SafeGuard Enterprise Installation
Contents
1. Encryption of hard drives and removable media is maintained, so there is no need to decrypt and re-encrypt them. It is not necessary to uninstall SafeGuard Easy either. The user PCs can be migrated as follows: as SafeGuard Enterprise Clients (managed centrally) or as SafeGuard Standalone Clients (managed locally). When migrating SafeGuard Easy to SafeGuard Enterprise, only the client installation package SGNClient.msi can be installed on the user PC. The SafeGuard Client installation package without volume-based encryption, SGNClient_withoutDE.msi, is not supported for migration of SafeGuard Easy. This chapter describes how to migrate SafeGuard Easy to SafeGuard Enterprise, explains which features can be migrated and details the limitations.
   Requirements. The following requirements must be met: Direct migration is supported for SafeGuard Easy from version 4.20; older versions must be updated to SafeGuard Easy 4.20 beforehand. SafeGuard Easy must be running on one of the following operating systems: Windows 2000 Professional Workstation Service Pack 4 with Internet Explorer 6.x, or Windows XP Professional Workstation Service Pack 2. The SafeGuard Easy hardware must meet the system requirements for SafeGuard Enterprise (see the Release Notes). Migration may only take place if the hard disks are encrypted with one of the following algorithms: AES128, AES256, 3DES, IDEA. [SafeGuard Enterprise, CHAPTER 19 Migrating Safe
2. CHAPTER 5 Setting up SafeGuard Management Center ... 30
   5.1 Prerequisites ... 32
   5.2 Installing SafeGuard Management Center ... 32
   5.3 Configuring SafeGuard Management Center ... 34
   5.4 Carrying out initial configuration ... 35
   5.5 Configuring for multiple databases (Multi Tenancy) ... 41
   5.5.1 Creating further database configurations ... 41
   5.5.2 Connecting to an existing database configuration ... 42
   5.5.3 Exporting a configuration to a file ... 42
   5.5.4 Importing a configuration ... 43
   5.5.5 Importing a configuration via the SafeGuard Management Center ... 43
   5.5.6 Importing a configuration by double-clicking the configuration file (Single and Multi Tenancy) ... 44
   5.5.7 Fast switching of database configurations ... 45
   5.6 Logon to the SafeGuard Management Center ... 46
   5.6.1 Logon in
3. DBAuth > [SafeGuard Enterprise, CHAPTER 8 Replicating the SafeGuard Enterprise Database, sections 8.1 and 8.2] Replicating the SafeGuard Enterprise Database. To enhance performance, the SafeGuard Enterprise Database may be replicated to several SQL servers. SafeGuard Enterprise supports replication of type Merge Replication for Microsoft SQL Server 2000 and 2005. This chapter describes how to set up replication for the SafeGuard Enterprise Database in a distributed environment. It is assumed that you already have some experience in working with the replication mechanism in Microsoft SQL Server. HINT: Administration should only be carried out on the master database, not on the replicated databases.
   Merge replication. Merge replication is the process of distributing data from the Publisher to Subscribers, allowing the Publisher and Subscribers to make updates independently and then merging the updates between sites. Merge replication allows various sites to work autonomously and, at a later time, merge updates into a single uniform result. The initial snapshot is applied to the Subscribers, and then Microsoft SQL Server tracks changes to published data at the Publisher and at the Subscribers. The data is synchronized between servers continuously, at a scheduled time or on demand. Because updates are made at more than one server, the same data may have been updated by the Publisher or by more than one Subscriber. Therefore, conf
4. SafeGuard Enterprise 5.4x and the stand-alone products SafeGuard PrivateCrypto (from version 2.30) as well as SafeGuard Private Disk (from version 2.30) can coexist on the same computer. Both SafeGuard PrivateCrypto and SafeGuard Private Disk can then share the SafeGuard Enterprise key management. [SafeGuard Enterprise, CHAPTER 3 Preparing for installation, sections 3.6 and 3.6.1]
   Securing transport connections with SSL. To enhance security, SafeGuard Enterprise supports encrypting the transport connections between its components with SSL. The connection between the database server and the web server, as well as the connection between the database server and the computer on which either SafeGuard Management Center or SafeGuard Policy Editor resides, may be encrypted with SSL. SafeGuard Enterprise supports configuring a specific database connection for any registered web server. The connection between the SafeGuard Enterprise Server and the SafeGuard Enterprise Client may be secured either by SSL or by SafeGuard-specific encryption. The advantage of SSL is that it is a standard protocol and that a faster connection can be achieved than with SafeGuard transport encryption. SSL encryption for SafeGuard Enterprise can be set during configuration of the SafeGuard Enterprise components directly after installation. It is also possible to enable it afterwards at any point in time. There is no need to reinstall the components if SSL is enabled later o
5. Common Files; Internet Information Services (IIS) Manager; World Wide Web Services.
   Enabling only essential Web Service Extensions. Ensure that only essential Web Service Extensions are enabled, as this reduces the chance that the IIS server might be attacked. Disable all unnecessary settings. The required settings for the IIS server to run with SafeGuard Enterprise Server are: Web Service Extension ASP.NET v1.1.4322: Prohibited; ASP.NET v2.0.50727: Allowed.
   Placing Web site content on a dedicated disk volume. IIS stores the files for its default Web site in the following folder: <systemroot>\inetpub\wwwroot, where <systemroot> is the drive on which the Windows Server 2003 operating system is installed. Move all files and folders that make up Web sites and applications to dedicated disk volumes that are separate from the operating system. This helps to prevent attacks in which an attacker sends requests for a file that is located outside the directory structure of an IIS server. For the sample configuration these may be moved as follows: IIS web files: E:\inetpub; SafeGuard Enterprise Server Web files: F:\mycompany\web. [SafeGuard Enterprise, CHAPTER 6 Setting up SafeGuard Enterprise Server] HINT: After moving the Web files you need to update the path information in the IIS Manager accordingly.
   Setting NTFS permissions. Computers that run Windows Server 2003 with SP1 examine NTFS file system permissions t
6. To do this, open Control Panel and, depending on the operating system, select either Add/Remove Programs or Administrative Tools. The program and version are shown there. 2. If necessary, install the correct version of the program. [SafeGuard Enterprise, CHAPTER 6 Setting up SafeGuard Enterprise Server]
   6.2.4 Checking ASP.NET registration. During SafeGuard Enterprise Server installation it is checked whether the required ASP.NET version 2.0.50727 is set. If it is not set, the correct version will automatically be enabled during installation. You can check the setting manually as follows. HINT: You will find a detailed description of how to carry out this task in our knowledge database (www.utimaco.com/myutimaco); search for the keyword ASP. 1. Open the Internet Information Services Manager on the IIS server. 2. In IIS Manager, click Server (local computer) > Web Sites. 3. Right-click Default Web Site > Properties > ASP.NET. Version 2.0.50727 should show under ASP.NET Version. If appropriate, select this version. If this is not possible you must re-install ASP.NET 2.0.50727. 4. Confirm with Apply and OK. [Screenshot: Internet Information Services (IIS) Manager, Default Web Site Properties dialog with the tabs Web Site, Performance, ISAPI Filters, Home Directory, Documents, Directory Security, HTTP Headers, Custom Errors and ASP.NET]
7. [Dialog: Database Connections, with the fields Use SSL, Authentication (Use Windows NT Authentication, SQL Logon, SQL Password) and Check connection] In Database Connections, configure the connection between database and server. a. Select the required database server to which the selected SafeGuard Enterprise Server is to be connected. b. Activate Use SSL to secure the connection between this database and the selected server with SSL. c. In Authentication, define the database credentials to be used for the selected database: Windows authentication or SQL authentication. NOTICE: Use SQL authentication for computers that are not part of a domain; otherwise use Windows authentication. This, however, requires additional configuration. If you use SQL authentication, we strongly recommend securing the connection to the database with SSL to encrypt the transport of the SQL credentials. d. Check the connection to the database. Even if the check is not successful, a new server configuration package can be created. HINT: You can change the properties and settings for any registered server and its database connection at any point in time. You do not have to rerun the Management Center Configuration Wizard to update the database configuration. Simply ensure that you create a new server package afterwards and distribute it to the respective server. After the updated server package is installed on the server, the new database connection can be used. S
8. the only way to authenticate against the SafeGuard Management Center. Please store the key file in a secure place and create a backup. 9. Save the certificate in a directory. NOTICE: Create a backup of the private key (.p12 file) for the MSO, as in case of PC failure the key will be lost and SafeGuard Enterprise will have to be reinstalled. This applies to all SafeGuard-generated security officer certificates. [Screenshot: Save As dialog, folder SGN, file name with the extension .p12, Save as type: p12 files (*.p12)] > The MSO certificate has now been created. [SafeGuard Enterprise, CHAPTER 5 Setting up SafeGuard Management Center; certificate subject shown as CN=MSO, OU=SafeGuard Enterprise Office] 10. Click Next. 11. Create the company certificate. This certificate is used to differentiate between different SafeGuard Enterprise installations. Any name can be used here. [Screenshot: SafeGuard Management Center Wizard, Company Certificate: Create the global certificate for your company] 12. Click Next, then Finish. A configuration file is automatically created and stored in the following folder: <CSIDL_LOCAL_APPDATA>\Utimaco\SafeGuard Enterprise\Configuration. > The initial configuration of the SafeGuard Management Center is now complete. The SafeGuard Management Center opens automatically. SafeGu
9. you also need to add all the feature parents to the command line.
   ADDLOCAL=ALL: Installs all the available features.
   REBOOT=Force | ReallySuppress: Forces or suppresses a reboot after installation. If nothing is specified, the reboot is forced after installation.
   /L <path\filename>: Logs all warnings and error messages in the specified log file. The parameter /Le <path\filename> only logs error messages.
   Installdir=<directory>: Specifies the directory in which the SafeGuard Enterprise Client is to be installed. If no value is specified, the default installation directory will be <SYSTEM>:\PROGRAM FILES\UTIMACO\SafeGuard Enterprise.
   [SafeGuard Enterprise, CHAPTER 12 Setting up user PCs centrally] 12.5.2 SafeGuard Client Features (ADDLOCAL). For a central install you must define in advance which SafeGuard Enterprise features are to be installed on the user PCs. The features are listed after the option ADDLOCAL in the command. You should decide before the install whether you want to use SafeGuard Enterprise in association with BitLocker volume encryption or SafeGuard Enterprise encryption in its entirety. NOTICE: If you wish to install SafeGuard Enterprise's volume-based encryption, make sure that no volumes have yet been encrypted with BitLocker. Otherwise the system may be harmed. The following table lists the SafeGuard Enterprise client features that can be installed centrally on the user PCs. If y
10. 5.30 or above. SafeGuard Enterprise: 1. SafeGuard Enterprise Database; 2. SafeGuard Enterprise Server; 3. SafeGuard Management Center; 4. SafeGuard Enterprise Client. SafeGuard Enterprise Standalone: Updating SafeGuard Enterprise Standalone is supported for SafeGuard Enterprise version 5.30 or higher. 1. SafeGuard Enterprise Database; 2. SafeGuard Policy Editor; 3. SafeGuard Standalone Client. [SafeGuard Enterprise, CHAPTER 17 Updating SafeGuard Enterprise]
    17.1 Updating SafeGuard Enterprise Database. On the product CD several SQL scripts are provided for updating the SafeGuard Enterprise database. Prerequisites: There must be a SafeGuard Enterprise database of version 5.20 or higher installed. The SQL scripts that are to be run must be present on the database computer. You need Windows administrator rights for the database server. Back up the SafeGuard Enterprise database before starting the update.
    Updating the database: 1. Take all SafeGuard Enterprise Servers (IIS servers) offline and close all open SafeGuard Management Centers. 2. Set the SafeGuard Enterprise database to SINGLE_USER mode for running the SQL scripts. 3. If you do not know which database version is installed, find out by running CheckNeedForMigration.sql from the Tools folder on your product CD. 4. The database must be converted version by version to the current version. Depending on the version installed, start the following SQL scripts in seque
11. Center have already been updated to the latest version. You need Windows administrator rights.
    Updating SafeGuard Enterprise Client. The update of the SafeGuard Enterprise Client is carried out in several steps. Older versions of SafeGuard Enterprise Client must be updated version by version until version 5.30 has been reached. You can then update from version 5.30 to version 5.40. To update, install the respective Client installation package afresh (see Setting up user PCs centrally, page 102, or Setting up user PCs locally, page 121). Windows Installer recognizes the modules that are already installed and only installs these modules afresh. You do not have to create a new Enterprise Client configuration package. Generating a new configuration package is only required if, for example, the SafeGuard Enterprise Server has changed. If Power-on Authentication is installed, an updated POA kernel will also be available after a successful update (policies, keys etc.). The SafeGuard Enterprise Client will be restarted automatically. [SafeGuard Enterprise, CHAPTER 17 Updating SafeGuard Enterprise, sections 17.6 and 17.6.1]
    Updating SafeGuard Enterprise Standalone. An update of SafeGuard Enterprise Standalone comprises the following components, which must be updated in the order mentioned: 1. SafeGuard Enterprise Database. For an update of the SafeGuard Enterprise Database see Updating SafeGuard Enterprise Database, page 1
12. Installation manual. 1. Start the SafeGuard Management Center via the product folder of the Start menu. 2. Select Options from the Tools menu and select the tab Database Connection. 3. Enter or confirm the credentials for the SQL Database Server connection. [SafeGuard Enterprise, CHAPTER 5 Setting up SafeGuard Management Center, section 5.5.7] 4. Click Export configuration to export this configuration to a file. 5. Enter and confirm a password for the configuration file. 6. Enter a file name and select a storage location. 7. Distribute this configuration file to the security officers' computers. Let them know the password for this file as well as the certificate store password needed to authenticate at the SafeGuard Management Center. 8. The security officers just need to double-click the configuration file. 9. They are prompted to enter the password for the configuration file. 10. To authenticate to the SafeGuard Management Center, they are prompted to enter their certificate store password. > The SafeGuard Management Center starts with the imported configuration, and this configuration will be made the new default configuration.
    Fast switching of database configurations. To ease administrative tasks for several tenants, the SafeGuard Management Center allows fast switching of database configurations. To switch to another database configuration: 1. In the Management Center, select Change configuration from the File menu. 2. Select
13. Management Center is installed. If necessary, restart your computer. [SafeGuard Enterprise, CHAPTER 5 Setting up SafeGuard Management Center]
    5.3 Configuring SafeGuard Management Center. After installation you need to configure the SafeGuard Management Center. The SafeGuard Management Center Wizard provides convenient assistance for initial configuration by helping you specify the basic settings for the Management Center and the connection to the database. This wizard opens automatically when you start the SafeGuard Management Center for the first time after installation.
    Multi Tenancy configurations. You can configure different SafeGuard Enterprise Databases and maintain them from one instance of the SafeGuard Management Center. This is particularly useful when you want to have different database configurations for different domains, organizational units or company locations. To ease configuration, previously created configurations can also be imported from files, or newly created database configurations can be exported to be reused at a later point in time. To configure SafeGuard Management Center for Multi Tenancy, first carry out initial configuration and then proceed with the further configuration steps specific to Multi Tenancy.
    Prerequisites. You should have the following information ready; where necessary, you can obtain it from your SQL administrator: SQL credentials; the name of the SQL Server which the SafeGuar
14. credentials. [SafeGuard Enterprise, CHAPTER 5 Setting up SafeGuard Management Center] 5. Determine whether an existing or a new database will be used to store administration data. If a database does not yet exist, select Create a new database named and enter a name for the new database here (SafeGuard). To do this you need the relevant SQL access rights (see Rights to access the database, page 21). If a database has already been created, or if you have already installed the Management Center on another administrator PC, click Select an available database and select the relevant database from the list. [Screenshot: SafeGuard Management Center Wizard, Database Settings: SafeGuard Management Center requires a database that is usually named SafeGuard] [SafeGuard Enterprise, CHAPTER 5 Setting up SafeGuard Management Center] 6. Create a Master Security Officer (MSO). a. Enter a name for the MSO. Initially we recommend setting Token logon to no token. Logon with token or smartcard requires separate configuration, which must be carried out within the Management Center (see the Administrator's manual, chapter Token and Smartcards). b. Once you have entered a name for the MSO, click Create. [Screenshot: SafeGuard Management Center Wizard, Security Officer Data: Selection of mandatory Security Officer for logon; Create MSO Certificate dialog: Please enter the credentials for the Master Security Officer to be created in the dat
15. during initial configuration of the SafeGuard Policy Editor and store it on the network. 4. Click OK to finish configuration. [SafeGuard Enterprise, CHAPTER 10 Setting up SafeGuard Policy Editor, section 10.3.5] A default Standalone client configuration package will be created, including the previously defined settings for the client. The SafeGuard Policy Editor will then start automatically and display the Default Policy group in the left-hand navigation area. The automatically created Standalone Client configuration package (.msi) containing the default policy group will be shown for selection in the Configuration Package Tool dialog. You may manually change the policies or create new ones if required. Then distribute the Standalone Client configuration package(s) to the respective clients.
    Logging on to the SafeGuard Policy Editor. To log on to the SafeGuard Policy Editor, do as follows: 1. You will see the logon screen. 2. Enter the security officer password specified during configuration and confirm with OK. [Screenshot: SafeGuard Policy Editor logon dialog: Please select the Security Officer for authentication (mso), Policy Editor password, OK / Cancel] > The SafeGuard Policy Editor opens. > For an introduction to the SafeGuard Policy Editor, see the SafeGuard Enterprise Administrator's Manual, chapter SafeGuard Policy Editor. [SafeGuard Enterprise, CHAPTER 11 SafeGuard Client Configurations] 11 SafeGuard Client C
16. guide you through the necessary steps of creating a new database configuration (see Carrying out initial configuration, page 35). Make your settings as required. The new database configuration will be generated. [SafeGuard Enterprise, CHAPTER 5 Setting up SafeGuard Management Center, sections 5.5.2 and 5.5.3] To authenticate to the SafeGuard Management Center, you are prompted to select the Security Officer name for this configuration and to enter their certificate store password. Confirm with OK. The SafeGuard Management Center will be opened and connected to the new database configuration. The next time the SafeGuard Management Center is started, you can select the new database from the list.
    Connecting to an existing database configuration. To work on an existing database configuration, proceed as follows: 1. Start the SafeGuard Management Center. The Select Configuration dialog will be displayed. 2. Select the required database configuration from the drop-down list and click OK. The selected database configuration is connected to the Management Center and becomes active. To authenticate to the SafeGuard Management Center, you are prompted to select the Security Officer name for this configuration and to enter their certificate store password. Confirm with OK. The SafeGuard Management Center will be opened and connected to the selected database configuration.
    Exporting a configuration to a file. To save a database
17. have not been found or cannot be accessed. 7. To import the data, click Yes. [Screenshot: Import Authentication Keyfile dialog: Please locate the keyfile required for authentication, enter the password for the keyfile and the password for your certificate store. Key File: F:\certs\SO_MUC.p12; Cert store password or token PIN; Copy to token; Import to certificate store] 8. Click OK. This will start the import process. 9. Click to select the key file. 10. Now enter the password for the keyfile. 11. Enter the password for the certificate store, previously defined, in Cert store password or token PIN. 12. Click Import to certificate store. Click Copy to token to store the certificate on a token. 13. You need to enter the password once more to initialize the certificate store. [SafeGuard Enterprise, CHAPTER 5 Setting up SafeGuard Management Center] > Certificates and private keys are now contained in the certificate store. Logging on to the SafeGuard Management Center then requires the password to the certificate store. [SafeGuard Enterprise, CHAPTER 6 Setting up SafeGuard Enterprise Server]
    Setting up SafeGuard Enterprise Server. The SafeGuard Enterprise Server acts as the interface to the SafeGuard Enterprise Clients. Like the SafeGuard Management Center, it accesses the database. It runs as an application on an IIS-based web server. We recommend using a dedicated IIS server for the SafeGuard Enterpri
18. [Screenshot: Users & Computers tree showing Authenticated Computers, Authenticated Users and Auto registered] [SafeGuard Enterprise, CHAPTER 9 Setting up an organizational structure] 7. Select the required directory from the DSN list. Click the magnifier icon at the top right (1). A graphical representation of the Active Directory structure of the organizational units (OU) in your company will appear. [Screenshot: SafeGuard Management Center, logged on as MSO, Users & Computers view with the Synchronize tab; DSN DC=Utimaco,DC=edu; options Synchronize memberships and Synchronize user enabled state; OU tree UTIMACO.EDU with Root, Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Headquarter and Users, each marked present; navigation areas Policies, Keys & Certificates, Tokens, Security Officers, Reports] 8. You do not need to import the entire contents of the Active Directory. Highlight the organizational units (OU) to be synchronized (2). 9. Click Synchronize (3). [SafeGuard Enterprise, CHAPTER 9 Setting up an organizational structure] 10. Confirm synchronization with OK. [Screenshot: SafeGuard Manageme
19. installation of the SafeGuard Configuration Protection module, a separate installation package must be added by specifying an additional msiexec command. A log file is created. Finally, the Client configuration package SGNEnterpriseClientConfig.msi is run. EXAMPLE:
    msiexec /i F:\SGNClient_withoutDE.msi /qn /log I:\Temp\SGNClient.log ADDLOCAL=Client,Authentication,SecureDataExchange,ConfigurationProtection Installdir="C:\Program Files\Utimaco\SafeGuard Enterprise"
    msiexec /i SGN_CP_PortProtectorClient.msi /quiet /norestart
    msiexec /i F:\SGNEnterpriseClientConfig.msi /qn /log I:\Temp\SGNEnterpriseClientConfig.log
    [SafeGuard Enterprise, CHAPTER 15 Installing SafeGuard Configuration Protection] 15.5 Local installation. To successfully install SafeGuard Configuration Protection, please stick to the following installation sequence: 1. Install one of the following SafeGuard Enterprise Client installation packages on the user computer: SGNClient.msi or SGNClient_withoutDE.msi. 2. When you are prompted to select the required features, make sure to activate the feature Configuration Protection. 3. Then install SGN_CP_PortProtectorClient.msi. NOTICE: To ensure that the Configuration Protection module is installed in the SafeGuard Enterprise directory, you need to change the installation directory to C:\Program Files\Utimaco\SafeGuard Enterprise. 4. We recommend restarting the user computer. However, if the Client config
20. on the selected volume. 4. Confirm the defaults in the next dialog of the installer. No special feature selection is necessary. 5. Select an installation folder for the runtime installation. 6. Confirm to finish the runtime installation. 7. Select the primary volume of the hard disk on which you want to install SafeGuard Enterprise Client. 8. Boot the primary Windows installation on the selected volume. [SafeGuard Enterprise, CHAPTER 14 Installing SafeGuard Enterprise Client on computers with multiple operating systems, section 14.4] 9. Install the required SafeGuard Enterprise Client installation package on the selected volume. 10. Create and deploy the client configuration packages for Enterprise or Standalone Clients as required. 11. Encrypt both volumes with the defined machine key.
    Booting from a secondary volume via a boot manager: 1. Start the computer. 2. Log on at the Power-on Authentication with your credentials. 3. Start the boot manager and select the required secondary volume as boot volume. 4. Reboot the computer from this volume. > Each volume encrypted with the defined machine key can be accessed. [SafeGuard Enterprise, CHAPTER 15 Installing SafeGuard Configuration Protection, section 15.1]
    Installing SafeGuard Configuration Protection. With SafeGuard Configuration Protection, the interfaces and peripheral devices to be allowed on user computers can be defined. This prevents malware from being introduced as well as dat
21. package. For further details about the features, see SafeGuard Client Features (ADDLOCAL), page 115. 1. Click the features to select them. 2. Disable the features you do not want to install. 3. Continue the installation.
    Client features for Windows XP. The picture shows the selection of features for the SGNClient.msi installation package. [Screenshot: feature tree Client > Data Exchange; Device Encryption > Base Encryption; Configuration Protection] SafeGuard Data Exchange with file-based encryption: Data Exchange activated. Volume-based encryption: Device Encryption > Base Encryption activated. Configuration protection: Configuration Protection activated. Further steps are required for installing this module (see Installing SafeGuard Configuration Protection, page 129). This feature cannot be installed for Standalone Clients. [SafeGuard Enterprise, CHAPTER 13 Setting up user PCs locally]
    Client features for Windows Vista without BitLocker support. The picture shows the selection of features for the SGNClient.msi installation package. [Screenshot: feature tree Client > Data Exchange; Device Encryption > BitLocker Support, Base Encryption; Configuration Protection] SafeGuard Data Exchange with file-based encryption: Data Exchange activated. Volume-based encryption based on SafeGuard Enterprise: Device Encryption > Base Encryption activated. Device Encryption > BitLocker Support dea
22. secure encryption for removable media. Data can be shared securely and easily with other users. All encryption and decryption processes run transparently and with minimal user interaction. If you have installed SafeGuard Data Exchange on your computer, you can also use SafeGuard Portable. The SGNClient_withoutDE.msi package also includes SafeGuard Portable. SafeGuard Portable enables data to be shared securely with clients that do not have SafeGuard Data Exchange installed. SafeGuard Data Exchange can be installed in parallel with the BitLocker Client.
    Client, ConfigurationProtection: Port protection and management of peripheral devices. To use SafeGuard Configuration Protection you need to list this feature in the msiexec command for the Client installation package AND carry out additional installation steps (see Installing SafeGuard Configuration Protection, page 129). Not available for SafeGuard Standalone Clients. [SafeGuard Enterprise, CHAPTER 12 Setting up user PCs centrally]
    12.5.3 Sample command for volume- and file-based encryption. The command given below installs the following: SafeGuard Enterprise Power-on Authentication for authentication at SafeGuard Enterprise user computers; SafeGuard Data Exchange with file-based encryption (installed by specifying SecureDataExchange); SafeGuard Enterprise volume-based encryption. A log file is created. Afterwards the SafeGuard Enterpr
23. the user PCs (see Restrictions for initial encryption of SafeGuard Enterprise Clients, page 104). e. Select the Transport Encryption mode, which defines how the connection between SafeGuard Enterprise Client and SafeGuard Enterprise Server is to be encrypted: SafeGuard encryption or SSL encryption. The advantage of SSL is that it is a standard protocol and that a faster connection can be achieved than with SafeGuard transport encryption. [SafeGuard Enterprise, CHAPTER 12 Setting up user PCs centrally] HINT: If you use SSL transport encryption between server and client, you have to set up the IIS for it in advance: A Certificate Authority must be installed for issuing the certificates used by SSL encryption. A certificate must be issued and the IIS server configured to use SSL and to point to the certificate. The server name specified when configuring the SafeGuard Enterprise Server must be the same as the one specified in the SSL certificate; otherwise client and server cannot communicate. For each SafeGuard Enterprise Server a separate certificate is needed. If you use Network Load Balancer, make sure that the port range includes the SSL port. For further information see Securing transport connections with SSL, page 13. f. Specify the output path and click Create Client MSI. The SGNClientConfig.msi will be created in the specified directory. [Dialog: SafeGuard Management Center: Installation package(s) successfully c
24. the SafeGuard Enterprise Server. Restrictions for SafeGuard Standalone Clients: The following modules are not supported for the SafeGuard Standalone Client: SafeGuard Enterprise BitLocker support; Configuration Protection. Restrictions for BitLocker support: The following installation package is not available for SafeGuard Enterprise Clients with BitLocker support: SGNClient_withoutDE.msi. [SafeGuard Enterprise, CHAPTER 11 SafeGuard Client Configurations] NOTICE: Either SafeGuard Enterprise or BitLocker volume-based encryption can be used on Windows Vista, but not both encryption methods simultaneously. If you want to change the encryption type, you must first decrypt all the partitions, uninstall the SafeGuard Enterprise client package and then reinstall it with the features you want. [SafeGuard Enterprise, CHAPTER 11 SafeGuard Client Configurations]
    11.2 SafeGuard Enterprise Clients. SafeGuard Enterprise Clients are managed centrally in the SafeGuard Management Center. For SafeGuard Enterprise Clients a connection to the SafeGuard Enterprise Server exists. The connection may temporarily be disabled, for example during a business trip, but even so the user computer is still defined as a SafeGuard Enterprise Client. The required Enterprise Client configuration package is created in the SafeGuard Management Center. [Figure: SafeGuard Enterprise Components: Microsoft Active Directory (optional), SafeGu
25. the database you want to switch to from the drop-down list.
3. Click OK.
> The Management Center is restarted automatically with the selected configuration.
NOTICE: This task is only possible in Multi Tenancy mode.
5.6 Logon to the SafeGuard Management Center
Logon to the SafeGuard Management Center depends on whether you run it in Single Tenancy or in Multi Tenancy mode.
5.6.1 Logon in Single Tenancy mode
1. Start the SafeGuard Management Center via the Start menu.
2. A logon dialog is displayed, in which you select the security officer for authentication and enter the certificate store password (or the token PIN).
3. Log on as MSO and enter the certificate store password specified during initial configuration. Click OK.
HINT: If you enter an incorrect password, an error message is displayed and a delay is imposed before the next logon attempt. The delay increases with each failed logon attempt. Failed attempts are logged.
> The SafeGuard Management Center opens.
5.6.2 Logon in Multi Tenancy mode
The logon process to the Management Center is extended when you have configured several databases (Multi Tenancy).
1. Start the SafeGuard Management Center via the product folder of the Start menu. The Select Configuration dialog is displayed.
26. to SafeGuard Enterprise, only the client installation package SGNClient.msi can be installed on the user PC. The SafeGuard Enterprise Client installation package without volume-based encryption (SGNClient_withoutDE.msi) is not supported for migrating SafeGuard Easy.
19.3 Which functionality is migrated
The table below shows which SafeGuard Easy functionality is migrated and how it is mapped in SafeGuard Enterprise.
SafeGuard Easy: Encrypted hard disks
Migration: Yes
SafeGuard Enterprise: Encrypted hard disks can continue to be used in exactly the same way as when updating from an older to a newer version of SafeGuard Easy. The hard disk keys are protected by SafeGuard Enterprise Power-on Authentication, so the hard disk key is at no time exposed. If Boot Protection mode has been selected, the previous SafeGuard Easy version has to be uninstalled. The hard disk's encryption algorithm is not changed by the migration. Therefore the actual algorithm of a migrated hard disk may differ from the general SafeGuard Enterprise policy. The actual algorithm is shown in the Management Center's Inventory view for the user PC.
SafeGuard Easy: Encrypted removable media
Migration: Yes
SafeGuard Enterprise: Encrypted SafeGuard Easy data media (e.g. USB memory sticks) can be converted to the SafeGuard Enterprise format. After conversion an encrypted data medium can only be re
27. 2. SafeGuard Policy Editor
3. SafeGuard Standalone Client
Updating SafeGuard Policy Editor
Prerequisites
- SafeGuard Policy Editor does not need to be uninstalled.
- The SafeGuard Enterprise database has already been updated to the latest version.
- .NET Framework 3.0 Service Pack 1 must be installed for a successful update to the latest version.
- ASP.NET must be converted to version 2.0.
- You need Windows administrator rights.
Updating the Policy Editor
Reinstall the latest version of SafeGuard Policy Editor (see Setting up SafeGuard Policy Editor, page 85). The updated SafeGuard Policy Editor is available afterwards.
17.6.2 Updating SafeGuard Standalone Client
SafeGuard Policy Editor version 5.40 can manage SafeGuard Standalone Clients version 5.30 or above.
Prerequisites
- A SafeGuard Standalone Client version 5.30 or higher must be installed. Versions below 5.30 must be uninstalled.
- The SafeGuard Enterprise database and the SafeGuard Policy Editor have already been updated to the latest version.
- You need Windows administrator rights.
17.6.3 Updating SafeGuard Standalone Client
You can update SafeGuard Standalone Client from version 5.3x to version 5.40. To update, install the latest version of the respective Client installation package afresh (see Setting up user PCs centrally, page 102, or see Setting up
28. SafeGuard Easy to SafeGuard Enterprise
19.2 Limitations
The migration is subject to the following limitations:
- The following SafeGuard Easy installations cannot be migrated to SafeGuard Enterprise:
  - Twin Boot installations
  - Installations with active Compaq Switch
  - Lenovo Computrace installations
  - Hard disks that are partially encrypted (e.g. only boot sector encryption)
  - Hard disks with hidden partitions
  - Hard disks encrypted with one of the following algorithms: XOR, STEALTH, DES, RIJANDAEL, Blowfish 8, Blowfish 16
  - Multi-boot scenarios with a second Windows or Linux partition
In the above cases the SafeGuard Enterprise installation should not be attempted.
HINT: If you start a migration from SafeGuard Easy to SafeGuard Enterprise in one of the above cases, an error message is displayed (error number 5006).
- Removable media encrypted with one of the following algorithms cannot be migrated: XOR, STEALTH, DES, RIJANDAEL, Blowfish 8, Blowfish 16.
NOTICE: There is a risk of data loss if a removable device has been encrypted in SafeGuard Easy with one of the algorithms XOR, STEALTH, DES, RIJANDAEL, Blowfish 8 or Blowfish 16 and is migrated to SafeGuard Enterprise. The data on the removable medium cannot be accessed with SafeGuard Enterprise after the migration. Decrypt or back up the data on such media before migrating.
- Removable media with Super Floppy volumes cannot be transformed after migration.
- When migrating SafeGuard Easy
29. SafeGuard Enterprise Clients, SSL encryption can be enabled when creating the Enterprise Client configuration package via the Management Center Configuration Package Tool. For details see Creating an Enterprise Client configuration package, page 106.
3.7 Installation steps for SafeGuard Enterprise
To install SafeGuard Enterprise with central management via SafeGuard Management Center, follow these installation steps:
1. Preparatory measures: preparations on client and server. See chapter 3.
2. Set up SQL authentication for the SafeGuard Enterprise Security Officer: the user account is created on the Microsoft SQL Server. See chapter 4.4.
3. Generating the database via script (optional): generate the SafeGuard Enterprise Database(s) with a script. Installation package: SQL scripts on the product CD in the Tools directory. See chapter 4.5.2.
4. Set up SafeGuard Management Center: install SafeGuard Management Center on the administrator PC. Installation package: SGNManagementCenter.msi. See chapter 5.2.
5. Basic configuration, generate database via Wizard: configure the database connections, generate the SafeGuard Enterprise Database(s) and the Master Security Officer. Tool: SafeGuard Management Center Configuration Wizard. See chapter 5.3.
6. Set up IIS Server for SafeGuard Enterprise: set up Internet Information Services (IIS) with .NET Framework 3.0 and ASP.NET 2.0. See chapter 6.2.
7. Set up SafeGuard Enterprise Server: install SafeGua
30. Management Center
5 Setting up SafeGuard Management Center
This chapter describes how to install and configure the SafeGuard Management Center. The SafeGuard Management Center is the central administrative tool for SafeGuard Enterprise. You install it on the administrator PCs that you intend to use for managing SafeGuard Enterprise. The SafeGuard Management Center does not have to be installed on one computer only; it can be installed on any computer on the network from which the databases can be accessed.
The SafeGuard Management Center can serve multiple databases by way of tenant-specific database configurations (Multi Tenancy). You can set up and maintain different SafeGuard Enterprise Databases for different tenants, such as company locations, organizational units or domains. To ease management, these database configurations can also be exported to and imported from files.
[Figure: SafeGuard Enterprise components: Microsoft Active Directory (optional); SafeGuard Management Center (Administrator/MSO); SafeGuard Enterprise Database (Microsoft SQL Server); Web Server (MS Internet Information Services, IIS) running the SafeGuard Enterprise Server; User PC running the SafeGuard Enterprise Client]
5.1 Prerequisites
The following prerequisites mu
31. 13 Setting up user PCs locally
This chapter describes how to set up SafeGuard Enterprise Clients and SafeGuard Standalone Clients locally at the user computer. The steps required for SafeGuard Enterprise Clients with Windows Vista BitLocker are described as well. For information on the different Client installation and configuration packages see SafeGuard Client Configurations, page 93.
Decide before the installation whether you want to use SafeGuard Enterprise in combination with BitLocker volume encryption or SafeGuard Enterprise encryption.
NOTICE: If you wish to install SafeGuard Enterprise volume-based encryption, make sure that no volumes have already been encrypted with BitLocker. Otherwise the system may be damaged. You can check the BitLocker state of all volumes beforehand with the Windows tool manage-bde (on Windows Vista: cscript manage-bde.wsf -status).
13.1 Prerequisites
For general prerequisites see General prerequisites, page 103; for the special prerequisites for Windows Vista BitLocker support see Prerequisites for Windows Vista BitLocker, page 103.
13.2 Installing SafeGuard Enterprise or Standalone Client
This section applies to both SafeGuard Enterprise Clients and SafeGuard Standalone Clients. The installation procedure is identical, except that you create a different configuration package for each of them. Before installation, decide which SafeGuard Enterprise features you want to use. Ins
32. [Select Configuration dialog: select the configuration you would like to use, or select New to create a new configuration.]
2. Select the database configuration you want to use from the drop-down list and click OK. The selected database configuration is connected to the Management Center and becomes active.
3. To authenticate to the SafeGuard Management Center, you are prompted to select the Security Officer name for this configuration and to enter their certificate store password (or token PIN). Confirm with OK.
> The SafeGuard Management Center opens, connected to the selected database configuration.
HINT: If you enter an incorrect password, an error message is displayed and a delay is imposed before the next logon attempt. The delay increases with each failed logon attempt. Failed attempts are logged.
> For first steps in the SafeGuard Management Center refer to the SafeGuard Enterprise Administration Manual.
5.7 Installing SafeGuard Management Center on further computers
The SafeGuard Enterprise Mana
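The logon hints in 5.6.1 and 5.6.2 describe the same control: a wrong certificate store password delays the next attempt, the delay grows with every further failure, and each failure is logged. The following is an added illustration of that mechanism written for this manual, not SafeGuard code; it refuses attempts inside the penalty window without evaluating the password, so the delay cannot be skipped by retrying early. The delays, the officer name and the credential check are constructed assumptions (a real deployment would plug in the certificate store opening as `check`).

```python
"""Growing logon delay with logging of failed attempts.

Added illustration for this manual; it is not SafeGuard code. Delays, names
and the credential check are constructed assumptions.
"""
import logging
import time
from typing import Callable, Dict

log = logging.getLogger("sgn.logon")


class LogonThrottle:
    """Per-officer penalty window that doubles after each failed attempt.

    Attempts inside the window are refused without evaluating the password.
    A successful logon clears the failure count and the window.
    """

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._clock = clock
        self._failures: Dict[str, int] = {}
        self._not_before: Dict[str, float] = {}

    def current_delay(self, officer: str) -> float:
        """Seconds until the next attempt for this officer is accepted (0 if none)."""
        return max(0.0, self._not_before.get(officer, 0.0) - self._clock())

    def failures(self, officer: str) -> int:
        return self._failures.get(officer, 0)

    def attempt(self, officer: str, password: str,
                check: Callable[[str, str], bool]) -> bool:
        """Run one logon attempt; returns True only on a verified password."""
        remaining = self.current_delay(officer)
        if remaining > 0:
            log.warning("logon refused: officer=%s retry_in=%.0fs", officer, remaining)
            return False
        if check(officer, password):
            self._failures.pop(officer, None)
            self._not_before.pop(officer, None)
            log.info("logon succeeded: officer=%s", officer)
            return True
        n = self._failures.get(officer, 0) + 1
        self._failures[officer] = n
        delay = min(self.base_delay * (2 ** (n - 1)), self.max_delay)
        self._not_before[officer] = self._clock() + delay
        # Every failed attempt is logged; the audit trail matters as much as the delay.
        log.warning("logon failed: officer=%s attempt=%d next_allowed_in=%.0fs", officer, n, delay)
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    throttle = LogonThrottle(base_delay=2.0)
    # Constructed credential check standing in for opening the MSO certificate store.
    verify = lambda officer, pw: officer == "mso" and pw == "correct horse"
    for pw in ("guess1", "guess2", "correct horse"):
        print(pw, throttle.attempt("mso", pw, verify), "delay now", throttle.current_delay("mso"))
        time.sleep(throttle.current_delay("mso"))
```

The cap (`max_delay`) is deliberate: an unbounded doubling lets anyone who can reach the logon dialog lock the MSO out indefinitely, so a bounded delay plus the log entries is the better trade-off.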
33. [Wizard page continued: Use SQL Server Authentication with the following credentials: SQL Logon (sa in this example), SQL password.]
Select the SQL database server from the list. All computers on the network on which a Microsoft SQL Server is installed are listed. If you cannot select the server, enter the server name or IP address together with the SQL instance name manually.
4. For the SafeGuard Management Center to be able to communicate with the database, you must specify an authentication method for the database access: either Windows NT authentication or SQL authentication.
NOTICE: Use SQL authentication for computers that are not part of a domain; otherwise use Windows authentication, which however requires additional configuration. If you use SQL authentication, we strongly recommend securing the connection to the database with SSL to encrypt the transport of the SQL credentials. SSL encryption requires a working SSL environment on the SQL database server, which you have to set up in advance (see Securing transport connections with SSL, page 13).
a. Activate Use SQL Server Authentication. Enter the credentials for the SQL user account that your SQL administrator has created. In this example sa is used; in production use the dedicated account set up in Setting up SafeGuard Enterprise Database rather than the sa login.
b. Activate Use SSL to secure the connection between SafeGuard Management Center and SQL database server. If you have selected SQL Server Authentication this is strongly recommended, in order to encrypt the transport of the SQL
34. 5.6.1 Logon in Single Tenancy mode 46
5.6.2 Logon in Multi Tenancy mode 46
5.7 Installing SafeGuard Management Center on further computers 48
CHAPTER 6 Setting up SafeGuard Enterprise Server 51
6.1 Prerequisites 52
6.2 Configuring Microsoft Internet Information Services 53
6.2.1 Hardening the IIS server 53
6.2.2 IIS rollout 56
6.2.3 Testing .NET Framework registration 56
6.2.4 Checking ASP.NET registration 57
6.2.5 Enabling recycling for the IIS server 58
6.3 Installing SafeGuard Enterprise Server 60
6.4 Registering and configuring SafeGuard Enterprise Server 60
CHAPTER 7 Testing communication 66
7.1 Prerequisites 66
7.2 Performing connection test
35. Start the Management Center and select Tools > Configuration Package Tool.
2. Select Register Server, and then one of the following options:
- Make this computer an SGN Server: SafeGuard Management Center and SafeGuard Enterprise Server are installed on the PC you are currently working on. This option is not available if Multi Tenancy is enabled.
- Add: the SafeGuard Enterprise Server is installed on a different PC than the SafeGuard Management Center.
- Add server role: add further security officer roles for the selected server, if required.
- Remove: the selected SafeGuard Enterprise Server is removed from the list.
[Configuration Package Tool dialog: tabs Register Server, Create Server Package, Create Enterprise Client Package, Create Standalone Client Package. The server list has the columns Server, Subject, Scripting allowed and Database connection; add at least one server to the list to begin with.]
36. data exports via unwanted channels such as WLAN. This module can also detect and block harmful hardware such as key loggers.
To install SafeGuard Configuration Protection on the user computers, you need to run a separate installation package after having installed the SafeGuard Enterprise Client installation package. You will find the required installation packages on your product CD.
Configuration Protection is only available for SafeGuard Enterprise Clients. It is not supported for SafeGuard Standalone Clients.
1. Install the SafeGuard Enterprise Client. Both Client installation packages can be used together with the SafeGuard Configuration Protection module:
- SGNClient.msi
- SGNClient_withoutDE.msi
2. Install SafeGuard Configuration Protection: SGN_CP_PortProtectorClient.msi
3. Generate and install the SafeGuard Enterprise Client configuration package.
15.2 Prerequisites and Restrictions
- This module is not supported for SafeGuard Standalone Clients.
- .NET version 2.0 has to be installed.
15.3 Command for central installation
When installing SafeGuard Configuration Protection centrally on the user PCs, use the Windows Installer component msiexec.
Command line syntax:
msiexec /i SGN_CP_PortProtectorClient.msi /quiet /norestart
Sample command for SafeGuard Configuration Protection with SGNClient.msi
The msiexec commands mus
37. abase
[Wizard page: Please verify the ID of the Master Security Officer displayed here, then select where the certificate will be saved. Master Security Officer ID: mso. Token logon (MSO): No token / Optional / Mandatory. Create in persistent certificate store (MY certificate store), or Create by token (Token PIN, Token slot).]
7. Now enter the password for the certificate store twice. Provided the two passwords match, confirm with OK. The new MSO certificate is saved locally as a backup.
NOTICE: Make a note of this password. It protects the private key in the SafeGuard Management certificate store, and you will need it later to log on to the Management Center.
A certificate cannot be imported from a Microsoft PKI. An imported certificate must have a key length of at least 1024 bits and at most 4096 bits. Prefer the upper end of that range: 1024-bit RSA keys are no longer considered adequate.
8. The file in which the MSO certificate is stored (the so-called p12 file) is secured by a password, which gives the MSO certificate additional protection. Enter the password for the p12 file twice.
[Export certificate dialog: the certificate will be exported to a file; define the password with which the file will be secured.]
After the initial configuration, possession of the generated private key is
38. read with SafeGuard Enterprise. The conversion has to be confirmed in each case. For exceptions see Limitations, page 148.
SafeGuard Easy: Encryption algorithms
Migration: To some degree
SafeGuard Enterprise: The algorithms AES128, AES256, 3DES and IDEA can be migrated. AES128 and 3DES, however, are not available for selection in the Management Center for media that are to be newly encrypted. For non-migratable algorithms see Limitations, page 148.
SafeGuard Easy: Challenge/Response
Migration: To some degree
SafeGuard Enterprise: The Challenge/Response procedure is maintained.
SafeGuard Easy: SafeGuard Easy user names
Migration: No
SafeGuard Enterprise: Windows user names are used in SafeGuard Enterprise, so there is no need to reuse the SafeGuard Easy-specific user names. Registering the migrated SafeGuard Easy user PCs is therefore done in the same way as with a new SafeGuard Enterprise installation, by centrally assigning or locally registering the computer's users.
SafeGuard Easy: SafeGuard Easy passwords
Migration: No
SafeGuard Enterprise: Windows passwords are used in SafeGuard Enterprise, so there is no need to reuse the SafeGuard Easy-specific passwords. SafeGuard Easy passwords are therefore not migrated.
SafeGuard Easy: Policies/settings (e.g. minimum password length)
Migration: No
SafeGuard Enterprise: To ensure that all settings are consistent, no automatic migration is performed. The settings have to be re-created in the SafeGuard Management Cen
39. aded to the SafeGuard Management Center at a later point in time.
When using SQL authentication, it is highly recommended to secure the connection to and from the database server with SSL. Note that SSL encryption requires a working SSL environment on the computer on which the selected SQL database resides, which you have to set up in advance (see Securing transport connections with SSL, page 13).
[SafeGuard Policy Editor Database dialog: Connection settings (Database Server, Use SSL); Authentication (Use Windows NT Authentication, or Use SQL Server Authentication with the following credentials: SQL Logon, SQL Password); Check connection.]
3. Click Check Connection. If the connection to the SQL database has been established, a corresponding success message is displayed. Confirm with OK.
10.3.2 Setting up a password for the security officer
There is only one security officer for the SafeGuard Policy Editor.
1. Enter a password that the security officer will later use to log on to the SafeGuard Policy Editor.
2. Repeat your entry.
10.3.3 Creating a certificate store
Select a location to save the user and company certificates that will be generated.
NOTICE: Save the certificates to a secure location and create a backup. A PC failure could cause the loss of the c
40. 8. You have selected Add:
a. Switch to the Create Server Package tab.
b. Select the required server.
c. Specify the output path.
d. Click Create Server MSI. A server configuration file (msi file) named <Server>.msi is created under the output path, in this example server.utimaco.edu.msi.
e. Run this new msi file on the SafeGuard Enterprise Server.
> You have finished registering and configuring SafeGuard Enterprise Server. Deploy the server configuration package to the SafeGuard Enterprise Server.
7 Testing communication
After the SafeGuard Enterprise Server, the database and the SafeGuard Management Center have been set up, you should run a connection test. This chapter describes the steps required.
7.1 Prerequisites
Make or check the following settings prior to the connection test.
Ports/connections
The user PCs must be able to establish the following connection:
- to the SafeGuard Enterprise Server via port 80 TCP (via the SSL port, by default 443 TCP, if SSL transport encryption is used)
The SafeGuard Management Center must be able to establish the following connections:
- to the SQL database via port 1433 TCP, and port 1434 TCP for SQL 2000 and 2005 Ex
Note that a named instance (e.g. SERVER\SQLEXPRESS) is resolved through the SQL Server Browser service, which listens on UDP 1434; allow that port as well unless you connect to a fixed TCP port.
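Before running the connection test in the Management Center, the port list above can be probed from the machine in question. The following is an added example written for this manual, not SafeGuard code: it builds the required connections for a client or a Management Center from the table in 7.1 and probes each with a plain TCP connect. The host names and the 443 default for the SSL port are assumptions, and the probe is injectable so the logic can be exercised without a network; a TCP connect cannot check the UDP 1434 Browser port.

```python
"""Pre-flight check for the connections listed under 7.1 Prerequisites.

Added example for this manual; it is not SafeGuard code. Host names and the
443 default for the SSL port are assumptions.
"""
import socket
from typing import Callable, List, Tuple

Requirement = Tuple[str, str, int]  # (description, host, tcp_port)


def requirements(role: str, sgn_server: str, sql_server: str,
                 use_ssl: bool = False, ssl_port: int = 443,
                 sql_2000_or_2005: bool = True) -> List[Requirement]:
    """Connections a machine in the given role must be able to open (from 7.1)."""
    if role == "client":
        if use_ssl:
            return [("SafeGuard Enterprise Server (SSL transport)", sgn_server, ssl_port)]
        return [("SafeGuard Enterprise Server", sgn_server, 80)]
    if role == "management_center":
        reqs = [("SQL database", sql_server, 1433)]
        if sql_2000_or_2005:
            reqs.append(("SQL database (SQL 2000/2005)", sql_server, 1434))
        return reqs
    raise ValueError("unknown role %r" % role)


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: can a TCP connection be established?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_connections(reqs: List[Requirement],
                      probe: Callable[[str, int], bool] = tcp_open) -> List[Tuple[Requirement, bool]]:
    """Probe every requirement; returns (requirement, reachable) pairs."""
    return [(req, probe(req[1], req[2])) for req in reqs]


def missing(results: List[Tuple[Requirement, bool]]) -> List[str]:
    """Human-readable list of connections that could not be opened."""
    return ["%s: %s:%d" % (desc, host, port) for (desc, host, port), ok in results if not ok]


if __name__ == "__main__":
    # Constructed host names; replace with the servers registered in the Management Center.
    for role in ("client", "management_center"):
        res = check_connections(requirements(role, "sgnsrv.example.com", "sqlsrv.example.com", use_ssl=True))
        print(role, "missing:", missing(res) or "none")
```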
41. Tutorials are an ideal way to learn about SafeGuard Enterprise. You can find them on the product CD under Tutorials. They describe how SafeGuard Enterprise is installed and how to use the SafeGuard Management Center.
2 SafeGuard Enterprise components
In this chapter you will learn about the SafeGuard Enterprise components and how the individual components work with each other. SafeGuard Enterprise can be administered centrally or run in standalone mode.
2.1 SafeGuard Enterprise with central management
One or several Microsoft SQL databases store information about the user PCs on the company network. The administrator, known in SafeGuard Enterprise as the Master Security Officer (MSO), uses the SafeGuard Management Center to manage the database contents and to create new security instructions (policies). The users' PCs (notebooks) read the policies from the database and report successful execution back to the database. The communication between the database and the user PCs goes through an Internet Information Services (IIS) based web server on which the SafeGuard Enterprise Server is installed.
[Figure: SafeGuard Enterprise components: Microsoft Active Directory (optional); SafeGuard Management Center (Administrator/MSO); SafeGuard Enter
42. SafeGuard Management Center (Administrator/MSO); SafeGuard Enterprise Database (Microsoft SQL Server); Web Server (MS Internet Information Services, IIS) running the SafeGuard Enterprise Server; User PC running the SafeGuard Enterprise Client]
Available installation packages for SafeGuard Enterprise Clients
The following table shows the available installation packages for the Enterprise Client and states how the configuration package needs to be created.
Package: SGNClient.msi
Description: For native SafeGuard Enterprise Clients and for Enterprise Clients with BitLocker support. Contains SafeGuard Enterprise Device Encryption (volume-based encryption with Power-on Authentication) and SafeGuard Data Exchange (easy data exchange with removable media on all platforms without re-encryption; file-based encryption).
Package: SGNClient_withoutDE.msi
Description: Not available for SafeGuard Enterprise Clients with BitLocker support. Contains SafeGuard Data Exchange (easy data exchange with removable media on all platforms without re-encryption; file-based encryption) without Power-on Authentication.
Package: SGN_CP_PortProtectorClient.msi
Description: For native SafeGuard Enterprise Clients and for Enterprise Clients with BitLocker support. Configuration Protection: port protection and management of peripheral devices.
Package: SGNClientRuntime.msi
Description: Runtime Client, enabling booting from a secondary boot volume when multiple operating systems ar
43. 5.5 Configuring for multiple databases (Multi Tenancy)
To configure further database configurations in order to make use of Multi Tenancy, proceed as follows.
Prerequisites: The feature Multi Tenancy must have been installed via a Custom installation. Initial configuration must have been carried out (see Carrying out initial configuration, page 35).
1. Start the SafeGuard Management Center.
2. The existing database configuration created during initial configuration is displayed in the Select Configuration dialog (buttons New, Delete, Import, Export). Select the task you would like to carry out:
- To create a further SafeGuard Enterprise Database configuration, click New.
- To work on an existing database, select it from the drop-down list and click OK.
- To import an existing database configuration from a file, click Import.
- To save a database configuration to a file, click Export.
3. Continue with the selected task.
5.5.1 Creating further database configurations
To create a further SafeGuard Enterprise Database configuration after initial configuration, proceed as follows:
1. Start the SafeGuard Management Center. The Select Configuration dialog is displayed.
2. Click New. The SafeGuard Management Center Configuration Wizard opens automatically.
3. The Wizard will
44. ase
2. Install the Linz Client configuration package on the clients to be connected to the Linz server (WS_2).
For information on updating replicated SafeGuard Enterprise databases see Updating SafeGuard Enterprise replicated databases, page 137.
9 Setting up an organizational structure
There are two ways of mapping your organization in SafeGuard Enterprise:
- by creating the company structure manually
- by importing a directory service, e.g. an Active Directory
You can use either one of these two options or a mixture of both. For example, you can import an Active Directory (AD) either partially or entirely and create other organizational units (OUs) manually. Note that in this case the organizational units created manually are not mapped in the AD. If organizational units that you have created in SafeGuard Enterprise are also to be mapped in the AD, you must add them to the AD.
[Figure: SafeGuard Enterprise components: Microsoft Active Directory (optional); SafeGuard Management Center (Administrator/MSO); SafeGuard Enterprise Database (Microsoft SQL Server); Web Server (MS Internet Information Services, IIS) running the SafeGuard Enterprise Server; User PC running the SafeGuard Enterprise Client]
9.1 Creating an organizational structure manually
If you do not want to import your organizational str
45. have to inform the SafeGuard Management Center security officer of the authentication method and the credentials.
[SQL Server Management Studio, Login - New dialog: Server SERVER\SQLEXPRESS, Connection sa.]
4. Now assign the access rights (roles) by clicking Server Roles on the left.
- To generate the SafeGuard Enterprise database, select the server role dbcreator. Once SafeGuard Enterprise has been installed, remove dbcreator again and reduce the account to the database role db_owner of the SafeGuard Enterprise database.
- If the SafeGuard Enterprise database has already been created and has been selected as the default database, select the database roles db_datareader, db_datawriter and public instead (these are assigned under User Mapping, not under Server Roles).
Do not grant sysadmin or any other server role the account does not need.
[Server Roles page lists the fixed server roles: bulkadmin, diskadmin, processadmin, securityadmin, serveradmin, setupadmin, sysadmin (and dbcreator); Server SERVER\SQLEXPRESS]
> The SQL user account and the access rights are now set up for the SafeGuard Enterprise security officer.
4.5 Generating the SafeGuard Enterprise database
After setting up the SQL user account, you need to generate t
46. 12.1 General prerequisites 103
12.2 Prerequisites for Windows Vista BitLocker 103
12.3 Restrictions 104
12.4 Tasks for centralized install 105
12.4.1 Creating an Enterprise Client configuration package 106
12.4.2 Creating a Standalone Client configuration package 109
12.5 Command for centralized install 113
12.5.1 Command options 114
12.5.2 SafeGuard Client Features (ADDLOCAL) 115
12.5.3 Sample command for volume and file based encryption 119
12.5.4 Sample command for Windows Vista with BitLocker support 120
CHAPTER 13 Setting up user PCs locally 121
13.1 Prerequisites 121
13.2 Installing SafeGuard Enterprise or Standalone Client 122
13.3 Selecting features 123
CHAPTER 14 Installing SafeGuard Enterprise Client on computers with multiple operating systems 126
14.1 Requirements and restrictions
47. component msiexec. Msiexec is already part of Windows 2000, Windows XP and Windows Vista, and it carries out a pre-configured SafeGuard Enterprise client installation automatically. As the source and the destination for the install can also be specified, you can perform a standard install on multiple user PCs.
Command line syntax:
msiexec /i <path+msi package name> /qn ADDLOCAL=ALL|<SGN Features> <SGN parameter>
The command line consists of:
- Windows Installer parameters, which e.g. log warnings and error messages to a file during the install
- SafeGuard Enterprise features which are to be installed, e.g. file-based encryption
- SafeGuard Enterprise parameters, e.g. to specify the install directory
12.5.1 Command options
You can display all available options by running msiexec.exe at the command prompt. The main options are described below.
Option /i: Specifies that this is an installation.
Option /qn: Installs with no user interaction and does not display a user interface.
Option ADDLOCAL: Lists the features that are to be installed. If the option is not specified, all features intended for a standard installation are installed. When listing the features under ADDLOCAL, note the following: separate the features only by a comma, never by a space; respect upper and lower case. If you select a feature
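The two ADDLOCAL rules above (comma separated without spaces; feature names are case sensitive) are easy to get wrong in a deployment script, and msiexec only reports the result as a failed or incomplete silent install. The following is an added example written for this manual, not Utimaco code: it builds a silent command line and rejects spacing and case mistakes before the command is issued. The feature names in KNOWN_FEATURES, the INSTALLDIR property and all paths are placeholders; take the real feature names from the ADDLOCAL table in 12.5.2.

```python
"""Build and validate a silent msiexec command line for a SafeGuard client.

Added example for this manual; it is not Utimaco code. The feature names,
the INSTALLDIR property and the paths are placeholders (assumptions).
"""
import re
from typing import Dict, Iterable, List, Optional

# Placeholder feature names (assumption); replace with the table in 12.5.2.
KNOWN_FEATURES = frozenset({"Client", "BaseEncryption", "SecureDataExchange"})


def _quote(arg: str) -> str:
    """Double-quote an argument if it contains whitespace (Windows command line)."""
    return '"%s"' % arg if re.search(r"\s", arg) else arg


def validate_features(features: Iterable[str], known=KNOWN_FEATURES) -> List[str]:
    """Return the feature list unchanged, or raise with a precise reason."""
    if isinstance(features, str):
        raise TypeError("pass features as a list; a pre-joined string hides spacing errors")
    by_lower = {k.lower(): k for k in known}
    out = []
    for f in features:
        if f == "ALL" or f in known:
            out.append(f)
            continue
        if f.strip() != f or "," in f:
            raise ValueError("feature %r contains whitespace or a comma" % f)
        if f.lower() in by_lower:
            raise ValueError("feature %r has the wrong case; msiexec needs %r" % (f, by_lower[f.lower()]))
        raise ValueError("unknown feature %r" % f)
    if "ALL" in out and len(out) > 1:
        raise ValueError("ALL cannot be combined with individual features")
    return out


def build_msiexec_command(msi_path: str, features: Optional[Iterable[str]] = None,
                          properties: Optional[Dict[str, str]] = None,
                          log_file: Optional[str] = None, known=KNOWN_FEATURES) -> str:
    """Assemble 'msiexec /i <msi> /qn ADDLOCAL=... PROP=value /L*v <log>'."""
    parts = ["msiexec", "/i", _quote(msi_path), "/qn"]
    if features is not None:
        # Comma only, never ", ": a space ends the ADDLOCAL argument and the rest
        # of the list is parsed by msiexec as a separate, invalid argument.
        parts.append("ADDLOCAL=" + ",".join(validate_features(features, known)))
    for key, value in (properties or {}).items():
        if not re.fullmatch(r"[A-Z][A-Z0-9_]*", key):
            raise ValueError("MSI property %r must be a public (upper-case) property" % key)
        parts.append("%s=%s" % (key, _quote(value)))
    if log_file:
        parts += ["/L*v", _quote(log_file)]  # standard Windows Installer verbose log switch
    return " ".join(parts)


if __name__ == "__main__":
    print(build_msiexec_command(r"\\deploy\sgn\SGNClient.msi",
                                ["Client", "BaseEncryption"],
                                {"INSTALLDIR": r"C:\Program Files\SafeGuard Enterprise"},
                                r"C:\Windows\Temp\SGNClient.log"))
```

Always pass a log file for silent installs: with /qn nothing is shown on the user PC, so the verbose log is the only place where a rejected feature name or a failed prerequisite check is recorded.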
48. configuration in order to reuse it later on, you may export it to a file. To do so, proceed as follows:
1. Start the SafeGuard Management Center. The Select Configuration dialog is displayed.
2. Click Export.
3. To secure the configuration file, you are prompted to enter and confirm a password with which the configuration file is encrypted. Choose a strong password: the file carries the database configuration, and anyone who can decrypt it can use it. Click OK.
4. Specify a file name and storage location for the exported configuration file (SGNConfig).
5. If this configuration already exists, you are asked whether you want to overwrite the existing configuration.
> The database configuration is saved to the specified storage location.
5.5.4 Importing a configuration
To use or change a database configuration, you may import a previously created configuration into the SafeGuard Management Center. There are two ways to do so:
- via the SafeGuard Management Center (Multi Tenancy)
- by double-clicking the configuration file (Single and Multi Tenancy)
5.5.5 Importing a configuration via the SafeGuard Management Center
1. Start the SafeGuard Management Center. The Select Configuration dialog is displayed.
2. Click Import, locate the required configuration file and click Open.
3. Enter the password for the configuration file defined during the expo
activated. Configuration Protection: Configuration Protection activated. Further steps are required for installing this module, see Installing SafeGuard Configuration Protection, page 129. This feature cannot be installed for Standalone Clients.

Client features for Windows Vista with BitLocker support

The picture shows the selection of features for the SGNClient.msi installation package. For Standalone Clients, BitLocker Support and Configuration Protection cannot be installed. (Feature tree shown: Client > Data Exchange; Device Encryption > BitLocker Support, Base Encryption; Configuration Protection.)

- SafeGuard Data Exchange with file based encryption: Data Exchange activated.
- Volume based encryption based on BitLocker: Device Encryption > BitLocker Support activated; Device Encryption > Base Encryption deactivated.
- Configuration Protection: Configuration Protection activated. Further steps are required for installing this module, see Installing SafeGuard Configuration Protection, page 129.

CHAPTER 14 Installing SafeGuard Enterprise Client on computers with multiple operating systems

14.1 Installing SafeGuard Enterprise Client on computers with multiple operating systems

SafeGuard Enterprise Client can be installed on a computer to protect its data even if several operating systems are installed on se
d Enterprise database is to run on; the name of the SafeGuard Enterprise database, if it has already been created.

5.4 Carrying out initial configuration

To start the Configuration Wizard for the initial configuration of the SafeGuard Management Center, proceed as follows.

HINT: You need to carry out the following steps for Single Tenancy as well as for Multi Tenancy configurations.

1 Start the SafeGuard Management Center. The SafeGuard Management Center Configuration Wizard opens automatically and guides you through the necessary steps.
2 Select the database type: SQL Server. (Wizard page Database backend: Please select the database backend to be used.)
3 In Database Connection, configure the connection to the database server. (Wizard page Database Server Connection: SafeGuard Management Center requires a connection to an MS SQL database server. Connection settings: select from the drop down list or enter the server name, server alias or IP address, or servername\INSTANCE_name or IP address\INSTANCE_name. If the server name is an alias, uncheck Ping the server. Options: Database Server, Use SSL, Ping the server.) Activate Use SSL so that the connection to the database server is encrypted. Authentication: Use Windows NT Authentication / Use SQL
dalone

To install SafeGuard Enterprise Standalone with local management via the SafeGuard Policy Editor, follow these installation steps:

Step | Description | Installation package / configuration | Chapter
1 Preparatory measures | Preparations on the client computer and on the computer on which SafeGuard Policy Editor will be installed (reference computer) | - | 3.1
2 Set up SafeGuard Policy Editor | Install SafeGuard Policy Editor on the reference computer. If no SQL database server is available yet, it will be installed automatically. | SGNPolicyEditor.msi | 9.2
3 Basic configuration of SafeGuard Policy Editor | Configure the database connection, create the Security Officer, create default policies, create the default configuration package with default policies for Standalone Clients | SafeGuard Policy Editor Configuration Wizard (basic default configuration) | 9.3
4 Set up SafeGuard Standalone Client | Install the SafeGuard Client installation package on the user PC, either with Device Encryption or without Device Encryption | SGNClient.msi, SGNClient_withoutDE.msi | 11, 12
5 Configure SafeGuard Standalone Client | Generate the Standalone Client configuration package and install it on the user PC | SGNStandaloneClientConfig.msi, generated in the SafeGuard Policy Editor Configuration Package Tool | 11.4.2

3.9 Installation s
e installed, and accessing these volumes when they are encrypted by a SafeGuard Enterprise installation on the primary volume. Available for both SafeGuard Enterprise Clients and SafeGuard Standalone Clients.
Enterprise Client Configuration Package | Created in the SafeGuard Management Center.

11.3 / 11.3.1 SafeGuard Standalone Clients

The SafeGuard Standalone Client is a variant of the SafeGuard Enterprise Client component and is never connected to the SafeGuard Enterprise Server. A SafeGuard Standalone Client is therefore not connected to the central management of SafeGuard Enterprise, i.e. it operates in standalone mode. The most significant difference from a SafeGuard Enterprise Client is that a SafeGuard Standalone Client receives SafeGuard Enterprise policies only via a configuration package; it never receives policies via a connection to the SafeGuard Enterprise Server. Standalone Clients are managed locally.

Policy groups and configuration packages need to be created depending on the operating mode of SafeGuard Enterprise:
- If SafeGuard Policy Editor is used for local management of Standalone Clients, policy groups and configuration files need to be created in the SafeGuard Policy Editor.
- If SafeGuard Management Center is already in operation, Standalone Client policy groups and configuration files need to be created in the SafeGuard Management Cen
ease Notes. You should read these carefully before installing.

System requirements

Refer to the Release Notes for details of the system requirements for hardware and software, service packs, and the disk space required during the installation and for effective operation.

Specific system requirements for user PCs: Dynamic and GPT disks are not supported. In such cases the installation will be terminated. If such disks are found on the computer at a later point in time, they will not be supported.

Installation packages

You will find the SafeGuard Enterprise installation components on the product CDs in the form of .msi packages. The following .msi packages are provided:

Installation package | Description
SGNServer.msi | SafeGuard Enterprise Server
SGNManagementCenter.msi | SafeGuard Management Center for the central administration of domains, keys, policies etc.
SGNPolicyEditor.msi | SafeGuard Policy Editor for managing SafeGuard Standalone Clients
SGNClient.msi | Volume based encryption and file based encryption with SafeGuard Data Exchange, for both SafeGuard Enterprise Clients and SafeGuard Standalone Clients
SGNClient_withoutDE.msi | SafeGuard Data Exchange with file based encryption, without Power-on Authentication, for both SafeGuard Enterprise Clients and SafeGuard Standalone Clients
SGN_CP_PortProtectorClient | SafeGuard Configuration P
(IIS Manager: SGMSRV (local computer) > Web Sites > Default Web Site > SGNSRV, with aspnet_client and Web Service Extensions.) The following operations are supported (for a formal definition, review the service description): CheckConnection, CloseConnection, ExecCommand, OpenConnection.

5 Test the connection by clicking Invoke. (Test page: To test the operation using the HTTP POST protocol, click the Invoke button.)
Result: If you receive the output below, the connection test has been successful: WebService OK, DBAuth OK.

(Internet Explorer, address http://localhost/SGNSRV/Trans.asmx/CheckConnection)
<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://utimaco.org/">
<Dataroot>
<WebService>OK</WebService>
<DBAuth>OK</DBAuth>
<
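The connection test above, scripted so it can be repeated from a deployment or monitoring script, as an added example that is not part of the manual: it POSTs to the Trans.asmx CheckConnection operation exactly as the IIS test page does and inspects the WebService and DBAuth results. The host name is an assumption; the path /SGNSRV/Trans.asmx/CheckConnection is the one shown in the screenshot. Only the System.Net.WebClient class from .NET 2.0 is used, so the script also runs on the Windows XP/2000 hosts this manual targets.

```powershell
# Added example, not from the SafeGuard manual: scripted CheckConnection test.
# Assumptions: server host name, and that the response carries the
# <WebService>/<DBAuth> elements shown in the manual's screenshot.

function Test-SgnServerConnection {
    param([string] $ServerHost = 'localhost')   # assumed host; the test page itself runs on the server

    $url = "http://$ServerHost/SGNSRV/Trans.asmx/CheckConnection"
    $wc  = New-Object System.Net.WebClient
    $wc.Headers.Add('Content-Type', 'application/x-www-form-urlencoded')
    try {
        # empty POST body: CheckConnection takes no parameters
        $raw = $wc.UploadString($url, 'POST', '')
    } catch [System.Net.WebException] {
        # IIS not running, SGNSRV virtual directory missing, proxy in the way, ...
        return @{ Reachable = $false; WebService = $null; DBAuth = $null; Detail = $_.Exception.Message }
    }

    # The result is a <string> element whose content is the XML document
    # (<Dataroot><WebService>OK</WebService><DBAuth>OK</DBAuth>...). Depending on
    # the client it may arrive entity encoded, so decode the angle brackets first.
    $decoded = $raw -replace '&lt;', '<' -replace '&gt;', '>'
    $ws = if ($decoded -match '<WebService>\s*([^<]+?)\s*</WebService>') { $Matches[1] } else { $null }
    $db = if ($decoded -match '<DBAuth>\s*([^<]+?)\s*</DBAuth>')         { $Matches[1] } else { $null }

    return @{
        Reachable  = $true
        WebService = $ws
        DBAuth     = $db
        Detail     = $decoded
    }
}

$result = Test-SgnServerConnection -ServerHost 'localhost'
if (-not $result.Reachable) {
    Write-Host "SGNSRV not reachable: $($result.Detail)"
} elseif ($result.WebService -eq 'OK' -and $result.DBAuth -eq 'OK') {
    Write-Host 'Connection test successful: WebService OK, DBAuth OK'
} else {
    # WebService OK but DBAuth not OK points at the SQL Server login for the
    # web server account rather than at IIS: check the SQL Server settings.
    Write-Host "Connection test failed: WebService=$($result.WebService) DBAuth=$($result.DBAuth)"
}
```

The manual runs the test on the server itself against localhost. If you run the script from another host, remember that the request travels as plain HTTP; it carries no credentials, but the SGNSRV virtual directory is still a service you would not want reachable from arbitrary networks.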
... 126
14.2 Preparations 127
14.3 Setting up SafeGuard Enterprise Runtime Client 127
14.4 Booting from a secondary volume via a boot manager 128
CHAPTER 15 Installing SafeGuard Configuration Protection 129
15.1 Prerequisites and Restrictions 129
15.2 Command for central installation 130
15.3 Sample command for SafeGuard Configuration Protection with SGNClient.msi 130
15.4 Sample command for SafeGuard Configuration Protection with SGNClient_withoutDE.msi 131
15.5 Local installation 132
15.6 Uninstalling SafeGuard Configuration Protection 133
CHAPTER 16 Preventing uninstallation from the user PC 134
CHAPTER 17 Updating SafeGuard Enterprise 135
17.1 Updating SafeGuard Enterprise Database 136
17.2 Updating SafeGuard Enterprise replicated databases 137
17.3 Updating SafeGuard Enterprise Server
... 70
CHAPTER 8 Replicating the SafeGuard Enterprise Database 72
8.1 Merge replication 72
8.2 Setting up database replication 72
8.2.1 Generating the master database 74
8.2.2 Generating the replication databases Graz and Linz 74
8.3 Installing and configuring SafeGuard Enterprise Server 75
8.3.1 Generating the configuration packages for the Graz database 75
8.3.2 Generating the configuration packages for the Linz database 76
8.3.3 Installing the server configuration packages 76
8.4 Installing and configuring SafeGuard Enterprise Client 76
CHAPTER 9 Setting up an organizational structure 78
9.1 Creating an organizational structure manually 79
9.2 Importing an organizational structure 81
CHAPTER 10 Setting up SafeGuard Policy Editor 85
10.1 Prerequisites 86
10.2 Installing SafeGuard Policy Edito
een updated to the latest version.
- There must be a SafeGuard Enterprise Server 5.30 or higher installed. Versions below 5.30 must be uninstalled.
- You need Windows administrator rights.
- ASP.NET must be upgraded to version 2.0.

Updating the Server

Reinstall the server, see Installing SafeGuard Enterprise Server, page 60. After a successful update the server is restarted automatically and is ready to operate again.

17.4 Updating SafeGuard Enterprise Management Center

Prerequisites
- SafeGuard Management Center 5.30 or higher must be installed. Versions below 5.30 must be uninstalled.
- The SafeGuard Enterprise database and SafeGuard Enterprise Server have already been updated to the latest version.
- .NET Framework 3.0 Service Pack 1 must be installed for successfully updating to the latest version.
- ASP.NET must be converted to version 2.0.
- You need Windows administrator rights.
- You need a valid licence file. Please contact your sales partner in advance to request it.

Updating the Management Center
1 Reinstall the Management Center, see Setting up SafeGuard Management Center, page 30, with the required features.
2 Import the license file.
3 Start the SafeGuard Management Center. The behavior when starting the SafeGuard Management Center for the first time after the update depends on whether the feature Multi Tenancy has been insta
ement Center. Policies are created, grouped and combined into configuration packages in the SafeGuard Management Center. These are then distributed to the Standalone Clients via third party mechanisms such as e-mail or memory sticks. For Standalone Clients, no connection to the SafeGuard Enterprise Server is ever established at any point in time. Because these packages travel outside the management channel, make sure that user PCs install only packages that actually originate from your security officer.

The following table shows the available Client installation packages for this Standalone scenario and states how the configuration package needs to be created:

Package | Description
SGNClient.msi | SafeGuard Enterprise Device Encryption: volume based encryption with Power-on Authentication. SafeGuard Data Exchange: easy data exchange with removable media on all platforms without re-encryption; file based encryption.
SGNClient_withoutDE.msi | SafeGuard Data Exchange: easy data exchange with removable media on all platforms without re-encryption; file based encryption, without Power-on Authentication.
SGNClientRuntime.msi | Runtime Client, enabling booting from a secondary boot volume when multiple operating systems are installed, and accessing these volumes when they are encrypted by a SafeGuard Enterprise installation on the primary volume. Available for both SafeGuard Enterprise Clients and SafeGuard Standalone Clients.
Standalone Client Configuration Package | Created in the SafeGuard Management Center.

CHAPTER 12 Setting up user PCs centrall
er.msi package on the computer on which the SafeGuard Policy Editor has been set up.
1 Start SGNManagementCenter.msi from the product CD.
2 Click Next in the welcome window.
3 Accept the license agreement.
4 Select an installation path.
5 Confirm that the installation has completed successfully.
6 If necessary, restart your computer.
7 Configure the SafeGuard Management Center, see Configuring SafeGuard Management Center, page 34.
Result: The SafeGuard Policy Editor has been migrated to the SafeGuard Management Center.

18.2 Migrating Standalone Clients to Enterprise Clients

You can migrate user PCs with a SafeGuard Standalone Client configuration to a SafeGuard Enterprise Client configuration. In this way the user computers are defined in the SafeGuard Management Center as objects that can be managed and that have a connection to the SafeGuard Enterprise Server.

NOTICE: The reverse procedure, i.e. migrating a SafeGuard Enterprise Client configuration to a Standalone Client configuration, is not advisable. To do this you have to completely reinstall SafeGuard Enterprise with the Standalone configuration on the user PC.

Prerequisites
- SafeGuard Policy Editor has been migrated to SafeGuard Management Center.
- SafeGuard Standalone Client does not have to be uninstalled.
- Ensure that you back up the user computer before starting
ertificates, and the SafeGuard Policy Editor would have to be reinstalled.

Creating pre-configured default policies

You may choose to create pre-configured default SafeGuard Enterprise policies during initial configuration. They help to minimize administration effort. The default policies are written to the database and combined into a default policy group, and a default Standalone Client configuration package (.msi) is created automatically. You may distribute this package to the user computers to define them as Standalone Clients.

NOTICE: The default policies can only be created during the initial configuration of the SafeGuard Policy Editor. When the configuration is finished and you log on to the SafeGuard Policy Editor, you may change the default policies created before or create new user defined policies as required.

Default policies for SafeGuard Enterprise Standalone

A default policy group called Default Policy may be created with the following content:
- Default Device Encryption Policy: encryption of all internal hard disks; volume based encryption with the Defined Machine Key and the algorithm AES256.
- Default Data Exchange Policy: encryption of removable media; file based encryption with any key in the user's key ring and the algorithm AES 256. The user may define a passphrase for devices, and SG Portable is copied to removable media.
- Default Authe
ess: User name IUSR_SGMSRV, Password. Authenticated access: for the following authentication methods, user name and password are required when anonymous access is disabled or access is restricted using NTFS access control lists: Integrated Windows authentication; Digest authentication for Windows domain servers. (IIS Directory Security, Authentication Methods dialog.)

Proxy server settings for web server and user PC

Proxy server settings should be as follows:
1 In Internet Explorer, select Tools > Internet Options > Connections > LAN settings.
2 Deactivate Use a proxy server for your LAN.
3 If a proxy server is required, activate Bypass proxy server for local addresses.
(Dialog: Local Area Network (LAN) Settings.)

Microsoft SQL Server 2005 settings

If you are using Microsoft SQL Server 2005, you need to add the following user in Microsoft SQL Server Management Studio with the server role sysadmin: NT AUTHORITY\NETWORK SERVICE. (Screenshot: Object Explorer, SQL Server 9.0.1399, UTIMACO\Administrator, Security > Logins, NT AUTHORITY\NETWORK SERVICE.) sysadmin is the most powerful server role, so keep this instance reachable only from the SafeGuard Enterprise Server and the Management Center computers. (Object Explorer tree continues: Databases, Database Diagrams, Tables, Views, Synonyms, Programmability, Service Bro
example computername.domain.com, or the IP address of the domain controller.
b Distinguished name: the DNS name, for example DC=computername3,DC=Domain,DC=Country.
c A description for the domain (optional).
d Domain: the NetBIOS name of the domain controller.
e The type of object is displayed under Connection state, in this case Domain.
f To prevent policy inheritance, you may activate Block Policy Inheritance.
4 Confirm the details with OK.

To create a new workgroup, proceed as follows. To display it, open the SafeGuard Management Center and click Users & Computers.
1 Select Root (filter is active) in the navigation window on the left.
2 In the context menu, select New > Create new workgroup (auto registration).
3 Enter the following information under Common information:
a Full name: a name for the workgroup.
b A description for the workgroup (optional).
c The type of object is displayed under Connection state, in this case Workgroup.
d To prevent policy inheritance, you may activate Block Policy Inheritance.
4 Confirm the details with OK.
Result: The new domain/workgroup has now been created. The users and computers within this domain/workgroup are assigned to it automatically when they log on. Continue in the same way until your organizational structure has been created.

9.2 Importin
figuration steps is aimed at SQL administrators and relates to Microsoft SQL Server 2005 Express Edition.

1 Open the SQL Server Management Studio Express program. Log on to the SQL Server with your credentials. (Connect to Server dialog: Server type Database Engine; Server name; Authentication: SQL Server Authentication; Login: sa; Password.)
2 In the left hand navigation window of Microsoft SQL Server Management Studio Express, select Security > Logins. In the right hand window, right click and select New Login. (Logins shown: BUILTIN\Administrators, BUILTIN\Users, NT AUTHORITY\SYSTEM, sa, UTIMACO\SQLServer2005MSSQLUser$SERVER$SQLEXPRESS, and further entries under Server Roles, Credentials and Management.)
3 In Login - New, under General, enter the following:
- Login name: the name of the new user, e.g. SGN_SQLSERVICE.
- Select the required authentication method (recommended: SQL) and assign a password.
- Disable Enforce password policy. Note that this also switches off password expiration for this login, so choose a long, random password and keep it in a vault.
- Default Database: if a script has not yet been used to create a SafeGuard Enterprise database, select master. Later on you will h
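Steps 1 to 3 above, and the NETWORK SERVICE / sysadmin step from chapter 7, done with T-SQL over System.Data.SqlClient instead of the Management Studio dialogs, as an added example that is not part of the manual. The instance name .\SQLEXPRESS is an assumption (the local SQL Server 2005 Express instance the manual installs); SGN_SQLSERVICE is the example login name the manual uses. CHECK_POLICY = OFF reproduces "Disable Enforce password policy" and therefore also disables expiration, so the password is read interactively and should come from a generator, not a person.

```powershell
# Added example, not from the SafeGuard manual: create the SQL login for the
# SafeGuard Enterprise database and grant a server role, via ADO.NET.
# Assumptions: instance '.\SQLEXPRESS', login name 'SGN_SQLSERVICE', and that
# the account running the script may create logins (Windows authentication).

function Invoke-SgnSql {
    param([string] $Instance, [string] $Sql, [hashtable] $Parameters)
    $conn = New-Object System.Data.SqlClient.SqlConnection("Data Source=$Instance;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        foreach ($k in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue($k, $Parameters[$k]) }
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Close() }
}

function New-SgnSqlLogin {
    param(
        [string] $Instance  = '.\SQLEXPRESS',
        [string] $LoginName = 'SGN_SQLSERVICE',
        [Parameter(Mandatory = $true)] [string] $Password,
        [string] $DefaultDb = 'master',      # master until CreateDatabase.sql / the wizard has run
        [switch] $EnforcePasswordPolicy      # off by default = the manual's "Disable Enforce password policy"
    )
    $policy = if ($EnforcePasswordPolicy) { 'ON' } else { 'OFF' }
    # CREATE LOGIN takes no parameters, so the statement is built server side:
    # QUOTENAME() brackets the identifiers and REPLACE() doubles quotes in the
    # password, which keeps the caller's values out of the statement text.
    $sql = @"
DECLARE @sql nvarchar(4000);
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@login)
             + N' WITH PASSWORD = N''' + REPLACE(@pwd, N'''', N'''''') + N''', '
             + N'DEFAULT_DATABASE = ' + QUOTENAME(@db) + N', CHECK_POLICY = $policy';
    EXEC (@sql);
END
"@
    Invoke-SgnSql -Instance $Instance -Sql $sql -Parameters @{ '@login' = $LoginName; '@pwd' = $Password; '@db' = $DefaultDb }
}

function Add-SgnServerRoleMember {
    # Chapter 7: the web server's account needs the sysadmin role on SQL Server 2005.
    param(
        [string] $Instance  = '.\SQLEXPRESS',
        [string] $LoginName = 'NT AUTHORITY\NETWORK SERVICE',
        [string] $Role      = 'sysadmin'
    )
    $sql = @"
DECLARE @sql nvarchar(4000);
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@login) + N' FROM WINDOWS';
    EXEC (@sql);
END
EXEC sp_addsrvrolemember @loginame = @login, @rolename = @role;
"@
    Invoke-SgnSql -Instance $Instance -Sql $sql -Parameters @{ '@login' = $LoginName; '@role' = $Role }
}

# The password is prompted, never hard coded in the script.
$secure = Read-Host -AsSecureString 'Password for the SGN SQL login'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

New-SgnSqlLogin -Instance '.\SQLEXPRESS' -LoginName 'SGN_SQLSERVICE' -Password $plain
Add-SgnServerRoleMember -Instance '.\SQLEXPRESS'     # NT AUTHORITY\NETWORK SERVICE -> sysadmin
```

Both functions are idempotent (the login is created only if it does not exist yet), so they can be re-run after a failed setup. sysadmin is the widest role the server has; the manual requires it for the account the SafeGuard Enterprise Server runs under, which is one more reason to keep the instance off networks other than the SafeGuard servers' own.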
g an organizational structure

You have the option of importing an existing organizational structure into the SafeGuard Enterprise database, e.g. via an Active Directory.
1 Start the SafeGuard Management Center.
2 Select Tools > Options > Directory Login and click Add. (Options tabs: General, Key, Database Connection, Company Cert, Directory Login.) The LDAP Authentication dialog appears. (Dialog: Server information: Active Directory via LDAP / Windows single computer / Novell Directory; Server name or IP; Distinguished name; Port (389); SSL logon. User credentials: User name, Password.)
b For Server name or IP, enter the NetBIOS name of the domain controller or its IP address.
c For User name and Password, enter your Windows credentials. Activate SSL logon where the directory server supports it: with a plain LDAP simple bind, the Windows password you enter here crosses the network unencrypted.
HINT: Windows single computer: a directory must be shared on the PC to enable a connection via LDAP. When synchronizing users and their group memberships, membership of a primary group is not synchronized, as it is not visible for the group.
3 Confirm with OK.
4 Click Users & Computers.
5 In the left hand navigation window, click the root directory (Root, filter is active).
6 Select Synchronize. (Users & Computers view: File, Edit, View, GoTo, Actions, Tools, Help; Root, Filter is active.)
ge database (www.utimaco.com/myutimaco, search for migration & SGE & SGN).

To install SafeGuard Enterprise on the user PC that is to be migrated, you need the SGNClient.msi package from the product CD. The client package SGNClient_withoutDE.msi cannot be used. The installation can be carried out on a running SafeGuard Easy system. No decryption of encrypted hard drives or volumes is necessary.

The following will be migrated:
- The keys and algorithms will be stored in the SafeGuard Enterprise system core. Encrypted hard disks are automatically migrated to encrypted SafeGuard Enterprise volumes.
- After migration you need to actively confirm the migration of encrypted data on removable media.

NOTICE: For a successful migration, the installation should preferably be performed centrally in unattended mode. Installation via the setup folder is not recommended.

Proceed as follows:
1 Create a new migration configuration file by using WIZLDR.exe on any of the SafeGuard Easy Clients.
2 Rename this migration file from SGEMIG.cfg to SGE2SGN.cfg.
3 Use the msiexec command parameter MIGFILE and add the path to the configuration file SGE2SGN.cfg, for example MIGFILE=\\Distributionserver\Software\Utimaco\SGN\SGE2SGN.cfg
4 Use the msiexec command to install the SafeGuard Enterprise installation and configuration packa
ge on the SafeGuard Easy Clients.

EXAMPLE:
msiexec /i \\Distributionserver\Software\Utimaco\SGN\SGNClient.msi /L*VX \\Distributionserver\Software\Utimaco\SGN\Computername.log MIGFILE=\\Distributionserver\Software\Utimaco\SGN\SGE2SGN.cfg

Result: If the migration is successful, SafeGuard Enterprise can be used on the computer.
Result: If the migration fails, SafeGuard Easy can still be used on the computer. In such cases SafeGuard Enterprise is removed automatically.

19.6 After the migration

After a successful migration, the following is available in SafeGuard Enterprise after logging on at the Power-on Authentication:
- the keys and algorithms of encrypted volumes
- the keys and algorithms for encrypted removable media

Encrypted volumes remain encrypted, and the encryption keys are automatically converted to a SafeGuard Enterprise compatible format. Encrypted removable media remain encrypted as well, but their keys have to be converted to a format that is compatible with SafeGuard Enterprise.

NOTICE: To be able to decrypt the hard disk or add and remove keys for hard disk encryption, the user first needs to restart the computer. To be able to decrypt removable media or add and remove keys for removable media encryption, the user first needs to detach the media from the computer and reinsert it.

Removable media migra
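The two msiexec command lines this manual gives, the general ADDLOCAL syntax of section 12.5 and the migration EXAMPLE above, wrapped in one script, as an added example that is not part of the manual: the argument list is built once, the ADDLOCAL rules (comma separated, no spaces, case sensitive) are enforced before msiexec sees them, and the Windows Installer exit code is checked so a failed migration is noticed rather than silently leaving SafeGuard Easy in place. The distribution share is the one from the manual's example; the feature names 'Client' and 'DataExchange' are placeholders, not verified feature IDs of the package.

```powershell
# Added example, not from the SafeGuard manual: unattended SGNClient.msi
# installation via msiexec, for a standard ADDLOCAL install and for the
# SafeGuard Easy migration with MIGFILE. Share and feature names are assumptions.

function New-SgnMsiArgumentList {
    param(
        [Parameter(Mandatory = $true)] [string] $MsiPath,
        [string]   $LogPath,
        [string[]] $Features,   # empty = no ADDLOCAL = the package's standard feature set
        [string]   $MigFile     # only for a SafeGuard Easy migration
    )
    # /i = installation, /qn = no UI (the manual's two main options)
    $argList = @('/i', "`"$MsiPath`"", '/qn')
    if ($LogPath) { $argList += @('/L*VX', "`"$LogPath`"") }   # verbose log with extra debug info
    if ($Features) {
        foreach ($f in $Features) {
            # ADDLOCAL names are case sensitive and a space would end the argument
            if ($f -match '\s') { throw "Feature name '$f' contains whitespace" }
        }
        $argList += ('ADDLOCAL=' + ($Features -join ','))      # comma separated, no spaces
    }
    if ($MigFile) { $argList += "MIGFILE=`"$MigFile`"" }
    return $argList
}

function Invoke-SgnMsi {
    param([string[]] $ArgumentList)
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $ArgumentList -Wait -PassThru
    # Standard Windows Installer return codes
    switch ($proc.ExitCode) {
        0       { return 'installed' }
        3010    { return 'installed, restart required' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { return 'installed, restart initiated' }  # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec exited with $($proc.ExitCode); see the log file" }
    }
}

$share = '\\Distributionserver\Software\Utimaco\SGN'      # assumed share, as in the manual's example
$log   = "$share\$env:COMPUTERNAME.log"                  # one log per computer, as in the example

# Scenario 1: standard centrally managed client with an explicit feature list.
# 'Client' and 'DataExchange' are placeholder feature IDs, not taken from the package.
$stdArgs = New-SgnMsiArgumentList -MsiPath "$share\SGNClient.msi" -LogPath $log -Features @('Client', 'DataExchange')

# Scenario 2: SafeGuard Easy migration, same package plus MIGFILE and no ADDLOCAL.
# If the migration fails, msiexec returns non-zero; per the manual SafeGuard
# Enterprise then removes itself and SafeGuard Easy stays usable.
$migArgs = New-SgnMsiArgumentList -MsiPath "$share\SGNClient.msi" -LogPath $log -MigFile "$share\SGE2SGN.cfg"

# Run exactly one of the two on a given computer:
Invoke-SgnMsi -ArgumentList $stdArgs
# Invoke-SgnMsi -ArgumentList $migArgs
```

A verbose log written with /L*VX records the installer's property values, including those passed on the command line, and every client writes into the same share; restrict that share so clients can create their own log but not read each other's, and keep SGE2SGN.cfg there read-only.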
gement Center does not necessarily need to be installed on one computer only. It can be installed on any computer on the network from which the databases can be accessed.

SafeGuard Enterprise manages the access rights to the Management Center in its own certificate directory. This directory must contain the certificates of all security officers authorized to log on to the Management Center. Logging on to the Management Center then only requires the password to the certificate store.

The following steps relate to the configuration of a second Management Center installation:
1 Install SGNManagementCenter.msi on a further computer with the required features.
2 Open the SafeGuard Management Center. The Configuration Wizard is started.
3 Select the database to which this Management Center instance is to be connected.
4 The SafeGuard Management Center Authentication dialog is displayed. Select an authorized person from the drop down list. If Multi Tenancy is enabled, the Authentication dialog shows which configuration the user is going to log on to.
5 Now enter the password for the certificate store.
NOTICE: After entering this password, a certificate store is created for the current user account and is protected by this password. You require only this password for any subsequent logon. Since this password is all that protects the security officer's private key on this computer, choose it with the same care as the officer's own logon password.
6 Click OK. You will see a message that the certificate and private key
h disks are found on the computer at a later point in time, they will not be supported.

Restrictions for initial encryption of SafeGuard Enterprise Clients

Initial configuration of SafeGuard Enterprise Clients may involve the creation of encryption policies that are distributed inside a configuration package to the SafeGuard Enterprise Clients. However, when the SafeGuard Enterprise Client is not connected to a SafeGuard Enterprise Server immediately after the configuration package is installed, but is temporarily offline, only encryption policies with the following specific settings become active immediately on the Enterprise Client: device protection of type volume based, using the Defined Machine Key as the encryption key. For all other policies involving encryption with user defined keys to become active on the Enterprise Client, the respective configuration package has to be reassigned to the Enterprise Client's OU as well. The user defined keys are then only created after the Enterprise Client is connected to the SafeGuard Enterprise Server again. The reason is that the Defined Machine Key is created directly on the SafeGuard Enterprise Client at the first restart after installation, whereas the user defined keys can only be created on the SafeGuard Enterprise Client after it has been registered at the SafeGuard Enterprise Server.

Restrictions for SafeGuard Standalone Clients
- The following modules are not supported for SafeGuard S
has been put onto the hard disk using a software cloning tool, we recommend that the MBR be rewritten. The installation process of SafeGuard Enterprise captures and stores the original hard disk MBR for later use in starting your computer; we therefore recommend a clean, unique MBR for each installation of your Windows operating system. Image cloning tools may leave the master boot record in a non-clean state, so clean it up using Microsoft tools or by restarting the system from diskette, CD or DVD. We recommend an MBR that matches the operating system on the hard disk: run FIXMBR from the Windows CD (Recovery Console).
- If the boot partition has been converted from FAT to NTFS but the system has not yet been restarted, you should not install SafeGuard Enterprise. In this case the installation may not complete, because the file system was still FAT at the time of installation while NTFS was found when it was activated. Reboot the computer once before SafeGuard Enterprise is installed.

New functionality is regularly being added to SafeGuard Enterprise, as it is upgradable software. Your version may therefore include new functionality that we were unable to include in the manual or the online help before the editorial deadline. Such modifications are described in the Rel
he Trans page shows CheckConnection, the connection to the SafeGuard Enterprise Server has been established.

Prerequisites for Windows Vista BitLocker

If you wish to use SafeGuard Enterprise to manage BitLocker user computers, you need to do the following preparation on the user PC:
- Windows Vista Enterprise or Ultimate must be installed on the user PC.
- There must be a second, NTFS formatted partition for the BitLocker system volume with at least 1.5 GB. Microsoft provides a BitLocker partitioning tool.
- BitLocker must be installed and activated.
- If a TPM is to be used for authentication, the TPM must be initialized, owned and activated.
- If you wish to install SafeGuard Enterprise volume based encryption, make sure that no volumes have yet been encrypted with BitLocker. Otherwise the system may be harmed.

If you need more information, contact Microsoft Support. You will also find information on these websites:
- Information about the preparation and about BitLocker: http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true
- BitLocker FAQ: http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true

12.3 Restrictions

General restrictions

Dynamic and GPT disks are not supported. In such cases the installation will be terminated. If suc
he SafeGuard Enterprise database. There are two ways to do so:
- via the SafeGuard Management Center Configuration Wizard. This procedure requires that the SafeGuard Management Center is already installed, see Installing SafeGuard Management Center, page 32.
- via an SQL script that you can find on the product CD. This procedure is often preferred if extended SQL permissions during SafeGuard Management Center configuration are not desirable.

Which method should be applied depends on your enterprise environment; it is best clarified between the SQL administrator and the SafeGuard Enterprise security officer.

Generating the SafeGuard Enterprise Database via the SafeGuard Management Center

As a security officer, you can easily generate the SafeGuard Enterprise database after installation of the SafeGuard Management Center. The SafeGuard Management Center Configuration Wizard takes you through the basic configuration, which also includes database creation, see Configuring SafeGuard Management Center, page 34.

Generating the SafeGuard Enterprise Database with a script

If extended SQL permissions during database creation in the Management Center are not desirable, you can also generate the SafeGuard Enterprise database with a script. Two scripts are provided in the tools folder of the product CD for this purpose:
- CreateDatabase.sql
- CreateTables.sql

The description of the steps below is aimed at SQL administrators and relates to Microsoft SQL Server 2005 E
73. ials on hand. Where necessary, you can obtain this information from your SQL administrator.

Starting the configuration wizard
Start the SafeGuard Policy Editor. The configuration wizard opens. A dialog appears in which you can fully configure the SafeGuard Policy Editor. This includes:
- Setting up the SQL database
- Specifying a password for the security officer
- Creating a certificate store
- Creating pre-configured default policies
- Creating a default Standalone Client configuration package
[Screenshot: SafeGuard Policy Editor configuration dialog, certificate store path C:\MyCompanyCertificates]

CHAPTER 10 Setting up SafeGuard Policy Editor, 10.3.1 Setting up the SQL database
Select the database you want to use for data storage. All SQL databases that are found locally and on the network are available for selection.
1. To select the required database, click Change.
2. In Database Connections, make the following selections:
   a. Click the arrow and select the required Database Server from the list.
   b. The relevant SQL authentication data will now be displayed. Correct them if necessary.
   c. Activate Use SSL to secure the connection to this database server with SSL.
NOTICE: Use SQL authentication for computers that are not part of a domain; otherwise use Windows authentication. This, however, requires additional configuration. Using SQL authentication guarantees that the SafeGuard Policy Editor can easily be upgr
74. icies for the Standalone Clients. A set of default policies as well as a default configuration package for Standalone Clients may be created on the reference computer during initial configuration. The SafeGuard Policy Editor communicates with the database.
- SafeGuard Standalone Client: client software for authentication and data encryption on user PCs (standalone computers).

CHAPTER 3 Preparing for installation, 3.1 Preparing for installation
This chapter explains the prerequisites for installing SafeGuard Enterprise successfully.

First steps before installing
To use SafeGuard Enterprise as effectively as possible, you need to do various preparatory jobs prior to installation.

General preparations
- Prior to installing SafeGuard Enterprise, create a full backup of your data.
- The hard disk partitions should be fully formatted and a drive letter should be assigned.
- Switch off any active virus scanners for the duration of the install/uninstall.
- Ensure that there is enough free hard disk space. Information about this may be found in the Release Notes.

Preparations for user PCs
- Check the hard disk(s) for errors: run chkdsk. You will find further information on this subject in the knowledge base at http://www.utimaco.com/myutimaco. Use the knowledge base search function to look for keywords such as "file system" and "NTFS".
- Uninstall third-party boot managers.
- If data
75. icrosoft. If further settings are enabled which are not recommended by Microsoft or as explained in this chapter, this might lead to unwelcome results.
HINT: You will find detailed information on web server hardening in "Microsoft Solutions for Security and Compliance: Windows Server 2003 Security Guide", which can be downloaded for free from the Microsoft website.

The explanations in this chapter are based on the following sample configuration:
- Server 1: Microsoft Windows Server 2003 SP1, SafeGuard Enterprise Server (latest version), SafeGuard Enterprise Management Center (latest version), Microsoft SQL Server 2005 Express, IIS with minimal components.
- Server 2: Microsoft Windows Server 2003 SP2, SafeGuard Enterprise Server (latest version), Microsoft SQL Server 2005 Express, IIS with minimal components. Server 2 only runs the SafeGuard Enterprise Server (IIS server). If Server 2 is additionally in use, the services enabled for Server 1 will be automatically disabled.
- Client: SafeGuard Enterprise Client, SafeGuard Enterprise Management Center (latest version).

CHAPTER 6 Setting up SafeGuard Enterprise Server
Installing only necessary IIS components
Ensure that only essential and necessary IIS components are installed, as this reduces the chance that the IIS server might be attacked. Disable all unnecessary settings. The minimal component set of the IIS server to run with SafeGuard Enterprise Server is
76. ill be displayed in the selected language.

Setup language
The language of the installation and configuration wizards will be matched automatically to the language preferences of the computer's operating system. English, German, French and Japanese are supported for the installation and configuration wizards. For example, if the language of the operating system is English, the installation wizard will be displayed in English as well.

CHAPTER 3 Preparing for installation, 3.5 Interaction with other SafeGuard products
3.5.1 Interaction with SafeGuard LAN Crypt
Note the following:
- SafeGuard LAN Crypt 3.7x and SafeGuard Enterprise 5.4x can coexist on the same computer and are fully compatible.
- SafeGuard LAN Crypt with versions below 3.7x and SafeGuard Enterprise 5.4x cannot coexist on one computer. If you are trying to install SafeGuard Enterprise 5.4x on a computer with an already installed SafeGuard LAN Crypt of version 3.6x or below, the setup will be cancelled and a respective error message will be displayed.
- SafeGuard LAN Crypt 3.7x and SafeGuard Enterprise with a version below 5.35.4 cannot coexist on one computer. If you are trying to install SafeGuard LAN Crypt 3.7x on a computer with an already installed SafeGuard Enterprise of a version below 5.35.4, the setup will be cancelled and a respective error message will be displayed.
3.5.2 Interaction with SafeGuard PrivateCrypto and SafeGuard Private Disk
77. ion package. Make sure to select the correct server the Linz clients are to be connected to. In the example this is WS_2.
4. Once you have created the client and server configuration packages, link the SafeGuard Management Center with the Vienna database again.

Installing the server configuration packages
To install the server configuration packages on the web servers, proceed as follows:
1. Install the server configuration package ws_1.msi on web server WS_1, which is to communicate with the Graz database.
2. Install the server configuration package ws_2.msi on web server WS_2, which is to communicate with the Linz database.
> If communication between the SafeGuard Enterprise Server and these databases is running correctly, you can then install the SafeGuard Enterprise Clients.

Installing and configuring SafeGuard Enterprise Client
You install the SafeGuard Enterprise Clients in the same way as for SafeGuard Enterprise without replication. For details, see Setting up user PCs centrally (page 102) or Setting up user PCs locally (page 121). For the correct configuration, make sure to install the correct client configuration package after you have installed each SafeGuard Enterprise Client. According to the example, proceed as follows:
1. Install the Graz Client configuration package on the clients to be connected to the Graz server WS_1.
CHAPTER 8 Replicating the SafeGuard Enterprise Datab
78. ion packages for this Standalone scenario and states how the configuration package needs to be created.

Package: SGNClient.msi
Description: SafeGuard Enterprise Device Encryption (volume-based encryption with Power-on Authentication); SafeGuard Data Exchange (easy data exchange with removable media on all platforms without re-encryption; file-based encryption).

Package: SGNClient_withoutDE.msi
Description: SafeGuard Data Exchange (easy data exchange with removable media on all platforms without re-encryption; file-based encryption) without Power-on Authentication.

Package: SGNClientRuntime.msi
Description: Runtime Client, enabling booting from a secondary boot volume when multiple operating systems are installed, and accessing these volumes when they are encrypted by a SafeGuard Enterprise installation on the primary volume. Available for both SafeGuard Enterprise Clients and SafeGuard Standalone Clients.

Package: Standalone Client Configuration Package
Description: Created in the SafeGuard Policy Editor.

CHAPTER 11 SafeGuard Client Configurations, 11.3.3 Standalone Clients managed via SafeGuard Management Center
If the SafeGuard Management Center is already in operation (e.g. to manage SafeGuard Enterprise Clients) and Standalone Clients are to be used additionally, the SafeGuard Management Center may also be used to manage these Standalone Clients. The required Standalone Client configuration package is then created in the SafeGuard Manag
79. ise Client configuration package is run.
EXAMPLE:
msiexec /i F:\SGNClient.msi /qn /log I:\Temp\SGNClient.log ADDLOCAL=Client,Authentication,SecureDataExchange,BaseEncryption,SectorBasedEncryption Installdir="C:\Program Files\Utimaco\SafeGuard Enterprise"
msiexec /i F:\SGNEnterpriseClientConfig.msi /qn /log I:\Temp\SGNEnterpriseClientConfig.log

CHAPTER 12 Setting up user PCs centrally, 12.5.4 Sample command for Windows Vista with BitLocker support
The sample command runs the following:
- Users will log on to their PCs using the Windows Vista Credential Provider.
- SafeGuard Data Exchange with file-based encryption is installed by specifying SecureDataExchange.
- SafeGuard Enterprise BitLocker support with BitLocker volume-based encryption is installed.
- A log file is created.
- The SafeGuard Enterprise client configuration package is then run.
HINT: When installing SafeGuard Enterprise with BitLocker, ensure that only BitLocker volume encryption is run. Do not add SafeGuard Enterprise's volume-based encryption to the command line.
EXAMPLE:
msiexec /i F:\SGNClient.msi /qn /log I:\Temp\SGNClient.log ADDLOCAL=Client,Authentication,CredentialProvider,SecureDataExchange,BaseEncryption,BitLockerSupport Installdir="C:\Program Files\Utimaco\SafeGuard Enterprise"
msiexec /i F:\SGNClientConfig.msi /qn /log I:\Temp\SGNEnterpriseClientConfig.log
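The two msiexec calls above are normally wrapped in a deployment script. The following PowerShell script is an added example and is not part of the SafeGuard manual or the product: it runs the client package and then the configuration package, refuses the feature combination the HINT warns about (SectorBasedEncryption together with BitLockerSupport), and stops on any Windows Installer exit code other than 0 or 3010. The package paths, log folder and feature names are taken from the manual's sample commands and are assumptions for your environment.

```powershell
# Added example, not from the SafeGuard manual. Assumed values: package locations,
# log folder and the ADDLOCAL feature names shown in the manual's sample command lines.
$ClientMsi = 'F:\SGNClient.msi'
$ConfigMsi = 'F:\SGNEnterpriseClientConfig.msi'
$LogDir    = 'I:\Temp'
$Features  = @('Client', 'Authentication', 'CredentialProvider',
               'SecureDataExchange', 'BaseEncryption', 'BitLockerSupport')

# The manual's HINT: BitLocker support and SafeGuard's own volume-based
# encryption (SectorBasedEncryption) must never be installed together.
if (($Features -contains 'SectorBasedEncryption') -and ($Features -contains 'BitLockerSupport')) {
    throw 'ADDLOCAL must not contain both SectorBasedEncryption and BitLockerSupport.'
}

function Invoke-Msi {
    param([string]$Package, [string]$Log, [string[]]$ExtraArgs = @())
    # /qn = no UI, /log = verbose log file; ExtraArgs carries the public properties.
    $argList = @('/i', "`"$Package`"", '/qn', '/log', "`"$Log`"") + $ExtraArgs
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
    # Standard Windows Installer codes: 0 = success, 3010 = success, reboot required.
    if (($p.ExitCode -ne 0) -and ($p.ExitCode -ne 3010)) {
        throw "msiexec failed for $Package with exit code $($p.ExitCode); see $Log"
    }
    return $p.ExitCode
}

$rc1 = Invoke-Msi -Package $ClientMsi -Log "$LogDir\SGNClient.log" -ExtraArgs @(
    "ADDLOCAL=$($Features -join ',')",
    'Installdir="C:\Program Files\Utimaco\SafeGuard Enterprise"'
)
# The configuration package is run only after the client itself installed successfully.
$rc2 = Invoke-Msi -Package $ConfigMsi -Log "$LogDir\SGNEnterpriseClientConfig.log"

if (($rc1 -eq 3010) -or ($rc2 -eq 3010)) {
    Write-Host 'SafeGuard Enterprise Client installed; a reboot is required.'
}
```

The feature check is deliberately placed before the first msiexec call: once SGNClient.msi has been installed with the wrong feature set, the manual's warning about harming the system already applies, so the script fails early rather than after the fact.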
80. [Screenshot: SQL Server Management Studio object tree, Security > Logins, showing BUILTIN\Administrators, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM and UTIMACO\Administrator]

Microsoft SQL Server 2000 settings
If using Microsoft SQL Server 2000, you need to enter the machine account under Logins, e.g. Domain\WebservicePC.
[Screenshot: SQL Server Enterprise Manager, Console Root > Microsoft SQL Servers > SQL Server Group > (local) (Windows NT) > Security > Logins]

CHAPTER 7 Testing communication, 7.2 Performing connection test
1. On the SafeGuard Enterprise Server, open the Internet Information Services (IIS) Manager.
2. In IIS Manager, click Server (local computer) > Web Sites > Default Web Site.
3. Right-click the server you want and then Browse.
[Screenshot: IIS Manager, SGNSRV (local computer) > Web Sites > Default Web Site, showing global.asax, trans.asmx, web.config and the bin folder; context menu with Explore, Open, Permissions, Browse]
4. Click the Check Connection link.
5. [Screenshot: Internet Information Services (IIS) Manager window]
81. licts can occur when updates are merged. Merge replication includes default and custom choices for conflict resolution that you can define as you configure a merge publication. When a conflict occurs, a resolver is invoked by the Merge Agent and determines which data will be accepted and propagated to other sites.

Setting up database replication
Setting up a replication for the SafeGuard Enterprise database is described by means of an example based on Microsoft SQL Server 2005. In the example, SafeGuard Enterprise is administered exclusively from the database in Vienna. Any changes are passed on by the SafeGuard Management Center to the databases in Graz and Linz by way of the replication mechanism in Microsoft SQL Server 2005. Changes reported by the client computers via the web servers are also passed on to the Microsoft SQL Server 2005 by way of the replication mechanism.
[Figure: replication topology. The SGN Management Center works on the Vienna master database; merge replication copies changes to the Graz and Linz databases. Web service WS_1 is connected to the Graz database and web service WS_2 to the Linz database; each web service serves its own clients (SGN Client_1 to SGN Client_n).]

CHAPTER 8 Replicating the SafeGuard Enterprise Database, 8.2.1 Generating the master database
Set up the SafeGuard Enterprise master database first. In the example this is the Vienna database. The procedu
82. lled with the update.
- Multi Tenancy has not been installed: you are prompted to enter the security officer credentials.
- Multi Tenancy has been installed: the SafeGuard Management Center Configuration Wizard will be started and prompt you to select which database is to be used. The wizard will already preselect a previously used database. Select the required database and finish the wizard.
HINT:
- If Multi Tenancy is installed with the update, the SafeGuard Management Center Configuration Wizard will be started at the first start after the update. The wizard will already preselect a previously used database.
- If Multi Tenancy is uninstalled, the last used configuration will be used in the SafeGuard Management Center. After reinstallation of the Multi Tenancy feature, this configuration will be preselected.
Please note that existing SafeGuard Enterprise policies might have been modified, as the policy structure has changed from SafeGuard Enterprise version 5.30 upwards.

CHAPTER 17 Updating SafeGuard Enterprise, 17.5 Updating SafeGuard Enterprise Client
SafeGuard Enterprise Server and Management Center version 5.40 will be able to manage SafeGuard Enterprise Clients version 5.30 or higher.
Prerequisites:
- There must be a SafeGuard Enterprise Client version 5.30 or higher installed. Versions below 5.30 must be uninstalled.
- The SafeGuard Enterprise database, the SafeGuard Enterprise Server and the SafeGuard Management
83. n. Merely a new configuration package needs to be created and deployed to the respective server or client. However, prior to activating SSL in SafeGuard Enterprise, a working SSL environment needs to be set up.

NOTICE: General security measures
The computers on which SafeGuard Enterprise Server, the database and the Management Center are running should be protected against unauthorized local attack. The following are a few practical measures that can be taken:
- Only use trusted administrators, or apply the two-person rule.
- Protect against electronic attacks: firewalls, secure configuration, virus scanner, regular updates, robust passwords, etc.
- Protect against physical access, e.g. secure rooms.

CHAPTER 3 Preparing for installation, 3.6.2 Setting up SSL
Prior to enabling SSL encryption in SafeGuard Enterprise, you need to set up your web server, database server and clients for it. The following general tasks must be carried out for setting up the web server with SSL:
- A Certificate Authority must be installed for issuing the certificates used by SSL encryption.
- A certificate must be issued and the IIS server configured to use SSL and point to the certificate.
- The server name specified when configuring the SafeGuard Enterprise Server must be the same as the one specified in the SSL certificate. Otherwise client and server cannot communicate.
- For each SafeGuard Enterprise Server a separate certificate is
84. n Setup is automatically started.
   b. Confirm all following dialogs.
   > The computer is registered as SafeGuard Enterprise Server.

CHAPTER 6 Setting up SafeGuard Enterprise Server
6. The server and its properties are displayed in the Register Server tab.
[Screenshot: SafeGuard Management Center Configuration Package Tool with the tabs Register Server, Create Server Package, Create Enterprise Client Package and Create Standalone Client Package. The Register Server tab lists the registered servers with the columns Scripting allowed and Master Security Officer, the option "Make this computer an SGN server", and the buttons Add, Add server role, Remove and Close.]
You can set the following properties for the selected server:
- Scripting allowed: activate to enable use of the SafeGuard Enterprise Management API.
- Server roles: click to select a security officer role. Click Add server role at the bottom to add further security officer roles.
- Database connection: click to configure a specific database connection for any registered web server, including database credentials and SSL transport encryption between the web server and the database server. The Database Connection dialog will be displayed.
HINT: SSL encryption requires a working SSL environment and additional configuration (see Setting up SSL, page 13).
[Screenshot: SafeGuard Management Center Database Connection dialog, Connection settings, Database Server SGNSRV]
85. nce:
   a. 5.2x > 5.3x: run MigrateSGN520-SGN530.sql
   b. 5.3x > 5.35: run MigrateSGN530-SGN535.sql
   c. 5.35 > 5.40: run MigrateSGN535-SGN540.sql
5. Set the SafeGuard Enterprise database to MULTI_USER mode again.
> After updating the database, the cryptographic checksums of some tables might no longer be correct. When starting the SafeGuard Management Center, warning messages will be displayed accordingly. You can repair the tables in the relevant dialog. The latest version of the SafeGuard Enterprise database is then ready for use.

CHAPTER 17 Updating SafeGuard Enterprise, 17.2 Updating SafeGuard Enterprise replicated databases
When the SafeGuard Enterprise database is to be updated to a later version and replicated databases are in use, it is best to uninstall the replicated databases before starting the update on the master database. Updating the SafeGuard Enterprise database requires running special SQL migration scripts, which might conflict with replicated databases.
1. Uninstall the replicated databases.
2. Run the SQL migration scripts on the master database. You can find them in the Tools folder of the product CD (see Updating SafeGuard Enterprise Database, page 136).
3. Set up the replicated databases anew.

17.3 Updating SafeGuard Enterprise Server
Prerequisites: the SafeGuard Enterprise database has already b
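The migration steps above (take the database out of service, run the version-step scripts in order, return it to MULTI_USER) are easy to get wrong by hand, in particular leaving the database in SINGLE_USER after a failed script. The following PowerShell script is an added example, not part of the SafeGuard manual or product: it backs the database up first, runs the three scripts in sequence with sqlcmd (stopping at the first failure), and always restores MULTI_USER mode. The instance name SGNSRV, the database name SafeGuard, the local copy of the CD's Tools folder and Windows authentication are assumptions; the script file names are those listed in the steps above.

```powershell
# Added example, not from the SafeGuard manual. Assumed: instance name, database
# name, a local copy of the product CD's Tools folder, Windows authentication.
$Server   = 'SGNSRV'
$Database = 'SafeGuard'
$Tools    = 'D:\Tools'
$Backup   = "C:\Backup\$Database-before-migration.bak"

# Order matters: each script upgrades exactly one version step (5.2x > 5.3x > 5.35 > 5.40).
$Scripts = @('MigrateSGN520-SGN530.sql', 'MigrateSGN530-SGN535.sql', 'MigrateSGN535-SGN540.sql')

function Invoke-Sql {
    param([string]$Query, [string]$File, [string]$Db = 'master')
    # -E: Windows authentication; -b: non-zero exit code when a batch fails.
    $argList = @('-S', $Server, '-E', '-d', $Db, '-b')
    if ($File) { $argList += @('-i', $File) } else { $argList += @('-Q', $Query) }
    & sqlcmd @argList
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
}

# Fail before touching the database if any migration script is missing.
foreach ($s in $Scripts) {
    if (-not (Test-Path "$Tools\$s")) { throw "Missing migration script: $Tools\$s" }
}

# Full backup first: a script that fails half-way leaves a partially migrated schema.
Invoke-Sql -Query "BACKUP DATABASE [$Database] TO DISK = N'$Backup' WITH INIT"

# Step before the scripts: no other sessions while the schema changes.
Invoke-Sql -Query "ALTER DATABASE [$Database] SET SINGLE_USER WITH ROLLBACK IMMEDIATE"
try {
    foreach ($s in $Scripts) {
        Write-Host "Running $s"
        Invoke-Sql -File "$Tools\$s" -Db $Database
    }
} finally {
    # Step 5 of the manual: return the database to MULTI_USER, even after a failure.
    Invoke-Sql -Query "ALTER DATABASE [$Database] SET MULTI_USER"
}
Write-Host 'Migration finished; start the Management Center and repair any table checksums it reports.'
```

If a script fails, the finally block still returns the database to MULTI_USER, but the schema is then in an intermediate state; restore the backup written at the start before retrying rather than re-running the remaining scripts.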
86. ne Clients. Several configuration packages (msi files) can be created and distributed to the client computers via third-party mechanisms. The packages may be distributed when installing the SafeGuard Client software or at a later point in time.
To ease installation and administration efforts, the SafeGuard Policy Editor offers the following:
- The SQL Database Server is installed transparently during SafeGuard Policy Editor installation if the installer detects that it is not present on your reference computer. Microsoft SQL 2005 Express Edition will then be installed automatically. No license fees will arise. Apart from that, already existing database servers may be used as well.
- Pre-configured default SafeGuard Enterprise policies are available and may be activated for your convenience during the initial configuration of the SafeGuard Policy Editor. The policy settings are stored in an SQL database.
- A default configuration package for Standalone Clients can easily be created during initial configuration.

SafeGuard Policy Editor features
Because there is no central management server in this scenario, the SafeGuard Policy Editor offers reduced management functionality. Compared to the SafeGuard Management Center, the following restrictions apply to the SafeGuard Policy Editor:
- No Active Directory import, thus no user and domain management.
- The Standalone Client packages containing the configuration settings have to be di
87. needed. If you use Network Load Balancer, make sure that the port range includes the SSL port. For further information on SSL setup, refer to the following links or contact our technical support:
- http://msdn2.microsoft.com/en-us/library/ms998300.aspx
- http://support.microsoft.com/default.aspx?scid=kb;en-us;316898
- https://blogs.msdn.com/sql_protocols/archive/2005/11/10/491563.aspx

Activating SSL encryption in SafeGuard Enterprise
- For the connection between web server and database server: SSL encryption can be set when registering the SafeGuard Enterprise Server via the SafeGuard Management Center Configuration Package Tool. For details, see Registering and configuring SafeGuard Enterprise Server, page 60.
- For the connection between the database server and SafeGuard Management Center: SSL encryption can be set in the SafeGuard Management Center Configuration Wizard. For details, see Configuring SafeGuard Management Center, page 34.
- For the connection between the database server and SafeGuard Policy Editor: if the SafeGuard Policy Editor is in operation, i.e. in the SafeGuard Enterprise Standalone scenario, the connection between database server and SafeGuard Policy Editor may also be secured with SSL. SSL encryption may be enabled in the SafeGuard Policy Editor Configuration Wizard. For details, see Configuring SafeGuard Policy Editor, page 88.
- For the connection between SafeGuard Enterprise Server and the Safe
88. nt Center. To create a SafeGuard Standalone Client configuration package, proceed as follows:
1. Select Tools > Configuration Package Tool from the menu bar.
2. Select Create Standalone Client Package for a Standalone Client configuration.
   a. Click Add Standalone Client Package to add the Standalone Client configuration package.
   b. Enter a name of your choice for the SGNClientConfig.msi file.
      [Screenshot: Client package registration dialog, "Please enter the name of the client package", SGNClientConfig]
   c. Specify a Policy Group, which must have been created beforehand either in the SafeGuard Policy Editor or in the SafeGuard Management Center, to be applied to the Standalone Clients. In contrast to Enterprise Clients, you can only apply policy groups to Standalone Clients, not individual policies.
   d. To enable recovery for Standalone Clients, the required data has to be available to the help desk. For Standalone Clients this data is saved as a specific recovery file (xml file). This file is created during configuration of the Standalone Client. It contains the defined machine key, the kernel key, a session key as well as a copy of the MBR.
   e. Specify a shared network path for storing this file (xml file) in Share Path, so that it will be available to the help desk in case of an emergency. E
(CHAPTER 12 Setting up user PCs centrally)
89. [Screenshot: SafeGuard Management Center (MSO on SGNSRV), Users & Computers view with the Synchronize dialog: directory DSN DC=utimaco,DC=edu, options Synchronize memberships and Synchronize user enabled state; status "Synchronization Completed"]
> Synchronization of the SafeGuard Management Center and Active Directory is complete. The imported objects are displayed in the Users & Computers area. You can view a synchronization protocol in the status bar at the left. When clicking on it, you can copy this protocol to the clipboard and paste it into an e-mail or file, in case you would like to inform your users of the synchronization results.

CHAPTER 10 Setting up SafeGuard Policy Editor
10 Setting up SafeGuard Policy Editor
The SafeGuard Policy Editor is the local management tool for Standalone Clients in the SafeGuard Enterprise Standalone scenario. The SafeGuard Policy Editor may be installed on the computer that you want to use to carry out administrative tasks. As a security officer, you use the SafeGuard Policy Editor to manage SafeGuard Enterprise policies and to create configuration packages for Standalo
90. nt configuration packages for both of them.

8.3.1 Generating the configuration packages for the Graz database
Create the server and client configuration package for the Graz database. Start the SafeGuard Management Center and proceed as follows:
1. Link the SafeGuard Management Center with the Graz database: in Tools > Options, select Database Connection and select ws_1 as Database Server and Graz as Database.
2. In Tools > Configuration Package Tools > Create Server Package, create the Server configuration package.
3. In Tools > Configuration Package Tools > Create Enterprise Client Package, create the Enterprise Client configuration package. Make sure to select the correct server the Graz clients are to be connected to. In the example this is WS_1.

CHAPTER 8 Replicating the SafeGuard Enterprise Database, 8.3.2 Generating the configuration packages for the Linz database
To create the server and client configuration package for the Linz database, start the SafeGuard Management Center and proceed as follows:
1. Link the SafeGuard Management Center with the Linz database: in Tools > Options, select Database Connection and select WS_2 as Database Server and Linz as Database.
2. In Tools > Configuration Package Tools, create the Server configuration package.
3. In Tools > Configuration Package Tools > Create Enterprise Client Package, create the Enterprise Client configurat
91. nter the shared path in the following form: \\networkcomputer, e.g. \\mycompany.edu. If you do not specify a path here, the user will be prompted to name a storage location for this file when first logging on to the user PC.
HINT: Make sure to save this xml file at a file location accessible to the help desk, for example a shared network path. Alternatively the files can be provided to the help desk via different mechanisms. This recovery key file (xml file) is encrypted with the company certificate. The file can therefore be saved to any external media or to the network to provide it to the help desk in case of an emergency. It can also be sent by e-mail.
(CHAPTER 12 Setting up user PCs centrally)
[Screenshot: Create Standalone Client Package, Share Path \\utimaco.edu, output path C:\Program Files\Utimaco\SafeGuard Enterprise\SG Policy Editor]
   f. Specify an output path for the msi file.
   g. Click Create Standalone Client MSI.
   > The SGNClientConfig.msi will be created in the specified directory.
> The Standalone Client configuration package for the SafeGuard Standalone Client has now been created in the specified directory. You now need to distribute this package to the Standalone Clients and deploy it on them.

12.5 Command for centralized install
When centrally installing SafeGuard Enterprise Client on the user PCs, use the Windows Installer
92. ntication Policy: a maximum of 5 failed logons is allowed.
- Default Machine Settings Policy: the SafeGuard Enterprise system tray icon will be displayed in the information area of the taskbar of the user computer; however, status information will not be displayed via balloon tool tips.
- Default Logging Policy: only errors will be logged in the event log; other events will be discarded.
For a detailed description of the policy settings, see the SafeGuard Enterprise Administrator's Manual, chapter SafeGuard Policy Editor.

To create the default policies
The default policies encrypt all internal hard disks and do not allow uninstall. You can manually adjust the default policies later. For details, please refer to the manual. To make use of the default policies and to create a default Standalone Client configuration package, do as follows:
1. Activate Create Default Policy. The policy group Default Policy will be automatically created and stored in the previously selected database as a configuration package (msi).
2. In Folder for Client Package, select the storage location for the Default Standalone Client configuration package (msi).
3. In Share path, select a storage location for the Standalone Client recovery file. This file (xml file) is needed to enable recovery for Standalone Clients, so that the required data may be available to the help desk later on. You may have this file automatically created
93. ny certificates and user/computer assignments. Recommended backup cycles are, for example, after the data is first imported, after major changes, or at regular time intervals, e.g. every week or every day.

CHAPTER 4 Setting up SafeGuard Enterprise Database, 4.2 Prerequisites
The following prerequisites must be met:
- Microsoft SQL Server must already be installed and configured. Microsoft SQL 2005 Express Edition is suitable for use in smaller companies, as there are no license fees.
- For performance reasons, Microsoft SQL Server should not be installed on the computer on which SafeGuard Enterprise Server is installed.
- Authentication methods and access rights for the database should be clarified.

4.3 Authentication for the database
To be able to access the SafeGuard Enterprise database, the SafeGuard Management Center's first security officer must be authenticated. This can be done in the following ways:
- Windows authentication
- SQL authentication
You can find out from your SQL administrator which authentication method is intended for you as a security officer. You need this information before generating the database and before installing the SafeGuard Management Center. Use SQL authentication for computers that are not part of a domain; otherwise use Windows authentication. This, however, requires additional configuration. You will find further information on Windows authentication in our knowledge da
94. Contents
3.6.1 Setting up SSL 13
3.6.2 Activating SSL encryption in SafeGuard Enterprise 14
3.7 Installation steps for SafeGuard Enterprise 15
3.8 Installation steps for SafeGuard Enterprise Standalone 17
3.9 Installation steps for SafeGuard Enterprise Client on multiple operating systems (runtime system) 18
CHAPTER 4 Setting up SafeGuard Enterprise Database 19
4.1 Prerequisites 20
4.2 Authentication for the database 21
4.3 Rights to access the database 21
4.4 Setting up an SQL user account for SafeGuard Enterprise 24
4.5 Generating the SafeGuard Enterprise database 28
4.5.1 Generating SafeGuard Enterprise Database via SafeGuard Management Center 28
4.5.2 Generating SafeGuard Enterprise Database with a script
95. o determine the types of access a user or a process has on a specific file or folder. You should assign NTFS permissions to allow or deny web site access to specific users on the IIS server. For the sample configuration, the minimal NTFS permissions are as follows:

User            NTFS permissions for E:\inetpub   NTFS permissions for F:\mycompany\web
Administrators  full control                      full control
System          full control                      full control
Users           execute                           execute

You may set a different account or group for Users, as long as it is provided on the IIS server. When doing so, you need to update the account IUSR_SERVERNAME on the IIS server accordingly. The NTFS permissions for file types are as follows:

File type                                   Recommended NTFS permissions
CGI files (.exe, .dll, .cmd, .pl)           Administrators: full control; System: full control; Everyone/User: execute
Script files (.asp)                         Administrators: full control; System: full control; Everyone/User: execute
Include files (.inc, .shtm, .shtml)         Administrators: full control; System: full control; Everyone/User: execute
Static content (.txt, .gif, .jpg, .htm, .html)  Administrators: full control; System: full control; Everyone/User: read only

CHAPTER 6 Setting up SafeGuard Enterprise Server, 6.2.3 Disable Integrated Windows Authentication
It is recommended to disable Integrated Windows Authentication in IIS to avoid sending unnece
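The two permission tables above can be applied (and re-applied after content updates) with icacls. The following PowerShell script is an added example and not part of the SafeGuard manual: it replaces the ACL of the two web folders from the sample configuration with Administrators and SYSTEM full control and Users execute, then tightens the listed static content types to read only. The folder paths are the manual's sample paths; mapping the table's "Everyone/User" to BUILTIN\Users and the choice of RX (read and execute) for "execute" are assumptions.

```powershell
# Added example, not from the SafeGuard manual. Assumed: the sample folders
# E:\inetpub and F:\mycompany\web, and BUILTIN\Users as the "Users" principal.
$WebFolders  = @('E:\inetpub', 'F:\mycompany\web')
# Executable, script and include files: Everyone/User execute (RX).
$ExecTypes   = @('*.exe', '*.dll', '*.cmd', '*.pl', '*.asp', '*.inc', '*.shtm', '*.shtml')
# Static content: Everyone/User read only (R).
$StaticTypes = @('*.txt', '*.gif', '*.jpg', '*.htm', '*.html')

function Set-FolderAcl {
    param([string]$Path)
    # /inheritance:r removes inherited ACEs so only the listed principals remain;
    # (OI)(CI) makes the entries inherit to files and subfolders; /grant:r replaces
    # any existing entry for the same principal instead of adding to it.
    & icacls $Path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)RX' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Set-FileAcl {
    param([string]$Path, [string]$UsersRight)   # $UsersRight: 'RX' or 'R'
    & icacls $Path /inheritance:r /grant:r `
        'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' "BUILTIN\Users:$UsersRight" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

foreach ($folder in $WebFolders) {
    if (-not (Test-Path $folder)) { throw "Folder not found: $folder" }
    Set-FolderAcl $folder
    Get-ChildItem $folder -Recurse -Include $ExecTypes   | ForEach-Object { Set-FileAcl $_.FullName 'RX' }
    Get-ChildItem $folder -Recurse -Include $StaticTypes | ForEach-Object { Set-FileAcl $_.FullName 'R' }
}
# Show the resulting ACL of each folder for a final visual check.
foreach ($folder in $WebFolders) { & icacls $folder }
```

Because /inheritance:r strips every inherited entry, run this against a test copy of the web folder first and confirm the application pool identity still has the access it needs; any account not in the three listed principals loses access entirely.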
96. [Screenshot: IIS Manager, SGNSRV (local computer) > Application Pools, Web Sites > Default Web Site (aspnet_client, iisstart.htm, pagerror.gif, SGNSRV), Web Service Extensions; ASP.NET tab showing ASP.NET version, virtual path Default Web Site, file location c:\inetpub\wwwroot\web.config, file creation date and last modified date "not available", buttons Edit Global Configuration and Edit Configuration]

CHAPTER 6 Setting up SafeGuard Enterprise Server, 6.2.5
Alternatively you can run the command aspnet_regiis.exe -lv to ensure that ASP.NET version 2.0 is installed.
[Screenshot: Command Prompt running aspnet_regiis.exe -lv from the Microsoft.NET Framework folder under C:\WINDOWS]

Enabling recycling for the IIS server
We recommend enabling Recycle worker processes for the IIS server.
1. Open the Internet Information Services Manager. In IIS Manager, click Server (local computer).
2. Right-click Application Pools > Properties. Under Memory recycling, set the following values:
   - Maximum virtual memory: 500 MB
   - Maximum used memory: 192 MB
   Confirm with Apply and OK.
[Screenshot: Application Pools Properties dialog]
> The IIS server is now set up for SafeGuard Enterprise.
CHAPTER 6 Setting up SafeGuard Enter
configurations. User computers can be configured as follows:

- As SafeGuard Enterprise Clients with central, server-based management via the SafeGuard Management Center. For SafeGuard Enterprise Clients a connection to the SafeGuard Enterprise Server exists. SafeGuard Enterprise Clients receive their policies via the SafeGuard Enterprise Server. The connection may temporarily be disabled, for example during a business trip, but even so the user computer is defined as a SafeGuard Enterprise Client. The required Enterprise Client configuration package is created in the SafeGuard Management Center.

- As SafeGuard Standalone Clients with local management. Local management can be performed either via the SafeGuard Policy Editor or via the SafeGuard Management Center. For SafeGuard Standalone Clients no connection to the SafeGuard Enterprise Server is ever established at any point in time. SafeGuard Standalone Clients therefore receive their policies in configuration packages via third-party mechanisms.
  - If policy groups are created and managed via the SafeGuard Policy Editor: the required Standalone Client configuration package is created in the SafeGuard Policy Editor.
  - If policy groups are created and managed via the SafeGuard Management Center: the required Standalone Client configuration package is created in the SafeGuard Management Center.

11.1 R
138
17.4 Updating SafeGuard Enterprise Management Center 138
17.5 Updating SafeGuard Enterprise Client 140
17.6 Updating SafeGuard Enterprise Standalone 141
17.6.1 Updating SafeGuard Policy Editor 141
17.6.2 Updating SafeGuard Standalone Client 142
17.6.3 Enhancing SafeGuard Standalone Client with volume-based encryption 142
17.7 Updating the operating system 143
CHAPTER 18 Migrating SafeGuard Standalone to SafeGuard Enterprise 144
18.1 Migrating SafeGuard Policy Editor to SafeGuard Management Center 145
18.2 Migrating Standalone Clients to Enterprise Clients 146
CHAPTER 19 Migrating SafeGuard Easy to SafeGuard Enterprise 147
19.1 Requirements 147
19.2 Limitations 148
19.3 Which functionality is migrated 149
19.4 Preparations 151
19.5 Starting the migration 151
19.6 Afte
copyright owner. SafeGuard is a registered trademark of Utimaco Safeware AG, a member of the Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners. You will find copyright information on third-party suppliers in the file entitled "Disclaimer and Copyright for 3rd Party Software.rtf" on your product CD.
for issuing certificates used by SSL encryption. A certificate must be issued and the IIS server configured to use SSL and point to the certificate.
- The server name specified when configuring the SafeGuard Enterprise Server must be the same as the one specified in the SSL certificate. Otherwise client and server cannot communicate. For each SafeGuard Enterprise Server a separate certificate is needed.
- If you use Network Load Balancer, make sure that the port range includes the SSL port.
- .NET Framework 3.0 Service Pack 1 is installed. .NET Framework is available free of charge; you will find the program e.g. on your Windows CD. Depending on the Windows version it may already be installed by default.
- ASP.NET 2.0 is activated. This is automatically checked and correctly set during installation.

6.2 Configuring Microsoft Internet Information Services
This chapter explains how to prepare the Microsoft Internet Information Services (IIS) server to run with SafeGuard Enterprise Server.

6.2.1 Hardening the IIS server
To enhance security in your company's intranet, it is recommended that you protect each IIS server and the applications that run on it with specific security settings so that the IIS server is hardened. This chapter describes how to set up the IIS server for use with SafeGuard Enterprise Server to meet the hardening recommendations of M
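Because a name mismatch between the certificate and the server name entered during server registration silently breaks client-server communication, it is worth checking the two against each other before registering. The script below is an added example, not part of the SafeGuard manual or product: it reads the server's SSL certificate from the local machine store by thumbprint (the thumbprint shown is a placeholder), collects its DNS names from the subject and the Subject Alternative Name extension, and reports whether the FQDN you intend to enter (server.utimaco.edu is the manual's example) matches one of them, including the wildcard case.

```powershell
# Added example (not from the SafeGuard manual): verify that the FQDN entered as
# SafeGuard Enterprise Server name matches the SSL certificate IIS will present.
# Assumptions: the certificate is in Cert:\LocalMachine\My and is identified by
# thumbprint; PowerShell 3.0 or later (for the DnsNameList property).

function Get-CertificateDnsNames {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # DnsNameList is populated by PowerShell from the Subject Alternative Name
    # extension (and falls back to the subject CN when there is no SAN).
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -eq 0) {
        # Older hosts without DnsNameList: ask .NET for the DNS name (SAN or CN).
        $names = @($Certificate.GetNameInfo('DnsName', $false))
    }
    $names | Where-Object { $_ } | Select-Object -Unique
}

function Test-DnsNameMatch {
    param([string]$Pattern, [string]$Fqdn)
    $p = $Pattern.ToLowerInvariant().TrimEnd('.')
    $h = $Fqdn.ToLowerInvariant().TrimEnd('.')
    if ($p -eq $h) { return $true }
    # Wildcard: only a leading "*." is honoured and it matches exactly one label,
    # so *.utimaco.edu matches server.utimaco.edu but not a.b.utimaco.edu.
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)
        return ($h.EndsWith($suffix) -and ($h.Split('.').Length -eq $p.Split('.').Length))
    }
    return $false
}

function Test-SgnServerCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint,
          [Parameter(Mandatory = $true)][string]$ServerFqdn)

    $cert  = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $names = @(Get-CertificateDnsNames -Certificate $cert)
    $match = $names | Where-Object { Test-DnsNameMatch -Pattern $_ -Fqdn $ServerFqdn }

    [pscustomobject]@{
        ServerFqdn    = $ServerFqdn
        CertNames     = ($names -join ', ')
        NameMatches   = [bool]$match          # must be True before you register the server
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        HasPrivateKey = $cert.HasPrivateKey   # IIS cannot use the certificate without it
    }
}

# Usage: paste the thumbprint from certutil or the Certificates MMC; the FQDN is
# the one you will enter in the Configuration Package Tool's Server name field.
Test-SgnServerCertificate -Thumbprint 'PASTE-THUMBPRINT-HERE' -ServerFqdn 'server.utimaco.edu'
```

If NameMatches is False, either re-issue the certificate for the FQDN you intend to use or register the server under a name the certificate already carries; do not work around the mismatch by relaxing certificate validation on the clients.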
for the first migration.
- First migrate older versions of SafeGuard Easy to version 4.20.
- Ensure that the computer can access the configuration file SGE2SGN.cfg with valid SafeGuard Easy credentials during the migration. The system key generated from this file is needed during migration to decrypt the encrypted SafeGuard Easy system data.
- Leave the user PCs switched on throughout the migration process.
- The security officer should keep the users' Windows credentials to hand in case users have forgotten their Windows passwords after migration. This can happen if users have previously logged on to the SafeGuard Easy Pre-Boot Authentication and have later been logged on via Windows Secure Autologon (SAL), so the users never used their Windows credentials.

NOTICE: Users need to know their password for Windows logon before migration. This is essential, as a Windows password cannot be set subsequently after migration and installation of SafeGuard Enterprise. If users do not know their Windows password because they have used Secure Automatic Logon in SafeGuard Easy, they will not be able to log on to SafeGuard Enterprise: pass-through to Windows is rejected and the logon fails. There is thus a risk of data loss, as users will no longer be able to access their computers.

19.5 Starting the migration
HINT: For a detailed description of the necessary migration steps, see our knowled
you select a feature, you also need to add the feature parents to the command line.

Client features for SGNClient.msi
The features Client and Authentication must be installed by default.

Feature: Authentication
Parents: Client
The feature Authentication and its parent feature Client must be installed by default.

Feature: CredentialProvider
Parents: Client, Authentication
For computers with Windows Vista you must select this feature. It enables logon via the Credential Provider.

Feature: SecureDataExchange
Parents: Client
With SecureDataExchange, SafeGuard Data Exchange with file-based encryption is always installed at local level and for removable media. SafeGuard Data Exchange provides secure encryption for removable media. Data can securely and easily be shared with other users. All encryption and decryption processes run transparently and with minimal user interaction. If you have installed SafeGuard Data Exchange on your computer, SafeGuard Portable is installed as well. SafeGuard Portable enables data to be securely shared with clients that do not have SafeGuard Data Exchange installed. SafeGuard Data Exchange can be installed in parallel with the BitLocker Client.

Feature: SectorBasedEncryption
Parents: Client, BaseEncryption
Installs SafeGuard Enterprise's volume-based encryption with the following features:
- Any volumes, including removable media, can be encrypted with SafeGuard Enterp
separate volumes of the hard disk, SafeGuard Enterprise provides a so-called runtime system. SafeGuard Enterprise Runtime Client enables the following when it is installed on volumes with an additional Windows installation:
- The Windows installation residing on these volumes can successfully be booted by a boot manager.
- Partitions on these volumes that have been encrypted by a full SafeGuard Enterprise Client installation with the defined machine key can successfully be accessed.

Requirements and restrictions
Note the following:
- SafeGuard Enterprise Runtime Client does not provide any SafeGuard Enterprise Client specific features or functionality.
- SafeGuard Enterprise Runtime Client only supports those operating systems that are also supported for SafeGuard Enterprise Client.
- Successful operation of USB keyboards may be restricted.
- Only boot managers that become active after Power-on Authentication are supported. Support for third-party boot managers is not guaranteed. We recommend using Microsoft boot managers.
- The SafeGuard Enterprise Runtime Client cannot be updated to a full SafeGuard Enterprise Client. This applies to SafeGuard Enterprise Clients as well as SafeGuard Standalone Clients.
- The Runtime installation package must be installed before the full version of the Enterprise Client installation package is installed.
- Only volumes encrypted with the defined machine key in SafeGuard Enterpri
Express: dynamic port; Port 1148 TCP for SQL 2005. Active Directory: Port 389 TCP; SLDAP: Port 636 for the Active Directory import.

The SafeGuard Enterprise Server needs to create the following connections:

Connection to      via Port
SQL database       Port 1433 TCP and Port 1434 TCP for SQL 2000 and 2005; Express: dynamic port; Port 1148 TCP for SQL 2005
Active Directory   Port 389 TCP

Note that the SQL Server Browser service, which resolves a named instance (such as an Express instance on a dynamic port) to its port, answers on UDP 1434; a firewall rule that only passes 1434 TCP does not let a client locate a named instance.

CHAPTER 7 Testing communication

Authentication method
1. On the SafeGuard Enterprise Server, open the Internet Information Services (IIS) Manager.
2. In the tree structure select Internet Information Services > Servername > Web Sites > Default Web Site > SGNSRV.
3. Right-click SGNSRV and select Properties.
[Screenshot: IIS Manager tree with SGNSRV (local computer) containing bin, global.asax, trans.asmx and web.config, and the SGNSRV context menu: Explore, Open, Permissions, Browse, New, All Tasks, View, New Window from Here, Delete, Properties.]
4. Select the Directory Security tab.
5. In the Authentication and Access Control box click Edit. Activate Enable anonymous access and deactivate Integrated Windows authentication.
[Screenshot: Authentication Methods dialog with Enable anonymous access checked; Use the following Windows user account for anonymous acc
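The checks below cover the port table and the IIS settings from sections 6.2.3, 6.2.5 and the authentication steps above in one script. It is an added example, not part of the SafeGuard manual or product, and assumes IIS 6 (or IIS 7 with the IIS 6 management compatibility components) so that the metabase is reachable through the IIS ADSI provider, that Default Web Site has site id 1, that SGNSRV runs in DefaultAppPool, and that sql.utimaco.edu and dc.utimaco.edu are placeholder host names for your SQL Server and domain controller.

```powershell
# Added example (not from the SafeGuard manual). Run on the SafeGuard Enterprise
# Server: (1) probe the outbound ports from the table above, (2) set SGNSRV to
# anonymous access only and the application pool to the recycling limits of 6.2.5,
# then read both back. Assumptions: IIS 6 metabase via the IIS ADSI provider;
# Default Web Site is site id 1; SGNSRV runs in DefaultAppPool; host names are placeholders.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered/timeout
        $client.EndConnect($async)   # throws if the port is closed (connection refused)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Connections the SafeGuard Enterprise Server must be able to open. 1434/TCP is the
# manual's entry; SQL Server Browser (named-instance resolution) uses 1434/UDP,
# which a TCP probe cannot see, so check that rule separately on the firewall.
$required = @(
    @{ Target = 'sql.utimaco.edu'; Port = 1433; Purpose = 'SQL Server, default instance' },
    @{ Target = 'sql.utimaco.edu'; Port = 1434; Purpose = 'SQL Server (per manual, SQL 2000/2005)' },
    @{ Target = 'dc.utimaco.edu';  Port = 389;  Purpose = 'Active Directory LDAP' }
)
foreach ($r in $required) {
    $state = if (Test-TcpPort -ComputerName $r.Target -Port $r.Port) { 'open' } else { 'BLOCKED' }
    '{0,-20} {1,5}/tcp  {2,-8} {3}' -f $r.Target, $r.Port, $state, $r.Purpose
}

# IIS 6 metabase AuthFlags bits: 1 = anonymous, 2 = basic, 4 = integrated Windows.
# Value 1 gives anonymous access only, i.e. Integrated Windows Authentication off.
$sgnsrv = [ADSI]'IIS://localhost/W3SVC/1/ROOT/SGNSRV'
$sgnsrv.Put('AuthFlags', 1)
$sgnsrv.SetInfo()

# Recycling thresholds from 6.2.5; the metabase stores both values in KB.
$pool = [ADSI]'IIS://localhost/W3SVC/AppPools/DefaultAppPool'
$pool.Put('PeriodicRestartMemory', 500 * 1024)         # maximum virtual memory 500 MB
$pool.Put('PeriodicRestartPrivateMemory', 192 * 1024)  # maximum used memory 192 MB
$pool.SetInfo()

# Re-bind and read back, so the report reflects what is actually stored.
$checkVdir = [ADSI]'IIS://localhost/W3SVC/1/ROOT/SGNSRV'
$checkPool = [ADSI]'IIS://localhost/W3SVC/AppPools/DefaultAppPool'
"SGNSRV AuthFlags = $($checkVdir.AuthFlags) (expected 1: anonymous only)"
"DefaultAppPool PeriodicRestartMemory = $($checkPool.PeriodicRestartMemory) KB (expected 512000)"
"DefaultAppPool PeriodicRestartPrivateMemory = $($checkPool.PeriodicRestartPrivateMemory) KB (expected 196608)"
```

Anonymous access on SGNSRV is acceptable only because the SafeGuard client and server authenticate each other at the application layer and the channel is protected with SSL; if any other application shares the same web site, give it its own virtual directory and pool rather than inheriting these settings.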
Enterprise Client configuration package
For successful operation you need to create a configuration package for the SafeGuard Enterprise Client. The package is created with the SafeGuard Management Center Configuration Package Tool.
1. Start the Management Center. In the Tools menu select Configuration Package Tool.
2. Select Create Enterprise Client Package.
   a. Click Add Client Package to create the Enterprise Client configuration package.
   [Screenshot: Configuration Package Tool, Create Enterprise Client Package tab, with the columns Client MSI Package, Primary Server, Secondary Server, Policy Group, Transport Encryption.]
   b. Enter a name of your choice for the SGNClientConfig.msi file.
   [Screenshot: Client package registration dialog, name SGNClientConfig.]
   c. Assign a primary server; the secondary server is not absolutely essential.
   [Screenshot: Configuration Package Tool with the tabs Register Server, Create Server Package, Create Enterprise Client Package, Create Standalone Client Package. Text: "Select one or more client packages, specify an output path and click <Create Client MSI>". Example row: SGNClientConfig, primary server SGNSRV (server.utimaco.edu), poll interval, policy group Utimaco. Client MSI output path: C:\Program Files\Utimaco. Buttons: Add Client Package, Remove Client Package, Create Client MSI, Close.]
   d. If required, specify a policy created in the SafeGuard Management Center which is to apply to
[Figure (continued): SafeGuard Enterprise Database (Microsoft SQL Server); Web Server (MS Internet Information Services, IIS) running SafeGuard Enterprise Server; User PC running SafeGuard Enterprise Client.]

CHAPTER 2 SafeGuard Enterprise components
The table below describes the individual components.

Component: SafeGuard Enterprise Database(s), based on Microsoft SQL Server
Description: The SafeGuard Enterprise database(s) hold all the relevant data such as keys, certificates, information about users and computers, events and policy settings. The database(s) need to be accessed by the SafeGuard Enterprise Server and by just one security officer from the SafeGuard Management Center (usually the MSO). The SafeGuard Enterprise database(s) can be generated and configured using a wizard or scripts.

Component: SafeGuard Enterprise Server, on an IIS-based web server (Microsoft Internet Information Services, IIS) with .NET Framework 3.0 SP1 and ASP.NET 2.0
Description: The web server used for SafeGuard Enterprise must be based on Internet Information Services (IIS); we recommend using a dedicated IIS server for SafeGuard Enterprise Server. The IIS server may be clustered. SafeGuard Enterprise Server interfaces between the database and the SafeGuard Enterprise user computers. Upon request, the SafeGuard Enterprise Server sends policy settings to the user computers. It requires access to the database. It runs as an application on a Microsoft Internet Information Se
Enterprise Server

6.3 Installing SafeGuard Enterprise Server
After the IIS is configured, you can install SafeGuard Enterprise Server on the IIS server. You will find the install package SGNServer.msi on the product CD.
1. Start SGNServer.msi from the product CD.
2. Click Next in the welcome window.
3. Accept the license agreement.
4. Select an installation path.
5. Confirm that the installation has completed successfully.
> The SafeGuard Enterprise Server is installed.

NOTICE: To enhance performance, the concatenation of logged events is deactivated for the SafeGuard Enterprise Database by default after installation of the SafeGuard Enterprise Server. However, without concatenation no integrity protection is provided for logged events. Concatenation chains all entries in the event table together, so that if an entry is removed this is evident and can be verified via an integrity check. To make use of integrity protection you therefore need to enable the concatenation manually. For detailed information see the SafeGuard Enterprise Administrator's Manual, chapter Reports.

6.4 Registering and configuring SafeGuard Enterprise Server
The SafeGuard Enterprise Server still needs to be registered and configured; this is carried out with the SafeGuard Management Center Configuration Package Tool. A configuration file needs to be created for the server and deployed on it.
1.
attempt will be logged. See the SafeGuard Enterprise Administrator's Manual for further details about policies.

HINT: If you work with a demo version, you should not activate this policy setting, or in any case deactivate it prior to expiry of the demo version, to ensure easy uninstallation.

CHAPTER 17 Updating SafeGuard Enterprise
If you have already installed a previous version of SafeGuard Enterprise, you can update SafeGuard Enterprise by installing the latest version. Updating to SafeGuard Enterprise version 5.40 is supported from SafeGuard Enterprise version 5.30 onwards.

Apart from the SafeGuard Enterprise database, the updates of SafeGuard Enterprise Server, Management Center, Policy Editor and Client are the same as a new installation. However, no uninstall needs to be done beforehand.

From SafeGuard Enterprise 5.30 onwards the import of a valid license file that covers all rolled-out clients is required. If the number of licenses is exceeded, the policy transport will be blocked after the update of the backend. Please contact your sales partner in advance to request a license file.

HINT: It is essential that you update the components in the order outlined below. Any update from an earlier version to the current version of SafeGuard Enterprise will only succeed if you follow this sequence.

Updating the SafeGuard Enterprise components is supported for SafeGuard Enterprise version
r 87
10.3 Configuring SafeGuard Policy Editor 88
10.3.1 Setting up the SQL database 89
10.3.2 Setting up a password for the security officer 90
10.3.3 Creating a certificate store 90
10.3.4 Creating pre-configured default policies 90
10.3.5 Logging on to the SafeGuard Policy Editor 92
CHAPTER 11 SafeGuard Client Configurations 93
11.1 Restrictions 94
11.2 SafeGuard Enterprise Clients 96
11.3 SafeGuard Standalone Clients 98
11.3.1 Restrictions 98
11.3.2 Standalone Clients managed via SafeGuard Policy Editor 99
11.3.3 Standalone Clients managed via SafeGuard Management Center 101
Contents
CHAPTER 12 Setting up user PCs centrally 102
12.1 General prerequisites
r the migration 153
CHAPTER 20 Annex: Best practice scenario 154
CHAPTER 21 Technical Support 155
CHAPTER 22 Copyright 156

CHAPTER 1 SafeGuard Enterprise Overview
SafeGuard Enterprise is a comprehensive, modular data security solution that uses a policy-based encryption strategy to provide reliable protection for information and information sharing on servers, PCs and mobile end devices. The central administration is done by the SafeGuard Enterprise Management Center. Security policies, keys and certificates, smartcards and tokens can be managed using a clearly laid out, role-based administration strategy. Detailed logs and report functions ensure that users and administrators always have an overview of all events.

On the user side, data encryption and protection against unauthorized access are the main security functions of SafeGuard Enterprise. SafeGuard Enterprise can be seamlessly integrated into the user's normal environment and is easy and intuitive to use. SafeGuard's own authentication system, Power-On Authentication (POA), provides the necessary access protection and offers user-friendly support when recovering credentials.

TIP: Our video tutori
for example, install a Windows XP Service Pack update. However, you cannot migrate from one operating system series to a different one while SafeGuard Enterprise is installed; for instance, you cannot migrate from Windows XP to Windows Vista with SafeGuard Enterprise installed.

CHAPTER 18 Migrating SafeGuard Standalone to SafeGuard Enterprise
You can easily migrate the SafeGuard Enterprise Standalone solution to the SafeGuard Enterprise suite with central management to make use of the full functionality of SafeGuard Enterprise. For this purpose the following steps must be taken:
- The SafeGuard Policy Editor must be migrated to the SafeGuard Management Center.
- The SafeGuard Standalone Clients must be migrated to SafeGuard Enterprise Clients.

18.1 Migrating SafeGuard Policy Editor to SafeGuard Management Center
You can migrate the SafeGuard Policy Editor to the SafeGuard Management Center to use comprehensive management features, e.g. user and computer management as well as logging.

Prerequisites
- You do not have to uninstall SafeGuard Policy Editor.
- Set up the SafeGuard Enterprise Server prior to migration (see Setting up SafeGuard Enterprise Server, page 51).

Migrating SafeGuard Policy Editor
For migration, simply install the SGNManagementCent
transfer methods, for example e-mail or USB memory sticks.

In contrast to central management, SafeGuard Enterprise Standalone offers reduced management functionality. Basic policies may be created and managed. Other forms of management, such as user/domain management or centralized logging, are not supported. The standalone mode can, however, easily be upgraded to the central management solution.

Administration of the Standalone Clients is best achieved using SafeGuard Policy Editor, the local management tool for Standalone Clients. With SafeGuard Policy Editor, basic pre-configured default policies as well as a default configuration package for Standalone Clients may be created during initial configuration. Additionally, user-defined policies may be created, combined into groups and exported to configuration files. Data is collected on the computer where SafeGuard Policy Editor is installed, in a Microsoft SQL database server. The SQL database server is automatically installed during the SafeGuard Policy Editor setup.

However, if the SafeGuard Management Center is already in operation, administrative tasks for Standalone Clients may also be carried out in the SafeGuard Management Center.

To set up SafeGuard Enterprise Standalone, read the following information:
- For prerequisites see Preparing for installation, page 9.
- For installing the SafeGuard Policy Editor see Setting up SafeGuard Policy Editor, page 85.
- For installing the SafeGuard S
configuration is undesirable, the SQL administrator can generate the SafeGuard Enterprise database with a script. The two scripts included on the product CD, CreateDatabase.sql and CreateTables.sql, can be run for this purpose.

CHAPTER 4 Setting up SafeGuard Enterprise Database
The following table shows the necessary SQL permissions for the different versions of Microsoft SQL Server.

Access right                    SQL Server 2000                               SQL Server 2005                               SQL Server 2005 Express
Generate database
  Server                        public (default), db_creator                  public (default), db_creator                  public (default), db_creator
  Master database               db_owner                                      None                                          None
  SafeGuard Enterprise Database db_owner, public (default)                    db_owner, public (default)                    db_owner, public (default)
Use (not generate) database
  Server                        None                                          None                                          None
  Master database               None                                          None                                          None
  SafeGuard Enterprise Database db_datareader, db_datawriter, public (default) db_datareader, db_datawriter, public (default) db_datareader, db_datawriter, public (default)

The two halves of the table describe two different accounts: the elevated rights (db_creator, db_owner) are only needed once, to generate the database, while the account under which the SafeGuard Enterprise Server and Management Center use the database afterwards needs no more than db_datareader and db_datawriter on that one database.

4.4 Setting up an SQL user account for SafeGuard Enterprise
To generate the SafeGuard Enterprise database, a new user has to be created under Microsoft SQL Server for SafeGuard Enterprise, the authentication method needs to be specified and the necessary rights have to be issued. The description below of the individual con
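The script below creates the runtime account described by the "Use (not generate) database" rows of the table and then lists the roles it holds, so the result can be verified against the table. It is an added example, not part of the SafeGuard manual or the scripts on the product CD; it assumes SQL Server 2005 or later (CREATE LOGIN and sp_addrolemember), that the instance name sqlserver\SGN, the database name SafeGuard and the login name SGNServer are placeholders for your own, and that it is run by someone who is sysadmin on the instance.

```powershell
# Added example (not from the SafeGuard manual): create the SQL login and database
# user the SafeGuard Enterprise Server runs with, holding only db_datareader and
# db_datawriter on the SafeGuard database (never db_owner), then list its roles.
# Assumptions: SQL Server 2005+, sqlcmd.exe on the path, run as a sysadmin;
# instance, database and login names are placeholders.

$Instance  = 'sqlserver\SGN'
$Database  = 'SafeGuard'
$LoginName = 'SGNServer'

# Read the password interactively so it appears neither on a command line nor in
# a script file; a single quote would break the T-SQL literal, so reject it.
$Password = Read-Host -Prompt "Password for SQL login $LoginName"
if ($Password -match "'") { throw 'Password must not contain a single quote' }

$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$LoginName')
    CREATE LOGIN [$LoginName] WITH PASSWORD = N'$Password', CHECK_POLICY = ON;
GO
USE [$Database];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$LoginName')
    CREATE USER [$LoginName] FOR LOGIN [$LoginName];
-- Runtime rights only: read and write the SafeGuard tables, no schema or role changes.
EXEC sp_addrolemember N'db_datareader', N'$LoginName';
EXEC sp_addrolemember N'db_datawriter', N'$LoginName';
-- Verification: the roles the user now holds. Expect exactly db_datareader and
-- db_datawriter here (public is implicit and is not listed as a membership).
SELECT r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = N'$LoginName';
GO
"@

# Feed the batches through stdin: nothing is written to disk and the password
# is not visible in the process command line. -E: Windows authentication for the
# administrator running this; -b: stop and set a non-zero exit code on error.
$sql | & sqlcmd.exe -S $Instance -E -b
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
```

If the final SELECT shows db_owner for the runtime login, the account used to generate the database is being reused at runtime; create a separate login for the server and Management Center rather than leaving the wider rights in place.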
SafeGuard Enterprise Server | Install SafeGuard Enterprise Server on the IIS web server | SGNServer.msi | 6.3

8. Register and configure SafeGuard Enterprise Server | Generate server configuration package and deploy it on the web server (the server configuration package is generated in the SafeGuard Management Center Configuration Package Tool) | SGNServerConfig.msi | 6.4

9. Test connection | Check and establish the connection between server, database and SafeGuard Management Center | | 7

CHAPTER 3 Preparing for installation

Step | Description | Installation/Configuration package | Chapter

10. Create/import organization structure | Create a new structure or import an Active Directory in the SafeGuard Management Center | | 8

11. Set up SafeGuard Enterprise Client | Install the SafeGuard Client installation package on the user PC. Install either with Device Encryption or without Device Encryption, and additionally install Configuration Protection (optional) | SGNClient.msi; SGNClient_withoutDE.msi; SGN CP PortProtectorClient.msi | 11, 12

12. Configure SafeGuard Enterprise Client | Generate Enterprise Client configuration package and install it on the user PC (the Enterprise Client configuration package is generated in the SafeGuard Management Center Configuration Package Tool) | SGNEnterpriseClientConfig.msi | 11.4.1

3.8 Installation steps for SafeGuard Enterprise Stan
procedure for generating the master database is the same as for a SafeGuard Enterprise installation without replication. There are two ways to proceed:
- via the SafeGuard Management Center Configuration Wizard. This procedure requires that the SafeGuard Management Center is already installed (see Installing SafeGuard Management Center, page 32).
- via an SQL script you can find on the product CD. This procedure is often preferred if extended SQL permissions during SafeGuard Management configuration are not desirable (see Setting up SafeGuard Enterprise Database, page 19).

Generating the replication databases Graz and Linz
After setting up the master database you may generate the replication databases. In the example the replication databases are called Graz and Linz.

HINT: Data tables and EVENT tables are held in separate databases. Event entries are not concatenated by default, so that the event database can be replicated to several SQL servers to enhance performance. If EVENT tables are concatenated, problems may arise during replication of its data records.

To generate the replication databases, proceed as follows:
1. When using distributed databases, you first have to create a publication for the master database via the management console of the SQL server.
2. Select all tables, views and stored procedures for synchronization in this publication.
3. Create the replication databases by generating a subscription for Graz and a s
created.
> The Enterprise Client configuration package has now been created for the SafeGuard Enterprise Client. Deploy this package on the SafeGuard Enterprise Client.

12.4.2 Creating a Standalone Client configuration package
For successful operation you need to create a configuration package for the SafeGuard Standalone Client and distribute it to the user computers.

HINT: The process of creating the default policy group during initial configuration of the SafeGuard Policy Editor involves the automatic creation of a default Standalone Client .msi package. When using only the preconfigured default policies, the following steps may not have to be carried out separately (see Creating pre-configured default policies, page 90).

- If you manage the Standalone Clients via the SafeGuard Policy Editor, create the Standalone Client configuration package in the SafeGuard Policy Editor. Log on to the Policy Editor, then proceed as described in the steps below. The pictures refer to the SafeGuard Policy Editor.
- If you manage the Standalone Clients via the SafeGuard Management Center, you need to create the Standalone Client configuration package in the SafeGuard Management Center. Log on to the Management Center, then proceed as described in the steps below. The pictures refer to the SafeGuard Policy Editor, but the steps are identical for the SafeGuard Manageme
relevant data such as keys, certificates, information about the users and computers, events and policy settings. It can be generated in two different ways:
- by the first SafeGuard Enterprise Security Officer while installing the SafeGuard Management Center, using the SafeGuard Management configuration wizard;
- by an SQL administrator using a script.

To enhance performance, the SafeGuard Enterprise Database may be replicated to several SQL servers. To set up database replication, see Replicating the SafeGuard Enterprise Database, page 72.

Multiple tenant-specific SafeGuard Enterprise Databases can be created and maintained for different tenants, such as different company locations, organizational units or domains. To configure multi-tenancy, see Configuring for multiple databases (Multi Tenancy), page 41.

Prior to generating the SafeGuard Enterprise Database you need to set up an SQL user account for it.

4.1 CHAPTER 4 Setting up SafeGuard Enterprise Database
[Figure: SafeGuard Enterprise components: Microsoft Active Directory (optional); SafeGuard Management Center (Administrator/MSO); SafeGuard Enterprise Database (Microsoft SQL Server); Web Server (MS Internet Information Services, IIS) running SafeGuard Enterprise Server; User PC running SafeGuard Enterprise Client.]

NOTICE: We recommend operating a permanent online backup for the database. Back up your database regularly to protect keys, compa
Enterprise's volume-based encryption.
- SafeGuard Enterprise Power-on Authentication (POA).
- SafeGuard Enterprise Recovery with Challenge/Response.
HINT: Either SectorBasedEncryption OR BitLockerSupport can be specified.

Feature: BitLockerSupport
Parents: Client, BaseEncryption
Installs BitLocker support for SafeGuard Enterprise with the following functions:
- Boot volume encryption with BitLocker.
- Encryption of other volumes with BitLocker.
- BitLocker Pre-Boot Authentication.
- BitLocker Recovery.
HINT: Either SectorBasedEncryption OR BitLockerSupport can be specified. Not available for SafeGuard Standalone Clients.

Feature: ConfigurationProtection
Parents: Client
Port protection and management of peripheral devices. To install SafeGuard Configuration Protection you need to list this feature in the msiexec command for the Client installation package AND carry out additional installation steps (see Installing SafeGuard Configuration Protection, page 129). Not available for SafeGuard Standalone Clients.

Client features for SGNClient_withoutDE.msi

Feature: SecureDataExchange
Parents: Client
With SecureDataExchange, SafeGuard Data Exchange with file-based encryption is always installed at local level and for removable media. SafeGuard Data Exchange provides
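The rule that every selected feature must be accompanied by its parents on the msiexec command line, together with the exclusions in the feature tables for SGNClient.msi (SectorBasedEncryption or BitLockerSupport but never both; BitLockerSupport and ConfigurationProtection not for Standalone Clients; CredentialProvider mandatory on Windows Vista), is easy to get wrong by hand. The script below is an added example, not part of the SafeGuard manual or product: it encodes the parent relationships from the tables, expands a feature selection into the full ADDLOCAL list, rejects the forbidden combinations and prints the resulting msiexec command. The paths C:\Install\SGNClient.msi and C:\Install\SGNClient.log are placeholders.

```powershell
# Added example (not from the SafeGuard manual): build a correct msiexec command
# line for SGNClient.msi from the feature tables. Feature names and parents are
# the manual's; MSI and log paths are placeholders.

# Feature -> immediate parent (from the "Parents" entries). Client has none.
$FeatureParents = @{
    'Client'                  = $null
    'Authentication'          = 'Client'
    'CredentialProvider'      = 'Authentication'   # parents: Client, Authentication
    'SecureDataExchange'      = 'Client'
    'BaseEncryption'          = 'Client'
    'SectorBasedEncryption'   = 'BaseEncryption'   # parents: Client, BaseEncryption
    'BitLockerSupport'        = 'BaseEncryption'   # parents: Client, BaseEncryption
    'ConfigurationProtection' = 'Client'
}

function Resolve-SgnClientFeatures {
    param(
        [Parameter(Mandatory = $true)][string[]]$Features,
        [switch]$Standalone,   # Standalone Clients: no BitLockerSupport, no ConfigurationProtection
        [switch]$Vista         # Windows Vista: CredentialProvider must be selected
    )
    $selected = New-Object 'System.Collections.Generic.HashSet[string]'
    # Client and Authentication are always installed.
    $queue = @('Client', 'Authentication') + $Features
    if ($Vista) { $queue += 'CredentialProvider' }

    foreach ($f in $queue) {
        $cur = $f
        while ($cur) {
            if (-not $FeatureParents.ContainsKey($cur)) { throw "Unknown feature: $cur" }
            [void]$selected.Add($cur)
            $cur = $FeatureParents[$cur]   # walk up and add every parent
        }
    }
    if ($selected.Contains('SectorBasedEncryption') -and $selected.Contains('BitLockerSupport')) {
        throw 'SectorBasedEncryption and BitLockerSupport are mutually exclusive'
    }
    if ($Standalone) {
        foreach ($f in 'BitLockerSupport', 'ConfigurationProtection') {
            if ($selected.Contains($f)) { throw "$f is not available for SafeGuard Standalone Clients" }
        }
    }
    # Parent-first order keeps the list readable in change records and logs.
    $order = 'Client', 'Authentication', 'CredentialProvider', 'SecureDataExchange',
             'BaseEncryption', 'SectorBasedEncryption', 'BitLockerSupport', 'ConfigurationProtection'
    return @($order | Where-Object { $selected.Contains($_) })
}

function New-SgnClientInstallCommand {
    param([string[]]$Features, [switch]$Standalone, [switch]$Vista,
          [string]$MsiPath = 'C:\Install\SGNClient.msi',
          [string]$LogPath = 'C:\Install\SGNClient.log')
    $addLocal = (Resolve-SgnClientFeatures -Features $Features -Standalone:$Standalone -Vista:$Vista) -join ','
    # /qn: unattended; /L*v: verbose log, which is what support will ask for.
    "msiexec.exe /i `"$MsiPath`" ADDLOCAL=$addLocal /qn /L*v `"$LogPath`""
}

# Enterprise Client with volume-based encryption and Data Exchange on Windows Vista:
New-SgnClientInstallCommand -Features 'SectorBasedEncryption', 'SecureDataExchange' -Vista

# Rejected, because a Standalone Client cannot carry BitLockerSupport:
try { New-SgnClientInstallCommand -Features 'BitLockerSupport' -Standalone } catch { "Rejected: $_" }
```

Selecting SectorBasedEncryption alone on Vista expands to Client, Authentication, CredentialProvider, BaseEncryption and SectorBasedEncryption, which is the list the manual's parent rule requires; ConfigurationProtection still needs the additional installation steps the table refers to after this command has run.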
Protection: port protection and management of peripheral devices on user computers. This package is NOT available for SafeGuard Standalone Clients.

SGNClientRuntime.msi: Runtime Client, enabling booting from a secondary boot volume when multiple operating systems are installed, and accessing these volumes when they are encrypted by a SafeGuard Enterprise installation on the primary volume. Available for both SafeGuard Enterprise Clients and SafeGuard Standalone Clients.

In addition there are configuration packages which are generated during installation.

User interface language
You define the language of SafeGuard Enterprise on the Client in the Management Center using the policy type General Settings > Customization > Client language.
- If the language of the operating system is selected, the SafeGuard Enterprise product language uses the operating system language setting. If the relevant operating system language is not available in SafeGuard Enterprise, the SafeGuard Enterprise product language defaults to English.
- If one of the available languages is selected, the SafeGuard Enterprise product parts on the client side are displayed in the selected language.

You define the language of the SafeGuard Management Center inside the Management Center: open the menu Extras > Options > General > SafeGuard Management Center language and select a language. Restart the SafeGuard Management Center and it w
rt and click OK.
[Screenshot: Enter password dialog: "Please enter the password for the configuration file", Password field, OK, Cancel.]
4. The selected configuration is displayed. Confirm with OK to activate it.
5. To authenticate to the SafeGuard Management Center you are prompted to select the Security Officer name for this configuration and to enter their certificate store password. Confirm with OK.
> The SafeGuard Management Center opens, connected to the imported database configuration.

5.5.6 Importing a configuration by double-clicking the configuration file (Single and Multi Tenancy)
NOTICE: This task is possible in Single Tenancy and Multi Tenancy mode.

It is also possible to export a configuration and distribute it to several security officers. The security officers then only need to double-click the configuration file to open a fully configured SafeGuard Management Center. This is advantageous when you use SQL authentication for the database and want to avoid the SQL password being known to every administrator: you then only need to enter it once, create a configuration file and distribute it to the respective Security Officers' computers.

Prerequisite: The initial configuration of the SafeGuard Management Center must have been carried out. For details see the SafeGuard Enterprise
…rver.
3. Select the server's machine certificate. This is generated when the SafeGuard Enterprise Server is installed. By default it is located in the MachCert directory of the SafeGuard Enterprise Server installation directory. Its file name is <Computername>.cer. If the SafeGuard Enterprise Server is installed on a different PC than the SafeGuard Management Center, this .cer file must be accessible in the form of a copy or a network permission.

[Screenshot: "Select server certificate" file dialog (Look in: MachCert, file name SERVER.cer, files of type .cer) and the "Server registration" dialog (server certificate C:\Program Files\Utimaco\SafeGuard Enterprise\MachCert\SERVER.cer, server name server.utimaco.edu, certificate information: Subject O=Utimaco, CN=SERVER; Issuer O=Utimaco, CN=SERVER; Serial)]

NOTICE: Do not select the MSO certificate.

4. Under Server name, enter the FQDN, e.g. server.utimaco.edu, and confirm with OK.

NOTICE: When using SSL as transport encryption between Client and Server, the server name specified here must be identical with the one specified in the SSL certificate. Otherwise Client and Server cannot communicate.

5. You have selected to Make this computer an SGN Server; a SafeGuard Enterprise Server Configuratio…
…rvices (IIS) based web server.

SafeGuard Management Center (with .NET Framework 3.0 SP1, ASP.NET 2.0) on the administrator PC: Central management tool for SafeGuard Enterprise for managing keys and certificates, users and computers, and for creating SafeGuard Enterprise policies. The SafeGuard Management Center communicates with the database.

Directory Services (optional): Import of an Active Directory. It holds the company's organizational structure with users and computers.

SafeGuard Enterprise Client on user PCs: Client software for authentication and data encryption on user computers. The SafeGuard Enterprise Client communicates with the SafeGuard Enterprise Server.

2.2 SafeGuard Enterprise Standalone

SafeGuard Enterprise can also be operated in standalone mode, without any central management or any connection to a central SafeGuard Enterprise Server. In this scenario SafeGuard Standalone Clients are managed locally. They receive their policies by way of configuration files which are distributed via third-party mechanisms. This solution is well suited for smaller enterprise environments.

With SafeGuard Enterprise Standalone, basic SafeGuard Enterprise policy groups may be created on a computer. These are distributed in configuration packages to the Standalone Clients, either during installation or at a later point in time, using different transfe…
…se Server. This will improve the performance. Moreover, it ensures that other applications cannot conflict with SafeGuard Enterprise, for instance concerning the version of ASP.NET to be used.

This chapter describes how to install SafeGuard Enterprise Server on an IIS server. To do this, you first have to configure Microsoft Internet Information Services (IIS).

[Diagram: SafeGuard Enterprise Components: Microsoft Active Directory (optional); SafeGuard Management Center (Administrator/MSO); SafeGuard Enterprise Database (Microsoft SQL Server); Web Server (MS Internet Information Services, IIS) running SafeGuard Enterprise Server; User PC running SafeGuard Enterprise Client]

6.1 Prerequisites

The following prerequisites must be met, in this sequence:
- You need Windows administrator rights.
- Microsoft Internet Information Services (IIS) must be installed and hardened. IIS is available free of charge; you will find the program e.g. on your Windows CD or on the Microsoft website. Please note when using Windows XP Professional that IIS is limited to a maximum of ten simultaneous user PC connections.
- If you use SSL transport encryption between SafeGuard Enterprise Server and Enterprise Client, you have to set up IIS for it in advance, see Securing transport connections with SSL, page 13.
- Certificate Authority must be installed f…
…se may be accessed.

CHAPTER 14 Installing SafeGuard Enterprise Client on computers with multiple operating systems

14.2 Preparations

To set up SafeGuard Enterprise Runtime, carry out the following preparations in the order mentioned:
1. Ensure that those volumes on which SafeGuard Enterprise Runtime is to run are visible at the time of installation and may be addressed by their Windows name, e.g. C:.
2. Decide on which volume(s) of the hard disk the SafeGuard Enterprise Runtime Client is to be installed. In terms of SafeGuard Enterprise, these volumes are defined as secondary Windows installations. There can be several secondary Windows installations. You may install the following package from the product CD: SGNClientRuntime.msi.
3. Decide on which volume of the hard disk the full version of the SafeGuard Enterprise Client is to be installed. In terms of SafeGuard Enterprise, this volume is defined as the primary Windows installation. There can only be one primary Windows installation. You may install the following packages from the product CD: SGNClient.msi and, additionally, SGN_CP_PortProtectorClient.msi.

14.3 Setting up SafeGuard Enterprise Runtime Client

Proceed as follows:
1. Select the required secondary volume(s) of the hard disk you want to install SafeGuard Enterprise Runtime Client on.
2. Boot the secondary Windows installation on the selected volume.
3. Install SGNClientRuntime.msi…
…ssary authentication information.
1. In IIS Manager, double-click the local computer, right-click the Web Sites folder and then click Properties.
2. Click the Directory Security tab and then, in the Authentication and access control section, click Edit.
3. In the Authenticated access section, deselect the Windows Integrated Authentication check box.
4. Click OK twice.

Settings for Application Pool DefaultAppPool
- If the SQL server resides on the same computer as the IIS server, set the built-in Local Service user account for DefaultAppPool. In the sample configuration this applies to Server 1.
- If the SQL server resides on a different computer than the IIS server, set the built-in Network Service user account for DefaultAppPool. In the sample configuration this applies to Server 2. Otherwise synchronization with the client will fail.

IIS rollout name

During IIS setup a standard user is created on the IIS server with standard rights. When SafeGuard Enterprise Server is installed on the IIS server, a standard IIS SafeGuard user will be created with standard IIS rights and the following logon name: IUSR_SafeGuardServerUser. This helps to authenticate to the IIS server in case it is renamed after installation, as this specific SafeGuard IIS user can always be used as a valid logon name.

Testing .NET Framework registration

Check whether .NET Framework Version 3.0 with Service Pack 1 is installed on the IIS server:
1.…
…st be met:
- You need Windows administrator rights.
- .NET Framework 3.0 Service Pack 1 must be installed on the administrator PC.
- If you want to create a new SafeGuard Enterprise database during SafeGuard Management Center configuration, you need the necessary SQL access rights, see Rights to access the database, page 24.

5.2 Installing SafeGuard Management Center

You will find the required SGNManagementCenter.msi install package on the product CD.
1. Start SGNManagementCenter.msi from the product CD.
2. Click Next in the welcome window.
3. Accept the license agreement.
4. Select an installation path.
5. Select the installation type. To install SafeGuard Management Center to support one database only, select an installation of type Typical. To install SafeGuard Management Center to support multiple databases, select an installation of type Custom; then activate the feature Multi Tenancy. Note: This feature is not installed with an installation of type Typical.

[Screenshot: SafeGuard Enterprise 5.40.0.122 Beta Management Center Setup, Select Features: "Please select which features you would like to install": Management Console, Multi Tenancy]

For further information on the configuration of Multi Tenancy, see Configuring for multiple databases (Multi Tenancy), page 41.
6. Confirm that the installation has completed successfully.
► The SafeGuard…
…stributed to the client computers via separate distribution mechanisms and have to be installed there.
- No central key management. An automatically generated machine key will be used for SafeGuard Device Encryption. For file-based encryption and SafeGuard Data Exchange, keys generated locally by the user will be used.
- When restarting the client computer for the first time after a complete installation (Client software and configuration package), a recovery file will be created. The help desk needs this file when performing a Challenge/Response procedure for logon recovery. This file must therefore be saved at a file location accessible to the help desk.
- No central logging.
- No definable administrative roles.

The SafeGuard Policy Editor may be easily migrated to the SafeGuard Management Center to make use of the full management functionality of SafeGuard Enterprise.

[Diagram: SafeGuard Enterprise Standalone Components: SafeGuard Policy Editor on the Reference Computer (Security Officer) with the SafeGuard Enterprise Database (Microsoft SQL Server); policies in a client configuration package are passed via software distribution mechanisms to the Standalone User PC running the SafeGuard Standalone Client]

10.1 Prerequisites

The following prerequisites must be met:
- You need Windows administrator rights.
- If you want to use an already installed Microsoft SQL database server…
…t be executed in the order specified in the sample. In this sample the following is installed:
- SafeGuard Enterprise volume-based encryption is installed.
- SafeGuard Configuration Protection must be listed as a feature for the client installation package SGNClient.msi. To initiate the installation of the SafeGuard Configuration Protection module, a separate installation package must be added by specifying an additional msiexec command.
- A log file is created.
- Finally, the Client configuration package SGNEnterpriseClientConfig.msi is run.

EXAMPLE
msiexec /i F:\SGNClient.msi /qn /log I:\Temp\SGNClient.log ADDLOCAL=Client,Authentication,BaseEncryption,SectorBasedEncryption,ConfigurationProtection Installdir="C:\Program Files\Utimaco\SafeGuard Enterprise"
msiexec /i SGN_CP_PortProtectorClient.msi /quiet /norestart
msiexec /i F:\SGNEnterpriseClientConfig.msi /qn /log I:\Temp\SGNEnterpriseClientConfig.log

15.4 Sample command for SafeGuard Configuration Protection with SGNClient_withoutDE.msi

The msiexec commands must be executed in the order specified in the sample. In this sample the following is installed:
- SafeGuard Data Exchange with file-based encryption is installed.
- SafeGuard Configuration Protection must be listed as a feature for the client installation package SGNClient_withoutDE.msi. To initiate the…
…tabase: www.utimaco.com/myutimaco, category Implementation.

If you use SQL authentication, we highly recommend securing the connection to and from the database server with SSL. For further information, see Securing transport connections with SSL, page 13.

Rights to access the database

SafeGuard Enterprise is set up in such a way that, to work with the SQL database, it only needs a single user account with minimal access rights for the database. This user account is used by the SafeGuard Management Center and is only issued to the first Management Center security officer. This guarantees the connection to the SafeGuard Enterprise database.

While SafeGuard Enterprise is running, a single SafeGuard Management Center security officer only needs read/write permission for the SafeGuard Management Center database.

The SafeGuard Enterprise database can either be generated by the company's SQL administrator or by the SafeGuard Management Center security officer. The SafeGuard Management Center security officer needs, for a short time during installation, extended access rights for the SQL database (db_creator) if they are going to generate the SafeGuard Enterprise database themselves. However, after the install these rights can be revoked by the SQL administrator until the next install/update. If extending permissions during the SafeGuard Management Center configu…
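The rights model described above, as an added PowerShell example that is not part of the Utimaco manual: the Management Center account gets dbcreator only for the installation, then it is revoked and the account is left with read/write on the SafeGuard Enterprise database. The instance name, the login name, the database name and the use of the db_datareader/db_datawriter roles to implement "read/write permission" are assumptions.

```powershell
<#
  Added example (not from the Utimaco manual). Manages the SQL Server rights of the
  SafeGuard Management Center account as the "Rights to access the database" section
  describes: dbcreator only while the security officer creates the database, revoked
  afterwards, leaving read/write on the SafeGuard Enterprise database.
  Assumptions (not on the page): instance '.\SQLEXPRESS', login 'SGN_MC', database
  'SafeGuard', and db_datareader/db_datawriter as the "read/write" roles.
  Uses sqlcmd.exe (ships with SQL Server 2005) with Windows authentication (-E).
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('BeforeInstall', 'AfterInstall', 'Audit')]
    [string]$Phase,
    [string]$Instance = '.\SQLEXPRESS',   # assumed instance name
    [string]$Login    = 'SGN_MC',         # assumed SQL login used by the security officer
    [string]$Database = 'SafeGuard'       # assumed SafeGuard Enterprise database name
)

function Invoke-Tsql {
    param([string]$Query, [string]$Db = 'master')
    # -b aborts the batch on the first error, so a failed GRANT/REVOKE cannot go unnoticed
    $out = & sqlcmd.exe -S $Instance -E -d $Db -b -Q $Query 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed (exit $LASTEXITCODE): $out" }
    return $out
}

switch ($Phase) {
    'BeforeInstall' {
        # Temporary elevation: needed only while the Management Center wizard creates the database
        Invoke-Tsql "EXEC sp_addsrvrolemember @loginame = N'$Login', @rolename = N'dbcreator';"
        Write-Host "dbcreator granted to $Login for the duration of the installation."
    }
    'AfterInstall' {
        # Drop the server-level right first, then keep only read/write inside the SafeGuard database
        Invoke-Tsql "EXEC sp_dropsrvrolemember @loginame = N'$Login', @rolename = N'dbcreator';"
        $grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login];
EXEC sp_addrolemember @rolename = N'db_datareader', @membername = N'$Login';
EXEC sp_addrolemember @rolename = N'db_datawriter', @membername = N'$Login';
"@
        Invoke-Tsql -Query $grant -Db $Database
        Write-Host "$Login reduced to db_datareader/db_datawriter on $Database."
    }
    'Audit' {
        # Shows whether the temporary elevation is still in place (it should not be after setup)
        $q = "SELECT IS_SRVROLEMEMBER('dbcreator', N'$Login') AS still_dbcreator, " +
             "IS_SRVROLEMEMBER('sysadmin', N'$Login') AS is_sysadmin;"
        Invoke-Tsql $q | Write-Host
    }
}
```

Run with -Phase BeforeInstall before the Management Center wizard creates the database, -Phase AfterInstall once it has finished, and -Phase Audit at any time to confirm the elevation has been removed.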
…talling the Client package
1. Start the relevant .msi package from the product CD.
2. Click Next in the welcome window.
3. Accept the license agreement.
4. If necessary, select the features that you want to install, see Selecting features, page 123.
5. Select an installation path. The default installation path is C:\Program Files\Utimaco\SafeGuard Enterprise.
6. Confirm that the installation has completed successfully.

Creating the configuration package

The security officer must now configure the user PC by creating a configuration package. For creating an Enterprise Client configuration, see Creating an Enterprise Client configuration package, page 106. For creating a Standalone Client configuration, see Creating a Standalone Client configuration package, page 109.
1. As security officer, create the configuration package.
2. Distribute the configuration package to the user.
3. The user then needs to install the client configuration package on the user PC.
► The SafeGuard Enterprise Client/Standalone Client has now been completely installed.
► The User Manual describes how the user PCs behave when first logging on after installing SafeGuard Enterprise.

13.3 Selecting features

While SafeGuard Enterprise is being installed on your user PC, you are offered optional features depending on the operating system and installation…
…tandalone Client, see Setting up user PCs centrally, page 102, and particularly see Creating a Standalone Client configuration package, page 109.

HINT: For the Standalone Clients the modules Device Encryption and Data Exchange may be installed. The Configuration Protection module is not supported.

[Diagram: SafeGuard Enterprise Standalone Components: SafeGuard Policy Editor on the Reference Computer (Security Officer) with the SafeGuard Enterprise Database (Microsoft SQL Server); policies in a client configuration package are passed via software distribution mechanisms to the Standalone User PC running the SafeGuard Standalone Client]

Component / Description

SafeGuard Enterprise database, based on Microsoft SQL Server: The SafeGuard Enterprise database holds all the relevant data concerning the policy settings for the Standalone Clients. If there is no Microsoft SQL Database Server available on the reference computer, Microsoft SQL 2005 Express Edition will be automatically installed on the reference computer during the SafeGuard Policy Editor setup. Microsoft SQL 2005 Express Edition is delivered on the product CD.

SafeGuard Policy Editor, with .NET Framework 3.0 SP1, ASP.NET 2.0: Standalone management tool for SafeGuard Enterprise Standalone for creating pol…
…tandalone Clients:
- SafeGuard BitLocker support
- Configuration Protection

Restrictions for BitLocker support: The following installation package is not available for SafeGuard Enterprise Clients with BitLocker support:
- SGNClient_withoutDE.msi

12.4 Tasks for centralized install

As a security officer, create an installation package that includes the following:
- SafeGuard Enterprise/Standalone Client installation package. The client installation packages are included on the product CD. The installation packages are valid for Enterprise Clients and Standalone Clients alike. For Standalone Clients, however, the Configuration Protection package may not be installed.
- Client configuration package. The Client configuration package must be generated beforehand. Different configuration packages need to be installed for Enterprise and Standalone Clients.
- Script with commands for automatic installs.

You need to distribute this installation package to the user PCs in the specified sequence. To do so, you can use the Windows Installer command msiexec. The packages are executed on the user PCs. The user PCs are then ready for use of SafeGuard Enterprise.
► The User Manual describes the behavior of the user PCs when first logging on after installing SafeGuard Enterprise.

12.4.1 Creating an Enter…
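The "script with commands for automatic installs" named above, built from the msiexec sequence of the Configuration Protection sample (SGNClient.msi, SGN_CP_PortProtectorClient.msi, SGNEnterpriseClientConfig.msi), as an added PowerShell example that is not the manual's own script: it runs the packages in the required order, stops at the first failure so no half-configured client is left behind, and defers a single reboot to the end. The distribution share, the log folder and the /norestart switch on every package are assumptions.

```powershell
<#
  Added example (not from the Utimaco manual). Runs the three msiexec commands of the
  central install in the fixed order the manual requires and stops at the first failure,
  so a client package without its configuration package, or Configuration Protection
  without SGN_CP_PortProtectorClient.msi, is never left behind.
  Assumptions (not on the page): distribution share \\fileserver\sgn, log folder
  C:\Temp\SGN, and /norestart on every package so one reboot is done at the end.
  Exit codes 0 (ERROR_SUCCESS), 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) and 1641
  (ERROR_SUCCESS_REBOOT_INITIATED) are Windows Installer's documented success codes.
#>
param(
    [string]$Source = '\\fileserver\sgn',   # hypothetical distribution share
    [string]$LogDir = 'C:\Temp\SGN'         # assumed log folder
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$installDir   = 'C:\Program Files\Utimaco\SafeGuard Enterprise'   # default path from the manual
$okCodes      = 0, 3010, 1641
$rebootNeeded = $false

# Ordered steps: client package with ConfigurationProtection listed in ADDLOCAL,
# then the separate port protector package, then the client configuration package.
$steps = @(
    @{ Name = 'SGNClient.msi'; Log = "$LogDir\SGNClient.log"
       Args = "/i `"$Source\SGNClient.msi`" /qn /norestart /log `"$LogDir\SGNClient.log`" " +
              "ADDLOCAL=Client,Authentication,BaseEncryption,SectorBasedEncryption,ConfigurationProtection " +
              "Installdir=`"$installDir`"" },
    @{ Name = 'SGN_CP_PortProtectorClient.msi'; Log = "$LogDir\SGN_CP_PortProtectorClient.log"
       Args = "/i `"$Source\SGN_CP_PortProtectorClient.msi`" /quiet /norestart " +
              "/log `"$LogDir\SGN_CP_PortProtectorClient.log`"" },
    @{ Name = 'SGNEnterpriseClientConfig.msi'; Log = "$LogDir\SGNEnterpriseClientConfig.log"
       Args = "/i `"$Source\SGNEnterpriseClientConfig.msi`" /qn /norestart " +
              "/log `"$LogDir\SGNEnterpriseClientConfig.log`"" }
)

function Install-SgnPackage {
    param([hashtable]$Step)
    Write-Host "Installing $($Step.Name) ..."
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Step.Args -Wait -PassThru -NoNewWindow
    if ($okCodes -notcontains $p.ExitCode) {
        # Abort the whole sequence: the remaining packages depend on this one
        throw "$($Step.Name) failed with msiexec exit code $($p.ExitCode); see $($Step.Log). " +
              'Remaining packages were NOT installed.'
    }
    return $p.ExitCode
}

foreach ($step in $steps) {
    $code = Install-SgnPackage -Step $step
    if ($code -ne 0) { $rebootNeeded = $true }   # 3010/1641: finish the sequence, reboot once afterwards
}

# Post-check: every package wrote its log and the product directory exists
$missingLogs = $steps | Where-Object { -not (Test-Path $_.Log) } | ForEach-Object { $_.Name }
if ($missingLogs) { Write-Warning "No log file for: $($missingLogs -join ', ')" }
if (-not (Test-Path $installDir)) { Write-Warning "Install directory $installDir not found" }

if ($rebootNeeded) {
    Write-Host 'Windows Installer requested a reboot; restart the computer to complete the installation.'
}
```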
…teps for SafeGuard Enterprise Client on multiple operating systems (runtime system)

Step 1: Set up SafeGuard Enterprise Client Runtime system. Description: Install the SafeGuard Client runtime package on the secondary boot volume(s) of the user PC. Installation package: SGNClientRuntime.msi. Chapter: 14.

Step 2: Set up SafeGuard Enterprise Client. Description: Install the SafeGuard Client installation package on the primary boot volume of the user PC. Install with Device Encryption. Installation package: SGNClient.msi. Chapters: 11, 12.

Step 3: Configure SafeGuard Enterprise or Standalone Client. Description: Generate the Enterprise or Standalone Client configuration package and install it on the user PC. Configuration package: SGNEnterpriseClientConfig.msi (Enterprise Client configuration package generated in the SafeGuard Management Center Configuration Package Tool), chapter 11.4.1; or SGNStandaloneClientConfig.msi (Standalone configuration package generated in the SafeGuard Policy Editor Configuration Package Tool), chapter 11.4.2.

CHAPTER 4 Setting up SafeGuard Enterprise Database

This chapter describes how to set up a SafeGuard Enterprise Database. It describes the authentication for the database server, which you need to be able to generate a SafeGuard Enterprise database. It also gives details on the SQL access rights that are required.

The SafeGuard Enterprise database is an SQL database based on Microsoft SQL Server. It holds all…
…ter

Token/Smartcards: To some degree. The token/smartcard hardware can continue to be used in SafeGuard Enterprise. However, the credentials are not migrated. The tokens used in SafeGuard Easy therefore need to be re-issued in SafeGuard Enterprise and, as with every other SafeGuard Enterprise user PC, set up using policies. SafeGuard Easy credentials in file form on tokens/smartcards remain as such but can only be used to log on to computers with SafeGuard Easy support.

SafeGuard Easy Pre-Boot Authentication: No. SafeGuard Easy Pre-Boot Authentication (PBA) is replaced by the SafeGuard Enterprise Power-on Authentication (POA).

SafeGuard Easy installations without GINA: Yes. SafeGuard Easy installations without GINA are migrated to SafeGuard Enterprise with SGNGINA installed.

19.4 Preparations

The following measures should be taken before starting the installation of SafeGuard Enterprise:
- For security purposes, create a full backup of the user PCs that are to be migrated. For details on e.g. chkdsk and defrag, see our knowledge database http://www.utimaco.com/myutimaco, search for the keywords chkdsk and defrag.
- Create a valid SafeGuard Easy kernel backup and save this backup in a location that can always be accessed, e.g. a network path.
- For security purposes, create a test environment f…
…ter. The configuration files may be distributed via company software distribution mechanisms, or the configuration package is installed manually on the user computers.

Restrictions: For SafeGuard Standalone Clients the following modules are not supported:
- Configuration Protection
- BitLocker support

11.3.2 Standalone Clients managed via SafeGuard Policy Editor

This is the typical Standalone scenario, with SafeGuard Standalone Clients being locally managed via the SafeGuard Policy Editor. The required Standalone Client configuration package is created in the SafeGuard Policy Editor. Policies are created, grouped and combined to configuration packages in the SafeGuard Policy Editor. These are afterwards distributed to the Standalone Clients via third-party mechanisms such as e-mail or memory sticks. For Standalone Clients, no connection to the SafeGuard Enterprise Server is ever established at any point in time.

[Diagram: SafeGuard Enterprise Standalone Components: SafeGuard Policy Editor on the Reference Computer (Security Officer) with the SafeGuard Enterprise Database (Microsoft SQL Server); policies in a client configuration package are passed via software distribution mechanisms to the Standalone User PC running the SafeGuard Standalone Client]

The following table shows the available installat…
…the migration:
- You need Windows administrator rights.

Migrating Standalone Clients to Enterprise Clients

For migration you only have to create a different client configuration package and assign it to the Standalone Client.
1. Create the client configuration package (called Enterprise Client Package) in the SafeGuard Management Center via Tools > Configuration Package Tool.
2. Assign this package to the Standalone Client computers via a group policy.

NOTICE: During migration all users and certificates will be deleted and the Power-on Authentication will be disabled, as the user/computer assignment is not migrated. After migration the user computers are therefore unprotected.

3. Reboot twice after migration. The first logon is still done via Autologon. New keys and certificates are assigned to the user. Thus users can only log on at the Power-on Authentication when rebooting for the second time. Only after the second reboot are the user computers protected again.
► The SafeGuard Standalone Client is now a SafeGuard Enterprise Client.

CHAPTER 19 Migrating SafeGuard Easy to SafeGuard Enterprise

19.1 Migrating SafeGuard Easy to SafeGuard Enterprise

SafeGuard Easy 4.20 or higher can be directly migrated to SafeGuard Enterprise 5.40. SafeGuard Easy Clients can be directly migrated to SafeGuard Enterprise Clients by simply installing the SafeGuard Client installation package on the user computer…
…tion. When accessing removable media after migration, the user needs to actively confirm the transformation of the encryption keys into a SafeGuard Enterprise compatible format.

Prerequisite: The appropriate policy for volume-based encryption has to be present on the user computer before conversion. Otherwise the keys will not be converted.

The user is prompted to confirm the conversion for any removable media. An appropriate message is displayed.
- If the user confirms the conversion, full access to the migrated data is possible.
- If the user rejects the conversion, the migrated data can still be opened for reading and writing.

Newly added removable media are encrypted as with any SafeGuard Enterprise Client, if the appropriate policy is present on the user computer.

CHAPTER 20 Annex: Best practice scenario

[Diagram: Active Directory; regions including America; sites with 1000 Clients, 5000 Clients and 4000 Clients]

In this scenario, Europe is the ideal location for the SafeGuard Enterprise database. The reasons are:
- The Active Directory is located in Europe and thus permits rapid synchronization.
- Central management using the SafeGuard Management Center is done in Europe.
- The IIS server is located in Europe.
- Most users reside in Europe.

Technical Support

Online Documentation

Our knowledge database provides answers to many typical questions about the SafeG…
…uard product range, including its functionality, implementation, administration and troubleshooting.

Link to support area: http://www.utimaco.com/myutimaco

To access the public area of the knowledge database, you can log on as a guest user. To access the restricted area of the knowledge database, you need a valid software maintenance agreement. Our support staff continually adds to the contents of both areas and keeps them up to date on an ongoing basis.

Advanced support services and telephone support

For customers with a valid maintenance contract, qualified support staff is available to provide advice and assistance. To receive a contract offer tailored to your specific needs, please contact your sales partner. We hope you understand that some enquiries from customers without a maintenance agreement may require several working days to process. In urgent cases, please contact the sales partner from whom you bought your licenses or software subscription.

Copyright

Copyright 1996-2009 Utimaco Safeware AG, a member of the Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, unless you are either a valid licensee, where the documentation can be reproduced in accordance with the licence terms, or you otherwise have the prior permission in writing of the c…
…ubscription for Linz. The new Graz and Linz databases will then also appear in the subscriptions (SQL configuration wizard).
4. Close the SQL configuration wizard. The replication monitor shows whether the replication mechanism runs correctly.
5. Make sure to enter the correct database name in the first line of the SQL script. For example, use Graz or use Linz.
6. Generate the snapshots again using the Snapshot Agent.
► The replication databases Graz and Linz have been created. Proceed with installing the SafeGuard Enterprise Server.

8.3 Installing and configuring SafeGuard Enterprise Server

To install SafeGuard Enterprise Server on the web servers, proceed as follows. For installation details, see Setting up SafeGuard Enterprise Server, page 51.
1. Install SafeGuard Enterprise Server on server WS_1.
2. Install SafeGuard Enterprise Server on server WS_2.
3. Register the servers in the SafeGuard Management Center via Tools > Configuration Package Tool > Register Server > Add.
4. You are asked to add the server certificates ws_1.cer and ws_2.cer. You will find them in the Program Files\Utimaco\SafeGuard Enterprise\MachCert folder. These certificates are needed to create the appropriate server and client configuration packages.
► The SafeGuard Enterprise servers are installed and registered. You now need to create the server and the clie…
…ucture from an Active Directory or, if there is no directory service available, you can implement the organizational structure manually by creating new domains/workgroups which the user computer can log on to.

[Screenshot: SafeGuard Management Center (MSO on SGNSRV), Users & Computers view showing Root (filter is active), Authenticated Computers, Authenticated Users, Auto registered and the UTIMACO.EDU domain tree, with the "Create new domain (auto registration)" dialog: Description, Distinguished name, Domain Netbios, Connection state, Policy, Block Policy Inheritance]

To create a new domain, proceed as follows. To display the view, open the SafeGuard Management Center and click Users & Computers.
1. Select Root (filter is active) in the navigation window on the left.
2. In the context menu, select New > Create new domain (auto registration).
3. Enter the following information about the domain controller in Common information. All three name entries must be correct, otherwise the domain will not be synchronized.
   a. Full name: For…
…uration package is directly installed afterwards, the restart can be postponed.
5. Generate and install the SafeGuard Enterprise Client configuration package SGNEnterpriseClientConfig.msi.
6. Restart the computer.
► SafeGuard Enterprise Configuration Protection is installed on the user computer.

15.6 Uninstalling SafeGuard Configuration Protection

To uninstall SafeGuard Configuration Protection, carry out the tasks in the order mentioned:
1. Run the SafeGuard Enterprise Client installation package on your computer, either SGNClient.msi or SGNClient_withoutDE.msi.
2. Select the option Modify in the installation wizard.
3. Deactivate the feature Configuration Protection.
4. When the uninstall is finished, do not restart the computer.
5. Uninstall SGN_CP_PortProtectorClient.msi.
6. Restart the computer.
► SafeGuard Configuration Protection has been removed from the user computer.

CHAPTER 16 Preventing uninstallation from the user PC

To provide extra protection for user PCs, you can prevent local uninstallation of SafeGuard Enterprise via a central machine policy. If this kind of policy is applied to the user PC, SafeGuard Enterprise can only be uninstalled when the appropriate policy is assigned. Otherwise uninstallation will be cancelled and the unauthorized attem…
…user PCs locally, page 121. Windows Installer recognizes the modules already installed and only installs these modules afresh. You do not have to create a new configuration package.

Enhancing SafeGuard Standalone Client with volume-based encryption

If you want to enhance a Standalone Client on which only the SafeGuard Data Exchange module with file-based encryption is installed (SGNClient_withoutDE.msi) to a Standalone Client with volume-based encryption and SafeGuard Data Exchange with file-based encryption (SGNClient.msi), you need to carry out the following steps. These steps are necessary to ensure a secure and correct authentication at the Power-on Authentication.
1. Uninstall the SafeGuard Data Exchange installation package SGNClient_withoutDE.msi.
2. Uninstall the Standalone Client configuration package.
3. Install the Client installation package with volume-based encryption (SGNClient.msi), selecting the features Device Encryption and Data Exchange.
4. Generate and install a new Standalone Client configuration package.

The recovery key file as well as the local keys created during the installation of the Data Exchange package will not be deleted but will still be available.

17.7 Updating the operating system

Once SafeGuard Enterprise is installed, it is only possible to update the Service Pack version of the operating system series installed. You may fo…
Utimaco Safeware, a member of the Sophos Group. Professional IT Security for your Corporation.

SafeGuard Enterprise Installation manual, Version 5.40. Document date: July 2009.

Contents

CHAPTER 1 SafeGuard Enterprise Overview ... 1
CHAPTER 2 SafeGuard Enterprise components ... 2
2.1 SafeGuard Enterprise with central management ... 3
2.2 SafeGuard Enterprise Standalone ... 6
CHAPTER 3 Preparing for installation ... 9
3.1 First steps before installing ... 9
3.2 System requirements ... 10
3.3 Installation packages ... 10
3.4 User interface language ... 11
3.5 Interaction with other SafeGuard products ... 12
3.5.1 Interaction with SafeGuard LAN Crypt ... 12
3.5.2 Interaction with SafeGuard PrivateCrypto and SafeGuard Private Disk ... 12
3.6 Securing transport connections with SSL ...
…xpress Edition
1. Open the script CreateDatabase.sql and check the two target path specifications under FILENAME. They must match the paths specified on your server. Correct them if necessary.
2. Double-click to start the CreateDatabase.sql script. Microsoft SQL Server Management Studio Express is launched.
3. Log on to SQL Server with your credentials.
4. Click the Execute button to generate the database.

[Screenshot: Microsoft SQL Server Management Studio Express with the CreateDatabase.sql query open against master]

Next, use the CreateTables.sql script off the product CD to generate the tables.
1. Double-click to start the CreateTables.sql script. Microsoft SQL Server Management Studio Express is launched.
2. Enter your credentials for the SQL Server.
3. Select the correct database that you have created for SafeGuard Enterprise. To do this, in the SQL Server login window click Options > Connection Properties and, under Connect to Database, select the SafeGuard Enterprise database in which the tables are to be created. Click Connect.
4. Click the Execute button to generate the tables.
► The SafeGuard Enterprise database and the associated tables have been created.
Setting up user PCs centrally

This chapter describes how to set up the SafeGuard Enterprise Client centrally for multiple computers. Installation and configuration is described for SafeGuard Enterprise Clients as well as for SafeGuard Standalone Clients. The tasks required for an installation of user computers with Windows Vista BitLocker are described as well.

SafeGuard Enterprise security officers may carry out the installation and initial configuration of user computers as part of centralized software distribution. This ensures a standardized installation on multiple user computers.

NOTICE: Within central software distribution, the installation and configuration packages must only be assigned to a computer; they cannot be assigned to a user.

> The behavior of the user PCs when first logging on after installing SafeGuard Enterprise is described in the SafeGuard Enterprise User Manual.

12.2 General prerequisites

The following prerequisites must be met:

- You need Windows administrator rights.
- A user account must be set up and active on the user PCs.
- Create a full backup of data on the user PCs. This prerequisite only applies to SafeGuard Enterprise Clients.
- Check whether there is a connection to the SafeGuard Enterprise Server. Select this web address in Internet Explorer on the user PCs: http://<ServerIPAdresse>/sgnsrv. If t
you need the necessary SQL access rights, see Rights to access the database, page 21.
- .NET Framework 3.0 Service Pack 1 and ASP.NET 2.0 must be installed on the reference computer.

10.2 Installing SafeGuard Policy Editor

You will find the installation package SGNPolicyEditor.msi on the product CD.

1. Start SGNPolicyEditor.msi from the CD.
2. Click Next in the welcome window.
3. Accept the license agreement.
4. Select an installation path.
5. If the installer does not detect an SQL Database Server on the reference computer, you are prompted to have Microsoft SQL 2005 Express Edition installed on your computer. Confirm to install Microsoft SQL Server 2005 Express Edition on the reference computer. The SQL Database Server will be installed automatically. Your Windows credentials are used as the SQL user account.
6. Click Finish to complete the installation.

> The SafeGuard Policy Editor is installed.

10.3 Configuring SafeGuard Policy Editor

After installation you need to configure the SafeGuard Policy Editor. A wizard is provided to take you through the necessary steps. This wizard opens automatically when you start the SafeGuard Policy Editor for the first time after installation. If you want to access an existing Microsoft SQL Server, you should keep the SQL credent