Security Officers can make changes in the Algorithm tab and the Certificates tab.

3.5.1.1 The Algorithms tab
SafeGuard LAN Crypt has these encryption algorithms:
- AES
- AES256
- 3DES
- DES (not recommended)
- IDEA
- XOR (not recommended)
Select the algorithms you want to use. The algorithms you select here can be used later on when you generate different keys.

Note: If these settings are changed later, for example if DES is removed from the list of available algorithms, none of the keys that have already been generated or the data encrypted with them is affected. If an algorithm is affected, it is simply not available when you generate a new key later on.

Default algorithm: Here you select which default algorithm is to be used to automatically generate user and group keys.

3.5.2 The Key tab
Problems with duplicated internal key names may occur when several SafeGuard LAN Crypt installations are combined into one, for example due to a company or departmental merger. For this reason every key is identified by its own Global Unique ID (GUID). The GUID is usually generated randomly by SafeGuard LAN Crypt and cannot be changed afterwards. However, if files that have been encrypted with SafeGuard LAN Crypt are to be exchanged between two companies, you will need a method that allows you to generate a common key. This
146. nly Master Security Officers can select which events are to be logged. Click the Severity column header to sort the events according to the categories Emergency, Alert, Error, Warning, Notice, Info. To select an event to be logged, double-click it or select it and click the appropriate symbol in the tool bar:
- Enables the selected event(s) for logging.
- Disables the selected event(s) for logging.

[Screenshot: SafeGuard LAN Crypt Administration console, Logging view, with the columns Event and Severity]

Event | Severity
Checksum (MAC) error in database | 0 Emergency
Checksum (MAC) error in Logging table | 1 Alert
Failed Certificate Assignment | 3 Error
Fail to change ACL of Group | 3 Error
Fail to change ACL of Security Officer | 3 Error
Fail to change Global Permissions | 3 Error
Fail to change properties of Security Officer | 3 Error
Fail to create/delete Security Officers | 3 Error
Failed to create/change/delete user | 3 Error
Failed to create/change/delete group | 3 Error
Security Officer logon failed | 4 Warning
Settings for additional authorization changed | 4 Warning
Recovery key created | 4 Warning
SO certificate recovered | 4 Warning
Global Setting changed | 4 Warning
Logging events deleted | 4 Warning
Logging co
147. om the Active Directory
- Assign certificates from an LDAP directory
- Assign certificates from a file system directory
- Assign certificates from certificate stores

3.17.3.1 Assigning certificates from the Active Directory
If you select the "Assign Certificates from the Active Directory" option, enter the DNS address of the Active Directory Server in step 2. Usually this is the domain controller. If you click Use Defaults, the system applies the address of the Domain Controller to which you are currently logged on. To start the wizard, click Next. The system imports and assigns the certificates automatically. It displays a message to confirm that it has successfully assigned the certificates. Click Finish to close the wizard.

3.17.3.2 Assigning certificates from an LDAP directory
If you select the "Assign Certificates from an LDAP directory" option, you must enter the address of the LDAP directory from which you want to import the certificates in step 2. In Address, enter the complete computer name of the LDAP server (for example Server.MyDomain.com) and specify the relevant port. The standard port for the LDAP server is set by default. In DN (Distinguished Name), enter the node in the LDAP structure from which the system is to search through the directory. Enter the node in the LDAP directory using its Distinguished Name (DN). You must not enter the computer name (dc=computername
148. on can be required for the following actions:

Action | Necessary permissions
Change Additional Authorization Settings | Can only be performed by a Master Security Officer
Change Recovery Key | Can only be performed by a Master Security Officer

The following actions can only be performed by SOs who have the global right to authorize operations and have the right to perform the action.

IMPORTANT: Please note that having only the global right to provide an additional authorization may not be enough in some situations. The Security Officer providing the additional authorization must have the corresponding right for this specific object.

Action | Necessary permissions
Changing Global Settings | Requires the global right Change Configuration. The system prompts for authorization when you make changes on the Algorithms, Certificate, Regions, Directories, Keys, Antivirus software, Resolving rules, Server and Configuration tabs. Only Master Security Officers can authorize changes to the Algorithms, Certificates, Keys, Resolving rules and Regions tabs.
Create Security Officer | Requires the global right Create SOs.
Change Access Control Lists | Requires the global right Change global rights and the corresponding group- or SO-specific rights.
Change Permissions | Requires the global right Change ACLs.
Assign Certificate | Requires the global righ
149. only use the selected paths. If an SO changes an existing configuration record, they also change the configuration for all the SOs who are also assigned to this configuration.

Generating a configuration record
To generate a configuration record, proceed as follows:
1. Select an existing region for which you want to create the configuration record, or select <no region> to create a configuration record to which SOs who are not in a region can be assigned.
2. In New Name, enter a name for the new configuration record.
3. Select an existing configuration record in the list. The system copies this configuration record and saves it with the new name. Click Copy.
4. If you want to edit the configuration record, select it and click Edit.
5. You see a dialog which is the same as the Directories dialog in Properties. Here enter the appropriate paths and click OK.
6. The system now displays the new configuration record in the list in the appropriate region, and you can use it to create more SOs. To change the configuration and the region of an existing configuration record, select the Properties tab for the particular SO.
7. You can create as many additional configuration records as you require.

3.5.9 The Additional Authorization tab
In SafeGuard LAN Crypt you can define that particular actions require additional authorization by at least one more Security Officer. Additional authorizati
150. ons. Select Unhandled applications and click Add unhandled application in the context menu.

Typical use:
- Backup programs can be defined as unhandled to ensure that they always read and save encrypted data.
- Applications that may cause errors when used simultaneously with SafeGuard LAN Crypt, but which do not require encryption, can usually be excluded from the encryption process.

Windows NT 4.0: To specify which applications are unhandled, you must use their 15-byte process name as displayed in the Windows Task Manager.
Windows 2000 and Windows XP: To specify an unhandled application, you must enter the entire name of its executable file, including path information if necessary.
Enter the application's name (and path, if required) and click OK.

4.3.3 Adding ignored devices
Select Unhandled Devices and click Add unhandled device in the context menu. The Unhandled Devices dialog displays network file systems that you can exclude from the SafeGuard LAN Crypt encryption process. For technical reasons you cannot exclude single network drives here; you can only exclude entire network file systems. The pre-defined devices listed here are:
- Citrix Client Drive Mapping
- Client for Microsoft networks
- Microsoft Client for NetWare
- Multiple UNC Provider
- Novell Client for NetWare

Note: Security officers can exclude individual network disk drives from the encryption
151. onsists of two components: SafeGuard LAN Crypt Administration and SafeGuard LAN Crypt Client. These two components are usually installed on a regular workstation computer with an operating system such as Windows XP, Windows Vista or Windows 7. Security Officers use SafeGuard LAN Crypt Administration to define and distribute encryption profiles. This figure shows how individual components interact with each other and how SafeGuard LAN Crypt is integrated in a corporate network.

[Figure: component overview. Labels: Keys, Certificates, Users, Groups, Rules; SQL database; storage of policy files and certificates (policy files, SO certificates (.cer), user key files (.p12), SO key files (.p12), log file for automatically generated passwords); import of certificates; import of user and group information from Active Directory, eDirectory or LDAP directory; reading the policy upon user logon]

1.4.1 SafeGuard LAN Crypt Administration
The administration components contain the tools required for the central administration of SafeGuard LAN Crypt and are used by one or more Security Officers. They are usually installed on one or more workstation computers running Windows XP, Windows Vista or Windows 7 as their operating system. They can also be installed on a Windows 2003 server system if you want to perform central administration tasks with Windows Terminal Services or Citrix MetaFrame. T
152. ormation on how to create the import file, see "Importing groups and users from a file" on page 68. Once you have selected an import source, click the Transfer button to display the URL to the source under Path. When you click OK, SafeGuard LAN Crypt displays the selected data in the top right-hand pane of the console. In this view you can display the selected data in a tree structure arranged in OUs, groups and users.

Only for LDAP Server: If the administration computer is not a member of a domain, use this procedure to import the groups and users from a server:
1. On the Server page in the Central Settings, enter the server's name and the user name and password.
2. For LDAP or SSL, specify whether the <Microsoft> or <Novell> implementation is in use.
3. In the Import Source input field, enter the address of the server from which the data is to be imported.

3.10.4 Preparing for transfer into the SafeGuard LAN Crypt Database
In the top right-hand console pane you can see the OUs, groups and users as stored in the import source. Here you can select which of these displayed OUs, groups or users are to be imported into the SafeGuard LAN Crypt Database. First move the selected objects into the bottom view pane, where you can then process them again.

Note: If you add an object node to the bottom view pane, this does not mean you have added it to the database. You can only
153. ow entries of a specified event: If you select this option, only the entries for the event you selected from the drop-down list are displayed. The list contains all events that can be logged.
- Only show entries of a specified Security Officer: If you select this option, you can select a Security Officer from the drop-down list. Then only those events which were logged while the specified Security Officer was logged on are displayed.
- Only show entries of a specified severity: If you select this option, you can select a particular level of severity, or a range of severity, for which entries should be displayed. "Is less or equal" and "is greater or equal" refer to the number before the severity level.
- Only show entries from a specified time interval: If you select this option, you can define a period of time in which the entries were logged.
- Only show entries that have a specified archive state: If you select this option, you can specify whether only archived entries or only not yet archived entries are displayed (entries that have already been archived remain in the database until they are deleted). If this option is not selected, both types of entries are displayed.
- Only show entries from a specified location: Select this option to specify a location from which entries are to be displayed. If you are using a distributed database, there may be several locations involved. The way in
154. ply to all users who are present in that group.

Note: Paths to zip files or compressed folders cannot be used as encryption paths.

Relative paths
SafeGuard LAN Crypt supports relative path definitions. A relative path definition specifies a path to a directory or a file that does not identify the disk drive involved or the next highest directory in the hierarchy. If you select a relative path definition, the system encrypts each directory that matches that path definition. You can use relative paths in two ways:
- Entry \my_data encrypts every my_data directory in the ROOT directories. EXAMPLE: C:\my_data, D:\my_data, Z:\my_data.
- Entry my_data encrypts EVERY my_data directory. EXAMPLE: C:\company\my_data, Z:\Departments\development\Team1\my_data.
In both cases all files in the my_data directory are encrypted. If a directory path begins with a backslash, the relative path definition only applies to root directories.

%USERNAME%
SafeGuard LAN Crypt supports the use of the local environment variable %USERNAME% in path definitions. The local environment variable %USERNAME% in a path definition is resolved automatically by SafeGuard LAN Crypt. If you also want other environment variables to be resolved, you must define this in SafeGuard LAN Crypt Configuration (see chapter "Resolve all environment variables").

Default directory
To facilitate the e
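The two relative-path forms above differ only by a leading backslash, yet one covers a directory under every drive root and the other covers every directory of that name at any depth. The following added example (not code from the manual or from the product) models both forms plus %USERNAME% resolution so a security officer can check which definitions would cover a given file before the rule is distributed; the matching logic, case folding and sample paths are assumptions constructed here.

```python
import ntpath  # Windows path semantics, usable on any host


def resolve_username(rule: str, username: str) -> str:
    """Resolve the local %USERNAME% variable, the only variable the manual
    says is resolved automatically; other variables need the Configuration
    setting and are left untouched here."""
    return rule.replace("%USERNAME%", username)


def _parts(p: str) -> list[str]:
    """Split a backslash path into lower-cased segments (Windows paths are
    case-insensitive; assumption that the product compares them that way)."""
    return [seg.lower() for seg in p.split("\\") if seg]


def rule_matches(rule: str, path: str, username: str = "user") -> bool:
    """Return True if the relative path definition `rule` covers file `path`.

    Constructed model of the two forms described on the page:
      '\\my_data' : a my_data directory directly under a drive root only
      'my_data'   : EVERY directory named my_data, at any depth
    Only files directly inside the matched directory count; subdirectories
    are not included unless a rule says so, which this model leaves out.
    """
    rule = resolve_username(rule, username)
    root_only = rule.startswith("\\")
    rule_parts = _parts(rule)
    _drive, rest = ntpath.splitdrive(path)          # drop 'C:' etc.
    dir_parts = _parts(ntpath.dirname(rest))        # directory of the file
    if not rule_parts or len(dir_parts) < len(rule_parts):
        return False
    if root_only:
        # exact match from the root: C:\my_data, D:\my_data, Z:\my_data
        return dir_parts == rule_parts
    # suffix match anywhere: ...\Departments\development\Team1\my_data
    return dir_parts[-len(rule_parts):] == rule_parts


def covered_by(rules: list[str], path: str, username: str = "user") -> list[str]:
    """All definitions in `rules` that cover `path`; lets an officer audit
    whether a broad 'my_data' rule widens coverage beyond '\\my_data'."""
    return [r for r in rules if rule_matches(r, path, username)]


if __name__ == "__main__":
    # Constructed sample definitions and client-side file paths.
    rules = [r"\my_data", "my_data", r"\Users\%USERNAME%\Documents"]
    for f in (r"C:\my_data\report.doc",
              r"Z:\Departments\development\Team1\my_data\plan.xls",
              r"C:\my_data\archive\old.doc",
              r"C:\Users\alice\Documents\notes.txt"):
        print(f, "->", covered_by(rules, f, username="alice"))
```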
155. ppear. For example, a Security Officer's rights may have been changed afterwards, or a Security Officer may have been deleted.

Notice: If you are informed that the required Security Officers are not available, and you specify that at least one additional Security Officer is required when defining the number of required Security Officers, and you confirm your setting with OK and close the dialog, the setting will nevertheless be adopted due to technical reasons. This will lead to a situation where actions requiring additional authorization can no longer be carried out, as the necessary Security Officers are not available. If this setting is specified for the "Change additional authorization settings" option, the settings in this dialog can no longer be modified. The setting can only be changed by generating a recovery key (see "Cancelling additional authorization"). A similar situation can be caused by deleting Security Officers, as the system does not check whether the required number of Security Officers for additional authorization is still available after deleting a Security Officer. SafeGuard LAN Crypt only ensures that a Master Security Officer exists in the system.

Providing additional authorization
If additional authorization has been specified for an action, the additional authorization wizard runs when that action is selected. This wizard prompts for authorization by at least one more Maste
156. process by creating an encryption rule for this purpose. In addition to these standard network file systems, you can also exclude specific devices by entering their device names. This may be useful if file systems from third-party suppliers are being used and you want to exclude them from the encryption process. Administrators can use tools such as OSR's Device Tree to display the names of file systems currently being used on the system.

Windows Vista
For Windows Vista only the option "Multiple UNC Provider (only Vista)" is available. Under Windows Vista the individual redirectors were replaced by the Multiple UNC Provider. As a result, it is no longer possible to exclude individual network file systems from encryption. Under Windows Vista either all network file systems can be excluded from encryption, or encryption can be enabled for all network file systems. If the option "Multiple UNC Provider (only Vista)" is used, network drives will not be encrypted. All remaining settings will be ignored under Windows Vista.

Programs with specific behavior when saving files
Some programs, e.g. Microsoft Office 2007, use a special approach when saving files. In this case problems may occur when opening an unencrypted file to which an encryption rule applies (for example, because no initial encryption has been performed) and saving the file again. Because the encryption rule applies to the file, it would have to be encrypted when it
157. product directory.

SafeGuard LAN Crypt 3.71 Client

Technical Support
You can find technical support for Sophos products in any of these ways:
- Visit the SophosTalk forum at http://community.sophos.com and search for other users who are experiencing the same problem.
- Visit the Sophos support knowledgebase at http://www.sophos.com/support.
- Download the product documentation at http://www.sophos.com/support/docs.
- Send an email to support@sophos.com, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.
158. propriate icon in the tool bar. In the next dialog you specify whether you generate and assign the certificates in this group only, in this group and all subgroups, or for selected users only.

For selected users only: This option is only displayed if one or more users are selected. When you click "Members and certificates of group" under the desired group node in the left-hand console pane, the members of the group are displayed in the right-hand console pane. Selecting the users works the same way as in Windows Explorer: select the users with the left-hand mouse button while pressing the SHIFT or CTRL key.

The system generates and assigns the certificates automatically. Click Finish to close the wizard.

Note: The key files (.p12) generated here and the public part of the Security Officer's certificate are saved in the directory specified in the central settings and must be made available to the users. To set this up in SafeGuard LAN Crypt Configuration, you specify the folder in which SafeGuard LAN Crypt is to search for a .p12 file for the user if the private key for the policy file is not present. The same applies to the public part of the Security Officer's certificate. The file names must match the user's logon name (Logon.p12) so that SafeGuard LAN Crypt can automatically recognize the user key files. When SafeGuard LAN Crypt finds the correct file, it displays a PIN dialog. You must send a PIN letter to tell the user this PIN wh
159. [Screenshot: permissions for SO "Utimaco Linz": Delete User, Add Group, Delete Subgroups, Move Groups, Change Properties, Delete Group, Create Profiles, Change ACL, Read. The numbering corresponds to the steps in the description. The Read permission is grayed out since it is an ar]

When a SO logs on with these settings in place, they see:

[Screenshot: SafeGuard LAN Crypt Administration console showing Central Settings, Groups (Utimaco, Linz, Development, Domänen Gruppe 1, Team Shared Components Linz, Quality Assurance) and Directory Objects; the message "There are no items to show in this view" is displayed]

Only the groups for which the SO has the Visible permission are displayed. These groups are grayed out because as yet the SO has no rights to process them. If both the Visible permission and the Read permission have been assigned to the SO at the same time, the system would also display the snap-ins for Encryption rules, Members and certificates for group, and Group keys under the groups. The SO can see the contents of the snap-ins but cannot change th
160. ption profile. As a result, the keys remain under central control. SafeGuard LAN Crypt recognizes two automatically generated key types: user keys and group keys. User keys are generated for individual users and can be used for generic encryption rules, such as the encryption of home directories or local or temporary folders. Each user has precisely one user key. If data protected by a user key has to be recovered in an emergency, the Security Officer must assign this specific key to another user. This type of recovery requires a special administrative permission and can be linked with a two-person rule (approval by a second person) to ensure that it is not misused. A similar concept is also available for user groups: this is the group key.

The policy files include all the rules, access rights and keys required for transparent encryption. Before a user is able to encrypt/decrypt data using the SafeGuard LAN Crypt software installed on the client workstation, they first need to access the encryption information stored in a policy file. In this situation the policy files are stored either on a file server or in a domain controller's Netlogon share.

1.4.2
Note: You do not need to install SafeGuard LAN Crypt components on file servers or domain controllers.

The policy file is protected against unauthorized access by a certificate. Only the owner of the certificate has access to the private key belong
161. r Security Officer. You can select the relevant Master Security Officer in a dialog. If SafeGuard LAN Crypt uses this Security Officer's certificate to authenticate them successfully, the required action can be performed. If several Security Officers have the same certificate, this certificate can only be used once in one authorization run. Any other SO to whom this certificate is assigned is removed from the list of SOs.

Note: The dialog in which you select a Security Officer has an option that allows you to restrict the display to SOs in one particular region. Security Officers who are not assigned to any region are always displayed in the list.

Cancelling additional authorization
An additional authorization for an action usually applies for the entire duration of one SafeGuard LAN Crypt Administration session. Click the Cancel authorization button in the Administration tool bar to delete the relevant information, so that an additional authorization is required the next time the action is performed in the same session.

Waiving additional authorization
If the configuration causes a situation where too few Security Officers are present to provide additional authorization for an action, you can use the recovery key to reset to 0 the number of Security Officers required to change the additional authorization settings. To do this, click Assign Certificate in the logon dialog. This runs a wizard that allows you to reset the number of addition
162. r this user the next time it resolves the policy file. However, if it displays a warning for another user, it still displays the user that has already been ignored, for your information.
- Always skip users that have no valid certificate assigned: If you select this option, the system always ignores users without a certificate. This is a global option that applies not only to the users displayed in the list. To reset this option, select "Always skip users that have no valid certificate assigned" in the Certificates tab in Central settings.

When you click OK, SafeGuard LAN Crypt groups the individual encryption profiles and saves the policy files in the path specified in Central settings.

3.18.2 Selected provision via the Certificate snap-in
You can also use the Certificate snap-in to provide policy files. You can access it under the "Members and certificates for groups" node and under each group node. If you use the Certificate snap-in to generate policy files, you can also use these additional functions:
- Select users to whom a certificate is to be assigned. You do not have to generate new policy files for all users. As in Windows Explorer, you can select several users at the same time (mouse click with SHIFT or Ctrl).
- The Security Officer immediately sees which users are present in the group.
- The system displays certificate icons next to the user name to show the certificate's status
163. ration.
- The name of the executable of the software performing the scan.
Enable the Use Authenticode Verification option.

Note: We strongly recommend using an Authenticode-signed virus scanner, specifying that scanner here and enabling Authenticode verification. Only this verification ensures that the executable is truly the required executable of the virus scanner, and thus that only trustworthy applications have access to the SafeGuard LAN Crypt keys.

After clicking OK, the antivirus software is displayed in the list. You can add further virus scanners.

3.6 Displaying all SafeGuard LAN Crypt keys
By selecting the "All SafeGuard LAN Crypt keys" node, you can display an overview of all the keys that are currently being managed by SafeGuard LAN Crypt. You can view the following information here:
- Long key name
- The algorithm used for the key
- Tells you if the key is active
- The person who generated the key (generator)
- Tells you if the key should be inherited
- Tells you for which group the key was generated
- Tells you if the key is in use
- Comment field
Click a column header to sort the table contents in ascending or descending sequence to find the information you require.

3.6.1 Finding keys
In addition to sorting key information, you can also search for a particular key. To do this, right-click the "Display all SafeGuard LAN Crypt keys" tab and then select Find key from the context menu.

Note: The Find key function
164. [Screenshot: Recovery Key Wizard, Part 1, with the Back, Cancel and Help buttons]

For each part of the key, the Wizard displays a dialog in which you can specify whether the partial key is saved in a file or displayed on screen so you can write it down. Once all parts have been processed, the Wizard closes. On the Recovery Key page, next to Default Recovery Key, you can see how many parts the key contains (in our example 3) and how many of these parts are necessary when they are used (in our example 2).

Note: When you generate and distribute the parts of the recovery key, remember that they involve extremely sensitive data. It is essential that you protect the Recovery Key against unauthorized access.

Notice: You can only ever use the most recently generated recovery key. Previously generated recovery keys are no longer valid and cannot be used to assign a certificate.

Using the recovery key
If it is no longer possible to log on to the database, e.g. because a certificate has expired, click Assign certificate in the logon dialog to start the Recovery Key Wizard. If a dialog informs you that the certificate cannot be used after you have selected a Security Officer, you can start the wizard from there. Follow the instructions on the screen. This wizard contains a dialog in which you can reset to 0 the number of Security Officers needed
165. rd LAN Crypt. E-Mail Address and Comments are optional. Click Next. Note: The e-mail address is added to the password log file for certificates generated by SafeGuard LAN Crypt. It can, for example, be used to create a PIN letter via e-mail. In the Wizard's second dialog, specify the storage locations for: generated certificates and key files (.p12); generated Security Officer certificates; and the log file for the automatically generated passwords of generated key files. Storage location for generated certificates and key files: If necessary, SafeGuard LAN Crypt can also generate self-signed certificates. These certificates (.p12 files) are generated when the certificates are assigned to users. Specify the location at which these files are to be saved here. The public part of the Security Officer's certificate (.cer), which is used to secure the administration database, is also saved here. The key files (.p12) and the public part of the Security Officer's certificate must be made available to the users. To do this, in SafeGuard LAN Crypt Configuration specify the folder in which SafeGuard LAN Crypt is to search for a .p12 file for the user if the private key for the policy file is not present. The same applies to the public part of the Security Officer's certificate. If SafeGuard LAN Crypt finds an appropriate .cer file that contains the public part of the Secur
166. reateTables.exe you can adjust the structure of the tables in your SafeGuard LAN Crypt database. The tool is available in the Install directory of your installation CD. Command line syntax: CreateTables <ODBCName creatorname> <SQL dialect> <action>. CreateTables.exe offers the following parameters for creating tables in other configurations. ODBCname: The name used for the ODBC data source. Creatorname: For the database to be addressed correctly, the database creator has to be specified for Oracle databases. The creator has to be specified in CAPITALS. SQL dialect: m (Microsoft SQL Server), o8 (Oracle 8), o9 (Oracle 9 or higher). Actions: u (update of the database structure). Example 1: CreateTables SGLCSQLServer m u. Example 2: CreateTables SGLCSQLServer SGLC o9 u. Server logon credentials: For importing the groups and users from a server, SafeGuard LAN Crypt needs the logon credentials for this server. Server logon has been enhanced for this version. After the upgrade, the logon credentials have to be entered again under Central settings on the Server page. If you use a Microsoft directory service, do as follows: enter the domain name under Domain or Server Name; enter the User Name as user name@domain name. Uninstallation: Note: You can only uninstall SafeGuard LAN Crypt if you have Windows Adm
167. red certificate. Then click OK and the system assigns the certificate to the user. The imported certificate is automatically imported into the certificate store called Other people. Note: Only certificate files whose format is .cer, .crt or .der can be imported; .p12 or .pfx files cannot be imported. Add: Opens a dialog in which you can assign an existing certificate to a user. In this dialog you see a list of all the certificates present in the certificate store. Assigning Certificates using an LDAP source: SafeGuard LAN Crypt allows you to assign certificates from an LDAP source. To do this, select LDAP from the drop-down list in the Choose a certificate dialog. [Screenshot: Choose a certificate dialog, source LDAP, with an LDAP URL (novell_50, ou=Test_Unit_1, o=Netware_50) and a Subject / Valid from / Valid To list showing the OUs Sub_OU_1 and Sub_OU_2 and several SafeGuard LAN Crypt certificates]. An edit field appears in which you can enter the URL of the LDAP source. After you click Refresh, the content of the LDAP source is displayed. Terms in square brackets, e.g. [Sub_OU_1], represent the OUs in the LDAP source. To display an OU's certificates, simply double-click it. Dou
168. ring this option, users cannot change it in the Initial Encryption Wizard. Users can only configure this option themselves in the Initial Encryption Wizard if it has been set to not configured here. Note: You can set an option to not configured by selecting it and clicking Delete in its context menu (right-click). In the Configured column, no will be displayed beside the relevant option. 4.1.15 EFS Decrypt Files: This setting enables the Initial Encryption Wizard to process EFS-encrypted files. If you set the EFS Decrypt Files option to yes, the wizard decrypts EFS-encrypted files and encrypts them again if a SafeGuard LAN Crypt encryption rule applies. If you set the EFS Decrypt Files option to no, the Initial Encryption Wizard will ignore EFS-encrypted files. They will not be re-encrypted by SafeGuard LAN Crypt even if an encryption rule has been specified for them. After configuring this option, users cannot change it in the Initial Encryption Wizard. Users can only configure this option themselves in the Initial Encryption Wizard if it has been set to not configured here. Note: You can set an option to not configured by selecting it and clicking Delete in its context menu (right-click). In the Configured column, no will be displayed beside the relevant option. 4.1.16 Profile Update Interval: This setting defines how often SafeGuard LAN Crypt checks for new policy files and updates t
169. rmat is used. This change becomes effective the next time the encryption rules are resolved. The Server tab: To import groups and users from a server, SafeGuard LAN Crypt requires the logon information for that server. You must enter this information in the Server tab. Click Add to open another dialog which has three tabs: Details, Preferences and Certificates. Server details, Password logon: 1. Enter the Domain or Server Name, User Name and the appropriate Password. To prevent duplicate entries, please also enter an alternative name as an Alias for the server in case several names can be used to access the same server. Note: If you use a Microsoft directory service, do as follows: enter the domain name under Domain or Server Name; enter the user name as user name@domain. Note: The user name must be entered in LDAP syntax (canonical name) to import objects from a non-Microsoft directory service, e.g. Novell eDirectory. Example: cn=admin,O=techops. 2. You can either use LDAP only or LDAP with SSL for accessing the server. a. To use LDAP only: Select Password (LDAP) and select the API you intend to use, <Microsoft> or <other>, from the drop-down list under LDAP. The placeholder <other> stands for all non-Microsoft APIs. b. To use LDAP with SSL: Select Password (LDAP with SSL) and select the API you intend to use, <Microsoft> or <other>, from the drop
170. rmission is assigned to be deleted. Change Global Permissions: Allows changes to the global permissions of the SO to whom the owner of the permission is assigned. Change ACL: Allows changes to the global rights of the ACL to whom the owner of the right is assigned. Permissions and description: Read: Displays the SO to whom the owner of the permission is assigned in Central settings, Security Officer Administration. This is the prerequisite for all rights that allow this SO to be processed. This is set automatically when a right of that type is selected. You can also grant the Permissions Change Certificate, Assign Configuration and Read to the SO whose properties are defined here. Before this can happen, that SO must be present in the list of SOs that have rights for this object (in this case that particular SO). [Screenshot: SO Linz Properties dialog, Security tab (tabs General, Advanced, Global Permissions, Security), showing the permissions assigned to Security Officers on this object; Permissions for SO Linz: Change Name, Change Certificate, Change Region, Assign Configuration, Delete SO, Change Global Permissions, Change ACL, Read]. Read: Displays the SO specified in Central Settings, Security Officer Administration. The SO can see the permissions that have been given to them. Change Certificate: T
171. rocess. Click Next. The License Agreement dialog is displayed. Select I accept the license agreement in the License Agreement dialog. If you do not do this, you will not be able to install SafeGuard LAN Crypt. Click Next. The Destination Folder dialog appears. Select where you want to install SafeGuard LAN Crypt. Click Next. The Select Installation Type dialog is displayed. In this dialog you can select which SafeGuard LAN Crypt components are to be installed. Select Custom and then click Next. The following components can be installed: MMC Snap-in for SGUTI: Installs the MMC snap-in to configure the token support. Note: If you use the SGUTI component, you must also set the security level to high for the private key. We recommend that you set this option to high before starting SafeGuard LAN Crypt Administration for the first time. If you do not do this, the initial Master Security Officer's certificate is used without security level high when it is created by SafeGuard LAN Crypt (and not, for example, imported from a smartcard). User Settings / Computer Settings: Installs the SafeGuard LAN Crypt Administration component. The SafeGuard LAN Crypt Administration component includes the User Settings, which should be defined by a security officer, and Computer Settings, which should be defined by the Windows system administrator. These two administration components should be installed on different computers and ther
172. rowse [Screenshot: New Security Officer dialog with Browse and Details buttons, an optional Signature Certificate field, the selected Master Security Officer certificate, Region LINZ and Configuration <Default Configuration>]. 3. Now in the dialog specify whether the new Security Officer is to be granted the rights for a Master Security Officer. A Master Security Officer always has all existing global rights. Click the Browse button to select an existing certificate or have one generated by SafeGuard LAN Crypt. Assigning Certificates using an LDAP source: SafeGuard LAN Crypt allows certificates to be assigned from a Novell eDirectory LDAP source. To do so, select LDAP from the drop-down list in the Choose a certificate dialog. [Screenshot: Choose a certificate dialog, source LDAP, with an LDAP URL (novell_50, ou=Test_Unit_1, o=Netware_50), a Refresh button and a Subject / Valid from / Valid To list showing the OUs Sub_OU_1 and Sub_OU_2 and several SafeGuard LAN Crypt certificates]. An edit field is displayed in which you can enter the URL of the LDAP source. After you click Refresh, the content of the LDAP source is
173. rypt Administration component. Note: This setting is only available when group policies are used. Group policies: After you have added the Group policy snap-in to the Management Console, you will see the setting Private Key Option under Computer Configuration, Windows Settings, SafeGuard Universal Token Interface. Select this option if you want to use medium or high security for the private key belonging to the certificates. If this option is not activated, the security level low is automatically used for the imported certificates. In this way you can ensure that certificates with a high security level are compulsory and can be implemented within a company-wide security policy. Note: If the highest security level is being used, SafeGuard LAN Crypt users must enter the password for the private key once at the Windows logon prompt and again manually each time an encryption rule is loaded. Smartcard: If certificates stored on smartcards are used, the password only has to be entered once. As long as the smartcard remains in the card reader, there is no need to enter the password again. Notice: We recommend that you set this option to high before starting SafeGuard LAN Crypt Administration for the first time. If not, the initial Master Security Officer's certificate is used without security level high when it is created by SafeGuard LAN Crypt (and not, for example, import
174. service, you can select the one which defines the user's logon name. Select <other> to specify another directory service attribute that contains the logon name. Notice: If the name in the attribute contains the character, SafeGuard LAN Crypt cuts off the name at this point. This may cause problems, for example if e-mail addresses are used. Attribute for E-Mail Address: This attribute is added to self-generated certificates. Attribute for comment: Like the e-mail address, this attribute can be used to identify user objects. This is especially useful if the user name and the logon name cannot be used by the wizard to identify objects when certificates are being assigned. At this point you can enter the name of the attribute that the wizard is to use to identify the correct user when certificates are being assigned. Note: If empty attributes are imported during synchronisation, for example because an attribute was deleted in the AD, SafeGuard LAN Crypt comments are not affected. Existing entries are maintained. New attribute contents overwrite existing comments. If you select <Standard>, comments are not imported. Certificates: On the Certificates tab, specify whether the certificates that were assigned to the user in the LDAP directory are to be transferred when the user is imported into the SafeGuard LAN Crypt database. You then no longer need to assign certificates for these users in the SafeGuard LAN Crypt A
175. st are transferred to the current group. New: Opens a dialog in which you can create a new user. Delete: Deletes the selected user (their membership) from the current group. A user is only deleted from the SafeGuard LAN Crypt database if they are not a member of any other group. If a user is deleted from their parent group in this way, they are deleted completely, including all group memberships, from the system. This process is the same as in Active Directory and Novell. Properties: Displays the properties of the selected user. Note: A user can only exist once in a particular container. If you try to create or add a user in a container in which they are already present, a message is displayed informing you that this is not possible. However, more than one user with the same name can be present in the system as long as they are not in the same container. 3.12.4 Adding SOs: On the Security tab an SO can also add SOs to the current group and assign them rights to the group. The prerequisite for this action is that the SO who wants to add another SO has the Change ACL permission. Note: If the SO adds SOs to the group, the SO can assign their own permissions, and only those permissions, to those SOs. An SO cannot add themselves to an ACL or edit their own rights in an ACL. 3.13 Properties of users: The Properties dialog for a user (<user>, Context menu, Properties) consists of four tabs i
176. stration [Figure: example deployment showing the Administration with Central Settings (Storage location for generated certificates and keyfiles: Company_DC Certificates; Storage location for generated policy files: Company_DC Policies), the domain controller Company_DC with the Policies and Certificates shares, and the SGLC Client with Security Officer Certificate Client Location: Company_DC Certificates]. SafeGuard LAN Crypt clients do not need to connect to the SafeGuard LAN Crypt database. The information required for finding certificates (.p12 files) and policy files can be found at logon in group policies. These files are then automatically transferred to the clients. To import a certificate, a user must have a password. In the case of certificates generated by SafeGuard LAN Crypt, the p12pwlog.csv file contains the passwords and can be used, for example, to create a PIN letter. 3.1 Required steps: Preparations: optionally install the supplied database system; add data source (ODBC); create database tables (CreateTables.exe). System Administrator: define settings in the SafeGuard LAN Crypt Configuration console. Create initial Master Security Officer: define storage locations for certificates and key files generated by SafeGuard LAN Crypt. Notice: The user certificates (.p12 files) and the public part of the Security Officer's certificate are imported from
177. t. No: The key is not inherited and is therefore only available in the current group. Once: The key is inherited in the group(s) in the next hierarchy level below the current group. Yes: The key is inherited in all groups in the hierarchy levels below the current group and is available there for generating encryption rules. 6. Enter a comment for this key in the next input field. 7. If necessary, click the Enter key GUID manually in 88888888-4444-4444-4444 format check box and enter the GUID you require (this is only possible if the Security officers can define the GUID for new keys option is active in Central settings). The predefined GUID 88888888-4444-4444-4444-CCCCCCCCCCCC cannot simply be accepted for use here. You must change it in every case. 8. Enter a hexadecimal value (letters A-F, numbers 0-9) or a character string in the ANSI input field for the key value. The other associated value is updated automatically. Alternatively, click Random (recommended) to have SafeGuard LAN Crypt calculate a value. 9. Click OK. The new key is displayed in the Administration Console. 3.15.1 Specific keys: In addition to generating keys manually, user- and group-specific keys can also be used in SafeGuard LAN Crypt. When keys are assigned to encryption paths, one <USERKEY> key is also always displayed in the list of keys. This is a placeholder for a user-specific key which the system generates automatically for each indi
178. t Assign Certificate and the corresponding group-specific rights. Use user- or group-specific keys: Requires the global right Use specific keys. Administer Groups: Requires the global right Change Groups and the corresponding group-specific rights. Administer Users: Requires the global right Change Users and the corresponding group-specific rights. Manage Logging: Requires the global rights Read Logging Entries and Manage Logging. Generating rules: Requires the global Generate rule right along with the corresponding group-specific right. Generating keys: Requires the global Create key right along with the corresponding group-specific right. Generating profiles: Requires the global Generate profiles right as well as the corresponding group-specific right. If an additional authorization is necessary for one of these actions, you must specify how many Security Officers are required for that action. To do this, select that action. When you double-click the selected action, a dialog opens in which you can specify how many Security Officers are required. When you click OK, SafeGuard LAN Crypt updates the list on the Additional Authorization tab. A message is displayed if the system recognizes that the required number of Security Officers is not available. Note: The system cannot precisely find out how many Security Officers are actually available. The number you require may not actually be available even though the message does not a
179. tes for group in the relevant group node. In the right-hand console pane you see a list of all users. 2. Double-click a user, or right-click the user and then click Properties in the context menu. You see the Properties dialog. [Screenshot: user Properties dialog, Certificates tab (tabs Certificates, Groups, Details): Change the assigned certificates for this user, with a Subject / Valid from / Valid To list and the note Assign or remove certificates to be used to encrypt administrative data]. 3. In this dialog you select one of the following options to assign one or more certificates to the user: New: Click New if you want SafeGuard LAN Crypt to generate a new certificate for the user. If no certificates are available, the SafeGuard LAN Crypt Administration Console can even generate certificates itself. However, only SafeGuard LAN Crypt should use these certificates. The certificate it generates is saved as a PKCS #12 file in the default directory. Note: Any certificate generated in this way must then be distributed to the appropriate user. Otherwise the user will not be able to access their encryption profiles. Import: If the certificate you require is not yet present in the certificate store, it does not appear in the list of available certificates. In this case, click Import. The system opens a dialog in which you can select the requi
180. the C and D drives until the user's encryption profile is loaded. Even if you use SafeGuard LAN Crypt on a terminal server, you can speed up performance by using the Default Ignore Rules setting. If, for example, several users are working on the same terminal server but only one of them uses SafeGuard LAN Crypt, you can tell the driver to ignore all the other users' sessions. Because no encryption profile has been loaded for them, only the Default Ignore Rules apply to them. Security Officer Certificate Client Location: To specify the storage location, select Client Settings and in the right-hand console pane double-click Security Officer Certificate Client Location. After you specify a path, SafeGuard LAN Crypt automatically attempts to import the Security Officer certificate from this directory if the certificate for the relevant user policy file is not present. As a result, it imports all .cer files from the directory you have specified. Keyfile Client Location: To specify the storage location, select Client Settings and in the right-hand console pane double-click Keyfile Client Location. After you specify a path, SafeGuard LAN Crypt automatically attempts to import a .p12 key file for the user if the private key for the policy file is not present. This file must be called user_logon name.p12 so that the system can recognize that it belongs to that particular user. The two paths described above are not default settings, i.e.
181. the SO to whom the owner of the permission is assigned. Change Certificate: Allows changes to the certificate of the SO to whom the owner of the right is assigned. Change Region: Allows changes to the region prefix of the SO to whom the owner of the right is assigned. Assign Configuration: Allows changes to the configuration of the SO to whom the owner of the right is assigned. Delete SO: Allows the SO to whom the owner of the permission is assigned to be deleted. Change Global Permissions: Allows changes to the global permissions of the SO to whom the owner of the permission is assigned. Change ACL: Allows changes to the global rights of the ACL to whom the owner of the right is assigned. Read: Displays the SO to whom the owner of the permission is assigned in Central settings, Security Officer Administration. This is the prerequisite for all rights that allow the processing of this SO. It is set automatically if a right of that type is selected. 6.3.3 SO permissions for processing the groups. Permissions and description: Create Key: The SO can generate keys in the group. Copy Keys: The SO can copy keys. Delete Key: The SO can delete keys. Create Rules: The SO can generate encryption rules for the users. Assign Certificates: The SO can assign certificates to the users. The SO can run the wizard for assigning certificates. Add User: The
182. the database. Note: If a complex structure is involved, complete synchronization may take a long time. Synchronize only visible entries: Refers to the selection in the bottom right-hand pane in the Administration Console. Recalculate all relationships: If you select this option, the system recalculates all memberships according to their import source and adds them to the database again. Memberships are even added if they have been switched off in the display in the bottom right-hand console pane (the Calculate memberships option in the transfer settings has been switched off). Use visible relationships: If you select this option, only the relations displayed in the bottom right-hand console pane are added to the database. Hidden memberships are not added to the database (Calculate memberships is deactivated in the transfer settings). Note: If this option is used during synchronization and memberships for objects present in the database are not displayed in the bottom right-hand console pane, any memberships present in the database are deleted. When you select an option and click OK, the system displays a dialog that documents synchronization. You must confirm the changes in this dialog. [Screenshot: Transfer changes dialog listing All entries, Deleted objects, New relationships in the directory and Old relationships in the database, with an Object / Object / Action table]
183. this directory by the Clients. A directory that has been defined together with the System Administrator should therefore already be available (network share): for SO certificates generated by SafeGuard LAN Crypt; for the password log file, which contains the passwords that were automatically generated for the key files. Define central core settings: Here you define where the policy files generated for users are to be stored. Work together with the System Administrator to do this. Note: If you are using an Oracle database and access the database from Administration Consoles on different machines, you should now also specify the code page settings (see The Database tab on page 52). Create additional Master Security Officers. Define rights for Security Officers. Import objects (Organizational Units, groups, users) from the directory service, e.g. Active Directory. Assign Security Officers to the organizational units and define their rights. Create keys. Create encryption rules. Generate or assign certificates. Generate policy files. 3.2.1 Preparations for administering SafeGuard LAN Crypt: After installation you must work through the following steps before you can start administering SafeGuard LAN Crypt. Optional: install database management system. This is only necessary if your database system does not include a database you want to use for administeri
184. this option is selected, the system opens the list of certificates after it has been generated. You can now edit this list. You can replace the placeholder with the user name in the relevant certificates. When you save the list, the system uses the edited version to assign certificates. Click Next and then specify how SafeGuard LAN Crypt is to handle existing assignments. Disable the Do not overwrite existing assignments option if the system is to ignore an existing assignment. Click Next to start the wizard and automatically assign the certificates. 3.18 Providing encryption rules (generating policy files): SafeGuard LAN Crypt saves every profile that has been generated or changed in its Administration Database. Here they do not yet have any effect on individual users. To resolve individual profiles and generate the policy files, a SafeGuard LAN Crypt Security Officer must run the SafeGuard LAN Crypt Profile Resolver. This generates policy files for each user in accordance with the settings made in the Administration Console. You can use standard Windows tools to assign policy files to customers. The next time a user logs on, the system loads the new encryption profile. Note: Please note that you must always generate new policy files after you change settings in the SafeGuard LAN Crypt Administration console, add new keys or add new rules. The changes become effective for users aft
185. to change the settings for additional authorization. This ensures that no situation can arise in which additional authorization is no longer possible because there are no Security Officers who can perform it. [Screenshot: Recovery Key Wizard final page: All required steps successfully carried out. You can now reset the number of additional Security Officers required to change settings for additional authorization to 0; check box Reset protection for Additional Authorization Settings]. If you activate this option, a single Security Officer can change the settings for additional authorization afterwards. 3.5.11 The Database tab: Note: This setting is only necessary if you use an Oracle database which is accessed over Administration Consoles on different machines. The setting can only be made by a Master Security Officer. Oracle's National Language Support (NLS) converts text for the user so that it is always displayed in the same way no matter which character set is used, even if the characters' numeric encoding differs because of the different character sets (example: WE8MSWIN1252 FC00, AL16UTF16 7C00). If text is added to the database and extracted using a different character set, this could lead to errors when calculating the checksum (MAC): if, for example, characters were converted to binary, the binary data would cause problems for the MAC.
186. tool bar, or right-click in the right-hand console pane to display the context menu and then click New key in this menu. [Screenshot: New key dialog with the fields Enter a name for the key, Choose an algorithm for the key, Internal name of the key (up to sixteen characters), This key can be inherited, a comment field, Enter the keyvalue as text or click on the button to generate a random value (Random), Or enter the keyvalue as a hexadecimal value, and Display keyvalue]. 3. Enter a name for the new key in the top input field. Backslashes, slashes, inverted commas and the & character are not allowed in key names. SafeGuard LAN Crypt generates a unique 16-character key name from this name that is used for internal purposes. It also puts the region prefix, if it was specified in the Security Officer properties, at the start of this unique name. The internal name is displayed on the right next to the drop-down list from which you select the algorithm. You can change the key name at a later point in time, but not the internal name that was generated from it. 4. Select an encryption algorithm from the drop-down list: AES, AES256, DES, 3DES, IDEA, XOR. Here you can only see the algorithms that you have made available in the Central settings. 5. Specify whether the key can be inherited in the group or no
187. u require for it. Allow Encrypt/Decrypt: Any user of SafeGuard LAN Crypt can encrypt or decrypt files by selecting a menu item in the context menu for those files. This means that users can even encrypt files for which no rule has been defined. If you want to prevent this, you can specify here that this option is not displayed in the context menu for those files. Allow Encrypt/Decrypt: no prevents files for which no encryption rule has been defined from being encrypted or decrypted via their context menu. Ignore during Certificate Verification: In SafeGuard LAN Crypt you can specify whether any errors found when checking user certificates are to be ignored. This procedure is useful if the validity period of a certificate has expired and no new certificate is yet available. To ensure that a user can continue to access their encryption profile, the period-of-validity check can be ignored until a new certificate is issued. As a result, the same certificate, which has actually expired, can still be used. Once a new certificate is available, you can cancel Ignore time invalidity again. Note: Ignoring errors that occur during certificate checks always means a reduction in security. Ignore certificate revoked: If a certificate is on a Certificate Revocation List which is evaluated during logon, it may not actually be used for logging on. Nevertheless, a user can continue to acc
188. ust be specified in Client Settings before you can use it to log on.
Note: This setting affects the way in which profiles are deleted in the SafeGuard LAN Crypt Administration Console. The process for deleting profiles is similar to the one for creating profiles. If the Novell name is to be used here, two policy files are created; both profiles are deleted if this setting is not changed (deleting means generating empty policy files). If this setting is changed at runtime, the situation may arise that, although two policy files have been created, only the one with the Windows user name is deleted: because the setting here has been changed to Use Novell Name = no, only the policy file with the Windows user name is deleted. The Novell policy file remains in the defined storage location and theoretically can be used for logging on. The system acts in a similar way if Compress policy files is activated; in this case up to four policy files are generated for each user. Please keep this in mind and, if necessary, coordinate with the system administrator.
Compress policy files: Note: This feature can only be used if SafeGuard LAN Crypt version 3.12.1 or higher is installed on the client machines. SafeGuard LAN Crypt is able to generate compressed policy files. A non-compressed policy file is 256 kB in size. The generated compressed policy files are automatically extracted on the client machines.
189. ve it in the same folder as the POL files. Note: If the user who is assigning certificates has no file-system right to change the password log file, SafeGuard LAN Crypt will not be able to generate certificates. Click Next.
(Dialog: Master Security Officer Wizard, Step 3/4, Validity of certificates: Validity time for newly created certificates: 2 years; Certificate that will be used to secure data for this Security Officer: CN=Master Security Officer UTIMACO, OU=SafeGuard LAN Crypt Certificate, E=mso@utimaco.com; Browse; Details; Cancel; Help.)
Certificate validity: In the Wizard's third dialog, specify the period of validity for the certificates generated by SafeGuard LAN Crypt, and assign an existing certificate or one generated by SafeGuard LAN Crypt to the Security Officer. If you use a certificate generated by SafeGuard LAN Crypt, it is valid for the specified period. All certificates generated after this one also have this period of validity.
The initial Security Officer's certificate: You must select an encryption certificate that will be used to secure the Security Officer's data. Alternatively, you can also select a signature certificate that the Security Officer can use to authenticate themselves to SafeGuard LAN Crypt Administration. If you do not specify a signature certificate, the encryption certificate will also be used as a means of
190. vidual user when it resolves the encryption rules.
<GROUPKEY>: You can use <GROUPKEY> in a similar way to <USERKEY> to generate a common key for all members of a group. The system generates the group key automatically when it resolves the encryption rules.
Example: An example of how <USERKEY> could be used is if all users use one network drive, U, which contains one directory per user, and only the appropriate user can access that directory. The encryption rule used to specify this would look like this: U <USERKEY>. Another example would be to use <USERKEY> to encrypt local temporary directories.
User- and group-specific keys do not appear in the default view under Central Settings, All SafeGuard LAN Crypt keys, since they usually are not needed. However, if necessary, a Master Security Officer can display these keys so that the data for them becomes visible. If required, the values of these specific keys can also be displayed in the Properties dialog (context menu, Properties of the respective keys). To display these specific keys, click Show Specific Keys in the context menu of the key list. Now only these specific keys are displayed. To return to the default view, click Show Specific Keys again. Note: Specific keys are not removed from the database when the user or group they belong to is deleted. They remain in the database and
191. w in the list.
3.5.4 Resolving rules
3.5.5 Skip users that have no valid certificate when resolving
In this section, cancellation means ignoring when referring to rules. Select this option if you want the system to ignore users to whom no certificate has been assigned when generating policy files. As a result, no policy files are generated for these users. Note: If a user is created, this option is selected and no certificate has yet been assigned to the user, the system does not display a warning if it is unable to create policy files for this user when resolving (applying) the encryption rules.
Use existing encryption format until this date: This setting is important when the new version of SafeGuard LAN Crypt is rolled out. If this option is selected, it ensures that older clients can also still access files that have been encrypted with this version of SafeGuard LAN Crypt, e.g. on shared network drives. You must specify the date until which the old format is used to encrypt files. After this date, or if the option is deselected, the files are written using the new encryption format. Any changes to this option are only effective on the clients after new profiles have been generated and distributed. After all clients have been updated, we recommend that you perform initial encryption with the initial encryption tool to ensure that only the new SafeGuard LAN Crypt encryption fo
192. ware that it will take several minutes to display all the users and certificates in larger installations. You must then restart SafeGuard LAN Crypt Administration so that the changes you made in the Show Selected users and certificates option become effective.
(Screenshot: SafeGuard LAN Crypt Administration console tree: Central Settings; All SafeGuard LAN Crypt keys; Selected users and certificates; Security Officer Administration; Logging.)
- Show parents of users: displays a particular user's parent group under the node Members and certificates for group. This enables you to see at a glance whether the SafeGuard LAN Crypt database contains any users that are not assigned to any group. You must then restart SafeGuard LAN Crypt Administration so that the changes you made in the Display user parent option become effective.
(Screenshot: user list with columns Assigned, Subject, OU and assignment date.)
- Disable caching of user lists: To improve performance, SafeGuard LAN Crypt usually creates user lists in the background and also continues creating them when a user toggles to a different node in Administration. The results of these lists are buffered so that no database access is required when the list is called again. This saves a lot of time if large lists are involved. However, in environments with several
193. whether files in directories of this kind are encrypted or not. You cannot access encrypted data. SafeGuard LAN Crypt simply ignores files in directories for which the Ignore path option has been selected; SafeGuard LAN Crypt does not check them, and users can access encrypted files. This option is primarily used for files that are accessed very frequently and that there is no particular reason to encrypt. This improves system performance.
4. Select a key from the list. Note: In the default view only the placeholders for <USERKEY> and <GROUPKEY> and the keys created by an SO are displayed. Using the option Display specific keys you can display the specific keys. Using the option Display keys you can display the keys you created yourself. Encryption path and key form a SafeGuard LAN Crypt encryption rule. The encryption rules you define for the user/group in total form the user's/group's encryption profile.
<USERKEY>: One <USERKEY> key is also always included in the key list. This is a placeholder for a user-specific key which the system generates automatically for each individual user when it resolves the encryption rules.
<GROUPKEY>: In the same way as for <USERKEY>, you can use <GROUPKEY> to generate a common key for all members of the group. Note: When you use <USERKEY>, ensure that only the user to whom this key has been assigned accesses the data. Other users cannot decrypt this data. Exa
194. which the database is replicated determines which locations can be displayed.
3.19.5 Archiving, deleting, checking entries
Note: A Security Officer needs the global permission Manage Logging before they can archive, delete and check entries. A Security Officer who has the global permission Manage Logging can archive, delete and check logged entries. Click Archive, delete and check entries in the Logging node's context menu, or click the symbol in the task bar, to launch a wizard for carrying out these tasks. (Toolbar icon: Launches the wizard to archive, delete and check logged entries.)
(Dialog: Manage Logging Wizard, Step 1/5: This wizard will guide you through operations to manage the SafeGuard LAN Crypt logging database. Options: Archive entries; Delete entries; Check integrity.)
Archiving entries: To archive entries, select Archive entries and click Next. In the next dialog enter:
- Date and time of the last entry that is to be archived. All entries from that time to the present will be archived.
- The location (if available) to which entries should be archived.
- The name of the file the entries should be written to.
Click Next. In the next dialog you can see how many entries have been selected. Click Next. When all the entries have been archived, the wizard's last dialog is displayed. Click Finish to close the wizard. Entries that have already been
195. ws
1. In the INSTALL directory of your installation CD, double-click the file SQLEXPR.EXE.
2. Accept the license agreement and click Next.
3. The installation files are extracted and the installation wizard starts.
4. Follow the installation wizard instructions and accept all defaults.
Defaults: The following descriptions of preparatory steps refer to these defaults. If you make any changes (authentication method, database instance), you have to take them into account when specifying the data source and creating the database tables.
Database authentication: By default the Express Edition uses Windows authentication. A prerequisite for using Windows authentication is that the user who logs on to the database has Windows administrator rights.
Master database: By default the existing master database is used when specifying the data source. You can create a separate database for SafeGuard LAN Crypt and specify it when adding the data source. In the next step a data source has to be specified so that SafeGuard LAN Crypt can use the database system.
Adding a data source (ODBC): Specify a data source so that SafeGuard LAN Crypt can use the database via the data management system. To do so, use the ODBC data source administrator. ODBC (Open Database Connectivity) allows data to be accessed on a wide variety of database management systems. For example, if
196. y Officer. To change or delete an existing region, select it and then click Edit or Delete. Note: You can only delete a region if it is not assigned to a Security Officer.
The Configurations tab: On this tab you can generate particular configuration records for the individual regions and then assign them to a Security Officer. The configuration records contain all the details that can be entered on the Directories tab:
- the storage location for generated policy files
- the storage location for generated certificates and key files
- the storage location for generated Security Officer certificates
- the storage location and name of the password log file
The configuration records are always assigned to an existing region. Usually, an SO assigned to a region can only ever use the configuration records that have been generated for this region. The exception is the <STANDARD KONFIGURATION> configuration record, which can be used in every region. By using one particular configuration for one organizational unit (region), you easily ensure that the correct paths can be set for one or more Security Officers and that all SOs always use the same paths to save the generated files. Changes on the Directories tab are always saved in the currently assigned configuration record. Note: The global right Change Configuration specifies whether an SO is permitted to change their own configuration settings. If an SO does not have this right, they can
197. y files for each user. One file has the Novell logon name and the other has the Windows user name. The contents of these files are identical. If you log on to a Novell server, you must always use the Novell logon name. If the system settings specify that the Windows user name must be used as the logon name, set Use Novell Logon Name to no. Note: If a client cannot log on to a Novell server (for example because the link to the server fails) and the user logs themselves on locally with their Windows user name, the encryption profile is still loaded correctly from the policy file, because SafeGuard LAN Crypt can also use the Windows user name to identify the appropriate policy file. In this situation the file is read from the cache. The cache is as up to date as the last Novell network logon.
Resolve all environment variables: SafeGuard LAN Crypt resolves the environment variable USERNAME for paths. Here you can specify whether other environment variables are to be resolved in paths. However, using other environment variables in paths may create problems if users are able to change them. This may result in the path data no longer functioning correctly in the encryption profile.
Enabled Menu Entries: Here you can specify which menu options are visible in the SafeGuard LAN Crypt user menu on a client computer. By default all menu options are display
198. your search criteria.
(Dialog: SafeGuard LAN Crypt user search: Display all users / Display matching users; conditions of the form "any user attribute should be ..." and "parent OU of user must not be ...", with Add second condition and Add third condition; All conditions must be met (AND) / At least one of the conditions must be met (OR); Select all users for addition to this group; result list with columns Logon Name, User Name, Subject; Cancel; Help.)
The following user information will be retrieved from the SafeGuard LAN Crypt database:
- Logon name
- User name
- Assignment between user and certificate
- Requestor of the certificate
- Serial number of the certificate
- Date from which the certificate is valid
- Date up to which the certificate is valid
- Name of the parent group
You can define search criteria based on these attributes. SafeGuard LAN Crypt searches for the defined character string in the user attributes retrieved. In the first drop-down list you can select the attribute(s) on which the search process is to be applied. In addition, you can define whether the select
199. yption, select the Include subdirectories option. Example: Entry my_data, Include subdirectories. This encryption rule encrypts all the files in C:\company\my_data, C:\company\my_data\project NT, C:\company\my_data\project 2000\demo.
Exclude path: Here you must define an encryption rule that excludes this data from encryption. To do this, select the Exclude path option in the File encryption dialog. As a result, the files specified in the encryption rule are not encrypted. By default this option is not selected. Example: All files with the file extension TXT are to be excluded from encryption. First line: Entry c:\MYDIR\*.TXT, Exclude path, no key: excludes all files with the file extension TXT in the MYDIR directory from encryption. Second line: Entry c:\MYDIR, Exclude path not selected: encrypts all files in MYDIR except TXT files with the specified key.
Ignore path: SafeGuard LAN Crypt includes the Ignore path option. SafeGuard LAN Crypt simply ignores files affected by this type of encryption rule. In contrast to the Exclude path option, this also means there is no access control for these files. You can open them (the encrypted contents are displayed), move and delete them, etc. Despite this, the system checks files in directories that are excluded from encryption to see whether or not they are actually encrypted. In this way SafeGuard LAN Crypt can discover
