ProtectDrive Administration Guide - Secure Support
Contents
1. Tab / Field / Value table:
Notice: Dialog ID 100
Logon: Dialog ID 113; Username control ID 1000; Password control ID 1008; Domain control ID 1009
Change Password: Dialog ID 800
Ctrl Alt Del: Dialog ID 400
Locked: Dialog ID 200
Unlock: Dialog ID 106; Username control ID 1000; Password control ID 1002; Domain control ID 1009
Shutdown: Dialog ID 500
(page 96, Chapter 6 Single Sign On Management)
Third Party Product Support. Overview: There are a number of third party products that are often used concurrently with ProtectDrive. It can be beneficial if ProtectDrive can perform single sign on for these products without requiring direct support for each product. This section discusses how this can be achieved in a flexible and minimal manner with ProtectDrive using the Single Sign On Assistant.
Support for Third Party GINAs: The ProtectDrive GINA supports the chaining of any third party GINA. In this case the dialog configuration for the chained GINA is set up using the Single Sign On Assistant and is stored in the registry. The ProtectDrive GINA loads this configuration at start up and performs single sign on. It is not guaranteed that this approach will work for every third party GINA, as there is considerable flexibility in the implementation of replacement GINAs. Instead, single sign on is offered for GINAs which "play fair". At this stage the user must manually enter t
2. 5 Click Managed by a configuration object and then select the desired configuration object from the drop down list. 6 Click Apply and then click OK. Note that the client no longer displays in Active Directory Users and Computers; it is now linked to the new client configuration object and can only be viewed in the ProtectDrive Management snap in.
Change a Configuration Object managed Client to a Computer Object managed Client: By simply removing the client from its currently assigned configuration object, the client will revert to being managed by its own property sheet configuration. 1 On the server, open the ProtectDrive Management Console. 2 Expand the ProtectDrive Management directory. 3 Expand the Configuration Objects directory. 4 Right click on the client to reassign and then click Remove. 5 Click Yes to confirm the action.
(Chapter 5 Deploying ProtectDrive) ProtectDrive Management Reports: Two installation prerequisites are required to run ProtectDrive Management Console reports. These prerequisites are located in the VSSetupPrerequisites directory on the ProtectDrive distribution CD and must be installed before you install the ProtectDrive Administrative Management Tools. Refer to page 51 for details. During the ProtectDrive Administrative Management Tools installation a ProtectDrive Reports snap in is installed. Th
3. ProtectDrive will automatically synchronize passwords during a password change. (page 146)
Chapter 9 User Authentication: If System policy has been configured to disable pre boot authentication (see Activate Pre boot Authentication in the Authentication tab), then none of the material in this chapter applies. In this case the user will be presented with a standard Windows Domain authentication dialog and normal Windows logon applies. The default high resolution pre boot screens shown in the following examples have a black background. If high resolution is not supported, the pre boot screens have a white background, which is typical of the legacy pre boot screens. These low resolution screens function virtually the same as their high resolution counterparts. Please note the following:
- Legacy pre boot screens do not support fingerprint logon.
- Legacy pre boot screens do not support auditory prompting.
- If both the Allow Password Domain User Access and the Allow Token User Domain Access pre boot authentication options are enabled in ProtectDrive, the legacy screens do not include an initial pre boot screen (shown in the example below) which allows the user to choose the login method. Instead, the user must press the F2 function key to toggle between these two logon screens. If a PIN only login is required then this login selection scre
4. (Chapter 5 Deploying ProtectDrive) ProtectDrive Install MSI Package: ProtectDrive is deployed using a Windows Installer (MSI) package. The files shown below are used to install the ProtectDrive Administrative Management Tools and Client side components.
Name / Size / Type / Date Modified:
1031.mst (German): 103 KB, MST File, 1/5/2011 5:41 PM
1033.mst (English): 4 KB, MST File, 1/5/2011 5:41 PM
1041.mst (Japanese): 98 KB, MST File, 1/5/2011 5:41 PM
SafeNet ProtectDrive.msi: 23,317 KB, Windows Installer Package, 1/5/2011 5:42 PM
Setup.exe: 56 KB, Application, 1/5/2011 5:39 PM
Additionally, an Active Directory Group Policy Object (GPO) responsible for software deployment can be configured and customized for network roll out of SafeNet ProtectDrive.msi to multiple client systems. Alternatively, with ProtectDrive version 8.3 and higher it is possible to customize installations via the ProtectDrive Management Console Configuration Objects (see page 55). If you are deploying ProtectDrive on a Windows 7, Windows Vista or Windows Server 2008 client, run Setup.exe located in the same directory instead of SafeNet ProtectDrive.msi. If deployment to a computer is via GPO and there is an existing <computer>_RecoveryEnvelope.env file created by a previous manual installation of ProtectDrive from the same directory, then this .env file should be deleted or saved elsewhere. Cus
5. (License Manager screen showing: Feature name ProtectDrive_Base; License type Trial Standalone; License start date Mon Jan 01 00:00:00 2011; Trial period 30 day(s); License Status: Expired License or Authorization.) Any time the license changes it is good practice to run the backup.exe utility to ensure your recovery files are up to date. Refer to Chapter 11 for details on the backup utility. (page 133)
Chapter 7 Configuring Default System and User Policy. Upgrade to a Full License From License Manager: You can upgrade your license if you currently have a trial license installed or your license has expired. Before you begin, make sure you have a valid license.txt (for a single client installation) or authorization.txt file (for locked licensing, for multi license client installations) stored in a location that the client PC can browse to during the upgrade procedure. Client PCs should have Internet access to complete a locked license installation. Refer to page 11 for licensing details. 1 From the Windows desktop, right click on the ProtectDrive icon in the notification area and then select Local Management Console (or simply double click on the icon). 2 Click the License Manager tab.
6. Launch SafeNet ProtectDrive.msi. The ProtectDrive installation wizard opens. (page 65, Chapter 5 Deploying ProtectDrive)
4 Select Typical Client Installation and then click Next. (Setup Type screen: Typical Client Installation, all SafeNet ProtectDrive Client features will be installed; Administrative Management Tools Installation, all SafeNet ProtectDrive Management tools will be installed; Custom Installation, choose which Client and Server features you want installed.)
5 Select the language to be used for interface labels and text messages and then click Next. (Language screen: select the language for SafeNet ProtectDrive User Interfaces and Help Manuals: English, German or Japanese.)
6 Select the license type and then click Next. (License screen: Trial Version or Full Version; for Full Version, either enter an authorization code or license code, or browse to a file containing the code.) (page 66)
7. Uninstalling ProtectDrive 84
Windows Vista 84
Windows 2003/2008 85
Removable Media Recovery 86
Standard Recovery Procedure 86
Alternate Recovery Procedure 1: Use RMRMBR 87
Alternate Recovery Procedure 2: Use Sector 0 Backup Data 88
Exporting the Client Configuration Settings XML file 89
Importing the Client Configuration Settings XML file 91
Chapter 6 Single Sign On Management 94
Introduction 94
Accessing the Single Sign On Assistant 94
Windows Authentication 95
Post Authentication Accounts 95
RSA SOM Support 96
Overview 96
Implementation 96
Considerations 96
Third Party Product Support 97
Overview 97
Support for Third Party GINAs 97
Support for Third Party Accounts 97
Administrative Proced
8. (page 187, Appendix A Smart Card, Token and PIN User Authentication; page 188 intentionally left blank.)
Appendix B Username, Password, Domain Authentication. (Flowchart figures: Figure 1 Smartcard/Token/PIN Authentication; Figure 2 Username/Password/Domain Name Preboot Authentication. Recoverable labels: System, Allow Local User Access, F2, Shift F10 Preboot Password Recovery, Shift F9 New User Preboot Introduction, Single Sign On, Allow Windows Password Recovery, Welcome to Windows "Insert card or press Ctrl Alt Delete to begin", To Windows Shell.) (page 189; page 190 intentionally left blank.)
Appendix C Post boot User Authentication into Windows. (Flowchart continues from Figure 1 Smartcard/Token/PIN Authentication: Welcome to Windows, "Insert card or press Ctrl Alt Delete to begin. Ctrl Alt Del helps keep your
9. Click Add in the Single Sign On Account dialog box. The Single Sign On Field dialog box displays (Field Name: Username; Field Control: 1202). Drag the magnifying glass icon cursor from the Single Sign On Field dialog box to the field required on the application logon window. Field Name and Field Control details appear in the Single Sign On Field dialog box, as shown in the screen shot above. Choose a selection in the Fill Field With field and then click OK. Repeat steps 5 through 7 for each field you want to add. Select the logon command (the button on the application which performs the logon) by dragging the magnifying glass icon cursor from the Single Sign On Account dialog box over the button on the application. Either:
- Click OK. The account is committed. OR
- Click Cancel. The account is not created.
When the Single Sign On Account dialog box closes you are returned to the main Single Sign On Assistant dialog box. Either:
- Click OK to commit the account. OR
- Click Cancel to not create the account.
The Single Sign On Assistant exits. (page 101)
Chapter 6 The Multiple Boot System. Modifying a Post Authentication Account: 1 Run the Single Sign On Assistant. 2 Select the account to modify from the Post Authentication Accounts list and then click Modify. The Single Sign On Ac
10. Assign a ProtectDrive Client to the New Configuration Object: A client can be assigned to a new or different configuration object at any time. Use this procedure to assign remote ProtectDrive clients to a configuration object other than the Default Configuration Object. 1 On the server, open the ProtectDrive Management Console. 2 Expand the ProtectDrive Management directory. 3 Expand the Configuration Objects directory. 4 Right click on the configuration object and then select Add Clients. (Screenshot: ProtectDrive Management Console tree with ProtectDrive Management, Configuration Objects, ProtectDrive Reports and Active Directory Users and Computers nodes; context menu offering Add Clients, Remove All Clients, All Tasks, View, Delete, Properties, Help.) 5 Locate the client to add and then click OK. (Select Computers dialog: object type Computers; From this location, e.g. BroncoTest.local; Enter the object names to select, e.g. testPC; Check Names.) 6 Click Yes to confirm the addition of the selected client. (SafeNet ProtectDrive Configuration Management prompt.)
11. PD Users Tab, Configure the Default User Policy: By using the options on the PD Users tab, certain Windows Domain users can be automatically assigned to newly created computer objects. Device access control permissions for these users can also be configured here. Device access control permissions that are defined on this tab will override the system settings in the PD Settings > Advanced > Default Permissions group. (PD Users tab showing columns User, Certificates, Password, Current Password, Initial Password, with the example row "admin BEL1: No, Yes, Windows, Default"; Add and Remove buttons; Configuration: Certificate users also have password accounts; Device Control: Read CDROM, Write CDROM, Read Diskettes, Write Diskettes, Read Serial Ports, Write Serial Ports, Read Removable Media, Write Removable Media; "1 users with 0 SafeNet ProtectDrive certificates".)
Tip: To view a user's current settings at a glance, double click on their name. The User Details window displays (example: User admin BEL1E4369\admin; Certificates No; Password Yes; Current Password Windows; Initial Password Default; Shared Key No; Added At Windows Logon No). (page 129, Chapter 7 Configuring Default System and User Policy; page 130)
User: This column lists individual domain users and groups of users which will be automatically assigned t
12. (Certificate Wizard options: Create Salt File; Create Master Security Certificate, used for emergency one time logon; Create Recovery Support Certificate.) (page 29, Chapter 5 Deploying ProtectDrive)
2 Select the Key Length of the cryptographic algorithm to use to create the certificate and then click Next. (Certificate Wizard Key Length screen: select the key length in bits.)
3 The following screen displays (Certificate Wizard Certificate Key Location screen: select certificate private key location, either PFX File with Password and Confirm fields, or Token/Smart Card/HSM with a Provider Name drop down list).
- If you are creating a password protected private key, select the PFX File option, enter and confirm the appropriate password and then click Next.
- If you are creating a token or smart card based private key, select the Token/Smart Card/HSM option, choose the appropriate CSP from the Provider Name drop down list and then click Next. (page 30)
4 Browse to the directory where you want to save the output file and then click Next. (Certificate Wizard Output Files Directory screen: select the directory to save the
13. (Prompt: Move client testPC from TestConfig to ProtectDrive Default Configuration.) If the client you selected was already assigned to a different configuration, a confirmation prompt similar to the one shown below will display to confirm the move from one configuration assignment to another.
(Chapter 5 Deploying ProtectDrive) Remove a ProtectDrive Client from a Configuration Object: A client can be removed from a configuration at any time. When it is removed from a configuration, the client automatically reverts to being managed by the property sheet of its own computer object, and it can only be viewed in the Active Directory Users and Computers MMC snap in. You can reassign a client from being managed by the property sheet of its own computer object to a different configuration object, and vice versa, at any time. Refer to the next section for details on computer object managed clients. 1 On the server, open the ProtectDrive Management Console. 2 Expand the ProtectDrive Management directory. 3 Click on the configuration object where the client to be removed is located. 4 Choose one of the following removal methods:
- To remove a single client, right click on the client to remove and then select Remove. This method will revert the client to being computer object managed.
- To remove all clients in the configuration object, right click on the configuration object and then sel
14. Chapter 3 System Requirements, Supported Operating Systems: This version of ProtectDrive is supported on the operating systems listed below.
For Client Management on Server:
- Microsoft Windows Server 2003 Service Pack 2 (32 bit and 64 bit)
- Microsoft Windows Server 2003 R2 Service Pack 2 (32 bit and 64 bit)
- Windows Server 2008 Service Pack 2 (32 bit and 64 bit)
- Windows Server 2008 R2 Service Pack 1
For Client:
- Microsoft Windows Server 2003 Service Pack 2 (32 bit and 64 bit)
- Microsoft Windows Server 2003 R2 Service Pack 2 (32 bit and 64 bit)
- Windows Server 2008 Service Pack 2 (32 bit and 64 bit)
- Windows Server 2008 R2 Service Pack 1
- Microsoft Windows XP Professional Service Pack 2 or 3 (32 bit only)
- Microsoft Windows Vista Service Pack 2 (32 bit and 64 bit)
- Microsoft Windows 7, all editions (32 bit and 64 bit)
Please note the following regarding Windows 7 Home editions: Only local passwords are allowed; Windows 7 Home computers cannot be members of a domain. ProtectDrive requires that Windows 7 Home accounts be configured to require a login password. The ProtectDrive for Servers variant cannot be installed on a non server ProtectDrive system. The non server edition of ProtectDrive will not allow client component installation on a Windows Server. ProtectDrive supports the use of FAT16, FAT32 and NTFS file systems. MS DOS can be used during ProtectDrive Disaster R
15. (Chapter 5 Deploying ProtectDrive) Upgrade Procedure: A ProtectDrive upgrade is initiated the same way as a new client installation: run SafeNet ProtectDrive.msi. The system will detect that an earlier version of ProtectDrive is installed. When upgrading the server you will be prompted to select an MSO certificate that must have a signed value. This certificate ensures that a server or client will connect to an ADAM instance that has a Service Connection Point (SCP) with a signed MSO value. The upgrade installation screens are basically the same as a new installation; refer to page 64 for step by step installation details. As a reminder, prior to upgrading a system that is FIPS enabled and has DES or Triple DES encrypted drives, you must either decrypt the drives or disable FIPS mode. Otherwise the upgrade will fail. (page 83)
Uninstalling ProtectDrive, Windows Vista: Follow this procedure to uninstall ProtectDrive from a Windows Vista system. 1 Make sure that all partitions are decrypted. 2 Navigate to Programs and Features in the Windows Control Panel. 3 Select SafeNet ProtectDrive and then click Uninstall. (Control Panel > Programs and Features screen: "Uninstall or change a program. To uninstall a program, select it from the
16. SafeNet Inc, 4690 Millennium Drive, Belcamp, Maryland 21017, USA.
Technical Support: If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, please contact your supplier or SafeNet support. SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
Technical Support Contact Information: Phone 800-545-6608; Email support@safenet-inc.com.
Acknowledgements: ProtectDrive includes software developed by the Apache Software Foundation (http://www.apache.org). Windows is a registered trademark of Microsoft Corporation in the United States and other countries. Windows Vista is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. Windows 7 is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries.
Relevant Documentation: Basic configuration procedures for token support are discussed in this manual. For detailed installation and configuration information relevant to SafeNet's Borderless Security tokens, please refer to the following documents:
17. (PD Users tab residue: Remove; Configuration: Certificate users also have password accounts; Device Control: Read CDROM, Write CDROM, Read Diskettes, Write Diskettes, Read Serial Ports, Write Serial Ports, Read Removable Media, Write Removable Media; "1 users with 0 SafeNet ProtectDrive certificates".) (page 218, Appendix F iKey Management)
17 Select PD Settings > Authentication. Verify that the Allow Token Domain User Access check box is selected for Windows and Preboot for this machine: in Active Directory for remotely managed machines, or in the Local Management Console for locally managed machines. (Authentication tab: Activate Pre boot Authentication; Authentication Methods, with Windows and Preboot columns: Allow Local User Access, Allow Password Domain User Access, Allow Token Domain User Access, Allow Shared Key Access, Single Sign on; Pre boot Access Management: Allow Emergency Logon With Username, Allow Emergency Logon Without Username, Allow Emergency Logon for Token Users, Allow Users to Register Shared Key, Add Users to SafeNet ProtectDrive on Windows Logon.)
18 Restart the machine.
19 Enter the PIN at the ProtectDrive pre boot authentication (PBA) prompt. Four messages should follow:
- Initializing token
- Searching for token certificat
18. (page 23, Chapter 5 Deploying ProtectDrive; page 24) Custom Recovery Key Set Creation: The Certificate Wizard utility (certwizardapp.exe) is used to create a custom recovery key set. Use the Certificate Wizard to create any or all of the following files:
- Master Security Certificates (MSC): These PdMaster.cer and PdMaster.pfx files are used for Disk Key Recovery in the Remote Recovery Console (rpadmin). These certificates should be securely stored and only be accessible to individuals who can perform disaster recovery.
- Recovery Support Certificates (RSC): These PdRecovery.cer and PdRecovery.pfx files are used for Emergency Logon in the Remote Recovery Console (rpadmin). These certificates should only be accessible to individuals who can perform password recovery, for example Help Desk Support personnel.
- Salt: This file is used to permit the sharing of removable media between ProtectDrive PCs.
The execution of the Certificate Wizard on Windows XP SP2 requires ProtectDrive to be installed on that system. If you have already installed ProtectDrive and you want to create a custom recovery key set, make sure you copy the PdMaster, PdRecovery and salt files that were created or used during the ProtectDrive installation and save them to another location. Otherwise these files may be overwritten. After you have safely stored these files to another location, follow the Certificate Wizard pro
19. Choose the options that will apply to all removable media:
Prompt to encrypt: If enabled, when unprotected (non encrypted) removable media is inserted the user is prompted whether or not to encrypt the media.
Allow key recovery: If enabled, the system will allow a user to regain access to the protected removable media in the event of a forgotten password.
Deny access to non encrypted media: If enabled, the system denies access to any removable media that is not encrypted. If removable media is connected when this option is set, safely remove the device and then reconnect it for the setting to take effect.
Allow users to decrypt: If the Deny access to non encrypted media option is selected, this option is not available. When enabled, this option allows a user to decrypt a removable media component.
Select encryption algorithm for removable media: Click on this option and then choose the encryption algorithm to use during ProtectDrive encryption of removable media (AES 256 bit in the example shown). The IDEA, Triple DES CBC and DES CBC options are unavailable if the Encryption Mode > Enable FIPS option is selected.
Encryption Mode: Choose the Enable FIPS check box to use the FIPS mode library. If this option is selected, the fixed disk and removable media IDEA, Triple DES CBC and DES CBC encryption algorithm options are not available.
20. SafeNet ProtectDrive Administration Guide. 2012 SafeNet Inc. All rights reserved. Part Number 007-011122-001 Rev E, August 2012. Software Version 9.4.2. All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise, without the prior written permission of SafeNet. SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes. We have attempted to make these documents complete, accurate and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product. SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address below.
21. Chapter 7 Configuring Default System and User Policy, Advanced Settings. (Advanced tab: Encryption, Fixed Disks: AES 256 bit, AES 192 bit, AES 128 bit, IDEA 128 bit, Triple DES CBC 112 bit, DES CBC 56 bit; Display warning when disks not fully encrypted. Removable Media: Prompt to encrypt, Allow key recovery, Deny access to non encrypted media, Allow users to decrypt, Select encryption algorithm for removable media (AES 256 bit). Encryption Mode: Enable FIPS. Interrupt Vector Update. Lockout Management.)
Fixed Disks: Choose the encryption algorithms to be made available to users during ProtectDrive encryption. The algorithms that you choose here will display as algorithm selections in the Encryption Status group. The IDEA, Triple DES CBC and DES CBC options are unavailable if the Encryption Mode > Enable FIPS option is selected.
Display warning when disks not fully encrypted: This option is enabled by default. It displays a ProtectDrive balloon tip to all users to inform them of an incomplete disk encryption status. This ProtectDrive warning message displays immediately after Windows logon. Refer to page 181 for an example. (page 119; page 120)
Removable Media
22. - Used to derive unique decryption keys for decrypting the operating system files and the rest of the encrypted hard drive(s).
- Support for smart cards, tokens and PINs, fingerprint authentication, as well as Windows Domains, Usernames and Passwords.
- Support for auditory prompting during pre boot authentication for the visually impaired; for example, prompts occur for a number of screen states or conditions such as smart card or token insertion, successful logon and unsuccessful logon. For details refer to page 114.
- Smart card/token user logon recovery and Windows Domain user pre boot logon procedures, which include emergency one time logon with or without a username at pre boot.
- ProtectDrive provides automatic Windows Domain user authentication following successful pre boot authentication. Manual authentication is also available as an alternative. Single sign on is currently not supported with fingerprint logon.
- Device access control of fixed disks and removable media.
- Policy management using the MMC snap ins.
- Automatic System and User Policy data replication from the server.
- Strong data encryption made completely transparent to the user.
- MS DOS utilities used to recover corrupt and/or inoperable systems.
(Chapter 1 Introduction) ProtectDrive Variants: ProtectDrive is available in two variants, ProtectDrive and ProtectDrive for Servers. Each variant has its own docum
23. 12 When the following screen displays, click Install to begin the installation. (Ready to Install the Program screen: "The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.")
13 When the following screen displays, click Finish. (InstallShield Wizard Completed screen: "The InstallShield Wizard has successfully installed SafeNet ProtectDrive. Click Finish to exit the wizard.")
14 When prompted, click Yes to restart the PC. (SafeNet ProtectDrive Installer Information prompt: "You must restart your system for the configuration changes made to SafeNet ProtectDrive to take effect. Click Yes to restart now or No if you plan to restart later.") (page 70)
(Chapter 5 Deploying ProtectDrive) Customizing the Installation: In addition to Server and Client component installations, ProtectDrive provides the ability to custom select the install components. 1 If you are deploying ProtectDrive on a Windows 7, Windows Vista or Windows Server 2008 client, run Setup.exe located in the same directory instead of SafeNet ProtectDrive.msi. 2 When the Welcome screen d
24. 2 Select ADAM Instance ProtectDrive and then click Remove. Note: If the ProtectDrive ADAM instance has been replicated, make sure you select the correct instance to remove (PD Instance, PD Instance1, PD Instance2, etc.).
Remove the ADAM SCP: When an ADAM instance is removed, its SCP should be deleted from Active Directory. If SCP removal fails, follow the steps below. 1 Launch the ADSIEdit.msc utility in the MMC. 2 Connect to your Active Directory and browse to the computer object that hosted the ADAM instance. (ADSI Edit screenshot: AD (localhost:389), DC=domain,DC=local, with CN=Builtin, CN=Computers, OU=Domain Controllers, CN=VM2003, CN=ForeignSecurityPrincipals, CN=LostAndFound, CN=NTDS Quotas, CN=Program Data.) You will see one or more objects with a serviceConnectionPoint class; there are two in the example shown above. (page 33, Chapter 5 Deploying ProtectDrive; page 34) 3 Right click on each of these objects to view their properties, select the keywords attribute and then click Edit. (Attribute editor showing Show optional attributes, Show only attributes that have values, and the attribute list.)
25. 9.4.0 (32-bit)
SafeNet Borderless Security iKey 2032: 8.4.0 (16-bit), 9.4.0 (32-bit)
SafeNet Borderless Security iKey 4000: 9.4.0 (32-bit)
KOBIL mIDentity XL (Siemens SIM): 9.4.0 (32-bit)
RSA SecurID 800 Rev A: 8.4.0 (16-bit), 9.4.0 (32-bit)
RSA SecurID 800 Rev D: 8.4.0 (16-bit), 9.4.0 (32-bit)
Appendix G: Supported Smart Cards, Tokens and Readers
Smart Card Readers (Smart Card Reader: Last Version Tested)
Dell 420 Built-In: 9.4.0 (32-bit)
Dell D600 Built-In (O2Micro OZ711EC1): 9.3.0 (32-bit)
Dell D610 Built-In (TI PCI 6515): 9.3.0 (32-bit)
Dell D620 Built-In (O2Micro OZ711E0 CCID SC): 9.4.0 (32-bit)
Dell D630 Built-In (USB CCID): 9.4.0 (32-bit)
Dell D810 Built-In (TI PCI 6515): 9.4.0 (32-bit)
Dell D820 Built-In (O2Micro OZ711E0 CCID SC): 9.0.0 (32-bit)
Dell D830 Built-In (USB CCID): 9.4.0 (32-bit)
Dell E4300 Built-In: 9.4.0 (32-bit)
Dell E6400 Built-In: 9.4.0 (32-bit)
Fujitsu 9210 Built-In: 9.4.0 (32-bit)
HP 6930 Built-In: 9.4.0 (32-bit)
HP 8530 Built-In: 9.4.0 (32-bit)
Gemplus GPR400 PCMCIA (DKR 600): 9.3.0 (32-bit)
Gemplus GemPC Card PCMCIA (DKR 601): 9.4.0 (32-bit)
Omnikey CardMan Mobile PCMCIA 4040 (DKR 701): 9.4.0 (32-bit)
SCM SCR 241 PCMCIA Smart Card Reader (DKR 800): 9.4.0 (32-bit)
SCM SCR243 PCMCIA Smart Card Reader: 9.4.0 (32-bit)
Gemplus GemPC 430 USB (DKR 630):
26. 9.4.0 (32-bit)
Gemplus GemPC USB Smart Card Reader (DKR 631): 9.4.0 (32-bit)
Omnikey 3121 USB Smart Card Reader (DKR 731): 9.4.0 (32-bit)
SCM SCR 331 USB Smart Card Reader (DKR 830): 9.4.0 (32-bit)
Gemplus GemPC Twin CCID: 9.4.0 (32-bit)
Precise 200 MC: 9.4.0 (32-bit)
Precise 250 MC: 9.4.0 (32-bit)
Reflex V2 USB (Schlumberger): 9.4.0 (32-bit)
Dell Smartcard Keyboard: 9.4.0 (32-bit)
Precise 100 SmartCard Keyboard: 9.1.0 (32-bit)
SCM SCR335 USB Smart Card Reader: 9.4.0 (32-bit)
SCM SCR3310 v2.0 USB Smart Card Reader: 9.4.0 (32-bit)
SCM SCR3500 USB Smart Card Reader (SCR 355): 9.4.0 (32-bit)
SCM SDI010 USB Smart Card Reader: 9.4.0 (32-bit)
SCM SCR3340 ExpressCard54 Smart Card Reader: 9.4.0 (32-bit)
[page 223]
Removable Devices
Efforts have been made to ensure ProtectDrive is compatible with all removable media. However, some third-party removable media security software will interfere with ProtectDrive and in most of these cases is not recommended. Most version 1.0 and 2.0 USB removable devices and USB hard drives should work with ProtectDrive.
END OF DOCUMENT [page 224]
27. If this option is selected on ProtectDrive clients on Windows 7 (64-bit) or Windows Server 2008 R2 platforms, ProtectDrive will use the Microsoft Cryptographic Primitives Library (CNG), which in turn operates in its FIPS mode of operation only when one of the following DWORD registry values is set to 1:
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled, or
- HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration\SelfTestAlgorithms
To ensure ProtectDrive's operation in FIPS-approved mode, you should pre-configure one of these registry values on your system.
For additional details, please refer to the following Security Policy document: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1328.pdf
If the Enable FIPS option is not selected, performance is enhanced and a secure Common Criteria EAL 4 approved non-FIPS library is used.
Note: If you change the status of this option, you must reboot the client for the change to take effect.
Advanced Settings: Interrupt Vector Update
[Screenshot: PD Settings with Status, Authentication and Advanced Settings tabs; Advanced Settings sections: Accessibility Options, Allowed Certificate Usages, Default Permissions, Encryption, Interrupt Vector Update; check boxes: Update disk interrupt vector address, Update keyboard interrupt vector address, Update clock tick
28. Insert the iKey 1000 token.
2. From the Windows desktop, select Start > Programs > SafeNet > iKey Components > iKey Token Utility.
[Screenshot: iKey Token Utility (Token, Settings, Help menus; General Information, Admin Tools, User Tools tabs). User PIN: "Your User PIN is a secret code that prevents the iKey from being used by anyone but yourself." Certificates: "Certificates are typically used for authentication and signing and encrypting e-mail." Auto Registration / PKI Storage: "When you use the certificates stored on your iKey for authentication or e-mail signing, you are asked to enter the certificate password."]
[page 209] Appendix F: iKey Management
3. Select the User Tools tab and then click Change User PIN.
[Screenshot: iKey Change PIN: "Enter the current and new User PIN. The new User PIN must be numeric and may be between 1 to 8 characters in length." Fields: Current PIN, New PIN, Confirm PIN. Buttons: OK, Cancel.]
4. Enter the current PIN (the factory default is 12345678), enter and confirm the user's new PIN, and then click OK.
5. Click OK when prompted that the PIN change was successful ("User PIN has been changed successfully").
6. Now you can add this user to the ProtectDrive database and register the iKey 1000 shared key token to the user. This can be performed from the PD Users tab, either locally in the ProtectDriv
29. located in the install folder (C:\Program Files\SafeNet\ProtectDrive) can be used to manage the configuration of ProtectDrive for seamless operation in a single sign-on user authentication system environment where systems other than Windows are involved. Single sign-on is currently not supported with fingerprint logon. Refer to Chapter 6 for details on Single Sign-On Assistant.
[page 5] Chapter 2: ProtectDrive Functional Description
ProtectDrive Notification Icon
The Windows notification area is a portion of the taskbar that displays system and program notifications and status. If ProtectDrive has been configured with the Show SafeNet ProtectDrive System Tray Icon option enabled (in PD Settings > Advanced > User Interface), a small ProtectDrive icon is placed in the Windows notification area of the taskbar, located in the lower right corner of the Windows Desktop. The icon indicates that the PC is secured by ProtectDrive.
Note: If the Show SafeNet ProtectDrive System Tray Icon option is not enabled, then the ProtectDrive notification icon will not display at all.
During ProtectDrive-related operations the icon changes to the "operation in progress" icon. This icon notifies the user that an action is underway, which is especially helpful during potentially lengthy or system-resource-hungry tasks. ProtectDrive-related operations include:
- Activating or deactivating pre-boot authentication
- Encrypting o
30. or a combination of both. Refer to the table on the next page for a description of each audio prompt and the condition under which it will occur.
Audio prompting is available on 32-bit pre-boot user authentication only; it is not supported for legacy pre-boot authentication.
When audio prompting is enabled, press F4 to replay the audio prompt for the current field or condition. If the user is unable to determine where they are in the login process, press Esc to return to the initial pre-boot screen (this is only applicable if both password and token authentication methods are enabled).
Chapter 7: Configuring Default System and User Policy
Audio prompt table (columns: This pre-boot prompt state or condition | emits this audio prompt | which equates to these musical notes | and you should):
- Insert the smart card/token or press Enter to continue | 1 long beep | A | Insert a smart card/token or press Enter. Note: This screen displays only if both password and token authentication methods are enabled. If only one method is enabled, the first audio prompt the user hears will either be for user name entry (2 short beeps) or for PIN entry (3 short beeps).
- Enter the user name (User ID) | 2 short beeps | B B | Enter your user name and press Tab to continue.
- Enter the password | 3 short beeps | C C C | Enter your password and press Tab to continue.
- First domai
31. system, and you simply need to enable ADAM via Add/Remove Components, described in the Enable ADAM procedure on the next page. If you are not using Windows 2003 R2, you must first download an ADAM installation from Microsoft and then follow the Enable ADAM procedure on the next page to enable it. If you are using Windows 2008 R2, then AD LDS is already a part of the operating system and you simply need to enable AD LDS via Server Manager, described in the Enable AD LDS procedure on page 39.
For a detailed overview of ADAM and AD LDS, refer to the following Microsoft Web pages:
http://technet.microsoft.com/en-us/library/cc776389(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc754361(WS.10).aspx
Enable ADAM
1. On the member server, select Start > Control Panel > Add or Remove Programs.
2. Click Add/Remove Windows Components.
[Screenshot: Add or Remove Programs, listing currently installed programs such as Microsoft .NET Framework 2.0 (83.28MB, last used on 11/22/2007) and VMware Tools (11.65MB), with the Add/Remove Windows Components button.]
3. Highlight the Active Directory Services component. Do not select the corresponding Active Directory Services check box. If this option is selected, additional s
32. the original MBL.
Error table (Code | Component | Description | Possible Cause | Recovery Action):
1320 | VXBIOS | GDA read fail | A read error occurred on the GDA file when trying to load and execute the original MBL | Standard Recovery Procedure
1321 | VXBIOS | Boot fail | Master Boot Loader signature verification failed | Standard Recovery Procedure
1322 | VXBIOS | NetBSD Boot open fail | The required NetBSD Boot file is not in the EFS | PRE
1323 | VXBIOS | NetBSD Boot read fail | The required NetBSD Boot file is not in the EFS |
1324 | VXBIOS | HMAC SHA-256 test fail | VxBIOS is corrupted or has been tampered with | Reboot. If the problem persists, perform Standard Recovery Procedure and install ProtectDrive from scratch, AND if the problem persists, contact SafeNet Support.
[pages 199-200] Appendix D: System Debug and ACS Error Messages
1325 | VXBIOS | VxBIOS integrity check fail | VxBIOS is corrupted or has been tampered with | Reboot. If the problem persists, perform Standard Recovery Procedure and install ProtectDrive from scratch, AND if the problem persists, contact SafeNet Support.
1326 | VXBIOS | NB_Boot integrity check fail | NetBSD boot module is corrupted or has been tampered with | Reboot. If the problem persists, perform Standard Recovery Procedure and install ProtectDrive from scratch, AND if the problem persists, contact SafeNet Support.
1327
33. you should keep Windows Firewall turned on. To ensure successful client updates when using ADAM, you'll need to configure the firewall to allow traffic over port 50000, which ProtectDrive uses to communicate to ADAM.
On the Server
1. Open the Windows Control Panel.
2. Select Security Center > Windows Firewall.
3. Click the Exceptions tab.
4. Click Add Port.
5. Enter the server's Name.
6. Enter the Port number on which the ADAM instance was created. For details on creating the ADAM instance, refer to page 47.
7. Click OK.
On Each Client
1. Open the Windows Control Panel.
2. Select Security Center > Windows Firewall.
3. Click the Exceptions tab.
4. Click Add Program.
5. Browse to C:\Program Files\SafeNet\ProtectDrive.
6. Select ClientDM and then click Open.
7. Click OK.
[pages 35-36]
Enable ADAM or AD LDS on a Member Server
The ProtectDrive server can centrally manage its clients by using either Active Directory or ADAM. Please note the following:
- If you already have a member server running ADAM, or you plan to use Active Directory, skip this section and follow the domain preparation procedure on page 45.
- If you choose to use ADAM to centrally manage the ProtectDrive clients, follow the appropriate ADAM or AD LDS procedure on the following pages.
If you are using Windows 2003 R2, then ADAM is already a part of the operating
34. 16-bit pre-boot environment, it is necessary to identify which groups of smart card readers are required (32-bit installations include support for all readers). This property defines the readers supported at pre-boot authentication. This property is set to INTERNAL by default. Set it to PCMCIA to install PCMCIA-supported readers. If none are required, do not change the default setting.
Deploying Administrative Management Tools
How has the ProtectDrive Installation Changed?
If you are familiar with ProtectDrive versions prior to 8.3, you may find this information helpful. Otherwise, skip this section.
Prior to version 8.3, ProtectDrive included a Typical Server Installation option. As part of the ProtectDrive server installation process, this installation option would extend the schema and configure the server, all on the same computer. In version 8.3 and higher, the Typical Server Installation option was replaced with the Administrative Management Tools Installation option.
Note: The ProtectDrive client installation did not change. Refer to page 64 for details.
Install Administrative Management Tools wherever you intend to manage ProtectDrive from. The tools can be installed anywhere and as many times as needed. Administrative Management Tools are necessary to centrally manage ProtectDrive clients, perform disaster key recovery and emergenc
35. Access option is disabled, inserting a smart card/token will have no effect.
Disallowed Post-boot Windows Domain Authentication Error
If the user attempts to authenticate into the Windows Domain using the Windows Log On screen but the Allow Password Domain User Access authentication System Policy option is disabled, then the following error will display:
ProtectDrive Error: "Password logons are not permitted for domain users with the current ProtectDrive configuration."
[pages 183-184] Chapter 12: Troubleshooting and Reporting Information
Event Viewer Log
Careful monitoring of event logs can help you to identify and view details of ProtectDrive errors and events, such as successful or failed pre-boot authentication attempts, start and end times for drive encryption, and emergency recovery logins.
To access the Event Viewer from the Windows desktop:
1. Select Start > Settings > Control Panel > Administrative Tools > Event Viewer.
2. Click Application in the Event Viewer tree. Scroll through the list to view the events.
[Screenshot: Event Viewer (Local), Application log, 1,235 events; columns Type, Date, Time, Source, Category, User; sample entries from SceCli (Information, 2/2/2010 1:07:40 AM), DrWatson (Information, 2/1/2010 5:06:27 PM), Application Error (Error, 2/1/2010 5:05:56 PM) and DrWatson (Information, 2/1/2010 5:05:08 PM).]
36. Activate Pre-boot Authentication option on the Authentication tab, then none of the material in this chapter applies. In this case the user is presented with a standard Windows Domain authentication dialog and normal Windows logon applies.
In addition to normal pre-boot user authentication, System Policy can be configured to accommodate the following extraordinary circumstances:
- Emergency Logon for Token Users Procedure: This procedure is used when a token user misplaces their smart card/token or forgets their PIN. This procedure allows for one-time pre-boot access to the system with assistance from the System Administrator. Note that emergency login for a token user will not be able to be performed until the token user logs in after this selection has been made.
- Emergency Logon With Username Procedure: This procedure is used to accommodate a Windows Domain or Local Windows user who has forgotten his/her Windows Password. Pre-boot access to the system can be achieved with some help from the System Administrator. Note that emergency login for a user will not be able to be performed until the user logs in after this selection has been made.
[pages 155-156] Chapter 10: Extraordinary Authentication Scenarios
- Emergency Logon Without Username Procedure: This procedure is used to accommodate an emergency logon for users who have forgotten their username, or for adding newly added Windows Domai
37. Computers (ADUC) MMC snap-in instead. Refer to Computer Object-managed Clients vs. Configuration-managed Clients on page 59.
What are Configuration Objects?
A Configuration Object is a ProtectDrive policy that computers can be assigned to. By default, all remote clients will initially get their policy from the Default Configuration Object.
Prior to ProtectDrive version 8.3, remote clients were only managed through the ADUC MMC Default Configuration Object, meaning only one ProtectDrive policy could be implemented per domain. In version 8.3 and higher, you can create multiple policy Configuration Objects and assign specific computers to them through the ProtectDrive Management Console. When computers are assigned to a particular configuration object, they will only receive the updates and changes made to the configuration to which they are linked.
Note: Clients can still be managed individually through the ADUC snap-in, just as they have been in previous versions of ProtectDrive. Refer to Computer Object-managed vs. Configuration-managed Clients on page 59. A client managed by the property sheet of its own computer object can be assigned to a different Configuration Object at any time.
[page 56]
Create a New Configuration Object
1. On the server, open the ProtectDrive Management Console.
2. Expand the ProtectDrive Management directory.
3. Right
38. [Screenshot residue: ADUC container list: Domain Controllers | Organizational Unit | Default container for...; ForeignSecurityPrincipals | Container | Default container for...; Users | Container | Default container for...; Customize: "Enables/disables advanced features and objects".]
Chapter 7: Configuring Default System and User Policy
4. Navigate to Program Data > SafeNet > ProtectDrive > ProtectDrive Default Configuration and select Properties.
[Screenshot: Active Directory Users and Computers, domain PDHOST.com.au, tree showing Saved Queries, Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, LostAndFound, NTDS Quotas, Program Data > SafeNet > ProtectDrive (1 object), Microsoft, System, Users; status bar: "Opens property sheet for the current selection".]
5. Click the PD Settings tab and then configure the default System Policy. Refer to page 109 for details on the PD Settings selections.
6. Click the PD Users tab, assign users to the system by default, and configure these users' device access control permissions. Refer to page 129 for details on PD Users selections.
7. Click Apply.
8. Click OK.
[page 107]
39. [Screenshot: Remote Recovery Console, Emergency Logon tab. Options: Get from File (AADP_XPTEST_RecoveryEnvelope.env), Get from AD. Recovery Input: Recover for Username JSmith, Recovery Code "482es mox5c 82", Response ("Spaces are for display purposes only"), Generate button.]
7. Instruct the user to enter the automatically generated response code into the Enter response below field. At this point the user will be granted one-time pre-boot access to the system. Once the user successfully completes their post-boot Windows authentication, a new pre-boot user account is created for them in the local system's ProtectDrive Pre-boot User database.
Unattended Reboot and Automatic Pre-boot (APB) Authentication
Certain system administration tasks require unattended system reboots and automatic loading of the operating system. For these purposes ProtectDrive is provisioned for creation of the Dummy Pre-boot User account. Creation of this account, combined with the following additions to the Windows Registry, allows for the automatic unattended pre-boot system authentication.
Note that the unattended pre-boot will disable Single Sign-On independent of the System Policy setting. The system will automatically log in at pre-boot, load Windows and stop at the Windows Domain Log On screen.
[page 164] Chapter 10: Extraordinary Authentication Scenarios
The Unattended Pre-boot Authentication setup procedure is as follows:
1. Create a n
40. [Screenshot: SafeNet ProtectDrive InstallShield Wizard, Configuration Method: "Select Remote Configuration if you wish to administer ProtectDrive using Microsoft Active Directory or Active Directory Application Mode (ADAM)." Options: Client Configuration, Remote Configuration.]
Note: If you select the Client Configuration method, then the Advanced > Management update options in the Local Management Console will be unavailable, because those options only apply to Active Directory/ADAM.
[page 67] Chapter 5: Deploying ProtectDrive
8. Choose the appropriate recovery file set option and then click Next.
[Screenshot: SafeNet ProtectDrive InstallShield Wizard, Recovery File Options: "SafeNet ProtectDrive recovery file set can be generated once and used in subsequent installations." Options: Generate new Recovery File Set, Select existing Recovery File Set.]
- If you select the Select existing Recovery File Set option, skip to step 10.
- If you select the Generate new Recovery File Set option, the following screen displays. Enter and confirm the recovery file set password and then click Next.
[Screenshot: SafeNet ProtectDrive InstallShield Wizard, Recovery Files Password: "Enter a password that will protect some files in the Recovery File Set." Fields: Password, Confirm Password.]
9. Select the recovery files folder location and then click Next.
- If you chos
41. Mode is OFF. If Single Sign-on is not enabled, the following standard Windows Domain authentication screen will display.
[Screenshot: Welcome to Windows (Copyright 1985-2001 Microsoft Corporation): "Press Ctrl-Alt-Delete to begin. Ctrl-Alt-Del helps keep your password secure. Click Help for more information."]
The following standard Windows Domain authentication screen will display after pressing Ctrl-Alt-Del. The relevant Windows Domain User Names and Passwords apply.
[Screenshot: Log On to Windows (Copyright 1985-2001 Microsoft Corporation): User name Administrator, Password, Log on to PDHOST, "Log on using dial-up connection", Shutdown.]
[page 152] Chapter 9: User Authentication
Helpful Hints
- Legacy pre-boot screens only: If the system has been configured to allow Smart Card/Token PIN access as well as Username/Password/Domain Name, press the F2 function key to switch from one login method to the other.
- Default pre-boot screens only: A blank screen saver will automatically take effect when a workstation is left unattended for at least 10 minutes.
- From either type of pre-boot login screen (User Name/Password/Domain or PIN/Fingerprint), press the Esc key to return to the previous screen.
- Press the F1 function key to display Help from any pre-boot log-on screen. A few examples are shown below.
In the case
42. PD Settings > Advanced > Password Policy group. To give all certificate users (including group members) password accounts, select the Certificate users also have password accounts check box. This will assign the default password, as defined on the Password Policy group, to all users who do not have a password assigned. A user's default password can be changed to a specific one later on by using the Configuration button described above.
Shared Key
This column indicates whether or not a user has a registered (generated) shared key for pre-boot authentication. A shared key can be registered from the LMC or the Active Directory Users and Computers MMC snap-in. A user with a shared key can log into ProtectDrive using a shared key token (iKey 1000).
To register a shared key:
1. Click on the user's name.
2. Click the Shared Key button.
3. Insert the shared key token and then click OK.
[page 131] Chapter 7: Configuring Default System and User Policy
4. Enter the PIN and then click OK.
- If the token has not been initialized, a new shared key is created on the token.
- If an existing shared key is detected on the token, you are prompted whether or not to use that shared key. Choose No and then choose Yes to overwrite the shared key.
- If you are configuring the shared key locally from the LMC, the procedure is complete. A message will display to indicate that
43. Recovery Disk Key
This procedure must be performed by the System Administrator. Before you begin, make sure you have the following:
- decdisk.exe utility
- EFS recovery files from the system to be recovered (created with backup.exe or obtained from Active Directory)
- Master Security Certificate key (for example, the .pfx file)
1. Run rpadmin.exe, located in Program Files\SafeNet\ProtectDrive on the server. The ProtectDrive Remote Recovery Console window displays.
2. Click the Disk Key Recovery tab.
[Screenshot: ProtectDrive Remote Recovery Console with Emergency Logon and Disk Key Recovery tabs. Master Security Certificate Key: Personal Store. Backup File-set Location: Backup Files, Get from AD. Disk Key Output: Disk Key File.]
[page 166] Chapter 10: Extraordinary Authentication Scenarios
3. Select the appropriate Master Security Certificate Key option:
- Personal Store: If you select this option, the Master Security Certificate's private key must be in the user's Personal Certificate Store on your machine.
- PFX File: If you select this option, click the browse button, browse to the PdMaster.pfx file, and enter the password.
- CSP: If you select this option, choose the appropriate Provider from the drop-down list where the certificate key is stored.
4. Specify the Backup File-set Location:
- To locate the backup file set created with the backup.exe recovery tool, see Chapter 11
44. [Table of contents residue: Smart Cards ... 221; Tokens ... 222; Smart Card Readers ... 223; Removable Devices ... 224] [page viii]
Chapter 1: Introduction
Product Overview
In today's computing environment, hard disk drives (HDD) have become mass repositories of proprietary information. The widely used Windows operating systems provide adequate data privacy, whether on a stand-alone PC or a networked computer, in most operating environments. However, insufficient data security protection exists in the case of system or HDD loss due to malicious intent. Unless appropriate data protection measures are taken, any HDD can be removed from the system and the data on it may be read. To bridge these data security gaps, SafeNet has developed the ProtectDrive (PD) system security and data encryption application.
SafeNet ProtectDrive is a multi-user, Windows Active Directory-aware computer security application. It provides the following functionality, listed in order of appearance during normal ProtectDrive operation:
- Pre-boot User Authentication (32-bit pre-boot is the default)
- Emergency Pre-boot User and Token Logon Recovery
- Single Sign-on or Manual Windows Authentication
- Configurable System and User Policy
- Hard Drive and Removable Media Encryption
- Disaster Recovery Tools
45. Utility, described on page 45.
ProtectDrive Central Management Using ADAM
When ProtectDrive is used in combination with ADAM, an ADAM instance with a ProtectDrive Partition (CD PDPartition) will be installed on the member server through a task performed in the Directory Preparation Utility (PDDirPrep). Refer to the next section for more information on this utility.
To use ADAM with ProtectDrive, ADAM must be installed before you run PDDirPrep. Then PDDirPrep can be run before or after performing the ProtectDrive Administrative Management Tools Installation. Refer to page 55 for details.
Note: In the event that the currently active ADAM instance fails, which may be identified by errors about service unavailability from PDMC, close and reopen PDMC so it can sync up with another ADAM instance.
Windows Domain Preparation for Central Management
The Directory Preparation Utility (PDDirPrep) is used to prepare a Windows domain to manage remote ProtectDrive clients. PDDirPrep can be installed wherever and whenever it is needed. The PDDirPrep can:
- Create one unique ProtectDrive ADAM instance (as well as replicas of that instance, if desired) on each domain, instead of using Active Directory. A replica uses the configuration and schema partitions replicated from the unique ADAM instance.
- Extend the Active Directory or ADAM instance schema on the primary domain with the attributes that are required to manage the ProtectDrive clien
46. You must run PDReport.vbs from the command line (DOS prompt). Make sure you navigate to the Tools directory where the script is located in order to run it, and use the following command format:
PDReport.vbs <server name where ADAM is installed> <port number>
Example: PDReport.vbs win2k3ent_server 50000
Sample Report Output (columns: ComputerName, PDStatus, LastUpdate (UTC), EncryptedDrives):
ComputerName: W2K3ENT-CLIENT1, W2K3ENT-CLIENT2, W2K3ENT-CLIENT3, W2K3ENT-CLIENT4
PDStatus: Active, Active, Inactive, Active
LastUpdate (UTC): 1/5/2011 18:10, 12/29/2010 06:08, (none), 1/2/2011 10:20
EncryptedDrives: C D C C
[page 186]
Appendix A: Smart Card/Token & PIN User Authentication
[Flowchart residue: Figure 1, Smartcard/Token/PIN Preboot Authentication, and Figure 2, Username/Password/Domain Name Authentication. Decision nodes from ProtectDrive SYSTEM BOOT: Allow Token Domain Access (Yes/No); F2 pressed AND (Allow Local User Access OR Allow Domain Password Access); SHIFT-F9 pressed in PIN field (Token User Preboot Password Fallback Requested); Allow Windows Password Fallback is ON; Single Sign On (Yes/No), leading either to the Welcome to Windows screen ("Press Ctrl-Alt-Delete to begin. Ctrl-Alt-Del helps keep your password secure. Click Help for more information.") or to the Windows Shell.]
47. a smart card/token and PIN/fingerprint for authentication.
Allow Shared Key Access: This method allows pre-boot authentication for a token (shared key, non-PKI) user, i.e. for iKey 1000 users only. If this option is selected, at least one Windows authentication method must be selected as well.
Notes About Token Domain User Access as the Sole Authentication Method
Caution must be taken if Allow Token Domain User Access is the only enabled authentication method. If the following options are all disabled, then smart cards/tokens are the only means of authentication into the system at pre-boot:
- Allow Local User Access
- Allow Password Domain User Access
- Allow Emergency Logon Without Username
If any problems with the smart cards/tokens are encountered, the system may be rendered inaccessible. For this reason, it may be a good idea to temporarily enable the Allow Local User Access and/or the Allow Emergency Logon Without Username and/or the Allow Emergency Logon for Token Users options. This will allow for at least one alternative method of pre-boot authentication until the smart cards/tokens are proven to be reliable and properly set up for use with ProtectDrive.
[page 111] Chapter 7: Configuring Default System and User Policy
Single Sign-on
In single sign-on mode, a user need only log in once to authenticate at both the Pre-boot and Windows levels. This option
48. account user accounts from the ProtectDrive pre-boot user database.
- Add Local and Domain user accounts, including Token/PIN user accounts, to the ProtectDrive user database.
Usage: PDUSERDB.EXE [options]
Options (option | description):
- usage | Displays usage help
- a (add) | Adds a user to the pre-boot database
- d (domain) | Specifies the Windows Domain that the newly added user is a member of (defaults to the Local System Name). This domain name must be a NetBIOS domain name.
- file | Specifies the filename of a file containing a user certificate
- l (list) | Displays a list of all existing pre-boot users
- n (name) | Specifies a username to add to the pre-boot database
- p (password) | Specifies the password of the newly added user
- r (remove) | Removes a user from the pre-boot database
- v (version) | Displays version information
To change a password, remove the user account (r) first and then add a new account (a) with the new password.
[page 174] Chapter 11: RapidRecovery Disaster Recovery Tools
PEPREP.EXE WinPE Bootable Recovery Disk Utility
WinPE (Windows Pre-Installation Environment) is a lightweight version of the Windows operating system which can be used to run 32-bit or 64-bit recovery tools. The PEPREP utility is a WinPE-based pre-boot recovery tool located in the Tools\WinPE folder on the SafeNet ProtectDrive installation medium. It should be used by WinPE-savv
49. ...add local Windows users to the ProtectDrive pre-boot user database is described below. Before you begin, go to the PD Settings > Authentication tab and verify that the Add Users to SafeNet ProtectDrive on Windows Logon option is selected. 1. Log out of your Windows Administrator session on the client PC. 2. Have each user log into the local Windows. Once they successfully log in, their pre-boot user accounts will be created automatically. 3. Open the PD Users tab and verify that each user has been added.
Change a Pre-boot Password: 1. Press CTRL+ALT+DEL and select Change Password. [Screenshot: Windows Security dialog showing Logon Information (user, logon date) and the Lock Computer, Log Off, Change Password, Task Manager and Cancel buttons] 2. Verify that the appropriate domain is selected in the Log on to field. 3. Specify the old and new password and then click OK. [Screenshot: Change Password dialog with User name, Log on to, Old Password, New Password and Confirm New Password fields]
50. ...alteration to the ProtectDrive MBR, the following message displays: "Current MBR is not the ProtectDrive MBR".
RMBR Version Compatibility Check: Rmbr will attempt to verify that it is working with the correct version of the ProtectDrive system. If the version is incorrect, the following message displays: "Incompatible versions. ProtectDrive Version 8.1 (example). RMBR.EXE Version X.X.X (example)". Note: Depending on the level of system data corruption, it is not always possible to determine the version of the currently installed ProtectDrive system.
Restoring the ProtectDrive MBR: RMBR will initially display the list of all ProtectDrive partitions. Select the partition you wish to recover the ProtectDrive MBR for.
Disk | Start Sector | End Sector | Megabytes | Type
1 | 63 | 16771859 | 8189 | Primary Boot ProtectDrive
Select partition to recovery (Ctrl-C to exit): _
Current MBR is not the ProtectDrive MBR
Searching for super block from sector 63 to sector 20487599: 99.99% and 3hrs 20mins remaining. Press Ctrl-C to stop.
Rmbr.exe will search the disk sector by sector, looking for the ProtectDrive super block corresponding to the start of the ProtectDrive embedded file system. It is possible that remnants of previously installed ProtectDrive systems may exist on the disk. If a super block is found but it does not correspond to
51. ...attempts, further logon attempts are prevented for a configurable period of time. Open the system's Event Viewer for details on failed logon attempts and other events. See page 184 for more on Event Viewer.
Lock out all users / Lock out individual users: These settings determine whether access to all or to individual user accounts is blocked for a period of time after too many failed logon attempts. The default is Lock out all users.
Allowed invalid logon attempts before lockout: ProtectDrive will lock a computer after the specified number of unsuccessful logon attempts at the pre-boot logon screen has occurred. Click in this field and then select the desired number of attempts. The default value is three (3). [Screenshot: Lockout group showing Lock out all users / Lock out individual users, Allowed invalid logon attempts before lockout = 3, Lockout Period = 3 Minutes]
Lockout period: This value determines the length of time that access to the system or to an individual account is blocked. Click in this field and then select the desired lockout period. The default setting is three (3) minutes. The maximum lockout period is 365 days. [Screenshot: Lockout group with the Lockout Period drop-down list open]
Advanced Settings: Management
52. ...can be used to later decrypt a failed system. These files must be stored off the client system. The backup file set that is created by the backup utility is used in conjunction with the Master Security Certificate (MSC) to perform Disk Key Recovery. Note: In ProtectDrive 8.3 and higher, periodic backups are not necessary for remotely managed ProtectDrive clients, as backup recovery files can be obtained from Active Directory. ProtectDrive also provides a set of command-line recovery tools which can be used to perform disaster recovery tasks such as data decryption and pre-boot user database management. These RapidRecovery tools are included on the ProtectDrive distribution CD and are generally used by System Administrators only. Refer to Chapter 11 for details.
ProtectDrive Licensing: ProtectDrive licensing includes license codes to activate disk encryption, removable media and Active Directory/ADAM management. Typically ProtectDrive is sold with this complete functionality. To install a full version of ProtectDrive, a license code or authorization code is required. Otherwise you can only install the 30-day trial version of ProtectDrive for evaluation purposes. When a ProtectDrive license is purchased, you will receive a license file or an authorization file (.txt format). Prior to installing ProtectDrive, copy the appropriate .txt file to a location that you can browse to during the installation process, or for silent GPO installations th
53. ...click on the Configuration Objects directory. Select New Configuration. Enter a name for the new configuration object and then click OK. Do not use special characters in the name. Proceed to the next section to add at least one user to the new configuration object.
Add a User to the New Configuration Object: Any time you add a new configuration object, make sure there is at least one user assigned to the configuration before making changes to the ProtectDrive settings. 1. On the server, open the ProtectDrive Management Console. 2. Expand the ProtectDrive Management directory. 3. Expand the Configuration Objects directory. 4. Right-click on the configuration object and then select Properties. 5. Click the PD Users tab. 6. Click Add and then follow the prompts to add a user. 7. Click Apply and then click OK. Proceed to the next section to modify the ProtectDrive settings for the configuration object.
Customize the New Configuration Object: 1. On the server, open the ProtectDrive Management Console. 2. Expand the ProtectDrive Management directory. 3. Expand the Configuration Objects directory. 4. Right-click on the configuration object and then select Properties. 5. Click the PD Settings tab. 6. Customize the settings as needed for this configuration. 7. Click Apply and then click OK.
54. [entry title garbled] 42
Deploying Administrative Management Tools 45
How has the ProtectDrive Installation Changed? 45
Prepare the Windows Domain 45
Install the ProtectDrive Administrative Management Tools 51
What are the ProtectDrive Administrative Management Tools? 53
ProtectDrive Management Console 55
Deploying Client-Side Components 64
Custom Graphics 64
Install the ProtectDrive Client-Side Components 64
Customizing the Installation 71
Disk Imaging: Norton Ghost Interoperability with ProtectDrive version 9.0 and higher 79
Using Norton Ghost in RAW Mode 79
Creating a Unique Disk Key for Each Deployed System 80
Upgrading From a Previous Version of ProtectDrive 81
Before You Begin 81
Creating a New Recovery File Set 82
About Interactive Upgrade 82
About Silent GPO Upgrades 82
[entry title garbled] 83
55. ...in the notification area is opened.
Add Users to SafeNet ProtectDrive on Windows Logon: When this option is enabled, a new ProtectDrive pre-boot user account will be created (if it does not already exist) for a user when they log on to Windows. This functionality depends on the settings of the Allow Local User Access, the Allow Password Domain User Access and the Allow Token Domain User Access options. An entry will be created for the user in the ProtectDrive pre-boot user database only if a setting that corresponds with the type of Windows logon being performed is set.
Advanced Settings: Accessibility Options [Screenshot: Advanced Settings tree (Accessibility Options, Allowed Certificate Usages, Default Permissions, Encryption, Interrupt Vector Update, Lockout, Management, Password Policy, User Interface) with the Enable Pre-boot Auditory Prompts check box]
Enable Pre-boot Auditory Prompts: Auditory prompts are intended to be used by visually impaired users. When this feature is enabled, audio prompts will occur for a number of screen states or conditions during the pre-boot login process. Note: The auditory prompting feature can also be toggled on and off by pressing F3 from any pre-boot login screen. Each audio prompt consists of a series of short or long beeps
56. ...interrupt vector address. [Screenshot: Interrupt Vector Update group with a Disable Interrupt Vector Check check box]
ProtectDrive maintains a store of some of the BIOS interrupt vector addresses. This allows ProtectDrive to detect potential attacks mounted by changing an interrupt vector address. When ProtectDrive detects a difference between the BIOS interrupt vector address and the copy held by ProtectDrive, an error message displays. When interrupt vector addresses change legitimately (for example, after updating the BIOS), this error message is still displayed. The Interrupt Vector Update group provides a mechanism to accept a legitimate change by updating ProtectDrive's copy of the disk, keyboard and clock-tick interrupt vector addresses, as well as a means to disable the interrupt vector check.
Advanced Settings: Lockout [Screenshot: Lockout group showing Lock out all users / Lock out individual users, Allowed invalid logon attempts before lockout = 3, Lockout Period = 3 Minutes]
The Lockout group is used to prevent password guessing attacks. After a number of failed logon
57. ...is available only when authentication at both the Pre-boot and Windows access levels is enabled for at least one authentication method. Single sign-on is currently not supported with fingerprint logon. Select the Single Sign-on check box to enable single sign-on mode.
Pre-boot Access Management: The Pre-boot Access Management settings are available when authentication is enabled at the Pre-boot level, that is, when the Allow Local User Access and/or Allow Password Domain User Access check boxes are selected. The Pre-boot Access Management settings are described below.
Allow Emergency Logon With Username | When enabled, this option allows the user to invoke the Emergency Logon With Username Procedure. It is used in cases where the user has forgotten their pre-boot authentication password (not a PIN). This includes Windows Domain or Local Windows user password accounts that have been added to ProtectDrive. It allows for one-time-only pre-boot access to the system. This feature requires a user to have successfully logged in through Pre-Boot Authentication before it can be invoked by that user.
Single Sign-on After Emergency Logon | When enabled, this option allows the user to automatically authenticate post-boot into Windows immediately following successful exercise of the Emergency Logon With Username Procedure. With the Pre-boot Access Management group box enabled, this option becomes available for selection when authentica
58. ...manage or view the ProtectDrive clients locally. This selection installs the SafeNet ProtectDrive User Manual.
6. Select the license type and then click Next. [Screenshot: SafeNet ProtectDrive InstallShield Wizard, SafeNet ProtectDrive License: select Trial Version or Full Version; "Please either enter an authorization code/license code or browse to a file containing the code"; Browse, Back, Next, Cancel]
If you select Trial Version, a 30-day evaluation version of ProtectDrive will be installed. After installation, a trial license can be updated to a valid full license via the LMC License Manager tab. If you select Full Version, you must have either a valid license code (for example, license.txt) or authorization code (for example, authorization.txt). The default path for the license/authorization file is the source directory from which the SafeNet ProtectDrive .msi file is run.
> To enter the license code or authorization code, either browse to and open the file, copy and paste the entire contents into the browse field and then click Next, or browse to the license file and then click Next.
> To enter the authorization code, an Internet connection is necessary to contact the license server. Browse to the authorization file and then click Next. The license server is con
59. ...must be checked at both the Windows and Pre-boot levels across the authentication methods. Warning: If you do not have any tokens (the drivers are not installed) to log on to Windows, do not configure ProtectDrive to only allow Windows logon authentication using tokens and smart cards. If you configure ProtectDrive in such a way and the PC is locked, there is no way to unlock it with a password, since ProtectDrive is configured to only allow token logons. The administrator should ensure there is a valid token to be used for both PBA and Windows logon and unlocking before configuring ProtectDrive for token-only access.
Allow Local User Access | Enabled by default, this method allows Local Windows users to authenticate into the system using their Local Windows Username, Password and Local System Name. Local Windows users can only be added using the Local Management Console utility or via a Windows logon when Add Users to SafeNet ProtectDrive on Windows Logon is set at the bottom of this Authentication screen. Local Windows users cannot be added to the client system's user database from the server.
Allow Password Domain User Access | This method allows Windows Domain users to authenticate into the system using their Windows Domain User Name, Password and Domain Name.
Allow Token Domain User Access | This method enables Windows Domain users to use
60. ...option should be set ON in the evaluated configuration so that the user is warned of unsuccessful logons.
Access Control: ProtectDrive offers a number of access control options: User ID and Password, Token and PIN, and emergency logon options. Evaluated versions of ProtectDrive may not include all access control options. When using an evaluated version of ProtectDrive, users should refer to the evaluation Security Target to determine which options form part of the evaluated version. Only those access control options that form a part of the evaluated version of ProtectDrive should be enabled.
Appendix F iKey Management
iKey 1000: The SafeNet iKey 1000 tokens can easily be used in conjunction with ProtectDrive to provide secure two-factor authentication. This section briefly reviews how to manage iKey 1000s through the standard iKey SDK. Please refer to the iKey 1000 Series Developer's Guide (SDK) for more specific details. The following procedure assumes that the iKey 1000 software, including the device driver and iKeyAPI DLL, is properly installed. For more specific details, refer to the documentation that accompanies the iKey 1000.
Manage the iKey 1000 Through the iKey SDK: To assign a user a PIN: 1
61. ...option so that you can write to the device. 7. Select Set Active for that drive and then select OK. 8. Make no changes to the default settings. Select Sectors > Write and then click Write it. 9. Respond Yes to any warnings that display. When you attempt to access the drive, you will be prompted to format it, which you can now safely do.
Exporting the Client Configuration Settings (XML file): After you have installed and configured the desired ProtectDrive settings on a client PC, you can export the settings to an XML file and then import the file to multiple clients. This .xml file is encrypted using the salt.cid file used for removable media recovery. Therefore you can only import this file to client PCs that share the same salt.cid. For large installations, multiple client PCs can be configured quickly with an XML file exported from another ProtectDrive-configured client in your network. You can use this exported .xml file in a GPO installation by including the ERA_CONFIG_FILE_XML_PATH property in the customized SafeNet ProtectDrive .msi file. Refer to page 42 for details. Follow these steps to export the client settings to an XML file: 1. Open the Local Management Console on the configured client. 2. Click the ProtectDrive icon in the upper left corner of the screen. 3. Select Export > Local Management Console Mo
62. ...or Windows. This column indicates the user's current password. By default this setting will display as Initial for users who have been manually added in ProtectDrive and who have not yet authenticated into Windows using their actual Windows Domain passwords. After logging into Windows, the user's pre-boot authentication password is synchronized with their Windows password and the setting is replaced with Windows.
Initial Password: The settings for this column are Set or Default. This column indicates whether the user's initial password was specified by the administrator (Set) or whether the default password is being used (Default). The number of password users and smart card/token certificate users should not exceed 2000. Passwords are assigned by using one of these methods:
• To specify a user's password, highlight the user's name and then click the Configuration button. De-select the Use default password check box and then enter and confirm a unique password for the selected user/group. Setting a specific password will always override the default password. The Password State will now be changed to Set.
• To use the default password, highlight the user's name and then click the Configuration button. Select the Use default password check box. The default password assigned to the user will be the one that is defined in the
63. ...output files. [Screenshot: output file Directory field with Back and Cancel buttons] 5. When the recovery files are successfully created, the following message displays: "Action SUCCEEDED. Press Next to continue". Click Next to continue. 6. When the creation process is complete, the following screen displays. Click Finish to close the Certificate Wizard, or click Continue to return to the Operation Selection screen to perform another procedure. [Screenshot: SafeNet ProtectDrive Certificate Wizard, Wizard Operation Completed: "Click Finish to exit or click Continue to restart the Wizard"] 7. Verify that the PdRecovery files were created and saved to the location you specified in step 5.
Remove ADAM Instance and Unused ADAM SCPs: In Active Directory environments, Active Directory Application Mode (ADAM) uses service connection points (SCPs) to publish ADAM service information in Active Directory. An SCP is a pointer in Active Directory that contains information about a service, such as an ADAM instance, including how and where to contact that service. SCPs are important for ProtectDrive to locate the correct ADAM instance. When an ADAM instance is removed from the computer, it deletes its SCP from Active Directory. If SCP removal fails, client applications may be directed to a nonexistent ADAM instance, which can cause the Active Direc
64. [Figure 3: Smartcard/Token PIN or Username/Password/Domain Post-boot Authentication. Flowchart: CTRL+ALT+DEL and Allow Password Domain Access, or Smartcard or Token inserted; if not, Allow Local User Access; ends at the Log On to Windows dialog (User name, Password, Log on to, Log on using dial-up connection).]
Appendix D System Debug and ACS Error Messages: Before proceeding, familiarize yourself with the contents of Chapter 11, RapidRecovery Disaster Recovery Tools.
System Debug. Problem: A password-type account user cannot be authenticated by the ProtectDrive Pre-boot Authentication program. Fix: Run Dispefs.exe with its u option. This will display a list of all users and their account types. Password-type account users are indicated with the Token User = False setting. If the user is shown to have a Password account type, then it is possible they are entering an invalid password. Passwords are case sensitive. Finally, if the user is positive they are entering the correct password and no other user is able to log on, then the ProtectDrive files have becom
65. ...the key has been updated. > If you are configuring the shared key from the ProtectDrive server (from the Active Directory Users and Computers MMC snap-in), you are prompted for the salt.cid file. Proceed to step 5. 5. Navigate to and select the salt.cid file and then click Open. [Screenshot: "Locate salt.cid required to protect the shared key" file dialog showing salt.cid, Files of type: System KeyFile (.cid)] A message will display to indicate that the key has been updated. A shared key can also be registered to a user through the Shared Key option accessible from the SafeNet ProtectDrive notification area icon, located in the lower right corner of the Windows desktop.
Added at Windows Logon: This column indicates whether or not a user is automatically added to the ProtectDrive database when the user logs into Windows. If the user does not already exist in the ProtectDrive database and the Add Users to SafeNet ProtectDrive on Windows Logon option is selected on the PD Settings > Authentication tab, then the user is added to ProtectDrive after logging into Windows.
Device Control: The settings in this section are used to define the default read and write permissions to the devices listed for each user or group in this tab. The Write setting for each device can only be enabled if the Read setting is also enabled. Make sure you click Set
66. ...type that best suits your needs [Screenshot: Setup Type dialog: Typical Client Installation (All SafeNet ProtectDrive Client features will be installed); Administrative Management Tools Installation (All SafeNet ProtectDrive Management tools will be installed); Custom Installation (Choose which Client and Server features you want installed)] and then click Next. [Screenshot: Custom Setup dialog, "Select the program features you want installed": Server Components (Remote Recovery Console, AD/ADAM Preparation Utility, Management Console, Management Console Desktop) and Client Components (Administration Guide, User Manual, Local Management Console), each with a Feature Description and disk space requirement] 5. Select the Server Components and/or Clien
67. ...upgrades from versions 8.2.1, 8.3.0, 8.4.x, 8.5.x, 9.0.x, 9.1.x, 9.2.x, 9.3.x and 9.4.x. Prior to upgrading a system that is FIPS-enabled and has DES or Triple DES encrypted drives, you must either decrypt the drives or disable FIPS mode. Otherwise the upgrade will fail and the following message will display: "Drives encrypted with DES or Triple DES have been detected. These algorithms are no longer available in FIPS mode. To remain using FIPS mode, decrypt these drives; otherwise de-select FIPS mode before upgrading."
> Re-run PDDirPrep when you are upgrading Active Directory or ADAM to a new version of ProtectDrive.
> When upgrading a server and remote clients, always upgrade the server first.
> After upgrading from ProtectDrive version 8.2.1 or higher to the latest version, all existing clients will be recognized as managed by the property sheet of their own computer objects. They will function no differently than they did before the upgrade. Once the clients are upgraded to the latest version, they can be configured to retrieve their policy from any Configuration Object. After the upgrade, change their policy configuration assignment from Managed by this property sheet to Managed by a configuration object. Refer to page 59 for details.
If you currently have ProtectDrive installed on a Windows XP or Windows 7 client and you intend to upgrade to a Windows Vista client and upgrade to ProtectDrive versio
68. ...user's Windows Domain password in the ProtectDrive pre-boot user database. Windows passwords must also be limited to a maximum length of 127 characters.
Advanced Settings: User Interface [Screenshot: Logon Messages group with check boxes Show Logon Information, Show Unsuccessful Logon Warnings, Unsuccessful Logon Message, Show Certificate Expiry warning 30 days prior to certificate expiry, and Show SafeNet ProtectDrive System Tray Icon]
Show Logon Information: By default, the SafeNet ProtectDrive Logon Information balloon tip displays immediately before the Windows Explorer shell loads. This message shows the date and time of the last successful logon, the date and time of the last password change, and the number of successful logons. Clear this check box to disable the display of logon information. Refer to page 182 for an example.
Show Unsuccessful Logon Warnings: By default, a ProtectDrive balloon tip displays if previous unsuccessful pre-boot authentication attempts have occurred. This warning is displayed immediately preceding the loading of the W
69. [Screenshot: Certificate Authority issued-certificate list. Each row shows the requester (PROTECTDRIVE\user16, user21, user39, user41, or the server TLOCSRV2K3), the start of the PEM-encoded certificate, the certificate template (Smartcard User, Smartcard Logon, Copy of Smartcard Logon, CA Exchange, Domain Controller) and the hexadecimal serial number.]
70. ...19
iolo System Mechanic Professional 19
Windows and Third-party Boot Managers 19
Windows BitLocker and BitLocker To Go Drive Encryption Utilities 19
Windows Disk Manager Utility 20
Windows Fast User Switching Utility 20
Windows Folder Compression Utility 20
Windows System Restore Utility 20
Chapter 5 Deploying ProtectDrive 21
Best Practices 21
Fingerprint Authentication 21
[entry title garbled] System Preparations 21
Back Up the License File 22
Recovery File Set Preparation 22
Sector 0 Backup for Removable Media only (Optional) 23
Custom Recovery Key Set Creation 24
Certificate Wizard Procedure 25
Remove ADAM Instance and Unused ADAM SCPs 32
Configure the Windows Firewall for ADAM 35
Enable ADAM or AD LDS on a Member Server 36
ProtectDrive Install MSI Package 41
Customize the MSI Package 41
ProtectDrive MSI Properties
71. Code | Component | Description | Possible Cause | Recovery Action
307 | MBL | No SafeNet partition info | Partition table corruption or change; addition of a fixed disk after ProtectDrive installation | Run rmbr.exe to recover the ProtectDrive MBR
0313 | MBL | Disk I/O error reading sector stack | Disk I/O error, hard disk failure or partition table corruption | Run rmbr.exe to recover the ProtectDrive MBR
0314 | MBL | Disk I/O error reading VXBIOS | Disk I/O error, hard disk failure or partition table corruption | Run rmbr.exe to recover the ProtectDrive MBR
1100 | VXBIOS | System not initialized | System could not load the disk encryption key, or the DTE/EFS is missing or corrupted | Standard Recovery Procedure
1101 | VXBIOS | EFS protection incomplete due to extensive fragments | Fragmented disk | Standard Recovery Procedure, and then defrag the drive
1204 | VXBIOS | VROM load error | VROM file is missing, has an incorrect size, or a read error occurred | Standard Recovery Procedure
1205 | VXBIOS | VROM status error | VROM signature verification failed or the program loader reported an error | Standard Recovery Procedure
1300 | VXBIOS | Insufficient memory | Failed to allocate memory for the VROM resources; insufficient memory available | Try to free up memory
1301 | VXBIOS | GDA file load error | GDA file is missing or a
72. Card | Last Version Tested
...330 GSA2 | 9.4.0 32-bit
SafeNet 330 GSA3 | 8.4.0 16-bit; 9.4.0 32-bit
SafeNet 330 M | 9.4.0 32-bit
SafeNet 400 | 8.4.0 16-bit; 9.4.0 32-bit
Siemens CardOS 4.3B | 8.4.0 16-bit; 9.4.0 32-bit
RSA SecurID 5100 | 9.4.0 32-bit
Gemalto .NET | 9.4.0 32-bit
CAC Axalto Access 64K | 9.4.0 32-bit
CAC Gemalto Access 64KV2 | 9.4.0 32-bit
CAC Gemalto GCX4 72K DI | 9.4.0 32-bit
CAC Gemalto TOPDLGX4 144 | 9.4.0 32-bit
CAC GemPlus GXP3 64V2N | 9.4.0 32-bit
CAC Oberthur CosmopolIC V4 | 9.4.0 32-bit
CAC Oberthur ID-One V5.2 Dual | 9.4.0 32-bit
CAC Oberthur ID-One V5.2a Dual | 9.4.0 32-bit
CAC Schlumberger Access 32K V2 | 9.4.0 32-bit
Tokens
Token | Last Version Tested
Aladdin eToken PRO 16k | 9.4.0 32-bit
Aladdin eToken PRO 32k | 8.4.0 16-bit; 9.4.0 32-bit
Aladdin eToken PRO 32k 4.2b FIPS | 9.4.0 32-bit
Aladdin eToken PRO 64k | 9.4.0 32-bit
Aladdin eToken PRO 64k 4.2b FIPS | 9.4.0 32-bit
Aladdin eToken NG-OTP 32k | 9.4.0 32-bit
Aladdin eToken PRO Anywhere Java | 9.4.0 32-bit
Aladdin eToken PRO 72k Java | 9.4.0 32-bit
Aladdin eToken PRO 72k Java FIPS | 9.4.0 32-bit
Aladdin eToken NG-OTP 72k Java | 9.4.0 32-bit
Aladdin eToken NG-FLASH 72k Java | 9.4.0 32-bit
Aladdin eToken PRO 64k 4.2b | 9.4.0 32-bit
SafeNet Borderless Security iKey 1000 | 8.4.0 16-bit
Chapter 7: Configuring Default System and User Policy

[Screenshot: Allowed Certificate Usages list (Name / Status columns) with the Authentication and Advanced tabs]

Advanced Settings: Default Permissions

[Screenshot: Advanced Settings group showing Default Permissions check boxes: Read CDROM, Write CDROM, Read Diskettes, Write Diskettes, Read Removable Media, Write Removable Media, Read Serial ports, Write Serial ports; other groups listed are Device Access, Encryption, Interrupt Vector Update, Lockout, Management, Password Policy, User Interface and Accessibility Options]

Default Permissions only apply to users whose individual User Policy has not yet been defined explicitly on the PD Users tab. Individual User Policy settings that are defined in the PD Users tab override these Default Permissions.

For example, a user may be added to the ProtectDrive pre-boot user database following a successful Windows login (see the Add Users to SafeNet ProtectDrive on Windows Logon option on the Authentication tab). If this user was not explicitly added to the system using the PD Users tab, then their device access permissions to the system's resources will be governed by the settings in the Default Permissions group.
Chapter 9: User Authentication

...Allow Password Domain User Access option on the Authentication tab is set, the following ProtectDrive pre-boot authentication screen will display.

[Screenshot: ProtectDrive Default Username/Password/Domain Log On Screen, and Legacy Username/Password/Domain Log On Screen]

The Domain field lists all the relevant Windows Domains available on the system. Use the Up Arrow and Down Arrow to navigate the list of available domain names. Assuming the Allow Local User Access option on the Authentication tab is selected, the Local System Name will also be listed in the Domain field of the ProtectDrive pre-boot authentication screen.

Note that in the case of consecutive failed pre-boot authentication attempts, the lockout policy will be enforced to prevent password guessing. Open the system's Event Viewer for details on failed logon attempts and other events. See page 184 for more on Event Viewer.

Windows Authentication

Every time a user successfully logs into Windows, their most current Windows Password propagates to the ProtectDrive Pre-boot User database.

Automatic Single Sign-on (Mode is ON): Assuming the ProtectDrive Single Sign-on mode is ON, the user is automatically authenticated into their relevant Windows Domain following successful pre-boot authentication.

Manual Single Sign-on
- Borderless Security PK and SSO Administration Guide
- Borderless Security PK and SSO User Guide
- iKey 1000 Series Developer's Guide

Table of Contents

Chapter 1: Introduction ... 1
  Product Overview ... 1
  ProtectDrive Variants ... 2
  Who Should Read This Document ... 2
Chapter 2: ProtectDrive Functional Description ... 3
  Supported Pre-boot User Authentication Credentials ... 3
  Misplaced/Forgotten User Authentication Credentials ... 4
  Unattended Reboot Followed by Automatic Pre-boot Authentication ... 4
  Windows User Authentication ... 5
    Single Sign-On (SSO) ... 5
    Manual Windows Authentication ... 5
    Borderless Security (BSEC) Authentication ... 5
    Single Sign-on in a Non-Windows Environment ... 5
  ProtectDrive Notification Icon ... 6
  Hard Drive and Removable Media Encryption and Decryption ... 7
  ProtectDrive System and User Policy ... 7
  Remote Management ...
Chapter 10: Extraordinary Authentication Scenarios

...Directory install

5. Enter the code provided by the user into the Recovery Code field and then click Generate Response.

[Screenshot: Emergency Logon / Disk Key Recovery dialog. Recovery Support Certificate Key: Personal Store or PFX File (File: A:\PdRecovery.pfx, Password, CSP Provider). Recovery Envelope: Get from File (A:\DP_XPTEST_RecoveryEnvelope.env) or Get from AD. Recovery Input: Recover for Username, Recovery Code, Response; "Spaces are for display purposes only"; Generate Response button]

6. Instruct the user to enter the automatically generated response code into the Enter response below field. At this point the user will be granted pre-boot access to the system.

7. For security purposes, instruct the user to change their Windows Domain Password as soon as they log on to Windows.

Emergency Logon Without Username Procedure

This procedure does not apply to smart card/token and PIN users.

If a user has not yet had the opportunity to log on to their ProtectDrive-secured PC, they may be required by the System Administrator to execute the following Emergency Logon Without Username Procedure during their first-ever system log on.

End User Instructi
E 2 6771923 78140159 3DES CBC 29964 100.00 Logical
3 2 63 417689 3DES CBC 203 100.00 Primary
4 2 417690 10217339 3DES CBC 4784 100.00 Primary
S 2 10217403 12498569 3DES CBC 1113 100.00 Logical
Select encrypted area to decrypt (Ctrl-C to exit): _

In the above example, decdisk displays information regarding all known hard disk partitions. Disk is the physical disk number. Start Sector and End Sector are relative to the start of the physical disk. Decdisk also displays information regarding the encryption status of the above partitions: the Start Sector and End Sector columns show the extent of the encryption. The value in the Area column is used to select which area to decrypt.

The information above portrays two physical disks. The first disk has primary and extended partitions, the extended partition containing one logical drive. The second disk contains two primary partitions and an extended partition containing one logical drive. All partitions on these disks are fully encrypted with Triple DES.

The user is required to select one of the encrypted areas to decrypt. As the decryption progresses, the user is informed of the percentage of the encrypted area still to be decrypted and approximately how long the decryption will take, as follows:

75.10% 3hrs 15mins remaining. Press Ctrl-C to stop

Once the decryption is complete, the list of encrypted areas will be refreshed. When there are no more encrypted areas, the following message will display:

No enc
Chapter 5: Deploying ProtectDrive (MSI properties, continued; the property names are those listed in the first column at the end of the preceding page)

ERA_LICENSE_PATH_OR_CODE: This property does not exist in the SafeNet ProtectDrive.msi file by default. This property defines the license path (relative, full or network path) that contains the ProtectDrive license file, or the full license code copied/pasted from the license.txt file. The default license file path is the source directory from which the SafeNet ProtectDrive.msi file is run. If this property is not defined, then the installation searches for a license.txt file. If authorization.txt also exists, then it will take precedence over license.txt. If neither file exists, then the trial license is installed.

ERA_NO_NETBSD: This property applies to upgrades only. 32-bit pre-boot installation is the default. If a legacy 16-bit installation is desired, set this property to 1. If set to 1, the ERA_VROM_READERS_SET property must also be set. If a 32-bit environment is already installed and there is a need to revert to legacy 16-bit, press the Shift key while the PC is booting. The PC will start in 16-bit pre-boot one time only, until the next reboot occurs. To make this adjustment permanent, please contact Technical Support.

ERA_SETUP_TYPE: This property is set to Client by default for client installation. Set to Server to install the Administrative Management Tools (ProtectDrive Management Console, PDDirPrep, Remote Recovery Console, etc.).

ERA_VROM_READERS_SET: This property applies to 16-bit pre-boot installations only. Due to driver limitations in the
Chapter 11: RapidRecovery Disaster Recovery Tools

If for some reason the ProtectDrive-secured system becomes inaccessible (due to data corruption, for example), the System Administrator can use the following disaster recovery tools to perform system diagnosis, decrypt the hard disk(s), manipulate the MBR and administer the Pre-boot User database.

The following tools are included in the Tools directory of the ProtectDrive distribution CD. These tools, along with the original salt.cid and the EFS recovery files, provide enough functionality to recover any inoperable ProtectDrive system.

DECDISK.EXE: Disk Decryption Utility

This 16-bit MS-DOS command prompt disk decryption utility is only used to decrypt a non-bootable Windows installation, i.e. when access to the GUI-based decryption mechanism is not available. If Windows is bootable, use the decryption mechanism in the ProtectDrive Management Console snap-ins, in PD Settings > Status. After a successful decryption using decdisk and a successful Windows boot occurs, the disk is re-encrypted.

Usage: DECDISK.EXE [options]

Options (as listed in the source): usage; v, ver; a, display; a, all; e, est; r, rec; rp, recpath; dk, diskkeyfile; mbr, restorembr; s, sel

Option | Description
usage | Displays usage information
v, ver | Displays utility version information
a, display | Displays encryption information only
a, all | Decrypts all encrypted parti
Chapter 5: Deploying ProtectDrive

- If you select Trial Version, a 30-day evaluation version of ProtectDrive will be installed. After installation, a trial license can be updated to a valid full license via the LMC License Manager tab.
- If you select Full Version, you must have either a valid license code (for example, license.txt) or authorization code (for example, authorization.txt). The default path for the license/authorization file is the source directory from which the SafeNet ProtectDrive.msi file is run.
- To enter the license code or authorization code, either browse to and open the file, copy and paste the entire contents into the browse field, and then click Next; or browse to the license file and click Next.
- To enter the authorization code, an Internet connection is necessary to contact the license server. Browse to the authorization file and then click Next. The license server is contacted via the Internet connection and will in turn provide an authorization code to allow the installation to continue.

Choose the appropriate ProtectDrive configuration method. Select Client Configuration for stand-alone installations, or select Remote Configuration for remote configuration using Active Directory/ADAM, and then click Next. If you select Remote Configuration, you must have an existing recovery file set to use in step 9.

[Screenshot: SafeNet ProtectDrive
...RD (REG_DWORD, values 0/1): When set to 1, this option will ignore the APB_USERNAME and APB_DOMAIN entries and will log on to the token using the PIN defined by the APB_PASSWORD option.

APB_PERSISTENCE_LEVEL (REG_DWORD, values 0/1): Set to zero (0) to save the APB information on graceful shutdown or restart. This is effectively the same as no APB_PERSISTENCE_LEVEL entry at all. Set to 1 to save the APB information at Windows startup as well as on graceful shutdown or restart. This setting, although not as secure, will still allow for APB after an unexpected shutdown or power failure.

Chapter 10: Extraordinary Authentication Scenarios

Creating a Disaster Recovery Disk Key

This procedure is used to recover a hard disk in the event that a ProtectDrive-encrypted computer fails to boot to Windows. In this procedure the System Administrator will create a disk key file by using the rpadmin utility. The disk key file, encrypted with a passphrase, is used with the decdisk utility and the EFS recovery files (created with the backup.exe utility, or obtained from Active Directory at the same time as the disk key creation) to complete the disk decryption and recovery procedure. Refer to Chapter 11 for details on backup.exe and decdisk.exe.

A recovery disk key is also required for the peprep utility, the WinPE bootable disk recovery utility. Refer to Chapter 11 for details on peprep.exe.

Create the
Chapter 5: Deploying ProtectDrive (MSI properties, continued; the first column with the property names is only partly legible: REC_FILES_FOLDER_PATH and ERA_LANGUAGE_CHOICE are the last two entries)

- This property is set to 0 by default. Set it to 1 if you wish to install the ProtectDrive Administration Guide. To install this file, it must reside in the same directory as the MSI package.
- This property is set to 1 by default. Set it to 0 to not install the Client component. This is also set to 1 automatically if ERA_INSTALL_LOCAL_MC is set to 1.
- This property is set to 0 by default. Set it to 1 to install rpadmin.exe. Refer to Chapter 10, Extraordinary Authentication Scenarios, for additional information.
- This property is set to 1 by default. Set it to 0 to not install the Local Management Console utility.
- This property is set to 1 by default. Set it to 0 to not install the ProtectDrive User Manual. To install this file, it must reside in the same directory as the MSI package.
- REC_FILES_FOLDER_PATH: This property defines the recovery file path (relative, full or network path) that contains the recovery file set. The default recovery file set path is the source directory from which the SafeNet ProtectDrive.msi file is run.
- ERA_LANGUAGE_CHOICE: This property defines the language used for labels and text messages. It is set to the operating system language by default (0). Alternate settings are 1 (English), 2 (German) or 3 (Japanese).

Properties continued on the next page: ERA_LICENSE_PATH_OR_CODE, ERA_NO_NETBSD, ERA_SETUP_TYPE
[Screenshot: Certification Authority console listing the certificates issued to the PROTECTDRIVE domain (Smartcard User, Smartcard Logon, Cross Certification Authority, Directory Email Replication, Domain Controller Authentication and CA Exchange certificates)]

14. Log off this user and log back into the Windows domain by reinserting the token at the Windows logon prompt.

15. Enter the PIN at the prompt. Login should be successful with the certificate. Logging in this way will ensure the user is updated as a certificate user in the ProtectDrive users database.

16. Open the ProtectDrive Local Management Console and note that the user name and certificate entry displays on the PD Users tab.

[Screenshot: Local Management Console, PD Users tab (other tabs: PD Settings, License Manager), with columns User, Certificates, Password, Current Password, Initial Password; the admin entry shows a certificate count, Current Password "Yes" and Initial Password "Windows Default"]
To continue, click Next. (You can select Skip this page by default.)

On the Select Server Roles page, in the Roles list, select the Active Directory Lightweight Directory Services check box and then click Next.

[Screenshot: Add Roles Wizard, Select Server Roles page. Roles list includes Active Directory Certificate Services, Active Directory Domain Services, Active Directory Federation Services, Active Directory Lightweight Directory Services (selected), Active Directory Rights Management Services, Application Server, DHCP Server, DNS Server, Fax Server, File Services, Network Policy and Access Services, Print and Document Services, Remote Desktop Services, Web Server (IIS), Windows Deployment Services, Windows Server Update Services. Description: AD LDS provides a store for application-specific data for directory-enabled applications that do not require the infrastructure of Active Directory Domain Services. Multiple instances of AD LDS can exist on a single server, each of which can have its own schema.]

Follow the remaining instructions in the wizard and finish adding the AD LDS server role. After the installation is finished, the Installation Results screen displays. Review the messages on the screen to ensure the installation was successful and then click Close.
Chapter 7: Configuring Default System and User Policy

[Screenshot: Authentication tab check boxes: Allow Local User Access, Allow Password Domain User Access, Allow Token Domain User Access, Allow Shared Key Access, Single Sign-on; Pre-boot Access Management group: Allow Emergency Logon with Username, Single Sign-on After Emergency Logon, Allow Emergency Logon Without Username, Allow Users to Register Shared Key, Add Users to SafeNet ProtectDrive on Windows Logon]

Activate Pre-boot Authentication

This check box must be selected for ProtectDrive to provide disk encryption and pre-boot authentication on the client. To disable ProtectDrive without uninstalling it, clear this check box. All aspects of ProtectDrive, including disk encryption, will be disabled.

If this check box is cleared, changes to other settings on the Authentication tab can be made, but the settings do not take effect until ProtectDrive is enabled by selecting the Activate Pre-boot Authentication check box again.

Check the activation status by referring to the Activated/Pending/Deactivated indicator located to the right of the Activate Pre-boot Authentication check box. An example is shown below.

[Screenshot: "Activate Pre-boot Authentication" check box selected, with the indicator "Pending"]

The status messages that may display are:

- Active: Pre-boot authentication is turned on.
- Pending: The server is wai
...Users and Computers. These snap-ins (ProtectDrive Management, ProtectDrive Reports and Active Directory Users and Computers) are installed during the ProtectDrive Administrative Management Tools Installation.

Note: This installation option replaced the Typical Server Installation option in ProtectDrive version 8.2.1. The Administrative Management Tools Installation allows the administrator the flexibility to install the necessary tools wherever remote client management will take place; this could be on a server or even a workstation.

ProtectDrive clients with their own unique configuration objects (clients managed by the property sheet of their own computer objects) are managed remotely through the ADUC MMC snap-in. The central management of a computer object by ProtectDrive allows for central changes to affect only a specific computer. This is no different than the way clients were managed prior to ProtectDrive version 8.3.

In version 8.3 and higher, groups of ProtectDrive clients that use the same configuration object are managed remotely through the ProtectDrive Management snap-in. An unlimited number of custom configuration objects can be created for any number of client sets. New configuration objects can be created and added to the ProtectDrive Management snap-in. Clients can be added to and removed from configuration objects at any time. Refer to page 55 for details.
Appendix D: System Debug and ACS Error Messages

Code | Component | Description | Possible Cause | Recovery Action
... | VXBIOS | CRYPdll integrity check fail | Pre-boot crypto module is corrupted or has been tampered with | Reboot. If the problem persists, perform the Standard Recovery Procedure and install ProtectDrive from scratch. If the problem still persists, contact SafeNet Support
1328 | VXBIOS | CRYPdll AES test fail | Pre-boot crypto module is corrupted or has been tampered with | Reboot. If the problem persists, perform the Standard Recovery Procedure and install ProtectDrive from scratch. If the problem still persists, contact SafeNet Support
1329 | VXBIOS | NB_Kern integrity check fail | NetBSD main module is corrupted or has been tampered with | Reboot. If the problem persists, perform the Standard Recovery Procedure and install ProtectDrive from scratch. If the problem still persists, contact SafeNet Support
2301 | NetBSD | NetBSD AES test fail | NetBSD main module is corrupted or has been tampered with | Reboot. If the problem persists, perform the Standard Recovery Procedure and install ProtectDrive from scratch. If the problem still persists, contact SafeNet Support
2302 | NetBSD | NetBSD SHA-1 test fail | NetBSD main module is corrupted or has been tampered with | Reboot. If the p
[Screenshot: Certificate Wizard, Output Files Directory page: "Select the directory to save the output files" with a Directory field, Back and Cancel buttons]

6. When the recovery files are successfully created, the following message displays. Click Next to continue.

Action SUCCEEDED. Press Next to continue.

Chapter 5: Deploying ProtectDrive

7. When the creation process is complete, the following screen displays. Click Finish to close the Certificate Wizard, or click Continue to return to the Operation Selection screen to perform another procedure.

[Screenshot: SafeNet ProtectDrive Certificate Wizard, Wizard Operation Completed: "Click Finish to exit or click Continue to restart the Wizard" (www.safenet-inc.com)]

8. Verify that the PdMaster files were created and saved to the location you specified in step 5.

Create a Recovery Support Certificate

This option is used to create a Recovery Support Certificate to use for emergency one-time logon.

1. Navigate to the Tools directory on the ProtectDrive distribution CD and then double-click on certwizardapp.exe. When the Certificate Wizard displays, click Next to continue.

2. Double-click Create Recovery Support Certificate, or select the operation and then click Next.

[Screenshot: SafeNet ProtectDrive Certificate Wizard, Operation Selection: "Select the operation you would like to perform with the Certificate Wizard"]
...application. Select the information to fill in the field. Either:

- Click OK to store the field in the account, OR
- Click Cancel to discard the new field.

The Single Sign-On Field dialog box closes and the user returns to the account dialog box. Either:

- Click OK to store the account, OR
- Click Cancel to discard the new account information.

The Single Sign-On Account dialog box closes and you are returned to the Single Sign-On Assistant dialog box. Either:

- Click OK to commit the account, OR
- Click Cancel to discard the account.

The Single Sign-On Assistant exits.

Chapter 6: The Multiple Boot System

Modifying a Post-Authentication Account Field

1. Run the Single Sign-On Assistant.
2. Click Modify to change an existing account.
3. Run the application to perform the post-authentication account logon. The Single Sign-On Accounts dialog displays.
4. Click Modify. The Single Sign-On Field dialog box displays.
5. Change the field information.
6. Either:
   - Click OK to store the modified field in the account, OR
   - Click Cancel to discard the new field information.
7. The Single Sign-On Field dialog box closes and you are returned to the Single Sign-On Account dialog box.
8. Either:
   - Click OK to store the account, OR
   - Click Cancel to discard the new field information.
9. The Single Sign-On Account dialog closes and you are returned to the Single Sign-On Assistant
...are. ProtectDrive can encrypt/decrypt all fixed (non-removable) system HDD partitions with a drive letter assigned (no hidden partition support), including all IDE, EIDE, SATA and SCSI drives, and selected removable media such as USB external hard drives.

The ProtectDrive and ProtectDrive for Servers editions both support a hardware-based RAID system. Software RAID, however, is not supported.

ProtectDrive does not in any way interfere with the normal operation of the storage sub-system, with the following exceptions:

- It is not possible to format any partition on the system HDD.
- If a physical drive is partitioned into logical drives, it cannot be changed after ProtectDrive is installed.
- During installation, ProtectDrive accounts for all partitions present on the system. Post-installation partition resizing, converting, masking, activating or re-partitioning is not supported. This includes Master Boot Record manipulation.

Device Access Control

The ProtectDrive System Policy and User Policy management consoles provide configurable default and individual user access rights to devices such as removable media, diskettes and CD-ROMs. Floppy disk drives and removable devices such as CD-RW, DVD-RW and Iomega Zip Drives are excluded from encryption and decryption. ProtectDrive does not interfere with the normal operation of these devices, but it does control configurable user read/write privileges to most of these devices.
...ared key (iKey 1000 only) at pre-boot. After pre-boot authentication occurs, Windows authentication is required. Refer to page 209 for basic information on iKey 1000 management.

For a list of supported tokens and smart cards, refer to the latest ProtectDrive customer release notes on the SafeNet Web site in the Customer Care Center (http://c3.safenet-inc.com/secure.asp).

Misplaced/Forgotten User Authentication Credentials

ProtectDrive will accommodate users who have misplaced their authentication credentials. This refers to such instances where, for example, a user has misplaced their smart card/token or forgotten their Windows Domain Password. ProtectDrive System Policy provides automated procedures for handling these pre-boot authentication scenarios.

Unattended Reboot Followed by Automatic Pre-boot Authentication

Various System Administration functions not related to ProtectDrive may at times require an unattended reboot followed by automatic pre-boot authentication. ProtectDrive provides this functionality with the use of a special User Account. System Registry amendments are required to implement this functionality.

Chapter 2: ProtectDrive Functional Description

Windows User Authentication

Single Sign-on (SSO)

ProtectDrive System Policy can be configured to automatically authenticate users to Windows. Users are automatically logged on to the
...ary

1. Go to C:\Program Files\SafeNet\ProtectDrive.
2. Copy the lservrc file and save it to a safe location, preferably on another drive or computer, since you will be formatting this drive.
3. Rename the lservrc file to license.txt.
4. Use this license.txt file when you re-install ProtectDrive on the same machine.

Recovery File Set Preparation

SafeNet recommends that you create a Recovery File Set (saved on a floppy disk or CD, for example) that includes the ProtectDrive Recovery Tools and Recovery Keys. These files are required by the:

- ProtectDrive Disaster Recovery Tools
- Pre-boot Emergency Logon Procedures

After ProtectDrive has been installed on a system, follow these steps to create Recovery Disks:

1. Copy the PdMaster.pfx, PdRecovery.pfx, salt.cid and <computer name>_RecoveryEnvelope.env files to a Recovery Disk (CD). These files are created during the installation. The PdMaster.pfx, PdRecovery.pfx and salt.cid files can also be created pre-installation.
2. Copy the contents of the Tools directory (the ProtectDrive recovery tools) from the ProtectDrive distribution CD to the Recovery File Set location (a floppy disk or CD, for example).
3. On a separate CD, copy the EFS recovery files produced by running backup.exe or obtained from Active Directory. These files are required for disaster disk key recovery. Refer to page 168 for details about this recovery procedure.
...that actually exist on the client will display. When viewing the client computer from the Local Management Console, however, the existing drives are always the only ones that display. Configuring default encryption on a partition letter that does not actually exist on a particular client will result in no negative consequence.

Configured Algorithm: This column lists the algorithm selected for the encryption of the given partition. If None is shown, the partition is either not configured for encryption or, if already encrypted (see the Current Algorithm column), it is slotted for decryption. For each partition that you wish to encrypt by default, click the Encrypt/Decrypt button and then choose an algorithm from the list that displays. If a particular algorithm does not display in this list, check the Encryption group.

Current Algorithm: This has no effect on the default configuration. In general, this column represents the encryption status of the partition. If None is shown, then the partition is not currently encrypted.

Removable Drive Protection Progress: This window displays the progression of an encryption or decryption operation of the removable media. A drive letter and progress bar will display only if the operation is started prior to opening the PD Settings > Advanced > Status group, or while that screen is open.

Chapter 7: Configuring Default System and User Policy
...ate users also have password accounts check box if you want to allow all users listed here pre-boot access with the use of the password as defined by the Default Password in the PD Settings > Advanced > Password Policy group.

Chapter 8: System and User Management

Managing User Policy via the User Object or Group Object

Set ProtectDrive device access permissions for individual Windows Domain users or user groups through either of the ProtectDrive Management Console snap-ins.

Use the Active Directory Users and Computers snap-in for Computer Object-managed Clients:

1. On the server, open the ProtectDrive Management Console.
2. Open the Active Directory Users and Computers MMC snap-in.
3. Open the Users directory.
4. Right-click on a Windows Domain user or user group name and then select Properties.
5. Click the SafeNet ProtectDrive tab.
6. Set the device access permissions as appropriate for the user or user group.
7. Click Apply and then click OK.

These settings will be applied across the entire Windows Domain and will be picked up by all clients where this Windows Domain user or user group is listed.

[Screenshot: John Doe Properties dialog with tabs Member Of, Dial-in, Environment, Sessions, Remote control, General, Address, Account, Profile, Telephones, Organization, Terminal Services Profile, COM+, SafeNet ProtectDrive; the SafeNet ProtectDrive tab shows the Device Control group: "Configure the ProtectDrive device control for t
...be granted pre-boot access to the system.

Chapter 10: Extraordinary Authentication Scenarios

Emergency Logon With Username Procedure

End User Instruction

If a Username/Password/Domain Name user forgets their password, the Emergency Logon With Username procedure can be used to gain access to the system.

1. Enter your username into the User ID field of the Username/Password/Domain Name Log On screen shown below.

[Screenshot: ProtectDrive pre-boot Log On screen]

2. Place the cursor in the Password field and press Shift+F10. The following recovery response screen displays:

[Screenshot: recovery response screen showing Serial no. 21396, Username Administrator, Machine Name VMVISTA, Domain VMVISTA, Recovery Code "Kywyul wu6ny h3", and the "Enter response below" field]

3. Contact your System Administrator, either in person or on the phone, and communicate to them the displayed Recovery Code (Challenge) along with your Username. In return, the Administrator will communicate to you the Response Code.

4. Enter this code into the Enter response below field.

At this point Windows will proceed to load normally and will either log you on to Windows automatically or manually, depending on how the System Administrator configured ProtectDrive.

System Administrator Instruction

The user will perform the proce
Table of Contents (continued)

  Advanced Settings: Encryption ... 119
  Advanced Settings: Interrupt Vector Update ... 121
  Advanced Settings: Lockout ... 122
  Advanced Settings: Management ... 123
  Advanced Settings: Password Policy ... 124
  Advanced Settings: User Interface ... 126
  Status Settings ... 127
  PD Users Tab: Configure the Default User Policy ... 129
  License Manager Tab: View/Install/Update License ... 133
    Upgrade to a Full License From License Manager ... 134
    Upgrade to a Full License From the Nag Screen ... 134
Chapter 8: System and User Management ... 136
  Manage System Policy From the Server ... 136
  Manage User Policy From the Server ... 141
    Assigning Users to Clients and Managing User Policy via the Computer Object ... 141
    Managing User Policy via the User Object or Group Object ... 142
  Manage System and User Policy Locally ... 144
    PD Settings Tab ... 144
    PD Users Tab ... 145
    Changing a Pre-boot Password ... 146
Chapt
97. cedure on page 25. If you have not installed ProtectDrive yet and you want to use a custom recovery key set during the installation, follow the Certificate Wizard procedure on page 25 before you install ProtectDrive. The Certificate Wizard utility is located in the Tools directory on the ProtectDrive distribution CD.

Chapter 5: Deploying ProtectDrive. Certificate Wizard Procedures

Create a Salt File

This option is used to permit sharing of removable media among ProtectDrive computers.

1. Navigate to the Tools directory on the ProtectDrive distribution CD and then double-click certwizardapp.exe. When the Certificate Wizard displays, click Next to continue.
2. Double-click Create Salt File, or select the operation and then click Next. (Operation Selection screen: "Select the operation you would like to perform with the Certificate Wizard." Options: Create Salt File, which creates a Salt File used to permit sharing of removable media among SafeNet ProtectDrive computers; Create Master Security Certificate; Create Recovery Support Certificate.)
3. Browse to the directory where you want to save the output file and then click Next. (Output Files Directory screen: "Select the directory to save the output files.")
98. cense upgrade.

Chapter 3: System Requirements

Minimum Hardware Requirements

- 32-bit Intel-compatible CPU computer system
- Sufficient memory to run the operating system, plus 150 MB of free hard disk space
- CD-ROM drive or access to a server-based installation directory
- < 2 TB HDD size limitation
- Client firewall must allow access to the Internet on port 80 or port 5094 if connection to the License Server is required
- Active Directory only: the Active Directory Server must have the following ports open to allow ProtectDrive clients to receive updates:
  - port 88 TCP/UDP: Kerberos network authentication protocol
  - port 135 TCP: RPC End Point Mapper, Distributed Component Object Model (DCOM) services
  - port 389 TCP/UDP: LDAP
  - port 1026 TCP: calendar access protocol, DCOM services

Ports 88 and 389 are required for proper communication of the domain member with the domain controller and Active Directory. Ports 135 and 1026 are specific to proper communication with the ProtectDrive server and its remote clients. Refer to page 35 for details on configuring the Windows firewall for ADAM.

Supported Storage Hardw
99. ck Create ADAM Instance. (ADAM Replica Instance Information dialog, Ports section: "Enter the ports you would like the ADAM instance to listen on", with Port and SSL Port fields, plus File, Password and Provider fields.)
2. Enter the Port and SSL Port values on which to create the ADAM replica.
3. Click OK. The status window displays the action(s) being performed. Information is also logged to the PDDirPrep log file.

About Replication Delays

Replication takes time. You may find that configuration changes do not immediately propagate to the clients if they are pulling updates from a replicated ADAM instance. Be patient: depending on the configuration, it can take from several seconds up to several minutes. Generally this may be an issue when you are making configuration changes on the newly recovered unique instance while at the same time the clients are pulling updates from the replica instance that was previously in control.

If you are experiencing replication issues, determine whether an instance is bindable. Use ADAM ADSIEdit and try to connect to the node with DN CN=PDPartition on the instance being tested. If the connection fails, then most likely the PDMC and ProtectDrive clients will fail too when trying to bind to this instance. Wait a few minutes and then check that the clients have been updated with the configuration changes.

Extend Directory Schema

You m
100. computer with ProtectDrive installed boots up. If an error occurs during its initialization, the system will display an error message composed of an error number and a brief description. Error numbers are composed of three components, CTXX, where C is the module the error occurred in, T identifies the type of error, and XX is the actual error number.

Module identifiers: 0 = Master Boot Loader (MBL), 1 = VXBIOS, 2 = NetBSD, 3 = VROM.
Type identifiers: 0 = Not used, 1 = Warning, 2 = Error, 3 = Fatal.

The table below lists all ACS errors, possible causes, and recommended recovery actions (Appendix D: System Debug and ACS Error Messages).

ACS Error 0301 (MBL). Description: invalid master boot code checksum(s). Possible cause: MBR corruption, or MBR Trojan attack. Recovery action: run rmbr.exe to recover the ProtectDrive MBR.

ACS Error 0305 (MBL). Description: invalid VXBIOS checksum or size; OR cannot boot from encrypted Removable Media (USB). Possible cause: signature verification of the VXBIOS failed, possibly caused by disk corruption; OR the Removable Media does not have an OS. Recovery action: contact SafeNet Support; OR unplug the Removable Media and reboot again; OR modify the Boot Order in the BIOS configuration and move the USB device further down the device list.

ACS Error 0306 (MBL). Description: invalid master boot record (MBR) signature. Possible cause: MBR corruption, or MBR Trojan attack. Recovery action: run rmbr.exe to recover the ProtectDrive MBR.

0
101. count dialog box displays the account information. Change the account information as required. Either:
- Click OK to save the new account information, OR
- Click Cancel to discard the account information.

The Single Sign On Account dialog box closes and you are returned to the Single Sign On Assistant dialog box. Either:
- Click OK to commit the new account information, OR
- Click Cancel to discard the new account information.

The Single Sign On Assistant exits.

Removing a Post Authentication Account

1. Run the Single Sign On Assistant.
2. Select the account to remove from the Post Authentication Accounts list and then click Delete. Either:
   - Select OK to commit the account deletion, OR
   - Select Cancel to not delete the account.
   The Single Sign On Assistant exits.

Chapter 6: The Multiple Boot System

Creating a Post Authentication Account Field

1. Run the Single Sign On Assistant.
2. Click Add to create a new account, or click Modify to change an existing account.
3. Run the application to perform the post authentication account logon. The Single Sign On Accounts dialog box displays.
4. Click Add. The Single Sign On Field dialog box appears.
5. Specify a unique Account Name.
6. Select the field control by dragging the magnifying glass icon cursor over the control to be filled in the
102. covery Tools

Introduction

This chapter details the utilities that SafeNet offers in its RapidRecovery suite of recovery tools. These command-line utilities must be run by an administrator. With these tools you will be able to safely recover a ProtectDrive system in as little as five minutes.

BACKUP.EXE: Creating ProtectDrive Recovery Files

In preparation for disaster recovery, the command prompt utility backup.exe must be used following each disk encryption status change or license update. A folder labeled with the computer name will be created, with the EFS recovery files inside, which are necessary for disk recovery. Note that you can also run this utility as a scheduled administrative task.

Usage: BACKUP.EXE [options]

Options (option, description, default):
- usage: displays usage help.
- v, ver: displays the utility version.
- t, tgt: specifies the target directory for the backed-up Recovery Files (default: current directory). Note that it may be good practice to store the Recovery Files off the client system. This will ensure their availability in the rare case when the client system is rendered inoperable.
- n, noverchk: no ProtectDrive version compatibility check is performed. For example, an 8.2.1 version of backup.exe can be run on an 8.5 version of ProtectDrive. If n is not used, a message will display to notify the user that there is a version mismatch between backup.exe and the ProtectDrive version.
103. ct. Click Yes to restart now, or No if you plan to restart later.

Disk Imaging: Norton Ghost Interoperability with ProtectDrive version 9.0 and higher

Disk imaging is a way to replicate the complete contents and structure of a hard drive or other data storage device. This method, also called ghosting, can be used to clone a fully prepared ProtectDrive system, which can then be rapidly deployed to a large number of computers in an enterprise.

An installation of ProtectDrive is designed to modify the Master Boot Record (MBR) and encrypt the entire drive partition. Attempting to back up such a drive using a program such as Norton Ghost can result in some confusion. There is an option in Ghost to back up the MBR and the entire disk contents including free space; however, this is incompatible with ProtectDrive. Imaging a ProtectDrive system must be done sector by sector to create a compatible backup. Ghost offers an option called RAW mode to preserve sectors. This document describes how to use Ghost in RAW mode to create a backup of an encrypted system.

Using Norton Ghost in RAW Mode

Command-line options (switches) can be specified when running the Norton Ghost program. Note that not all switches are available in all versions. To launch Ghost in RAW mode, run the DOS-mode Ghost.exe file distributed with Norton Ghost with th
104. d drive(s). For this purpose ProtectDrive introduces the Pre-boot User Authentication. The 32-bit pre-boot environment is the default, but the 64-bit and legacy 16-bit environments are also supported. The decryption key is encrypted by a unique data key derived from the user authentication credentials. After user authentication, the disk key can be decrypted and the operating system can be loaded. In support of this functionality ProtectDrive maintains its own Pre-boot User Database (pduserdb).

To assist the visually impaired, auditory prompting can be configured for pre-boot authentication. These prompts will occur for a number of screen states or conditions, such as smart card or token insertion, successful logon and unsuccessful logon. For details, refer to page 114.

The ProtectDrive Pre-boot User database has the following characteristics:
- Maximum Number of Users/Certificates: 2,000
- Username Length/Syntax: 1 to 20 characters
- Password Length/Syntax: up to 127 case-sensitive characters, no minimum (the Windows maximum password length is also 127)

Note: Although the maximum number of users is 2,000, three of these slots are reserved for ProtectDrive use only. The remaining slots are dedicated to your user database. However, keep in mind that each user can potentially use multiple user slots: one for their password, one for their shared key, and one for every certificate.

32-bit environment only: A blank screen saver
105. d is used to manage ProtectDrive clients with their own unique configuration policies. The ProtectDrive Management snap-in is virtually the same as the Active Directory Users and Computers MMC snap-in (it has the PD Settings and PD Users tabs), but it is used to manage groups of ProtectDrive clients with the same configuration policy. Alternatively, the Local Management Console utility may be used to manage clients locally. Local configurations may be saved in Active Directory/ADAM. Each client reports updated policy data back to the server.

Manage System Policy From the Server

Before configuring System and User Policy, review the contents of Chapter 7, Configuring Default System and User Policy. This will familiarize you with the fields on the PD Settings tabs. These tabs are used to configure ProtectDrive System Policy.

All systems in a Windows Domain can be managed remotely with the use of the PD Settings and PD Users tabs in the ProtectDrive Management Console snap-ins. The configuration settings in these tabs are stored in Active Directory/ADAM and are replicated (this is configurable) to the client systems.

Alternatively, System Policy settings applied on the server can be viewed and modified locally on the client systems only if:
- the Client Configuration option was selected at install time, or
- the ERA_CLIENT_CONFIGURATION_ONLY property in the SafeNet ProtectDrive.msi was set to configure the client locally via the Loca
106. d to function correctly if it is installed with another disk encryption product.

ProtectDrive is not compatible with Trusted Platform Module (TPM). If the machine is TPM capable, then it must be disabled in the BIOS in order for ProtectDrive to operate properly.

iolo System Mechanic Professional: It is not recommended that System Mechanic Professional be installed on the same PC as ProtectDrive.

Windows and Third-party Boot Managers: At system start-up ProtectDrive manipulates the Master Boot Record (MBR) while verifying its integrity. All software that needs to manipulate the MBR for its own purposes is incompatible with ProtectDrive. This also applies to the standard Windows boot manager.

Windows BitLocker and BitLocker To Go Drive Encryption Utilities: It is not recommended that these utilities be used on a system that is encrypted with ProtectDrive.

Chapter 4: ProtectDrive Software Compatibility (continued)

Windows Disk Manager Utility: Any post-installation disk repartitioning, resizing and mirroring configuration changes are prohibited by ProtectDrive. If any of the above operations are required, decrypt all disks and uninstall ProtectDrive before proceeding.

Windows Fast User Switching Utility: ProtectDrive disables the standard Windows Welcome screen along with its fast user switching functionality.

Windows Folder Compression Utility: Windows folder compression is
107. describe the suggested order in which to create new configuration objects and link clients to them. New configuration objects can only be added through the ProtectDrive Management snap-in in the ProtectDrive Management Console. You can access the ProtectDrive Management Console two ways:
- From the Windows desktop, double-click the ProtectDrive Management Console shortcut icon. The shortcut is added to the Windows desktop during the ProtectDrive Administrative Management Tools Installation.
- From the Windows Start menu, select Programs > SafeNet ProtectDrive > Management Console > ProtectDrive Management Console.

(Screenshot: the ProtectDrive Management console tree for the domain "safenet inc local", with client columns Last Update, Update Status, Encryption Status, PBA Activated, Rec Env and Rec Files; clients WALLABY, D600 XP and D610 XP; a TestConfig configuration object; ProtectDrive Reports; and Active Directory Users and Computers.)

Note: If a client is managed by the property sheet of its own computer object, it relies on its own configuration, which is automatically replicated from/to Active Directory or ADAM. Use the Active Directory Users and
108. Table of Contents (continued)

di, p. 163
Unattended Reboot and Automatic Pre-boot (APB) Authentication, p. 164
Creating a Disaster Recovery Disk Key, p. 166
Create the Recovery Disk, p. 166
Recover (Decrypt) the Disk, p. 168
Chapter 11: RapidRecovery Disaster Recovery Tools, p. 169
Introduction, p. 169
BACKUP.EXE: Creating ProtectDrive Recovery Files, p. 169
DECDISK.EXE: Disk Decryption Utility, p. 170
Using Recovery Files, p. 172
Manually Specifying the Decryption Area, p. 172
DISPEFS.EXE: ProtectDrive Diagnostic Utility, p. 173
PDUSERDB.EXE: Pre-boot User Database Administration Utility, p. 174
PEPREP.EXE: WinPE Bootable Recovery Disk Utility, p. 175
DUMP IE SCC INA Ostet Rents, p. 175
Create the WinPE Bootable Recovery Disk, p. 175
Inject the ProtectDrive Disk Key, p. 176
Map a Network Drive, p. 177
PEPREP Command Line Options
109. dialog box.
10. Either:
    - Click OK to commit the new field information, OR
    - Click Cancel to discard the account.
11. The Single Sign On Assistant exits.

Removing a Post Authentication Account Field

1. Run the Single Sign On Assistant.
2. Click Modify to change an existing account.
3. Run the application to perform the post authentication account logon. The Single Sign On Accounts dialog box displays.
4. Click Delete. Either:
   - Click OK to remove the field temporarily from the account, OR
   - Click Cancel to keep the field in the account.
   The Single Sign On Account dialog box closes and you are returned to the main Single Sign On Assistant dialog box.
5. Either:
   - Click OK to permanently delete the field from the account, OR
   - Click Cancel to keep the field in the account.
   The Single Sign On Assistant exits.

Exporting SSO Settings

1. Run the Single Sign On Assistant.
2. Click Export.
3. Browse to the file to export the settings to and then click Save.
4. Click OK when the Single Sign On Assistant reports successful export.

Chapter 7: Configuring Default System and User Policy

ProtectDrive will store an instance of a Default System and User Policy in Active Dir
110. Create a Replica of the ADAM Instance

After the unique ProtectDrive ADAM instance is created, you can create one or more replicas of the ADAM instance. A replica of an ADAM instance uses duplicate configuration and schema partitions from the unique ADAM instance. Computers with the ADAM replica connect to the unique ADAM instance using the same ports. Any configuration changes made to the primary (unique) ADAM instance will be updated on the replica(s).

Having an ADAM replica always ensures there is a backup available. In the event the primary ADAM server is inaccessible, the clients can continue to be updated via the replicated secondary ADAM instance until the primary ADAM server is available again. To view all of the configurations, simply open the ProtectDrive Management Console on the secondary server. If multiple instances were created, the clients will continue to search for an accessible ADAM replica instance in random order until one is located.

Replicas are named sequentially: the unique ADAM instance is named PD Instance, so the first replica is named PD Instance1, the second is named PD Instance2, and so on.

Follow the steps below to create the replica(s) of the primary ADAM server instance on another member server in the same domain. In this procedure, note that the Master Security Key options are inactive, as it is replicated from the unique ADAM instance.

1. Cli
111. dure on the previous page and contact the System Administrator. In turn, the System Administrator will use the Recovery File Set originally created after the ProtectDrive install to perform the following steps to complete the emergency logon procedure.

1. Run rpadmin.exe, located in Program Files\SafeNet\ProtectDrive on the server. The ProtectDrive Remote Recovery Console window displays.
2. Click the Emergency Logon tab.
3. In the Recovery Support Certificate/Key section, select the appropriate Recovery Support Certificate/Key option:
   - Personal Store: If you select this option, you must have the user's private recovery key certificate copied from their Personal Store to your machine.
   - PFX File: If you select this option, click the browse button and then browse to and open the user's private PdRecovery.pfx file. Enter the password. Entering a password will enable the Generate Response button.
   - CSP: If you select this option, choose the appropriate Provider from the drop-down list where the certificate key is stored.
4. Select the Recovery Envelope file for the user's computer:
   - Get From File: If you select this option, click the browse button and then browse to and open the <computername>_RecoveryEnvelope.env file.
   - Get From AD: If you select this option, click the browse button and then browse to the Active Directory computer and locate the computer object. This option will only work if the client was installed as remotely configured with an Active
112. dy been generated by either a previous installation or via the Certificate Wizard utility (refer to page 24).
   - If you select the Select existing Recovery File Set option, skip to step 10.
   - If you select the Generate new Recovery File Set option, the Recovery Files Password screen displays ("Enter a password that will protect some files in the Recovery File Set", with Password and Confirm Password fields). Enter and confirm the recovery file set password and then click Next.
9. Select the Recovery Files folder location and then click Next. (Select Recovery Files Folder screen: "Please select or enter Recovery Files Folder".)
   - If you chose the Select existing Recovery File Set option in step 8, the Recovery Files folder is the location where the existing files are located.
   - If you chose the Generate new Recovery File Set option in step 8, the Recovery Files folder is the location where the new recovery file set you are creating will be stored. Choose a secure location on your network, a floppy drive, or any other location except the local drive.
113. e. Once the network is connected, it is possible to access another computer on the same network. For example:

net use z: \\192.168.0.30\apps /user:mydomain\jdoe <enter>

You will be prompted for the user's password, and once it is verified, files can now be copied from the target computer to the specified computer.

PEPREP Command Line Options

Usage: PEPREP.EXE [options]
peprep v | prep img path pd path | inj file | clean img path

- usage: displays usage help.
- clean: removes ProtectDrive WinPE support from an image.
- e, est: estimates the region intended for decryption and forces the r option.
- img, peimage: path to the WinPE image, for example c:\winpe_x86\mount.
- inj, inject: injects the disk key file (dke).
- pd, pdfiles: path to the ProtectDrive WinPE support files.
- prep: prepares a WinPE image.
- r, rec: uses Recovery Files for the decryption operation.
- rp, recpath: specifies the path to the Recovery Files (points to the backup file set created with backup.exe).
- u, usb: provides the ability to access USB drives.
- v, ver: displays version information.

Chapter 11: RapidRecovery Disaster Recovery Tools (continued)

RMBR.EXE: MBR Recovery Utility

The ProtectDrive Boot Manager (Master Boot Loader) is the very first utility that runs after the system BIOS is loaded. ProtectDrive modifies part of the MBR during i
114. e
- Deciphering user key
- Deciphering disk key

20. After passing PBA, the certificate is handed off to Windows and domain login proceeds automatically with Single Sign-on enabled.

Appendix G: Supported Smart Cards, Tokens and Readers

This appendix summarizes the smart cards, tokens and smart card readers supported by the current version of ProtectDrive, which provide two-factor authentication prior to operating system startup. This information is constantly evolving. If you do not see a specific smart card, token or reader on this list, please contact Technical Support, as there may be more information available.

Smart Cards (smart card: last version tested)
- ActivCard Client Gold: 9.4.0 32-bit
- Aladdin Card OS eToken 32k: 9.4.0 32-bit
- Aladdin Card OS eToken 64k: 9.4.0 32-bit
- Aladdin Java eToken 72k: 9.4.0 32-bit
- Axalto Cyberflex 64k V1 (Schlumberger): 9.4.0 32-bit
- Axalto Cyberflex 64k V2c: 9.4.0 32-bit
- Nexus Smartcard: 9.4.0 32-bit
- SafeNet 330 (non-FIPS): 9.4.0 32-bit
- SafeNet 330 (FIPS): 8.4.0 16-bit, 9.4.0 32-bit
- SafeNet 330 U: 9.4.0 32-bit
- SafeNet 330 I: 9.4.0 32-bit
- SafeNet 330 GSA1: 9.4.0 32-bit
- SafeNet
115. e -ir (image raw) command line switch. The -ir switch is available in Norton Ghost 2002 and later. When -ir is used, disk backup operations will be performed in RAW mode and an "Image RAW" message will display while Ghost is in progress. The -ir switch tells Ghost to create a sector-by-sector copy without attempting to repair minor boot track problems. The result is an image file that is an exact duplicate of the source disk, which includes extraneous or erroneous boot track information. Partitions are not resized when Ghost is performing sector copies.

For more information on this and the other sector copy switches, refer to the following Symantec documents:
- "Forensic imaging using Ghost" at http://entsupport.symantec.com/docs/n1999110813413225
- "Switches: Sector copy" at http://service.symantec.com/SUPPORT/on-technology.nsf/docid/2001111413481325

Creating a Unique Disk Key for Each Deployed System

If you image a ProtectDrive system which has pre-boot activated, all systems that are deployed with that image will have the same disk encryption key. Currently there is no mechanism in ProtectDrive to change a disk key after installation other than to deactivate pre-boot and then re-activate it, which involves a full decryption and re-encryption. This is a time-consuming and undesirable scenario. It is highly rec
116. 4. The system will proceed to collect entropy to generate the recovery files. (Key Generation screen: "Please move the mouse while entropy is collected.") Move the mouse and then click OK when it is completed.
5. Click Next.
6. When the creation process is complete, the Wizard Operation Completed screen displays ("Click Finish to exit or click Continue to restart the Wizard"). Click Finish to close the Certificate Wizard, or click Continue to return to the Operation Selection screen to perform another procedure.
7. Verify that the Salt file was created and saved to the location you specified in step 3.

Create a Master Security Certificate

This option is used to create a Master Security Certificate to use for disaster recovery.

1. Navigate to the Tools directory on the ProtectDrive distribution CD and then double-click certwizardapp.exe. When th
117. e Certificate Wizard displays, click Next to continue.
2. Double-click Create Master Security Certificate, or select the operation and then click Next. (Operation Selection screen options: Create Salt File; Create Master Security Certificate, which creates a Master Security Certificate used for disaster recovery; Create Recovery Support Certificate.)
3. Select the Key Length and then click Next. (Key Length screen: "Select the key length", Key Length in bits.)
4. The Certificate Key Location screen displays ("Select certificate private key location": PFX File with Password and Confirm fields, or Token/Smart Card/HSM with a Provider Name list).
   - If you are creating a password-protected private key, select the PFX File option, enter and confirm the appropriate password, and then click Next.
   - If you are creating a token or smart card based private key, select the Token/Smart Card/HSM option, choose the appropriate CSP from the Provider Name drop-down list, and then click Next.
5. Browse to the directory where you want to save the output file and then click Next.
118. e Local Management Console or centrally managed from the ProtectDrive Management Console.

Appendix F: iKey Management

iKey 2032

There are two ways to manage the iKey 2032: through the SafeNet Token Manager Utility or through Web Enrollment.

SafeNet Token Manager Utility

1. Insert the iKey 2032 token. The light on the token should remain lit.
2. From the Windows desktop, select Start > Programs > SafeNet > SafeNet Token Manager Utility. (The utility opens in Internet Explorer from C:\Program Files\SafeNet\BSecClient\WebPages\index.html.)
3. Click Enrollment.
4. When prompted, enter a label for this token (up to 32 characters). This can be the user's name or anything else you choose. (Enrollment page, "Welcome pduser1. Step 1 of 2: Enter token label".)
5. Click Next. When prompted, enter and confirm a PIN for this token (4 to 32 al
119. e Tools, VMware Inc., 4/13/2010. When prompted, click Yes to confirm the action. When prompted, click Yes to restart the computer.

Removable Media Recovery

To ensure the recovery and reusability of a removable media device should it become unstable or compromised, follow one of these repair procedures to remove encryption from the device and then reformat it for reuse.

Standard Recovery Procedure

This procedure should be performed for each USB flash drive that is deployed.

1. Connect the removable media to the PC. The SafeNet ProtectDrive Removable Media Protection screen should display when the device is detected ("Enter a password to unlock the following drives", with Unlock, Do not unlock, Password, Recovery and Repair controls).
2. Click Repair.
3. Click OK when the following message displays: "The encrypted status can be removed so that the drive can be Formatted and usable. This will result in data loss. Would you like SafeNet ProtectDrive to remove the encrypted status of the drive?"
4. Click Yes.
5. When prompted, click OK and safely remove the device. ("Please remove drive E and re-insert it. Then Format the drive to make it usable.")
6. Re-connect the removable media device and reformat it for reuse. Ref
120. e a new salt/cid key in the Certificate Wizard to upgrade a client.
6. Any time the license changes, it is good practice to run the backup.exe utility to ensure your recovery file set is up to date. Refer to Chapter 11 for details on the backup utility.

About Interactive Upgrades

You can choose to either generate a new recovery file set or use an existing ProtectDrive version 8.2.1 or higher file set.
- If you choose to generate a new file set, the PdMaster and PdRecovery files and a backup of the license file will be created during the install.
- If you choose to use an existing file set, the PdMaster and PdRecovery files must have been previously created from a previous install or from the Certificate Wizard.
- If you are upgrading multiple clients, it is recommended that you use an existing file set.
- If you are upgrading a server and remote clients, upgrade the server first.

About Silent (GPO) Upgrades

This requires that you use an existing recovery file set. The recovery file set should be located in the same directory as the SafeNet ProtectDrive.msi file, or it should be in the path defined by the ERA_KM_REC_FILE_FOLDER_PATH MSI property. The directory specified here must be writeable, since the RecoveryEnvelope.env file and the <computername>_license.txt file will be created in this directory. If Active Directory or ADAM is being used, the RecoveryEnvelope.env file will also be copied to the management server
...corrupt. See below for "ProtectDrive appears to be corrupt".

Problem: A Smart Card/Token type account user cannot be authenticated by the ProtectDrive Pre-boot Authentication program.

Fix: Run Dispefs.exe /u to list all existing users and their account types. Smart Card/Token type account users are designated by the setting "Token User: True". Although a user may have one or more token accounts, it is possible that the certificate held on the token does not match the certificate originally used to create this user's record in the ProtectDrive pre-boot user database. Note that users may have multiple records in the pre-boot user database. The Hash field displayed by Dispefs.exe /u is the same value as the Thumbprint field displayed when certificate details are viewed in Windows, so the two can be compared directly. Finally, if the user is positive they are using a valid token and no other user is able to log on, then the ProtectDrive files have become corrupt. See below for "ProtectDrive appears to be corrupt".

Other alternatives include:
• If smart cards are used, try an alternative smart card reader.
• Remove and re-insert the smart card or token.
• Reboot the system and then retry the smart card or token.

Problem: User successfully authenticates at pre-boot but Windows does not

Fix: It is possible that one of the Windows system files is corrupt.
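The comparison the fix above describes (the Hash column of Dispefs.exe /u against the certificate Thumbprint Windows shows for the token) is easy to get wrong by eye because the two tools render the same SHA-1 value with different spacing and case. The following PowerShell is an added example, not part of the ProtectDrive guide or its tooling. It assumes the administrator pastes the Hash values from the Dispefs listing into $PreBootHashes (the two values shown are constructed samples, not real hashes) and that the token's certificates have been propagated into the user's Personal store (Cert:\CurrentUser\My), which is where the Thumbprint field is visible; the function names are the author's own.

```powershell
# Added example: match Dispefs.exe /u "Hash" values against the thumbprints of
# the certificates Windows sees for the inserted smart card/token.
$PreBootHashes = @(
    'a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4',  # constructed sample, as Dispefs might print it
    'FFEEDDCCBBAA99887766554433221100FFEEDDCC'                     # constructed sample, compact form
)

function ConvertTo-HexThumbprint([string]$Text) {
    # Dispefs and the Windows certificate dialog may render the SHA-1 hash with
    # spaces, colons and mixed case; reduce both sides to 40 upper-case hex digits.
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Compare-TokenCertificates {
    param(
        [Parameter(Mandatory)][string[]]$PreBootHashes,
        [string]$Store = 'Cert:\CurrentUser\My'   # where propagated token certs appear
    )
    $wanted = $PreBootHashes | ForEach-Object { ConvertTo-HexThumbprint $_ } |
              Where-Object { $_.Length -eq 40 }   # drop anything that is not a SHA-1
    foreach ($cert in (Get-ChildItem -Path $Store)) {
        $tp = ConvertTo-HexThumbprint $cert.Thumbprint
        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $tp
            NotAfter         = $cert.NotAfter
            HasPrivateKey    = $cert.HasPrivateKey
            MatchesPreBootDB = ($wanted -contains $tp)
        }
    }
}

Compare-TokenCertificates -PreBootHashes $PreBootHashes | Format-Table -AutoSize
```

A token certificate that shows MatchesPreBootDB = False is not the one that was used when the user's pre-boot record was created (or the record is stale), which points at re-enrolling the user rather than at a corrupt Embedded File System; only when every certificate on a known-good token matches and no user at all can log on does the "ProtectDrive appears to be corrupt" case apply.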
An Event Viewer listing for computer DORY shows Application Error, DrWatson, SafeNet ProtectDrive, ESENT, SecurityCenter and Alert Manager Event entries dated 2/1/2010. A representative SafeNet ProtectDrive event reads:

  Source:      SafeNet ProtectDrive
  Date/Time:   2/1/2010 4:31:12 PM
  Category:    None
  Type:        Information
  Event ID:    12289
  User:        N/A
  Computer:    DORY
  Description: Successfull preboot authentication. Thursday, February 01, 2010 16:30:31. Password logon. SAFENET INC\test

Active Directory/ADAM Reporting Script

The PDReport.vbs reporting script is used to view the encryption status of all client computers in your Windows Domain. This tool is provided in particular for regulatory compliance audit purposes. The Tools directory on the ProtectDrive distribution CD inc
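The event above is the raw material for monitoring pre-boot authentication centrally rather than by opening Event Viewer on each client. The PowerShell below is an added example, not part of the ProtectDrive guide or its tooling. It assumes the provider name is "SafeNet ProtectDrive", that the success event is ID 12289 with a description beginning "Successful(l) preboot authentication" and ending with DOMAIN\user, as in the event shown; the guide does not give an event ID for failed attempts, so anything else from the provider whose text contains "logon" is classified by message text. The sample events embedded in the script are constructed, and the failure event's ID and wording are hypothetical.

```powershell
# Added example: parse SafeNet ProtectDrive pre-boot events and summarise
# non-success attempts per account.
function ConvertFrom-ProtectDriveEvent {
    # Accepts anything with TimeCreated, Id and Message (Get-WinEvent output or
    # the constructed samples below) and returns one flat record per event.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $lines = @($Event.Message -split "`r?`n" | Where-Object { $_.Trim() })
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Id      = $Event.Id
            # '^Successful' also matches the guide's spelling "Successfull".
            Success = [bool]($Event.Id -eq 12289 -and $Event.Message -match '^Successful')
            Method  = if ($Event.Message -match '(Password|Token|Fingerprint) logon') { $Matches[1] } else { 'unknown' }
            Account = if ($lines.Count) { $lines[-1].Trim() } else { '' }   # last line carries DOMAIN\user
        }
    }
}

# Constructed sample events (not captured from a real system). The 12289 text
# mirrors the event shown above; the failure event (ID 12290) is hypothetical.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2010-02-01 16:30:31'; Id = 12289
        Message = "Successfull preboot authentication`r`nThursday, February 01, 2010 16:30:31`r`nPassword logon`r`nSAFENET INC\test" },
    [pscustomobject]@{ TimeCreated = Get-Date '2010-02-01 16:29:50'; Id = 12290
        Message = "Failed preboot authentication`r`nThursday, February 01, 2010 16:29:50`r`nPassword logon`r`nSAFENET INC\test" },
    [pscustomobject]@{ TimeCreated = Get-Date '2010-02-01 16:29:20'; Id = 12290
        Message = "Failed preboot authentication`r`nThursday, February 01, 2010 16:29:20`r`nPassword logon`r`nSAFENET INC\test" }
)

function Get-SuspiciousPreBootAccounts {
    # Accounts with at least $Threshold non-success pre-boot events: the pattern
    # the lockout policy exists to interrupt.
    param([Parameter(Mandatory)]$Records, [int]$Threshold = 2)
    $Records | Where-Object { -not $_.Success } |
        Group-Object Account | Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{n = 'Account'; e = { $_.Name }}, Count
}

# Offline run over the constructed samples:
$records = $SampleEvents | ConvertFrom-ProtectDriveEvent
Get-SuspiciousPreBootAccounts -Records $records | Format-Table -AutoSize

# Live run against a client's Application log (last 7 days):
# $live = Get-WinEvent -ComputerName $env:COMPUTERNAME -FilterHashtable @{
#             LogName = 'Application'; ProviderName = 'SafeNet ProtectDrive'
#             StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
#         ConvertFrom-ProtectDriveEvent
# Get-SuspiciousPreBootAccounts -Records $live
```

Treat the Account field with the same care as any other parsed log data: it is the tail of a free-text description, so confirm the real failure events on your client version carry the account on their last line before relying on the grouping.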
The license.txt or authorization.txt file (do not change the name of the file that you received) must be in the same directory as the SafeNet ProtectDrive.msi file. If a license has expired, update the license through License Manager or through the nag screen that displays periodically after the license has expired. Refer to page 133 for more details. Any time the license changes, it is good practice to run the backup.exe utility to ensure your recovery files are up to date. Refer to Chapter 11 for details on the backup utility.

License.txt Installation

During the ProtectDrive installation, browse to the .txt license file to install the license(s). Refer to page 64 for detailed step-by-step procedures for a ProtectDrive client installation. For silent GPO installations, the file license.txt must be included in the same directory as the SafeNet ProtectDrive.msi file. For single installations, make sure the appropriate .txt file is in a location that you can browse to during the installation process.

Authorization.txt Installation

Most deployments require an authorization.txt file. Client PCs should have Internet access to complete this type of installation: the client's firewall must allow outbound access to the Internet on port 80 or port 5094. If Internet access is not available, refer to the next section. During the ProtectDrive installatio
...the system boots in 16-bit mode and the 16-bit legacy ProtectDrive pre-boot logon screen displays.
3. Log on with your ProtectDrive credentials as usual.

Using this method to switch to 16-bit mode is only in effect until the system is rebooted again.

Switch from the Default to the Legacy Pre-boot (Permanent)

If you wish to permanently change from the default pre-boot environment to the legacy pre-boot environment, contact SafeNet Technical Support for instructions. Additionally, Technical Support maintains an extensive list of systems which SafeNet has validated as requiring no pre-boot adjustment for use with ProtectDrive.

Disk Encryption Warning

If the "Display warning when disks are not fully encrypted" option (PD Settings > Advanced > Encryption > Fixed Disks) is set and any of the drives are found to be unencrypted or partially encrypted, the following ProtectDrive balloon tip displays right after the Windows Explorer shell loads:

  SafeNet ProtectDrive Encryption Warning
  All hard drives must be fully encrypted to ensure your system is secure. The following drives have not been fully encrypted:

ProtectDrive User Authentication Activity Tracking

If the Show Logon Information and/or the Show Unsuccessful Logon Warnings options (PD Settings > Advanced > User Interface) are set, th
...the "Select existing Recovery File Set" option in step 8, the recovery files folder is the location where the existing files are located.

• If you chose the "Generate new Recovery File Set" option in step 8, the recovery files folder is the location where the new recovery file set you are creating will be stored. Choose a secure location on your network, a floppy drive, or any other location except the local drive. (InstallShield Wizard, Select Recovery Files Folder: "Please select or enter Recovery Files folder".)

10. The system proceeds to collect entropy to generate the recovery files. Move the mouse, and then click OK when it is completed. (Key Generation: "Please move the mouse while entropy is collected. Select OK to continue.")

11. A prompt similar to the one shown below displays if the recovery files were successfully created. Click OK to continue. (InstallShield Wizard: "Label and store safely the SafeNet ProtectDrive key files after the installation is complete.")
Manage User Policy From the Server

Assigning Users to Clients and Managing User Policy via the Computer Object

Before configuring User Policy, review the contents of Chapter 7, Configuring Default System and User Policy. This will familiarize you with the fields contained in the PD Users tab, which is used to configure ProtectDrive User Policy.

Sample Configuration

The following steps outline how to configure a client system.

1. On the server, open the ProtectDrive Management Console.
2. Open the Active Directory Users and Computers MMC snap-in, right-click on the client PC's name, and then select Properties.
   OR
   Open the ProtectDrive Management snap-in, select Configuration Objects, right-click on ProtectDrive Default Configuration (or the alternative configuration object to which the client has been or will be assigned), and then select Properties.
3. Select the PD Users tab and then add all of the Windows Domain users and user groups you would like to give pre-boot access to this client system.
4. For each user or group, click Set to set their device access permissions. Note that changes to device access permissions for any user or user group apply across the entire Windows Domain: changing permissions here makes the change on every client system where this user or group is listed.
5. Select the Certific
Recovery

Inaccessible or corrupt ProtectDrive systems can be booted to MS-DOS from a floppy disk or CD. Drives that require special DOS drivers (for example SCSI) or TSRs are only accessible to the ProtectDrive recovery tools if the respective drivers are loaded.

Supported Networks

ProtectDrive is Active Directory aware and fully supports Windows Domains. It does not interfere with normal operation of any of the Windows network services, including Remote Desktop connections. Windows Domain as well as local Windows users are able to authenticate successfully into systems secured by ProtectDrive. All hard disk partitions encrypted with ProtectDrive are configurable as shared volumes at the discretion of the System Administrator.

Chapter 4 ProtectDrive Software Compatibility

ProtectDrive has been tested and does not interfere with normal operation of most MS Windows compliant software applications, services and utilities. Some care needs to be taken, however, when using the following.

DOS Drivers and TSRs

When booted from a DOS floppy or CD, ProtectDrive sees hard disks accessible via DOS drivers and TSRs only if the appropriate drivers are loaded.

Other Disk Encryption Products and Security Components

ProtectDrive cannot be expecte
Select Remove All Clients. Note that a configuration object cannot be deleted while clients are still assigned to it.
5. Click Yes to confirm the action.

Computer Object-managed Clients vs Configuration-managed Clients

When a client is computer object-managed, it relies on its own property sheet configuration, which is automatically replicated to Active Directory or ADAM. Computer object-managed clients can only be viewed in the Active Directory Users and Computers MMC snap-in. Alternatively, a client managed by a configuration object other than its own configuration is a configuration-managed client. You can reassign a client from being managed by its computer object to a different configuration object, and vice versa, at any time. Refer to page 60 for details.

Change a Computer Object-managed Client to a Configuration Object-managed Client

1. On the server, open the ProtectDrive Management Console.
2. Open the Active Directory Users and Computers MMC snap-in.
3. Select Computers, right-click on the client, and then select Properties.
4. Select PD Settings > Configuration Management. The client displays as "Managed by this property sheet". (The testPC Properties dialog shows the General, Operating System, Member Of, Location, Managed By, PD Settings and PD Users tabs; PD Settings contains the Configuration Management, Status, Authentication and Advanced sub-tabs.)
Two installation prerequisites located in the VSSetupPrerequisites directory on the ProtectDrive distribution CD are required to run ProtectDrive Management Console reports. If these prerequisites are not installed first, the ProtectDrive installation will fail. The VSSetupPrerequisites directory includes the following subfolders:

  Subfolder                               Action Required
  074EE22F-2485-4FED-83D1-AAC36C3D9ED0    Run dotnetfx35.exe (the .NET Framework 3.5 Setup).
  a0689fe9-3467-4d73-bc25-d0f696ad268a    Run CRRedist2008_x86.msi for a 32-bit environment, OR
  cdd854f9-a31f-4f99-82f5-3c0be21104a4    Run CRRedist2008_x64.msi for a 64-bit environment.

Install the ProtectDrive Administrative Management Tools component before you install the client components. These tools are required to manage remote clients. Refer to page 55 for a description of each tool and how and when to use them.

1. Open the ISSetupPrerequisites folder and run dotnetfx35.exe. Then:
   • For 32-bit environments, run CRRedist2008_x86.msi.
   • For 64-bit environments, run CRRedist2008_x64.msi.
2. Launch SafeNet ProtectDrive.msi. The ProtectDrive installation wizard opens.
3. When the Welcome screen displays, click Next. ("Welcome to the InstallShield Wizard for SafeNet ProtectDrive. The InstallShield(R) Wizard will install SafeNet ProtectDrive on your computer. To continue, click Next. WARNING: This program is protected by copyr
        Start Sector   End Sector   Algorithm   Megabytes   Encrypted
  FE    63             16771859     3DES CBC    8189        100.00

  Select encrypted area to decrypt (Ctrl-C to exit).

DISPEFS.EXE ProtectDrive Diagnostic Utility

This diagnostic tool displays the contents of the ProtectDrive system files. ProtectDrive stores system data in a number of files contained in the Embedded File System (EFS).

Usage: DISPEFS.EXE [options] > output_text_file

  Option           Description
  /usage           Displays usage help
  /v, /ver         Displays version information
  /a, /all         Displays contents of all ProtectDrive system files
  /d, /dtes        Displays drive table entries
  /cfg             Displays configuration data
  /g, /gda         Displays general data
  /x, /ex          Displays exchange data
  /u, /user        Displays the pre-boot user database
  /rec             Displays data from Recovery Files
  /rp, /recpath    Specifies the path to the Recovery Files
  (no arguments)   Displays all system files

PDUSERDB.EXE Pre-boot User Database Administration Utility

This command-line MS-DOS tool manipulates the ProtectDrive pre-boot user database, allowing the ProtectDrive Administrator to:
• List the names of users authorized to perform ProtectDrive pre-boot authentication
• Remove Local and Domain (including Token/PIN) user
...Active Directory/ADAM. Every time a new computer account is created in the Windows Domain, these stored default settings automatically apply.

Clients that are managed by the property sheet of their own computer object are managed through the ProtectDrive Management Console via the Active Directory Users and Computers (ADUC) MMC snap-in. Clients that are linked to either the Default Configuration Object or another Configuration Object are managed through the ProtectDrive Management Console via the ProtectDrive Management snap-in.

Configure Default Settings in the Active Directory Users and Computers (ADUC) MMC Snap-in

The ADUC MMC snap-in is primarily used for initial ProtectDrive configuration immediately after ProtectDrive is installed. For subsequent configuration changes, use the ProtectDrive Management Console.

1. On the server, open the ProtectDrive Management Console.
2. Open the Active Directory Users and Computers MMC snap-in.
3. Select View > Advanced Features. (The ADUC View menu offers Add/Remove Columns, Large Icons, Small Icons, List, Detail, "Users, Groups, and Computers as containers", Advanced Features and Filter Options.)
...need to create a unique ProtectDrive ADAM instance. It must be created on a computer that is not a domain controller running Active Directory. Each domain can contain one ADAM configuration set, which consists of the unique ProtectDrive ADAM instance and its replicated instances. After the unique ProtectDrive ADAM instance is created, you can create one or more replicas of the ADAM instance as a backup. Refer to page 48 for details.

1. Click Create ADAM Instance. (The ADAM Unique Instance Information dialog asks for the Port and SSL Port the ADAM instance will listen on, and for the Master Security Key source: Personal Store, PFX File (with File and Password), or CSP (with Provider).)
2. Enter the Port and SSL Port values on which to create the ADAM instance.
3. Select the appropriate Master Security Key option:
   • Personal Store: If you select this option, the Master Security Certificate's private key must be in the user's Personal Certificate Store on this machine.
   • PFX File: If you select this option, click the browse button, browse to the PdMaster.pfx file, and then enter the password.
   • CSP: If you select this option, choose from the Provider drop-down list the cryptographic service provider where the certificate key is stored.
4. Click OK. The status window displays the action(s) being performed. Information is also logged to the PDDirPrep.log file.
5. Proceed to the Extend Directory Schema task.
...then after successful Windows authentication, and right before the Windows Explorer shell loads, the following two ProtectDrive balloon tips display. These messages alert the user to their ProtectDrive pre-boot authentication activity to date.

  SafeNet ProtectDrive Logon Information
  PBA User: Sue   Domain: SAFENET-88F0C60
  Accounts: 1 Password account
  Logon counts: 1
  Previous logon: never
  Total failed logon attempts since last system logon: 2
  Logons since last password change: 1
  Last failed logon: Monday, October 11, 2010 10:09:17
  Password last changed: never

  SafeNet ProtectDrive Logon Warnings
  Incorrect Pre-boot Username and/or Password

Lockout policy defines the maximum number of failed pre-boot authentication attempts along with the lockout period. If a lockout occurs, ProtectDrive displays a lockout screen and a countdown commences for a pre-determined period of time, defined in PD Settings > Advanced > Lockout. The system is inoperable during this time. In the example shown in the guide, the user is denied access for three minutes. Once access is regained, open the system's Event Viewer for details on failed logon attempts and other events. See page 184 for more on Event Viewer.

Pre-boot Log On Failure Due to System Inoperability

If any of the ProtectDrive system files and/or encrypted hard drive partitions experience corruption, the user may not be able to authenticate into the sy
...screen does not display. (ProtectDrive Default Initial Pre-boot Screen: choose login method.)
• In the case of consecutive failed pre-boot authentication attempts, the Lockout configuration policy is enforced to prevent PIN guessing. Open the system's Event Viewer for details on failed logon attempts and other events. See page 184 for more on Event Viewer.

Authenticate with Smart Card/Token and PIN/Fingerprint

Pre-boot Authentication

Refer to Appendix A for a detailed diagram of the Smart Card/Token and PIN/Fingerprint pre-boot authentication logic flow. If the ProtectDrive "Allow Token Domain User Access" or "Allow Shared Key Access" authentication option is set, the pre-boot authentication screen is the Default Smart Card/Token and PIN Log On Screen or, in the legacy pre-boot environment, the Legacy Smart Card/Token and PIN Log On Screen (high resolution only). Press F1 for Help.

If smart card/token log-in requires a fingerprint, the inserted smart card or token is fingerprint-enabled, and a biometric reader is detected, then the pre-boot authentication screen displays the fingerprint log-on screen. PIN entry is an alternative logon method on this screen. Cards used for fingerprint logon must be initialized as PKI cards with BSEC middleware version 7.1.1 or higher. (ProtectDrive Default Sma
...entation suite.
• ProtectDrive: This standard edition is targeted for workstations and laptops.
• ProtectDrive for Servers: This edition is targeted for server operating systems. Servers have unique full disk encryption requirements compared to workstations and laptops. ProtectDrive for Servers operates seamlessly with hardware-based RAID systems, rendering removable disks unreadable to unauthorized parties outside of the original or recovered server system.

Who Should Read This Document

This document is intended for System Administrators who are responsible for the configuration and maintenance of various computer system components such as ProtectDrive. You must have administrative privileges to install and configure ProtectDrive. Use this document as a guide for ProtectDrive deployment on stand-alone and networked multi-user computer systems with single-boot configurations, for issues pertaining to ProtectDrive installation, data encryption, system and user management, and disaster recovery.

Chapter 2 ProtectDrive Functional Description

Supported Pre-boot User Authentication Credentials

In order to boot an encrypted operating system partition, ProtectDrive must get access to the decryption keys prior to the operating system boot. These keys are used for decrypting the operating system files as well as the rest of the encrypted har
...clients and perform disaster key recovery and emergency logon procedures.

6. Select the language to be used for interface labels and text messages, and then click Next. (SafeNet ProtectDrive Language: "Select the language for SafeNet ProtectDrive User Interfaces and Help Manuals": English, German or Japanese.)
7. Browse to the MSO certificate folder where existing MSO certificates are located, and then click Next. This certificate ensures that a server or client will connect only to an ADAM instance that has a Service Connection Point (SCP) with a signed MSO value. (Select MSO Certificate Folder: "Please select or enter path to MSO Certificate Folder", for example C:\MSO Certificates.)
8. The following screen displays. Click Install to continue. ("The wizard is ready to begin installation. Click Install to begin the ins
Chapter 9 User Authentication ..... 147
  Authenticate with Smart Card/Token and PIN/Fingerprint ..... 148
    Pre-boot Authentication ..... 148
    Windows Authentication ..... 149
    Token Removal Policy ..... 150
  Authenticate with Username, Password and Domain Name ..... 151
    Pre-boot Authentication ..... 151
    Windows Authentication ..... 152
  Helpful Hints ..... 153
Chapter 10 Extraordinary Authentication Scenarios ..... 155
  Emergency Logon for Token Users Procedure ..... 156
    End User Instruction ..... 156
    System Administrator Instruction ..... 157
  Emergency Logon With Username Procedure ..... 159
    End User Instruction ..... 159
    System Administrator Instruction ..... 160
  Emergency Logon Without Username Procedure ..... 162
    End User Instruction ..... 162
    System Administrator Instruction
...recovery mechanism.

  Code: 3309   Module: VROM
  Message: Configuration file has been fatally corrupted.
  Cause: EFS corruption; hard disk failure.
  Fix: Standard Recovery Procedure.

  Code: 3310   Module: VROM
  Message: Error occurred initializing the token module.
  Cause: The token module could not be initialized and password logons are not allowed.
  Fix: To diagnose this error further, contact SafeNet Support. To get access to the system, exercise the password fallback function.

Appendix E Additional Guidance Regarding Security

Evaluated Versions of ProtectDrive

This appendix provides important guidance to users of evaluated versions of ProtectDrive. Evaluation of ProtectDrive is based on assumptions contained in a Security Target for the evaluation. The Security Target describes the basis of the evaluation, including:
• Threats that the security claims of ProtectDrive are designed to counter
• Environmental and organizational assumptions required to support the security claims
• Constraints on the configuration of ProtectDrive required to support the security claims

When relying on an evaluated version of ProtectDrive, users should follow the recommendations in this appendix, refer to the evaluation Security Target, and refer to the Certification Report for guidance on use of the evaluated version of ProtectDrive. The Security Target and the Certification Report can be found in the Com
...Recovery.pfx file. Enter the password. Entering a password enables the Generate Response button.
   • CSP: If you select this option, choose from the Provider drop-down list the cryptographic service provider where the certificate key is stored.
4. Select the Recovery Envelope file for the user's computer:
   • Get From File: If you select this option, click the browse button and then browse to and open the <computername>_RecoveryEnvelope.env file.
   • Get From AD: If you select this option, click the browse button and then browse to the Active Directory computer and locate the computer object. This option only works if the client was installed as remotely configured with an Active Directory install.
5. Enter the code provided by the user into the Recovery Code field and then click Generate Response. (The Emergency Logon tab of the Remote Recovery Console shows: Recovery Support Certificate Key, with Personal Store, PFX File (File, Password) and CSP (Provider, for example Gemplus GemSAFE Card CSP v1.0); Recovery Envelope, with Get from File and Get from AD; Recovery Input, with Recover for Username, Recovery Code and Response. Spaces in the codes are for display purposes only.)
6. Instruct the user to enter the automatically generated response code into the "Enter response below" field. At this point the user will
...Settings > Authentication.
• About SafeNet ProtectDrive: View the ProtectDrive version, license and copyright information.

(The Status tab of PD Settings lists Fixed Disks with the columns Drive, Configured, Current, Size (MB), Percent and Time Remaining, for example "C: None None 8181 0 0:00", with Encrypt and Decrypt buttons; Removable Drive Protection Progress with the columns Drive, Size (MB), Percent Encrypted and Time Remaining; and Update Status, for example Last Configuration Change: Never, Last Client Update: 6/13/2007 11:50:43 AM, Client Status Message: Update successful.)

The Status group allows for default configuration and automatic execution of disk encryption on the remote client system. Any partitions configured for encryption here are automatically encrypted by default on all systems newly added to the Windows Domain.

The Update Status section of this screen includes the date, time and status of the last client update and/or client configuration change.

Drive: This column lists all possible partitions for the client system. Note that this list does not accurately portray the partition allocation table on the client system. Since this information is not readily available in Active Directory/ADAM, ProtectDrive first lists all possible partitions between C: and Z:. Then, after the first successful update, only the drives th
...new pre-boot user account with any unique Username and Password. One way to do this is to use pduserdb.exe (see Chapter 11).
2. Amend the Windows Registry under HKLM\Software\SafeNet\ProtectDrive as shown below. Refer to the table for details on the values you can add for this account. After the APB values have been added, every type of logon (for example an RDP connection, a log off/log on, etc.) causes the deletion of that specific value.

  APB_COUNT (REG_DWORD, 0 .. N)
    Set to zero (0) by default; this option allows no automatic pre-boot authentication. If any of the automatic pre-boot authentication attempts fails, this value is reset back to zero (0). If set to a value greater than 0 (0 < N < 65535), then N automatic pre-boot authentications are allowed. Set to 0x0000FFFF or greater for unlimited automated pre-boot authentications.

  APB_USERNAME (REG_SZ)
    Username.

  APB_PASSWORD (REG_SZ)
    User pre-boot password. Use this value to enter the PIN for the token if APB_TOKEN is used.

  APB_DOMAIN (REG_SZ)
    Domain name for the user.

  APB_RESETINTVECTS (REG_DWORD, 0 / 1)
    Set to zero (0) by default; this option causes no change in normal ProtectDrive operation. When set to 1, this option suppresses the standard ProtectDrive warning message displayed when any system tampering is detected. This can be useful when performing a BIOS upgrade, which can change the interrupt vector addresses, as part of automated system maintenance.

  APB_TOKEN (REG_DWO
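The values above let a maintenance reboot pass pre-boot authentication with nobody at the keyboard, which is exactly why they deserve a script that sets them narrowly and checks that they are gone afterwards: while APB_PASSWORD exists it is a cleartext REG_SZ, readable by anyone who can read HKLM on that machine or a backup of its hive. The PowerShell below is an added example, not part of the ProtectDrive guide or its tooling. It assumes the dedicated pre-boot account (here "pdmaint") has already been created with pduserdb.exe, that the values are set under HKLM\Software\SafeNet\ProtectDrive as documented, and that the machine is rebooted immediately after they are written, since the guide says any logon deletes them; the function names and the sample credentials are the author's own.

```powershell
# Added example: arm exactly one unattended pre-boot logon with the APB_* values,
# then verify after the maintenance window that ProtectDrive removed them.
$PdKey = 'HKLM:\Software\SafeNet\ProtectDrive'   # registry key named in the guide

function Set-AutoPreBoot {
    param(
        [Parameter(Mandatory)][string]$UserName,        # dedicated pre-boot account
        [Parameter(Mandatory)][string]$Password,        # its pre-boot password (or token PIN with APB_TOKEN)
        [string]$Domain = '',
        [ValidateRange(1, 65535)][int]$Count = 1,       # 0 < N < 65535; 0xFFFF and above = unlimited
        [switch]$SuppressTamperWarning                  # APB_RESETINTVECTS=1, BIOS upgrades only
    )
    if (-not (Test-Path $PdKey)) { throw "$PdKey not present; is the ProtectDrive client installed?" }
    New-ItemProperty -Path $PdKey -Name APB_USERNAME -PropertyType String -Value $UserName -Force | Out-Null
    New-ItemProperty -Path $PdKey -Name APB_PASSWORD -PropertyType String -Value $Password -Force | Out-Null
    if ($Domain) {
        New-ItemProperty -Path $PdKey -Name APB_DOMAIN -PropertyType String -Value $Domain -Force | Out-Null
    }
    New-ItemProperty -Path $PdKey -Name APB_RESETINTVECTS -PropertyType DWord `
        -Value ([int]$SuppressTamperWarning.IsPresent) -Force | Out-Null
    # APB_COUNT goes last: it is the value that actually enables unattended logons.
    New-ItemProperty -Path $PdKey -Name APB_COUNT -PropertyType DWord -Value $Count -Force | Out-Null
}

function Get-AutoPreBootValues {
    # Returns the APB_* values still present (empty when ProtectDrive has consumed them).
    $item = Get-ItemProperty -Path $PdKey -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    @($item.PSObject.Properties | Where-Object { $_.Name -like 'APB_*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = $_.Value } })
}

function Clear-AutoPreBoot {
    # Remove any leftovers by hand; the password is the value that must not linger.
    foreach ($v in Get-AutoPreBootValues) { Remove-ItemProperty -Path $PdKey -Name $v.Name }
}

# Maintenance window: arm one unattended boot, then reboot without logging off first
# (the guide says any logon, including log off/log on, deletes the values).
Set-AutoPreBoot -UserName 'pdmaint' -Password 'Constructed-Sample-Pw1' -Domain 'CORP' -Count 1
# Restart-Computer -Force

# After the window, on the next interactive session:
$left = Get-AutoPreBootValues
if ($left) {
    Write-Warning ("APB values still present: {0}" -f (($left | ForEach-Object Name) -join ', '))
    Clear-AutoPreBoot
}
```

Keep the account used here separate from any human's pre-boot identity and give it no more device access than the maintenance task needs; if APB_COUNT is ever found above 1 on a machine that is not mid-maintenance, treat it as a finding, because it means the box will boot past full-disk encryption for whoever powers it on.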
...new replacement GINA and prompts whether you would like to chain the replacement GINA with the ProtectDrive GINA.
3. Either:
   • Select not to chain the GINA. You are warned of the security implications of that selection: ProtectDrive cannot provide single sign-on and cannot enforce the login method.
   OR
   • Select to chain the replacement GINA, so that the Single Sign On Assistant chains the GINA and you can set the GINA configuration.

You must run the Single Sign On Assistant after the installation of any additional software.

Changing the Chained GINA

1. Run the Single Sign On Assistant.
2. Select the desired GINA in the Single Sign On Assistant. If you select a third party GINA, the Single Sign On Assistant must be used to specify the GINA configuration.
3. Either:
   • Click OK or Apply, and the Single Sign On Assistant commits the GINA selection.
   OR
   • Click Cancel, and the new GINA selection is discarded.
4. The Single Sign On Assistant exits.

Setting the GINA Configuration

1. Run the Single Sign On Assistant.
2. Select a third party GINA. (The Standard Windows and RSA GINAs are configured automatically.)
3. Click Configuration.
4. Browse to the GINA DLL filename and location.
5. For each GINA dialog of interest to the ProtectDrive GINA (Notice, Logon, Change Password, etc.), specify the dialog and control ID
  • If Drive C: is not encrypted, proceed with normal Windows boot recovery.
  • If Drive C: is encrypted, run decdisk.exe to decrypt the system drive and enable the Windows Recovery tools to access the system drive.

Problem: The ProtectDrive Pre-boot Authentication Program does not run.

Fix:
  • If rmbr /o or another utility has replaced the ProtectDrive MBR, the Pre-boot Authentication program will not run.
  • If the system drive is encrypted, the operating system will also fail to load.
  • If the system drive is not encrypted but other drives are, the operating system will load, but access to the encrypted drives is prevented by the ProtectDrive driver.
  To recover from these situations, run rmbr /p.

Problem: ProtectDrive appears to be corrupt.

Fix: If ProtectDrive is corrupt, then one of the following is possible:
  • The Pre-boot Authentication Program will not run or behaves strangely.
  • Valid users cannot be authenticated at pre-boot.
  • The operating system fails to load.
  If none of the above sections apply, or you failed to restore ProtectDrive to normal working order, then all the encrypted drives will need to be decrypted using decdisk.exe. If decdisk.exe is unable to access the ProtectDrive Embedded File System (EFS), then use the Recovery Files originally created by backup.exe. Once all the drives have been decrypted, run rmbr /o to restore the original MBR. It is possible to boot the operating system once the system drive has been decrypted. It is not
...effect will be achieved if no users have been assigned to the system. In short, the Pending status prevails until the system is properly configured and the policy data successfully replicates from the server.

If the Activate Pre-boot Authentication option is reactivated, ProtectDrive resets all user passwords to the configured initial pre-boot password. This may be explicitly defined in PD Settings > Advanced > Password Policy, where the default password is set either equal to the username or to a designated default (the pre-set default is "password"). Because every user's pre-boot password reverts to that shared initial value, plan the reactivation so that users change it promptly.

Status Tab

Monitor the Update Status section on this tab for an indication of the time of the most recent policy data change and client update. If the Last Client Update is chronologically later than the Last Configuration Change, then the policy data has successfully replicated to the client. In the following example, policy data has been successfully updated from the server (left); on the right, the client is still awaiting the next update.

  Update Status (replicated)                            Update Status (awaiting update)
  Last Configuration Change: 1/13/2011 07:13:43 AM      Last Configuration Change: 1/13/2011 07:13:43 AM
  Last Client Update:        1/13/2011 11:50:43 AM      Last Client Update:        1/11/2011 10:50:43 AM
  Client Status Message:     Update successful          Client Status Message:     (blank)

• Click the Encrypt/Decryp
145. for details. Click the Backup Files option, click the browse icon, and then browse to the folder location and click OK.
• To locate the backup file set on the Active Directory computer, click the Get from AD option, click the browse icon, and then browse to the computer object in the domain where the backup file set is located and click OK.
The ACSVER, BACKUP, TLV, DKENV, DTE, GDA and MBR recovery files will be saved to the same location as the disk key (.dke) file specified in the next step.
5. Enter the Disk Key File name (for example, diskkey.dke), click the browse icon, browse to the location where the file should be saved, and click Save.
6. Enter and confirm the passphrase for the key file.
For your reference, a completed sample Disk Key Recovery screen is shown below.

(Remote Recovery Console, Disk Key Recovery tab; the other tab is Emergency Logon.)
  Master Security Certificate Key: PFX File (alternative: Personal Store) = PD 8 3 Recovery Files\PdMaster.pfx; Password
  Backup File set Location: Backup Files = C:\Backup Files; Get from AD = LDAP://sfnt.local/CN=BEL1 203330,OU=Computers
  Disk Key Output: Disk Key File = PD 8 3 Recovery Files\diskkey.dke; Passphrase; Passphrase Confirmation
  Button: Generate Disk Key File

7. Click Generate Disk Key File.
8. Click OK when the Disk Key File is successfully generated.
Remote Recovery Cons
146. (ADSI Edit Attribute Editor listing attributes such as fromEntry, instanceType, keywords and modifyTimeStamp, with the Multi-valued String Editor open for the keywords attribute. Its values include several GUIDs and OIDs, fsmo naming, fsmo schema, instance ProtectDrive, two partition entries (Configuration and PDPartition) and site Default First Site Name.)
If you see the instance ProtectDrive value listed for this attribute in the Multi-valued String Editor window, you have verified that this is the SCP for the ProtectDrive ADAM instance. Continue with step 4. If you do not see the instance ProtectDrive value listed for this attribute in the Multi-valued String Editor, this is an SCP for a different service. Do not delete or
4. After you have located the ProtectDrive SCP, close the Multi-valued String Editor and the Attribute Editor windows.
5. Select the ProtectDrive SCP to remove from the right pane in ADSIEdit and select Action > Delete.
6. Click Yes to confirm the deletion.

Configure the Windows Firewall for ADAM
To help protect the security of your ProtectDrive server and clients
147. fully supported, but with one exception: the ProtectDrive system files directory (Securdsk) must not be compressed on any partition. Do not install ProtectDrive to a compressed system drive (if the system drive is C only). This will result in the compression of the C:\Securdsk directory, which will interfere with normal ProtectDrive operations.

Windows System Restore Utility
Windows System Restore points created prior to the ProtectDrive install are rendered useless. The system can only be restored to a restore point created following the ProtectDrive install.

Chapter 5 Deploying ProtectDrive

Best Practices
Review the sections below and make sure you have performed the appropriate procedures before and after installing ProtectDrive. You must have administrative privileges to install and configure ProtectDrive.

Before deploying ProtectDrive:
• Defragment the drives which will be encrypted by ProtectDrive.
• Repair any existing disk errors. The utilities provided by the hard disk manufacturer are typically the most robust tools for repairing disk errors.

Fingerprint Authentication
If fingerprint authentication will be used, before deploying ProtectDrive the smart cards/tokens must be initialized as PKI cards with BSEC middleware version 7.1.1 or higher prior to installing ProtectDrive. If ProtectDrive was installed before the BSEC m
148. gement
11. If you are prompted to do so, enter the PIN of the SD800 token. You may also receive the following warning:
"Potential Scripting Violation. This Web site is adding one or more certificates to this computer. Allowing an untrusted Web site to update your certificates is a security risk. The Web site could install certificates you do not trust, which could allow programs that you do not trust to run on this computer and gain access to your data. Do you want this program to add the certificates now? Click Yes if you trust this Web site. Otherwise, click No."
(Internet Explorer, Microsoft Certificate Services page: "Certificate Installed. Your new certificate has been successfully installed.")
13. Your certificate should now be on your token and in the local machine store. Note the serial number for this certificate. It can be compared to the list of issued certificates on the CA; refer to the example below.
(Certification Authority (Local) console, with columns Requester Name, Binary Certificate, Certificate Template and Serial Number. Example rows: PROTECTDRIVE\TLDCSRV2KS, template CA Exchange (CAEx...), serial number 61382c0d000000000004; PROTECTDRIVE\User 13, template Smartcard User (Sm...), serial number 6139860e000000000005. The tree also shows a Revoked Certificates folder.)
149. gerprints that are enrolled will determine the login screen that displays. Refer to the SafeNet Borderless Security PK and SSO User Guide for details on fingerprint enrollment.
(Two Token Login screens for user ThisUser. With one fingerprint enrolled the prompt reads "Please place your fingerprint on the reader now"; with more than one fingerprint enrolled it reads "Please select and place your fingerprint on the reader". Both offer the alternative "OR Enter your Token Password".)
After authentication is successful, the Windows desktop displays.

Token Removal Policy
Computers using tokens or smart cards for Windows Domain authentication can be configured to automatically lock the system when the token is removed. This behavior is controlled by the Smart card removal behavior policy in the MMC Local Security Settings snap-in. By default, this policy is set to No action or Not defined. SafeNet recommends setting this policy to Lock Workstation. This setting will require the user to re-insert their token and enter their PIN upon returning to the workstation.

Authenticate with Username, Password and Domain Name

Pre-boot Authentication
Refer to Appendix B for a detailed diagram of the Username/Password/Domain Name pre-boot authentication logic flow. If either the Allow Local User Access or the
150. the dialog and control IDs using Single Sign On Assistant. The user must be able to source this information from the seller/manufacturer of the third party product. Dynamic discovery, as used for post-authentication accounts, may be added in future releases.

Support for Third Party Accounts
Logging on to third party products can occur using a post-authentication approach. In this case, the ProtectDrive GINA and the chained GINA are used to log on to Windows. Then each third party product is logged on to when the Windows shell is initialized. This is only possible if the third party product provides a logon application. Then the Single Sign On Assistant can be used to create a post-authentication account, which can be run to log on to the product using the logon application.

Administrative Procedures

Configuring After ProtectDrive Installation Over an Existing System
1. Install ProtectDrive on the system.
2. Either:
• Run the Single Sign On Assistant (ssoassistant.exe) to configure the SSO settings, OR
• Import an SSO configuration by running the registry file (.reg) exported from the Single Sign On Assistant.

Configuring After Installing Additional Software to the ProtectDrive System
1. Install additional software to the ProtectDrive system that installs a replacement GINA.
2. Run the Single Sign On Assistant, which detects the n
151. this user. These controls can only be enforced if ProtectDrive is installed on the workstation the user logs onto.
(Device Control check boxes: Read CDROM, Write CDROM, Read Serial Ports, Write Serial Ports, Read Diskettes, Write Diskettes, Read Removable Media, Write Removable Media; Shared Key.)
Settings that differ for various members of a user group will be grayed out, indicating conflicting data. Check these settings and set as appropriate.

Use the ProtectDrive Management Snap-in for Configuration Object managed Clients
1. On the server, open the ProtectDrive Management Console.
2. Open the ProtectDrive Management snap-in.
3. Open the Configuration Objects directory.
4. Right-click on a configuration object and then select Properties.
5. Click the PD Users tab and then click on a user or user group name.
6. Set the device access permissions as appropriate for the user or group of users.
7. Click Apply and then click OK.
These settings will be applied across the entire Windows Domain and will be picked up by all clients where this Windows Domain user or group of users is listed.
(Properties dialog for a configuration object with tabs Configuration, Clients, PD Settings and PD Users. The PD Users tab lists Domain Users with Certificates, Password and Current Password columns, for example Windows user JDoe in domain BRONCOTEST, with Add and Remove buttons.)
152. (Table of contents, continued)
Tokens 205
Users 205
Device Permissions 205
Guidance for the Operating System Configuration 206
General 206
Password Policy 206
Screen Lock Feature 206
Information Relevant to Administrators of ProtectDrive 207
Operating Systems 207
Encryption Algorithm 207
Display Warning When Disks Not Fully Encrypted 207
Automatic Pre-boot Authentication 207
Show Unsuccessful Logon Warnings 207
Access Control 207
Appendix F iKey Management 209
Manage the iKey 1000 Through the iKey SDK 209
iKey 2032 211
SafeNet Token Manager Utility 211
Web Enrollment 213
Appendix G Supported Smart Cards, Tokens and Readers 221
153. icate users also have password accounts.
(Device Control check boxes: Read CDROM, Write CDROM, Read Serial Ports, Write Serial Ports, Read Diskettes, Write Diskettes, Read Removable Media, Write Removable Media; OK and Cancel buttons.)
Settings that differ for various members of a user group will be grayed out, which indicates conflicting data. Check these settings and set as appropriate.

Manage System and User Policy Locally
The Local Management Console (LMC) utility is used to configure System and User policy locally, or to view the configuration that was set by the ProtectDrive server. The tabs are very similar to the ones in the server's ProtectDrive Management Console, in the Active Directory Users and Computers MMC and ProtectDrive Management snap-ins. A few minor differences on the PD Settings > Status tab are described below.
To run the LMC utility from the Windows desktop, select Start > Programs > SafeNet ProtectDrive > Local Management Console.
(Windows Start menu showing Programs > SafeNet ProtectDrive > Local Management Console.)
154. iddleware, please contact SafeNet Technical Support. For BSEC installation and configuration details, refer to the Borderless Security PK and SSO Administration Guide.

Storage System Preparation
Before deploying ProtectDrive:
• Ensure that your data storage system is well planned and that no further rearranging of any of the partitions will occur. Use Windows Disk Management as needed to repartition, set up disk mirroring, resize partitions, etc.
• Run CHKDSK /f and the hard disk manufacturer's diagnostic utility to ensure file system health on all drives intended for encryption. Repair any bad sectors, should any exist, as ProtectDrive cannot encrypt them.
• Back up all important data prior to disk encryption.

Back Up the License File
Better safe than sorry. In the event that your hard drive requires reformatting or re-imaging after ProtectDrive has been installed, you'll need the existing ProtectDrive license file to re-install on the same machine. If you do not have a backed-up copy of the existing license file, you will be required to contact SafeNet for a new license file for the same machine, which could take longer to get the machine back up and running. After ProtectDrive has been installed, follow these steps to preserve the ProtectDrive license file and then store it in a safe location for future use, if it is ever necess
155. ight law and international treaties. (SafeNet ProtectDrive welcome screen with Next and Cancel buttons.)
4. Accept the License Agreement and then click Next.
(SafeNet ProtectDrive InstallShield Wizard, License Agreement screen: "Please read the following license agreement carefully." The SOFTWARE LICENSE AGREEMENT text begins "IMPORTANT: READ THESE TERMS CAREFULLY BEFORE DOWNLOADING, INSTALLING OR USING THIS SOFTWARE ... IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT YOU MAY NOT INSTALL OR USE THIS SOFTWARE. 1. Grant of License for Personal Use". Options: "I accept the terms in the license agreement" / "I do not accept the terms in the license agreement".)
5. Select Administration Management Tools Installation and then click Next.
(Setup Type screen: "Choose the setup type that best suits your needs. Please select a setup type." Options: Typical Client Installation (all SafeNet ProtectDrive Client features will be installed); Administrative Management Tools Installation (all SafeNet ProtectDrive Management tools will be installed); Custom Installation (choose which Client and Server features you want installed). Back, Next and Cancel buttons.)
This selection will install the tools that are necessary to centrally manage ProtectDrive cli
156. ike to proceed and create objects in Active Directory? (Yes / No)
3. The status window displays the action(s) being performed. Information is also logged to the PDDirPrep.log file.

View Log File
You can view the log file any time. Use this file as an investigative tool for troubleshooting purposes. As each task is performed, the status window will display information related to the action and whether or not the action was successful. If the previous task has not been performed, or it has not completed, an error will display. All task-related information is also written to the log file.
1. Click View Log File. The file opens in Microsoft Notepad.
2. Click File > Exit to close the file.

Install the ProtectDrive Administrative Management Tools
Before you begin, please note the following:
> If you intend to use ADAM with ProtectDrive, install ADAM on a machine (Windows Server 2003) that is not a domain controller running Active Directory. In addition, make sure ADAM is installed prior to installing and using the ProtectDrive tools.
> Run the PDDirPrep utility before you install the Administrative Management Tools (see page 45).
> Install the ISSetupPrerequisites before you install the ProtectDrive Administrative Management Tools (see below). These tools, located in the ISSetupPrerequisites directory on the Prot
157. (Pre-boot beep codes table, continued: ...failed log-in attempts and is now locked out for a period of time (try again); Critical/fatal error: 3 short beeps, contact your administrator; 1 long beep.)

Advanced Settings

Allowed Certificate Usages
(PD Settings tabs: Status, Authentication, Advanced Settings, Accessibility Options. The Advanced Settings tree lists Allowed Certificate Usages (Usages), Default Permissions, Encryption, Interrupt Vector Update, Management, Password Policy and User Interface.)
This option is used to configure the acceptable certificate usages that are allowed for token or smart card pre-boot logon.

Usages
Click the Usages option to display the currently available certificate usages. The name and object identifiers (OIDs) of each certificate usage display. OIDs are the numeric values that enable programs to determine whether a certificate is valid for a particular use, such as pre-boot authentication. By default, the following certificate usages are available:
• Smart Card Logon: Select this usage type to allow smart card logon to Windows.
• EFS: Select this usage type to allow third party certificate authority support for encrypting file systems.
• Exchange: Select this usage type to allow a private key or a certificate authority.
• RSA Encryption: Select this usage type to allow this algorithm for Window
158. indows Explorer Shell. Clear this check box to disable the display of this balloon tip. Refer to page 182 for an example.

Unsuccessful Logon Message
When the Show Unsuccessful Logon Warnings option is selected, an optional message can also be displayed by entering this message in the Unsuccessful Logon Message field.

Show Certificate Expiry warning 30 days prior to certificate expiry
If this option is selected, smart card/token users will see a warning the specified number of days before their certificate expires.

Show SafeNet ProtectDrive System Tray Icon
After ProtectDrive is installed, a small ProtectDrive icon is placed in the Windows notification area of the taskbar, located in the lower right corner of the Windows desktop. This icon can be disabled by clearing the Show SafeNet ProtectDrive System Tray Icon check box. When this option is enabled, right-click on the icon and then choose one of the following:
• Local Management Console: Open the Local Management Console (you can double-click on the icon to open LMC as well).
• Lock Computer: Lock the Windows desktop. This option is not available if ProtectDrive is installed on Windows Vista or Windows 7.
• Shared Key: Manage the user's shared key. This option will display only if the Allow Users to Register Shared Key option is selected in PD S
159. ing matches the version listed in the Evaluated Products List.
• If installing ProtectDrive from an electronic archive, then ensure that the file name is pd_x_yy_zz, where x_yy_zz is the version number.
• Ensure that the Customer Release Note (CRN) file on the distribution CD refers to the product version being used.

After Installation
Verify the version number of ProtectDrive after installation. Right-click on the ProtectDrive icon in the notification area and then select About SafeNet ProtectDrive. Verify that the version number displayed matches the expected version number of the installed software.

Appendix E Additional Guidance Regarding Security

Organizational Requirements

Connections to Outside Systems
Those responsible for management of the systems in which ProtectDrive is used must ensure that no connections are provided to outside systems that would undermine the security features of ProtectDrive.

Guidance
Guidance should be provided that details the delivery, installation, configuration, administration and operation of ProtectDrive within an organization.

Tampering
The system on which the product is installed must have features that detect physical tampering and provide a clear indication to users that tampering has occurred. Users must be able to regularly check the system for indications of tampering.

Training
All users of ProtectDrive with Administrator privi
160. In version 9.4 and higher, ProtectDrive Reports is available to provide views of various status reports, such as Update Status (shows which clients have up-to-date settings and the last time they were updated) and Encryption Status (shows which clients are not encrypted, which are, and with what). Refer to page 61 for more on ProtectDrive Reports.

Local Management
System policy can be managed locally using the ProtectDrive Local Management Console utility (LMC), which is deployed as part of the installation of the ProtectDrive Client-side components. The LMC allows you to make local configuration changes after ProtectDrive is installed. Users are assigned to client systems, and user device access control permissions are configured, using the PD Users tab. User policy defines individual user access permissions to all devices.

Central Management via Active Directory or ADAM
Active Directory is a widely deployed management platform that most enterprises already use to manage users and computers. Active Directory Application Mode (ADAM) is a mode of Active Directory which is designed for organizations that require flexible support for directory-enabled applications. ADAM was first released in Windows Server 2003 R2. It has been updated with new and improved features for Windows Server 2008 and is now called AD Lightweight Directory System (AD LDS). Excluding the section on in
161. ir respective Windows Domain or Local Windows accounts following their successful pre-boot authentication. This method of automatic Windows authentication is referred to as single sign-on. Single sign-on is currently not supported with fingerprint logon. Not all smart card and reader combinations support SSO.

Manual Windows Authentication
As an alternative to the single sign-on mode, ProtectDrive System Policy can be configured to provide standard Windows authentication screens, allowing the user to manually authenticate into their respective Windows Domain account.

Borderless Security (BSEC) Authentication
When fingerprint authentication is used, single sign-on is not supported. When a user logs in to ProtectDrive with a smart card/token and fingerprint, a Token Login (BSEC) authentication screen will display for the user to log in to Windows. After the user's credentials are verified, the Windows desktop displays. The system can be configured to accept up to four fingerprints. The number of fingerprints that are enrolled will determine the appearance of the login screen that displays. Refer to the SafeNet Borderless Security PK and SSO User Guide for details on fingerprint enrollment.

Single Sign-on in a Non-Windows Environment
In a Windows-only single sign-on user authentication environment, ProtectDrive will operate seamlessly without any required setup. Alternatively, the Single Sign On Assistant application
162. is snap-in provides several built-in Status and User reports which can be run from the ProtectDrive Management Console (PDMC). A domain administrator can run these reports any time and view the state of the ProtectDrive clients in a domain. Report data can be viewed by Organizational Unit and sorted by various filtering criteria, printed, or exported. Each report provides data in column format and includes a pie chart at the bottom of the report which represents percentages of the report data. An example of the Update Status report is shown below.
(PDMC window: Console Root > ProtectDrive Management (test.local), containing Configuration Objects (Default Configuration) and ProtectDrive Reports with Status Reports (Administration Status, Configuration Status, Encryption Status, Recovery Status, Update Status) and User Reports, alongside Active Directory Users and Computers and Saved Queries. The report pane shows a Client Version report dated Wednesday, September 08, 2010, with Organizational Unit <All>, Sort By Client Version and Filter Value <All>, and the columns Client Name, Update Status, Update Time and Client Version. The first row is WINXP, Successful, 8/30/2010 9:11:01 AM, 9.4.0.5, followed by Hy1 Win2003 (test.local), Inact
163. isplays, click Next.
3. Read and accept the License Agreement and then click Next.
(SafeNet ProtectDrive InstallShield Wizard welcome screen: "Welcome to the InstallShield Wizard for SafeNet ProtectDrive. The InstallShield(R) Wizard will install SafeNet ProtectDrive on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties." License Agreement screen: "Please read the following license agreement carefully." SOFTWARE LICENSE AGREEMENT: "IMPORTANT: READ THESE TERMS CAREFULLY BEFORE DOWNLOADING, INSTALLING OR USING THIS SOFTWARE. BY DOWNLOADING OR INSTALLING THIS SOFTWARE YOU ACKNOWLEDGE THAT YOU HAVE READ THIS LICENSE AGREEMENT, THAT YOU UNDERSTAND IT AND THAT YOU AGREE TO BE BOUND BY ITS TERMS. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT YOU MAY NOT INSTALL OR USE THIS SOFTWARE. 1. Grant of License for Personal Use". Options: "I accept the terms in the license agreement" / "I do not accept the terms in the license agreement".)
Launch the SafeNet ProtectDrive.msi. The ProtectDrive installation wizard opens.
4. Select Custom Installation and then click Next.
(SafeNet ProtectDrive InstallShield Wizard, Setup Type screen: "Choose the setup
164. (Update Status report, continued: ...ive, Unknown; Hy3 Win2003, Inactive, Unknown; Hy6 WinVista, Inactive, Unknown; Hy7 Win7, Inactive, Unknown; HYLINK WIN2003, Inactive, Unknown. Count of ClientName by ClientVersion: 9.4.0.5 = 1 (16.7%), Unknown = 5 (83.3%), Total = 6 (100%). Current Page No 1, Total Page No 1, Zoom Factor 100%.)

Windows MMC v3.0 includes a feature called the Action pane. To enable this feature, click the Show/Hide Action Pane icon (shown circled below) or select View > Customize > Action pane > OK.
(MMC toolbar: File, Action, View, Window, Help, with the Show/Hide Action Pane icon circled.)
The Action pane lists the actions that are available to the users based on the currently selected items in the tree on the left-hand side of the console window or in the results pane in the center. When enabled, the Action pane displays on the right-hand side of the MMC snap-in (shown below) and can be hidden from view by clicking the Show/Hide Action Pane icon again, or by deselecting the Action pane option in the View > Customize dialog box.
(Action pane for Status Reports: View, New Window from Here, Refresh, Help.)
Note that the Refresh option in the Action pane does not function when a specific ProtectDrive Status or User report is selected. To refresh a report and view changes you've made to it, you must close and reopen PDMC.
165. l Management Console

Sample Configuration
The following steps outline how to configure a client system.
1. On the server, open the ProtectDrive Management Console.
2. Open the Active Directory Users and Computers MMC snap-in, right-click on the client PC's name, and then select Properties.
OR
Open the ProtectDrive Management snap-in, select Configuration Objects, right-click on ProtectDrive Default Configuration (or the alternative configuration object to which the client had been or will be assigned), and then select Properties.
Click the PD Settings tab and use all the displayed tabs to set the desired ProtectDrive System Policy. Go through all the ProtectDrive tabs and set the client PC's System Policy accordingly. Pay particular attention to the settings outlined below.

Authentication Tab
(PD Settings > Authentication tab, with an Activated check box and Windows / Preboot columns for: Allow Local User Access; Allow Password Domain User Access; Allow Token Domain User Access; Allow Shared Key Access; Single Sign-on Pre-boot Access Management; Allow Emergency Logon With Username; Single Sign-on After Emergency Logon; Allow Emergency Logon Without Username; Allow Users to Register Shared Key; Add Users to SafeNet P
166. leges must receive sufficient training to enable them to securely administer ProtectDrive. Users of ProtectDrive with administration privileges are responsible for implementing guidance that ensures ProtectDrive is installed, configured, administered and operated in a secure manner consistent with the evaluated configuration.

Tokens
Smart cards or tokens used with ProtectDrive for authentication must provide an adequate level of security to protect authentication information and perform the functions required by ProtectDrive. This security may be gained through assurance of the smart card or token, or a combination of smart card/token assurance combined with organizational procedures.

Users
Users of ProtectDrive must receive sufficient guidance and training to be able to fulfill their duties.

Device Permissions
ProtectDrive manages secure use of many device types. Control is based on system and user policy by independently setting read/write access permission for each device in the PD Settings > Advanced > Default Permissions group.

Guidance for the Operating System Configuration

General
ProtectDrive provides protection of information through pre-boot authentication and access control of peripheral devices, combined with hard disk encryption. Once access is gained to a computer by correct user authentication, the
167. list and then click Uninstall, Change or Repair.
(Windows Vista Programs and Features window, with the tasks "Get new programs online at Windows Marketplace", "View purchased software (digital locker)" and "Turn Windows features on or off", and a program list containing Microsoft Visual Studio 6.0 Enterprise Edition, Microsoft Web Publishing Wizard 1.53 and SafeNet ProtectDrive (publisher SafeNet Inc).)
4. When prompted, click Yes to confirm the action.
5. A list of currently open applications displays. Click the Do not close the applications option and then click OK.
(SafeNet ProtectDrive dialog: "The following applications should be closed before continuing the installation: ProtectDrive Tray Icon Application, SafeNet ProtectDrive PD Encoder, Client Data Manager, Storage Encryption Service." Options: "Automatically close applications and attempt to restart them after setup is complete" / "Do not close applications (A Reboot will be required)".)
6. When prompted, click Yes to restart the computer.

Windows 2003, 2008 or XP
Follow this procedure to uninstall ProtectDrive from a Windows 2003, 2008 or XP system.
1. Make sure that all partitions are decrypted.
2. Navigate to Add or Remove Programs in the Windows Control Panel.
Select SafeNet ProtectDrive and then click Remove.
(Control Panel list: Accessibility Options, Add Hardware, Add or Remove Progra
168. ll need to install drivers for the device onto the image. For example:
peimg /inf=<path to NIC driver INF file> c:\winpe_x86\mount\Windows

Optimize the WinPE image for size. Run this command:
peimg /prep c:\winpe_x86\mount\Windows
When prompted, enter yes to continue.

Capture the WinPE image. Run this command:
imagex /capture /boot /compress max c:\winpe_x86\mount c:\winpe_x86\iso\sources\boot.wim "My PE Image"

Create the ISO image. The image, which now contains ProtectDrive support files, needs to be compressed back into the ISO form, which can then be burned to a CD or DVD. Run this command:
oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\iso c:\winpe_x86\my_pe_image.iso

Inject the ProtectDrive Disk Key
Once the WinPE image has booted the affected computer, the disk key can be injected into the driver. You must know the DKE file's password to complete this task.
1. Boot the affected computer from the WinPE recovery CD/DVD or USB drive.
2. Change the directory to X:\Safenet\ProtectDrive and run peprep.exe inj dsk.dke <Enter>. Refer to the PEPREP Command Line Options section below for additional details.
3. When prompted, enter the DKE file's password.
4. After the disk key is verified, encrypted drives will now be accessible to recover the desired files.

Map a Network Driv
169. The Tools directory includes the PDReport.vbs script. It is not necessary to modify PDReport.vbs before you run it, but you may choose to customize it. Run this script on the Active Directory or ADAM server that manages your ProtectDrive clients. The procedure differs slightly between an Active Directory server and an ADAM server; both are described below.
When the reporting script runs, it generates a PDReport.csv file. The output lists the client computer names together with the following information, which can be viewed in a spreadsheet application such as Microsoft Office Excel:
> PDStatus indicates Active if the client was accessible and Inactive if it was not.
> LastUpdate displays the date and time the client was last updated by the ProtectDrive server.
> EncryptedDrives displays the drives currently encrypted on the client. If this column is blank, the client has no encrypted drives.
ProtectDrive Server with Active Directory
You can run PDReport.vbs by double-clicking the file name in the Tools directory on the ProtectDrive distribution CD, or from the command line. From the command line (DOS prompt), navigate to the Tools directory where the script is located before you run it.
ProtectDrive Server with ADAM
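The three PDReport.csv columns described above are what an administrator scans for clients that are unreachable, have nothing encrypted, or have not checked in for a long time. The following Python script is an added example, not part of the ProtectDrive distribution or of PDReport.vbs, that performs that scan over a constructed sample export. It assumes a header row of ComputerName,PDStatus,LastUpdate,EncryptedDrives, a LastUpdate format of YYYY-MM-DD HH:MM, and drive letters joined by ';' inside the EncryptedDrives cell; none of those details are documented on this page, so compare a real export and adjust DATE_FORMAT, DRIVE_SEPARATOR and the column names if they differ.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout this example assumes for PDReport.csv.
# The real column names and date format are set by PDReport.vbs; compare
# against an actual export and adjust the constants below if needed.
SAMPLE_REPORT = """\
ComputerName,PDStatus,LastUpdate,EncryptedDrives
LAPTOP-01,Active,2011-03-01 09:15,C:;D:
LAPTOP-02,Active,2011-03-02 17:40,
LAPTOP-03,Inactive,2010-12-20 08:05,C:
LAPTOP-04,Active,2011-01-10 12:00,C:
LAPTOP-05,Active,,C:
"""

DATE_FORMAT = "%Y-%m-%d %H:%M"   # assumed; confirm against a real export
DRIVE_SEPARATOR = ";"            # assumed; drive letters inside one CSV cell


def parse_date(value):
    """Return a datetime, or None if the cell is blank or unparseable."""
    value = (value or "").strip()
    if not value:
        return None
    try:
        return datetime.strptime(value, DATE_FORMAT)
    except ValueError:
        return None


def parse_report(text):
    """Yield one dict per client row of a PDReport.csv export."""
    for row in csv.DictReader(io.StringIO(text)):
        cell = row.get("EncryptedDrives") or ""
        drives = [d.strip() for d in cell.split(DRIVE_SEPARATOR)]
        yield {
            "name": (row.get("ComputerName") or "").strip(),
            "status": (row.get("PDStatus") or "").strip(),
            "last_update": parse_date(row.get("LastUpdate")),
            "drives": [d for d in drives if d],
        }


def triage(text, now, stale_days=14):
    """Classify clients the way an administrator scans the spreadsheet.

    inactive:    PDStatus was not Active (client unreachable)
    unencrypted: EncryptedDrives blank (no encrypted drives at all)
    stale:       LastUpdate older than stale_days, blank, or unparseable
    """
    cutoff = now - timedelta(days=stale_days)
    findings = {"inactive": [], "unencrypted": [], "stale": []}
    for client in parse_report(text):
        if client["status"].lower() != "active":
            findings["inactive"].append(client["name"])
        if not client["drives"]:
            findings["unencrypted"].append(client["name"])
        if client["last_update"] is None or client["last_update"] < cutoff:
            findings["stale"].append(client["name"])
    return {key: sorted(names) for key, names in findings.items()}


def demo():
    """Run the triage over the constructed sample as of 2011-03-03."""
    return triage(SAMPLE_REPORT, now=datetime(2011, 3, 3))


if __name__ == "__main__":
    for category, names in demo().items():
        print("%-12s %s" % (category, ", ".join(names) or "-"))
```

A blank or unparseable LastUpdate is deliberately reported as stale rather than skipped: a client that has never checked in is the one most likely to be missing policy, and silently dropping it from the list is the failure mode this kind of report exists to catch.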
170. domain. However, there is no harm in running it more than once: it will simply verify that all changes have been made and make any that still need to be made (for example, if a failure was encountered the first time PDDirPrep was run).
There are a few ways to launch PDDirPrep:
> Initially, you will access the utility from the ProtectDrive installation CD. Navigate to the Tools directory and double-click PDDirPrep.exe.
> After you have installed the Administrative Management Tools, you can also access PDDirPrep using one of these methods:
  - At the end of the ProtectDrive installation: select the Launch Directory Preparation Utility check box on the final installation screen, and the utility will start after the installation is complete.
  - From the Windows Start menu: select Start > Programs > SafeNet ProtectDrive > Directory Preparation Utility.
PDDirPrep consists of the following tasks:
  - Create ADAM Instance
  - Extend Directory Schema
  - Prepare Domain
  - View Log File
Perform the first three tasks in the order listed above. Proceed to the next page for details on how to complete each task. You can view the log file at any time. After you have completed each PDDirPrep task, install the ProtectDrive Administrative Management Tools as described on page 51.
Create a Unique ADAM Instance
Perform this task if you n
171. The Administrative Management Tools are used to centrally manage ProtectDrive clients and to perform disaster key recovery and emergency logon procedures. They can be installed on a machine that supports Active Directory, or via ADAM on a Windows Server 2003 machine that is not a domain controller.
The Administrative Management Tools consist of:
> ProtectDrive Management Console. The ProtectDrive Management Console is used to centrally manage ProtectDrive clients. The console includes these snap-ins: ProtectDrive Management, which is used to create and manage multiple Configuration Objects for groups of ProtectDrive clients; ProtectDrive Reports, which is used to run Status and User reports; and the Active Directory Users and Computers MMC. The ProtectDrive Management Console is described in more detail in the next section.
> Remote Recovery Console. The Remote Recovery Console is used to perform disaster key recovery and emergency logon procedures and is discussed in Chapter 11.
> Directory Preparation Utility (PDDirPrep). The Directory Preparation Utility is used to initially prepare a domain to remotely manage the ProtectDrive clients. It is provided here as part of the tool set as a convenience; PDDirPrep is also located in the Tools directory on the ProtectDrive installation CD, which is where you would typically run it. For details on this utility, refer to the Prepare the Windows Domain procedure on page 45.
ProtectDrive Management Console
The following sections
172. Common Criteria Evaluated Products List (EPL). The EPL entry for ProtectDrive may be found at http://www.dsd.gov.au/infosec/evaluation_services/epl/ep.html. Both the Security Target and the Evaluation Technical Report are available online on completion of an evaluation.
Guidance for Users of ProtectDrive
Further Reading Relevant to the CC Certification
The following documents should be read in conjunction with this manual:
  - Security Target
  - Certification Report
  - Release Notes (included on the distribution CD)
Users are reminded that evaluated versions of ProtectDrive are based on assumptions contained in the evaluation Security Target. In particular, read the following chapters:
  - Chapter 3 Assumptions
  - Chapter 4 Security Objectives for the Environment
These chapters describe the responsibility of users and detail the requirements needed to ensure that the ProtectDrive product is used and administered securely.
Product Identification
To ensure that the copy of ProtectDrive you have is authentic and is the correct version:
Before Installation
  - Check the product version number on the CD label. Ensure that the label identifies the version as PD x.yy.zz, where x.yy.zz is the ProtectDrive version number. If you are using an evaluated version of ProtectDrive, ensure that the version you are install
173.
4. When prompted, click Yes to confirm the action.
5. When prompted, click Yes to restart the computer.
Windows 7
Follow this procedure to uninstall ProtectDrive from a Windows 7 system.
1. Make sure that all partitions are decrypted.
2. Navigate to Programs > Programs and Features in the Windows Control Panel.
3. Select SafeNet ProtectDrive and then click Uninstall.
174. The pre-boot user's account details are used to perform the logon, so the username, password and domain name must be the same. A command is added to each account to log on to the account; it is selected by choosing which button on the application dialog box should be clicked to perform the logon action.
RSA SOM Support
Overview
RSA Sign-On Manager (SOM) is an application that performs single sign-on across a number of enterprise applications. It is advantageous for ProtectDrive to collaborate with RSA SOM; this section discusses how this is achieved.
Implementation
RSA SOM is supported in ProtectDrive by allowing the ProtectDrive GINA (pcvgina.dll) to chain the RSA SOM GINA. This allows RSA SOM to function correctly while providing single sign-on for pre-boot users. The ProtectDrive GINA loads the RSA SOM GINA dialog configuration when the Chained GINA registry value is set to the RSA SOM GINA. This can be configured using the ProtectDrive Single Sign-On Assistant.
Considerations
Currently, the Single Sign-On Assistant and the ProtectDrive GINA assume that the RSA SOM GINA is located in the standard location, C:\Program Files\RSA Security\RSA Sign On Manager Client 3\Gina.dll. If this is not the case, third-party GINA support should be used in the Single Sign-On Assistant with the dialog fields configured as follows:
175. then browse to the authorization .txt file. For silent GPO installations, the authorization .txt file must be placed in the same directory as the SafeNet ProtectDrive .msi file. The SafeNet server or authorized reseller is contacted automatically via the Internet to complete this licensing process. When the authorization code is transmitted to the server, a license is granted in kind to the client and the client installation is allowed to continue. At the same time, the customer's license count on the license server is decremented by one. If the client license count is depleted, the server denies the client a license and a message displays notifying you that the installation cannot be completed. Contact your sales agent if you require additional licenses. Refer to page 64 for detailed step-by-step procedures for a ProtectDrive client installation.
What Happens if Internet Access is Unavailable
If you are attempting to perform a multi-licensed installation and Internet access is unavailable, you can only install the 30-day trial version. After the trial version is installed, however, you can install a fully licensed version of ProtectDrive once you have obtained a license. To obtain a locked license without an Internet connection, contact SafeNet Support (support@safenet-inc.com or 800-545-6608). A SafeNet Support representative will guide you through the following procedure to obtain the required information to issue
176. 8.3 or higher, you must uninstall the current version of ProtectDrive, upgrade to Windows Vista, and then run a clean new installation of ProtectDrive.
If you are currently using Active Directory, you should continue to use it when you upgrade rather than changing to ADAM, as there is no real benefit to the change. However, if you do choose to change from Active Directory to ADAM, you must:
  - Remove ProtectDrive on the server (refer to page 84).
  - Install the Administrative Management Tools.
  - Create an ADAM instance on a separate machine (not the domain controller) by using the PDDirPrep utility.
Be aware that after changing from Active Directory to ADAM you will have two sets of schema extensions. Even though ProtectDrive is uninstalled and reinstalled, the schema extensions cannot be removed from the Active Directory server.
Creating a New Recovery File Set
A recovery file set for an upgrade should include these files: PdMaster.cer/.pfx, PdRecovery.cer/.pfx, salt.cid and <computername>_license.txt. There are two ways to create the PdMaster and PdRecovery files:
> Generate them during a new ProtectDrive installation. A backup of the license file is created at the same time.
> Create them using the Certificate Wizard (certwizardapp.exe). Refer to page 24 for details on how to use this utility.
Warning: Do not creat
177. The first domain in the list is selected: 4 short beeps (D D D D). Press Enter to select the first domain in the list and continue, or press the down arrow to select a different domain.
Press the up/down arrow to choose a different domain: 1 short beep (E). Press Enter to continue. Note: one short beep sounds with every press of the up/down arrow. If the first domain is reached again, 4 short beeps sound to indicate that the user is at the top of the domain list.
Enter the PIN: 3 short beeps (C C C). Enter your PIN and press Enter to continue.
Logon is successful: 3 short beeps, 1 long beep (G D B A). No action required.
A pop-up box is displayed as a result of the user's last action: 1 short beep, 1 long beep (B D). Press Enter to clear the pop-up box and continue. The pop-up box describes feedback such as:
  - A general entry error occurred, for example an invalid user name, password, PIN, smart card or a bad certificate.
  - The user pressed F1, which displays a login help screen.
If the condition occurred while entering a user name or password, continue by re-entering that information. If the condition occurred while entering a PIN, continue by re-entering a correct, valid PIN or by replacing the card with one that works.
Challenge response screen is active: 2 long beeps (A A). Contact your administrator for recovery instructions.
Lockout screen is displayed: 2 beeps, 1 long beep (B B F). Press Enter to acknowledge. The user has reached the number of
178. Domain or Local Windows users to the client system's Pre-boot User database. In addition, this procedure is appropriate where the Active Directory User Policy has not yet replicated to the client system prior to the user's initial pre-boot authentication. Once the user executes this procedure and then authenticates into Windows, an account is created for them in the local system's Pre-boot User database.
  - Unattended Reboot with Automatic Pre-boot Authentication. If the System Administrator needs an unattended reboot followed by automatic pre-boot authentication, a special Pre-boot User account must be created. This function is not controlled by System Policy; instead, the System Registry must be amended as described later in this chapter.
Emergency Logon for Token Users Procedure
End User Instruction
If a Smart Card/Token/PIN/Fingerprint user misplaces their smart card or token, or forgets their PIN, access to the system may be achieved by performing the ProtectDrive Emergency Logon for Token Users procedure, at the discretion of the System Administrator.
1. Place the cursor in the PIN field and press Shift+F9. The following recovery response screen displays:
   Serial no. 21396
   Username: Administrator
   Machine Name: VMVISTA
   Domain: VMVISTA
   Recovery Code: Kwwyul wu ny h3
   Enter response below:
   PRESS F1 FOR HELP
179. ProtectDrive Server with Active Directory ... 185
ProtectDrive Server with ADAM ... 186
Sample Report Outputs ... 186
Appendix A Smart Card/Token & PIN User Authentication ... 187
Appendix B Username/Password/Domain Authentication ... 189
Appendix C Post-boot User Authentication into Windows ... 191
Appendix D System Debug and ACS Error Messages ... 193
  System Debug ... 193
  ACS Error Messages ... 196
Appendix E Additional Guidance Regarding Security ... 203
  Evaluated Versions of ProtectDrive ... 203
  Guidance for Users of ProtectDrive ... 204
  Further Reading Relevant to the CC Certification ... 204
  Product Identification ... 204
  Before Installation ... 204
  After Installation ... 204
  Organizational Requirements ... 205
  Connections to Outside Systems ... 205
  Training ... 205
180. information. If fingerprint authentication is used, refer to Manual Fingerprint Authentication on the next page.
Inserting the smart card or token into the reader results in the standard Windows Domain PIN authentication screen (Log On to Windows). At this point the user enters their PIN.
Alternatively, assuming that either the Allow Local User Access or the Allow Password Domain User Access option is set on the Authentication tab, the user may press Ctrl+Alt+Del to invoke the standard Windows Domain Log On screen (see page 152).
Manual Fingerprint Authentication
Single Sign-on Mode is not supported. Single sign-on is currently not supported with fingerprint logon. This means you are not automatically logged into Windows after you have successfully logged into ProtectDrive. After logging in to ProtectDrive, you are immediately presented with a Token Login screen rather than the Windows Log On screen shown in the previous examples. On the Token Login screen you can use either fingerprint authentication or log in with a PIN. If a fingerprint is used, note that the system can be configured to accept up to four fingerprints. The number of fin
181. Default password equals username
This option is an alternative to specifying the Default Password. Note that in this case users still need to type in their password (their Windows username) for pre-boot authentication. When the password is the user's name, it is only used for the initial (first time ever) pre-boot authentication and is then replaced by the Windows Domain password. Windows passwords must also be limited to a maximum length of 127 characters.
Default Password / Confirm Password
This field defaults to "password". To change the password, select the Default Password check box and then enter the new password. Repeat the entry in the Confirm Password field. Newly added Windows Domain users may be instructed to enter the Default Password for their initial (first time ever) pre-boot authentication. Once the user authenticates into Windows using their actual Windows Domain password, the ProtectDrive Default Password is replaced with the
182. installation. This is done to enable ProtectDrive to locate its embedded file system upon system boot, prior to all other disk access. If the MBR is altered, replaced or corrupted after the ProtectDrive install, the rmbr.exe utility is used to recover it. Restoring the ProtectDrive MBR requires a sector-by-sector search for the embedded file system (EFS) located on the boot partition. Once the EFS is located, the ProtectDrive MBR can be restored.
Usage: RMBR.EXE [options]
Options:
  /usage          Displays usage help.
  /v, /ver        Displays the utility version.
  /p, /pd         Recovers the ProtectDrive MBR.
  /o, /original   Recovers the original (prior to the ProtectDrive install) system MBR.
  /r, /recovery   Uses the ProtectDrive Recovery Files to perform any of the above operations.
  /rp, /recpath   Specifies the path to the Recovery Files (the backup file set created with backup.exe or obtained from Active Directory).
  /s, /sel        Selects the installation partition.
Warning: if the backup file set was supplied during disk decryption by running decdisk with the /r and /rp arguments, the same /r and /rp arguments must be used with rmbr when restoring the MBR.
RMBR Initial Status Check
Prior to performing any MBR recovery, rmbr displays the current MBR status. If the ProtectDrive MBR has been unaltered since the install, the following message displays:
  Current MBR is the ProtectDrive MBR
However, if rmbr detects any
183. This group configures how the ProtectDrive client retrieves System and User Policy data (for example, updated information) from Active Directory/ADAM. These options display as inactive on the client if this was a Client Configuration installation.
On Restart: If this check box is selected, the ProtectDrive client pulls policy data from the Active Directory/ADAM service when Windows restarts.
On Logon: If this check box is selected, the ProtectDrive client pulls policy data from the Active Directory/ADAM service on user login.
On Interval: If this check box is selected, the ProtectDrive client pulls policy data from the Active Directory/ADAM service at the interval specified in the Every __ Hours/Days field.
Every __ Hours/Days: Click in this field and select the interval at which the ProtectDrive client pulls policy data from Active Directory/ADAM.
Advanced Settings
Password Policy
184. to all newly created computer objects in the given domain. Click Add or Remove to populate this column from Active Directory/ADAM.
Certificates. The settings for this column are Yes or No. If the column indicates No, the user does not have any certificates. If it indicates Yes, the number of valid smart card/token certificates the user possesses in the given domain is also shown. Users with certificates are able to log into ProtectDrive using their smart card or token. Note that the total number of assigned certificates is also listed at the bottom of the PD Users tab. A ProtectDrive User account is created for each smart card/token certificate. Including any accounts created for password users, the total number of accounts on each client system cannot exceed 2000.
Password. The settings for this column are Yes or No, indicating whether a user (or all members of a Windows group) possesses an initial password account to log into ProtectDrive. The Password column displays Yes if:
  - a user with certificate(s) is assigned a password via the Configuration button;
  - a user with a password account only is added;
  - a certificate user is added and the Certificate users also have password accounts check box is selected.
The Password column displays No if:
  - a certificate user is added and the Certificate users also have password accounts check box is not selected.
Current Password. The settings for this column are Initial
185. downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=c7d4bc6d-15f3-4284-9123-679830d629f2&DisplayLang=en.
2. Open a Windows PE Tools Command Prompt from the Windows Start menu: select Start > Programs > Microsoft Windows AIK.
3. Create a Windows PE customization working directory. Run this command:
     copype.cmd x86 c:\winpe_x86
4. Expand the image for customization. Run this command:
     imagex /apply c:\winpe_x86\winpe.wim 1 c:\winpe_x86\mount
5. Configure the image for SafeNet ProtectDrive. Run this command:
     e:\tools\winpe\peprep /prep /img c:\winpe_x86\mount /pd e:\tools\winpe
   where e: refers to the location of the SafeNet ProtectDrive installation files.
6. Copy the DKE file onto the image. Run this command:
     copy f:\targetcomputers.dke c:\winpe_x86\mount\safenet\protectdrive
   DKE files are created by running rpadmin.exe. A DKE file contains the encoded disk key. Refer to Creating a Disaster Recovery Disk Key on page 166 for details. Multiple DKE files can be copied onto the image if required.
7. Install the network card driver. The simplest method of copying files off the target computer is to use the net use command to map a drive to another networked computer (see Map a Network Drive on page 177). If the target computer's network card is not supported by the operating system, you wi
186. of consecutive failed pre-boot authentication attempts, the Lockout configuration policy is enforced to prevent PIN guessing. Open the system's Event Viewer for details on failed logon attempts and other events (see page 184 for more on Event Viewer).
Chapter 10 Extraordinary Authentication Scenarios
Note: To retrieve a client's recovery envelope from Active Directory for password recovery, the client installation MUST be set to Remote Configuration from the Active Directory install. This ensures that the client can be remotely configured via Active Directory. To ensure Active Directory updates and envelope retrieval on the client, set the SafeNet ProtectDrive .msi property ERA_CLIENT_CONFIGURATION_ONLY to 0. If an installation was not installed as a Remote Configuration, this can be changed afterwards by setting the ClientConfigurationOnly DWORD registry value to 0 under HKLM\Software\SafeNet\ProtectDrive\Installer and then rebooting the computer. With this after-the-fact method the recovery envelope will not be available from Active Directory, but it will still be available from the .env file created at install, so keep that file somewhere safe.
If System Policy has been configured to disable pre-boot authentication (see the
187. Console: The Disk Key File was successfully generated.
Recover/Decrypt the Disk
Before you begin, verify that you have the decdisk.exe utility, the encrypted .dke file and its corresponding passphrase, and the EFS recovery files.
1. Boot the affected PC into DOS mode.
2. From the command line, decrypt the hard disk using the ProtectDrive decdisk utility. Make sure you use the /dk option. For example:
     decdisk /dk diskkey.dke
3. Enter the passphrase created in step 6 of the previous section when prompted.
4. Select the area of the disk to be decrypted when prompted.
5. After decrypting the disk, run
     rmbr /o /r /rp <backup files path>
   to remove the ProtectDrive pre-boot authentication, and then reboot the PC. For details on the RMBR recovery utility, refer to page 178.
   If the system drive remains unbootable, which indicates it is heavily corrupted, try to regain a standard bootable MBR on it using any system or third-party aid. The information at http://fixmbr.net may help you choose a method of MBR repair. Keep in mind that forcing the system drive to boot will not succeed if its decryption is not complete.
6. After the PC reboots, uninstall ProtectDrive. Discard the encrypted .dke file and passphrase, as they are now obsolete.
Chapter 11 RapidRecovery Disaster Recovery Tools
188. recommend that each system has a unique disk encryption key. But how do you deploy a ProtectDrive image onto many computers while ensuring the disk keys are unique for each system, and at what point should the image be created to ensure this?
To ensure unique disk keys, create the initial system image after ProtectDrive is installed but before the first boot is performed (immediately after installation is complete). In this state the imaged system does not have pre-boot activated and therefore does not yet have a disk key. Later, when this image is deployed and each system is booted, pre-boot is activated and, if so configured, encryption starts. An image taken after that first boot would carry an already generated disk key, so every system deployed from it would share the same key.
Follow this procedure to create a unique key for each computer:
1. Install ProtectDrive on the computer to be imaged.
2. When the installation is complete, shut down the computer.
3. Image the hard drive using Norton Ghost.
4. Distribute the image to a computer.
5. Boot the computer and activate pre-boot. A unique disk encryption key is generated at this point for this computer.
6. Repeat steps 4 and 5 on all computers.
Warning: when distributing a ghosted ProtectDrive image, it must be put back on a drive with the same geometry as the original ghosted system.
Upgrading From a Previous Version of ProtectDrive
Before You Begin
> The latest version of ProtectDrive supports
189. Components Wizard: You have successfully completed the Windows Components Wizard. To close this wizard, click Finish.
10. Proceed to Prepare the Windows Domain on page 45.
Enable AD LDS
1. On the member server, select Start > Server Manager > File Services.
2. In the console tree, right-click Roles and then click Add Roles.
3. Review the information on the Before You Begin page of the Add Roles Wizard and then click Next. The wizard asks you to verify, before you continue, that the Administrator account has a strong password, that network settings such as static IP addresses are configured, and that the latest security updates from Windows Update are installed. If you have to complete any of these steps, cancel the wizard, complete them, and then run the wizard again.
190.
1. Place the cursor in the User ID field of the Username/Password/Domain Name Log On screen and press Shift+F9. The following recovery response screen displays:
   Serial no. 21396
   Username: <Emergency Logon>
   Machine Name: VMVISTA
   Domain: VMVISTA
   Recovery Code: H8265 mox5e 1822
   Enter response below:
2. Contact your System Administrator, either in person or by phone, and communicate to them the displayed Recovery Code (the challenge).
3. In return, the System Administrator will communicate to you the Response Code. Enter this code into the Enter response below field.
4. At this point, one-time-only pre-boot access to the system is granted. Proceed to the normal Windows log in.
System Administrator Instruction
The user will perform the procedure on the previous page and contact the System Administrator. In turn, the System Administrator uses the Recovery File Set originally created after the ProtectDrive install to perform the following steps to complete the emergency logon procedure. Because the response code grants pre-boot access to the machine, confirm the caller's identity by a means independent of the call itself before issuing one.
1. Run rpadmin.exe, located in Program Files\SafeNet\ProtectDrive on the server. The ProtectDrive Remote Recovery Console window displays.
2. Click the Emergency Logon tab.
3. In the Recovery Support Certificate/Key section, select the appropriate Recovery Supp
191. Sector 0 Backup for Removable Media Only (Optional)
As an added level of assurance for recovering a failed removable media device, you can create a backup of the device's Sector 0 data and, when needed, use it to perform the recovery procedure outlined below. Create this backup before you actually need it: if the device fails and you do not have the Sector 0 data, this recovery procedure cannot be performed. Refer to page 86 for details on the recovery procedure. This procedure should be performed on each USB flash drive that is deployed.
1. Insert the USB flash drive into a computer that does not have ProtectDrive installed and make sure the device appears as a readable drive.
2. Run the dskprobe.exe utility. This utility is included in the Microsoft Windows 2003 Resource Kit and can be downloaded from the Internet.
3. Select Drives > Physical Drive. Double-click the last drive in the list, which should be the USB flash drive (confirm by its size that it is the USB device and not a fixed disk). It will appear under Handle 0 at the bottom of the screen.
4. Select Set Active for that drive and then click OK. Make no changes to the default settings.
5. Select Sectors > Read and then click Read. The Sector 0 data is displayed.
6. Select File > Save As. Choose a secure location, such as a protected hard drive or network drive. Specify a filename that clearly identifies the device from which the data came.
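The Sector 0 backup above and the rmbr initial status check (rmbr reports whether the current MBR is still the ProtectDrive MBR before doing anything) are two sides of the same idea: keep a trusted copy of the boot sector and compare against it before recovering. The following Python script is an added example, not one of the ProtectDrive tools (dskprobe remains the manual's method). It backs up sector 0 of a device or image file, refuses to save a sector that lacks the 55AA boot signature (a sign the wrong drive was selected), records a SHA-256 of the backup so it can be logged next to the device name, and later compares the live sector 0 against the saved copy, reporting which byte offsets changed. On Windows the device path would be a raw device such as \\.\PhysicalDriveN opened as an administrator; the demo uses a constructed image file in a temporary directory so that it runs offline.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR sector


def read_sector0(path):
    """Return the first 512 bytes of a device or image file.

    On Windows, path would be a raw device such as r'\\.\PhysicalDrive1'
    (administrator rights required); the demo below uses an ordinary file.
    """
    with open(path, "rb") as f:
        data = f.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise ValueError("short read: %d bytes, expected %d" % (len(data), SECTOR_SIZE))
    return data


def has_boot_signature(sector):
    """True if the sector is 512 bytes and ends with the 55AA signature."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def backup_sector0(device_path, backup_path):
    """Save sector 0 to backup_path and return its SHA-256 hex digest.

    Saving is refused if the signature is missing, which usually means the
    wrong drive was selected (the manual's 'last drive in the list' step).
    """
    sector = read_sector0(device_path)
    if not has_boot_signature(sector):
        raise ValueError("sector 0 has no 55AA boot signature; wrong device?")
    with open(backup_path, "wb") as f:
        f.write(sector)
    return hashlib.sha256(sector).hexdigest()


def compare_sector0(device_path, backup_path):
    """Compare the live sector 0 with the saved copy.

    Returns {'unchanged': bool, 'changed_offsets': [byte offsets]} so the
    caller can tell a rewritten boot loader (offsets < 446) from a changed
    partition table (offsets 446-509) or signature (510-511).
    """
    live = read_sector0(device_path)
    saved = read_sector0(backup_path)
    diffs = [i for i in range(SECTOR_SIZE) if live[i] != saved[i]]
    return {"unchanged": not diffs, "changed_offsets": diffs}


def build_sample_sector():
    """Constructed sample sector: filler boot code, one NTFS partition entry
    (bootable, LBA start 63, 204800 sectors), 48 zero bytes, then 55AA."""
    boot_code = bytes((i * 7) & 0xFF for i in range(446))
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
             + (63).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE


def demo():
    """Back up a constructed image, then detect a rewritten boot loader."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "usb.img")
        bak = os.path.join(tmp, "usb_sector0.bin")
        with open(dev, "wb") as f:
            f.write(build_sample_sector() + bytes(4096))  # sector 0 plus padding
        digest = backup_sector0(dev, bak)
        before = compare_sector0(dev, bak)
        with open(dev, "r+b") as f:           # simulate a boot-loader overwrite
            f.write(b"\xeb\x58\x90\x00")
        after = compare_sector0(dev, bak)
        return digest, before, after


if __name__ == "__main__":
    digest, before, after = demo()
    print("backup sha256:", digest)
    print("before overwrite:", before)
    print("after overwrite:", after)
```

Store the backup and its digest somewhere the device itself cannot reach, as the manual says; a backup kept on the same USB stick is lost with it, and a backup whose hash was never recorded cannot be trusted when it is needed.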
192. on settings and use the same salt/cid. Chapter 6, Single Sign On Management. Introduction: This chapter is only relevant to non-Windows Vista users. If you are a Windows Vista user, no action is required for single sign on. This chapter is specific to the use of the GINA (graphical identification and authentication) library. GINA, a component of Microsoft Windows operating systems prior to Windows Vista, provides secure authentication and interactive logon services. If you are a Windows Vista user, GINA was replaced by Credential Providers. Credential Providers allow for significantly increased flexibility in supporting multiple credential collection methods. The Single Sign On Assistant is an application that manages aspects of single sign on for ProtectDrive. It is a flexible solution that enables users to configure the logon to their PC and other network services. There are two components that the Single Sign On Assistant manages: Windows authentication accounts and post-authentication accounts. These components are discussed in this chapter. Single sign on is currently not supported with fingerprint logon. Accessing the Single Sign On Assistant: To access the Single Sign On Assistant, execute the ssoas
193. one (License Manager screen: 15 days, 4 hours, 57 mins left; License Status: Normal; You have 1 license(s) installed; License or Authorization; Lock Info; Browse; Install). 3. Perform one of the following: browse to the license.txt file and then click Install; or browse to the license.txt file and then open it, copy and paste the entire block of text into the blank field, and then click Next; or browse to the authorization.txt file and then click Next. 4. If you are using the authorization.txt file to receive a license, the client will now contact the license server. If successful, the license server will send a locked license to the client. 5. A message will display if the license update was a success. Upgrade to a Full License From the Nag Screen: From the nag screen, perform steps 3 through 5 detailed in the previous section. Chapter 7, Configuring Default System and User Policy. Chapter 8, System and User Management: ProtectDrive clients are managed centrally from the ProtectDrive Management Console on the server, with the System and User Policy data stored in and replicated from Active Directory/ADAM. The Active Directory Users and Computers MMC snap-in is amended with the PD Settings and PD Users tabs an
194. ormatting should be done before the device is re-encrypted. Chapter 5, Deploying ProtectDrive. Alternate Recovery Procedure 1: Use RmRMBR. In the event that the Standard Recovery Procedure described on the previous page does not return the device to a reusable state, follow the steps in this section. Contact SafeNet Support prior to attempting this procedure. This procedure should be performed for each USB flash drive that is deployed. 1. Connect the removable media device to be recovered. 2. Perform the appropriate step based on the state of the device: if the device is encrypted, a password prompt will display; enter the password and then click OK to continue. If the device is not encrypted, an encryption dialog box will display; click Do not encrypt. 3. Go to the command line. To do so, from the Windows desktop select Start > Run; in the Run dialog box, enter cmd and then click OK. 4. Change to the ProtectDrive directory: cd "Program Files\SafeNet\ProtectDrive". 5. Run the recovery utility: rmrmbr d x, where x equals the drive letter of the removable media device. 6. A prompt displays stating that you are about to remove ProtectDrive from the device. Press Enter to confirm and continue. If you wish to abort, press Ctrl+C. 7. When prompted, safely remove the removable media device. 8. Re-connect the removable media device and reformat it for reu
195. ort Certificate/Key option. Personal Store: if you select this option, you must have the user's private recovery key certificate copied from their Personal Store to your machine. PFX File: if you select this option, click the browse button and then browse to and open the user's private PdRecovery.pfx file. Enter the password. Entering a password will enable the Generate Response button. CSP: if you select this option, choose the appropriate Provider from the drop-down list where the certificate/key is stored. 4. Select the Recovery Envelope file for the user's computer. Get From File: if you select this option, click the browse button and then browse to and open the <computername>_RecoveryEnvelope.env file. Get From AD: if you select this option, click the browse button and then browse to the Active Directory computer and locate the computer object. This option will only work if the client was installed as remotely configured with an Active Directory install. 5. Select the Recover for Username check box and enter the user's name. Chapter 10, Extraordinary Authentication Scenarios. 6. Enter the code provided by the user into the Recovery Code field and then click Generate Response. (Dialog: tabs Emergency Logon and Disk Key Recovery; Recovery Support Certificate/Key options Personal Store, PFX File (PdRecovery.pfx) with Password, and CSP Provider; Recovery Envelope
196. ou can also right-click on the ProtectDrive icon in the notification area and then select Local Management Console, or simply double-click on the icon. PD Settings Tabs: The PD Settings tabs are virtually the same in the LMC as they are in the server's ProtectDrive Management Console snap-ins. The only exception is the Status tab, which in the LMC has three additional columns, Size (MB), Percent Encrypted and Time Remaining, described below. Refer to page 127 for a complete description of the Status tab. Size (MB): this column indicates the size of the hard drive partition. Percent Encrypted: this column indicates the encryption status of the hard drive partition. Time Remaining: this column indicates the time remaining to completion while encryption is in progress. Chapter 8, System and User Management. PD Users Tab: Use the PD Users tab to add Windows Domain users and groups to the client. Note that all existing pre-boot user accounts are listed here. Click Add to add Windows Domain users. (Dialog: tabs PD Settings, PD Users, License Manager; columns User, Certificates, Password, Current Password, Initial Password; example row admin, BEL1, No, Yes, Windows Default; All users have password accounts; 1 users with 0 SafeNet ProtectDrive certificates; OK, Cancel.) Add Local Windows Users to the ProtectDrive Pre-boot User Database: The easiest way to
197. phanumeric characters. (SafeNet Token Manager Utility, Microsoft Internet Explorer, page file:C:\Program Files\SafeNet\BSecClient\WebPages\enrolment.html: Welcome pduser1; Step 2 of 2; Enter new token PIN; Confirm new token PIN; Finish.) 7. Click Finish. The following pop-up window displays: Enrollment may take a few moments to complete. You may also see the message Communicating with server, Enrolling token. 8. Click OK when enrollment is complete (SafeNet Token Manager Utility: Enrollment Complete). Appendix F, iKey Management. Web Enrollment: 1. Request a certificate. Open Windows Internet Explorer and type in the URL of your CA using the following format: http://<IP address of CA>/certsrv. For example, http://70.15.15.10/certsrv. If prompted, enter a valid user name and password. Supply the credentials of the user requesting the certificate and then click OK. Once connected, a Welcome screen displays for Microsoft Certificate Services for your CA: Use this Web site to request a certificate for your Web browser, e-mail client, or other program. By using a certificate, you can vent
198. possible to uninstall ProtectDrive until all drives are decrypted. Appendix D, System Debug and ACS Error Messages. The following flowchart represents the system debug information listed above. It is included for additional information. (Flowchart, recoverable content: System: boot to MS-DOS, run RMBR /P to restore the ProtectDrive MBR, reboot. If Windows does not load: boot to MS-DOS, run DECDISK.EXE to decrypt all drives, run FDISK /MBR or RMBR /O to restore the original Windows MBR, reboot to Windows, reinstall ProtectDrive, recreate pre-boot user accounts. Token user is able to authenticate at pre-boot to the Windows desktop, yes/no; Windows loads, yes/no. If not: boot to MS-DOS, run DISPEFS.EXE /U to list all valid users, verify that the user's pre-boot account exists (TOKEN USER FALSE indicates a password-type user; TOKEN USER TRUE indicates a token-type user), recreate the user account if needed, reboot. Is drive C encrypted? If yes: boot to MS-DOS, run DECDISK.EXE to decrypt drive C, reboot.) ACS Error Messages: The ProtectDrive Access Control System (ACS) becomes active when a
199. r Policy. Configure Default Settings in ProtectDrive Management Snap-in: 1. On the server, open the ProtectDrive Management Console. 2. Select ProtectDrive Management > Configuration Objects. (Console view: columns include last update, password, encryption status, PBA activated, Rec Env, Rec Files; example entries for domain safenet.inc.local, computers W2K3ENT, WALLABY, D600-XP, and the TestConfig configuration object.) 3. Right-click on the ProtectDrive Default Configuration and then select Properties. 4. Click the PD Settings tab and then configure the default System Policy. Refer to page 109 for details on the PD Settings selections. 5. Click the PD Users tab to assign users to the system by default and to configure these users' device access control permissions. Refer to page 129 for details on PD Users selections. 6. Click Apply. 7. Click OK. Chapter 7, Configuring Default System and User Policy. PD Settings Tab: Configure the Default System Policy, Authentication Settings (tabs Status, Authentication, Advanced; Activated; Authentication Methods: Windows, Preboot, Allow Local
200. r decrypting fixed and removable drives; processing remote configuration updates. Hover the mouse pointer over the icon to display a tooltip of the task that is in progress. The following example shows the tooltip for the encryption process of drive C: SafeNet ProtectDrive, Encrypting C. Chapter 2, ProtectDrive Functional Description. Hard Drive and Removable Media Encryption and Decryption: All data encryption is invisible (transparent) to the end user. ProtectDrive automatically encrypts and decrypts multiple HDD partitions and selected removable media. Any authenticated computer that shares the encryptor's system key, created at installation time, can decrypt the removable media, provided the correct encryption password is entered. When encrypted data is being read, ProtectDrive decrypts it on the fly so that it is ready for display to the user or for use by other applications and software processes. All data written back to the HDD or removable media is automatically re-encrypted. Consequently, normal system operation remains unaffected. ProtectDrive System and User Policy Remote Management: System policy can be managed remotely for ProtectDrive clients through the ProtectDrive Management Console snap-ins (ProtectDrive Management Console: ProtectDrive Management, ProtectDrive Reports, Active Directory
201. rding Security Information Relevant to Administrators of ProtectDrive. Operating Systems: Evaluated versions of ProtectDrive are tested on specific versions of operating systems. While the product will operate with a wider range of service packs and builds, if you wish to use it in its evaluated configuration you should only use it on those specified in the most current ProtectDrive Customer Release Notes (CRN). Evaluated Items: Note that the Server Edition of ProtectDrive has not been evaluated, and nor has the Multiple Boot Manager functionality. Furthermore, only the Registered Product has been evaluated. Encryption Algorithm: To comply with Government advice, only the AES and Triple DES encryption algorithms have been evaluated, and one of these algorithms should be selected during installation. This will ensure that the correct components are installed and the choice of algorithms available for initial encryption will be limited to AES and Triple DES. Display Warning When Disks Not Fully Encrypted: It is strongly recommended that this option be set ON in the evaluated configuration so that users are advised if the disk they are working on is not completely encrypted. If this is set to ON, the warnings will be displayed for all users. Automatic Pre-boot Authentication: This option must be used with caution and strictly as directed in the relevant chapter of this administration guide. Show Unsuccessful Logon Warnings: This
202. read error occurred when trying to initialize encryption information; recovery action: Standard Recovery Procedure. 1310, VXBIOS, Cannot Init EFS; cause: EFS corruption; action: Standard Recovery Procedure. 1311, VXBIOS, VROM load Error; cause: VROM file is missing, has an incorrect size, or a read error occurred; action: displayed after an ACS1204 error. 1312, VXBIOS, VXVECT save fail; cause: failed to store the original disk interrupt service routine (ISR) address in the EFS super block, EFS corruption; action: Standard Recovery Procedure. 1313, VXBIOS, SBLK get fail; cause: failed to locate the EFS Super Block; action: run rmbr.exe to attempt to restore the ProtectDrive MBR. 1314, VXBIOS, Info open fail; cause: missing VDX EFS file, EFS corruption; action: Standard Recovery Procedure. 1315, VXBIOS, Info write fail; cause: EFS corruption; action: Standard Recovery Procedure. Appendix D, System Debug and ACS Error Messages (table columns: Component, Description, Possible Cause, Recovery Action). 1316, VXBIOS, VROM EXEC fail; cause: failed to execute the VROM; action: displayed after an ACS1205 error. 1317, VXBIOS, Info read fail; cause: EFS corruption; action: Standard Recovery Procedure. 1318, VXBIOS, Diskette boot fail; cause: Master Boot Loader signature verification failed, or missing operating system on floppy disk; action: use a bootable floppy diskette, or eject the floppy diskette from the drive and boot from the hard disk. 1319, VXBIOS, GDA open fail; cause: GDA file is missing when trying to load and execute; action: Standard Recovery Procedure
203. removable media recovery. Therefore, you can only import this file to client PCs that share the same salt/cid. The client PCs must have ProtectDrive installed before the configuration settings can be imported. Follow these steps to import the client settings from an XML file: 1. Open the Local Management Console on the client to configure. 2. Click the ProtectDrive icon in the upper left corner of the screen. 3. Select Import Users and Data, Import Users Only, or Import Data Only. (Local Management Console system menu: Move, Minimize, Close Alt+F4, Import Users and Data, Import Users Only, Import Data Only, Export, About; columns Size (MB), Percent Encrypted, Time Remaining; Encrypt, Decrypt, Removable Drive Protection, Progress; Update Status: Last Configuration Change, Never.) Chapter 5, Deploying ProtectDrive. 4. Locate and select the .xml file to import and click Open (Open XML File dialog: File name PDConfig; Files of type XML File (*.xml); Open as read-only; Open, Cancel). The Local Management Console confirms: Import from C:\PD Client Settings\PDConfig.xml successful. 6. Repeat this procedure on as many client PCs as require the same ProtectDrive configurati
204. repare Domain: You must be logged in as the domain administrator to perform this task. This task prepares the Active Directory/ADAM domain objects for ProtectDrive data storage by attaching ProtectDrive attributes to existing computer objects, creating Default Configuration Objects, etc. By default, all new clients in the domain will automatically be linked to the Default Configuration Object. If you are upgrading from an earlier version of ProtectDrive, any existing clients will initially be managed by the property sheet of their own computer object. They will not automatically be linked to the Default Configuration Object, but can be linked to it later. Refer to page 59 for details on clients managed by the property sheet of their computer object. 1. Click Prepare Domain. 2. The system will verify whether an ADAM configuration set exists. If one exists, then the ADAM instance is configured with the domain directory changes. If one does not exist, then the user (administrator) is prompted to confirm that the domain directory changes should be made to Active Directory. If this prompt displays, click Yes to continue. (SafeNet ProtectDrive Directory Preparation Utility: No SafeNet ProtectDrive ADAM instance found for this domain. Objects will be created in Active Directory. NOTE: If you have recently installed a SafeNet ProtectDrive ADAM instance, its existence may not have replicated through AD yet. You should cancel and retry later. Would you l
205. rive Administration Guide, Chapter 5, Deploying ProtectDrive. Status Reports: The following Status reports are currently available. Administration Status: this report shows who has read or write access to ProtectDrive configuration data. Configuration Status: this report shows if there are pending updates that need processing and which computers are managed by a configuration object. Encryption Status: this report shows which clients are fully or partially encrypted/decrypted and which are not encrypted in the enterprise. Recovery Status: this report shows the presence of disaster recovery files for particular clients. Update Status: this report shows which clients have up-to-date settings, their last update status and time, etc. User Reports: The following User reports are currently available. User List Members: this report shows which users belong to each member group. Client Users: this report shows which users can log on to a particular client. Run the Reports: 1. Make sure the ProtectDrive Administrative Management Tools are installed. 2. Launch the ProtectDrive Management Console. 3. Open the ProtectDrive Reports snap-in. 4. Navigate to the report to run. Deploying Client-Side Components: ProtectDrive Client-Side components are used for management and encryption of ProtectDrive stand-alone and/or networked sys
206. (Table of Contents, continued) ... 7; Local Management ... 7; Central Management via Active Directory or ADAM 8; ProtectDrive Central Management Using ADAM 9; Windows Domain Preparation for Central Management 9; ProtectDrive Recovery Files and Key Management 10; ProtectDrive Disaster Recovery 11; (unreadable entry) 11; (unreadable entry) 12; Authorization and Installation 12; What Happens if Internet Access is Unavailable 12; Chapter 3 System Requirements 15; Minimum Hardware Requirements 15; Supported Storage Hardware 16; Device Access Control 16; Supported Operating Systems 17; For Client Management on Server 17; For Client ... 17; Supported Networks 18; Chapter 4 ProtectDrive Software Compatibility 19; DOS Drivers and ... 19; Other Disk Encryption Products and Security Components
207. roblem persists, perform the Standard Recovery Procedure and install ProtectDrive from scratch; if the problem persists, contact SafeNet Support. 3301, VROM, Too many logon attempts; cause: forgotten password, corrupted user database; action: log on as other user, exercise user key recovery, run dispefs.exe. 3302, VROM, I/O error reading disk; cause: corrupted EFS, hard disk failure; action: Standard Recovery Procedure. 3304, VROM, An unknown error has occurred; cause: internal program error; action: Standard Recovery Procedure. Appendix D, System Debug and ACS Error Messages (table columns: Component, Description, Possible Cause, Recovery Action). 3305, VROM, Configuration file has been corrupted; cause: MAC check of configuration file failed, corrupted EFS; action: Standard Recovery Procedure. 3306, VROM, User information has been corrupted; cause: MAC check of user database entry failed, corrupted EFS; action: log on as a different user at pre-boot and let the failed user log on to Windows; the user database entry will be regenerated; alternatively, exercise the user key recovery mechanism. 3308, VROM, ProtectDrive Administrator information has been corrupted; cause: MAC check of ProtectDrive Administrator failed, corrupted EFS; action: log on as a different user at pre-boot and let the failed user log on to Windows; the user database entry will be regenerated; alternatively, exercise user key recov
208. rotectDrive on Windows Logon. Click Apply and then click OK. The System and User Policy data is stored in Active Directory/ADAM and time-stamped in preparation for eventual replication to the client system(s). Replication of the configuration changes to the client(s) will take place in accordance with the update settings located in the Management group. Chapter 8, System and User Management. Pay attention to the Activated/Pending/Deactivated indicator. An example is shown below. The indicator shows the current status of the client's ProtectDrive Pre-boot Authentication. The ProtectDrive client Activated/Deactivated state gets updated in accordance with the settings in the Management group. When the setting of the Activate Pre-boot Authentication option changes, the ProtectDrive client goes through a delayed transitional period, indicated by Pending, before the actual Activated or Deactivated state takes effect. (Example: [x] Activate Pre-boot Authentication, Pending.) In the above example, the indicator tells us that although pre-boot authentication is activated (the check box is selected), no pre-boot users have replicated to the client yet. Therefore, for the time being, all ProtectDrive features are disabled on the system. This may be the case when ProtectDrive is first installed on the system and the System Policy has not yet propagated to it from Active Directory/ADAM. Alternatively, the same ef
209. rt Card/Token and PIN. Fingerprint Log On Screen: After selecting a finger to be read from the FINGER drop-down list, the user will then be prompted to position a finger on the biometric reader to complete the logon process. Single sign on is currently not supported with biometric (fingerprint) logon. The user will be required to log into Windows after logging in to ProtectDrive. Refer to Windows Authentication, starting on page 149. Chapter 9, User Authentication. Windows Authentication: Every time a user successfully logs into Windows, their most current Windows Password propagates to the ProtectDrive Pre-boot User database. Refer to Appendix C for a detailed diagram of the Windows Domain authentication logic flow. Automatic (Single Sign-on Mode is ON): Assuming the ProtectDrive Single Sign-on mode is ON, the user is automatically authenticated into their relevant Windows Domain. Single sign on is currently not supported with fingerprint logon. Manual (Single Sign-on Mode is OFF): In the case of no Single Sign-on, the standard Windows Domain authentication screen will display, if fingerprint authentication is not used, similar to the one shown below (Welcome to Windows, Copyright 1985-2001 Microsoft Corporation: Insert card or press Ctrl-Alt-Delete to begin. Ctrl-Alt-Del helps keep your password secure. Click Help for more i
210. rv/certrqma.asp (Advanced Certificate Request: Certificate Template, Copy of Smartcard Logon; Key Options; Additional Options; Request Format: CMC or PKCS10; Submit). Select the following options as described below. For all other options, retain the default settings. Certificate Template: select Copy of Smartcard Logon. CSP: select RSA Sign-on Manager CSP. Mark keys as exportable: select this check box. Click Submit to continue. The following message displays: Potential Scripting Violation. This Web site is requesting a new certificate on your behalf. You should allow only trusted Web sites to request a certificate for you. Do you want to request a certificate now? Yes. Appendix F, iKey Management. 9. Click Yes to continue. You may note the message Waiting for server response. This may take a few moments. (Microsoft Certificate Services, Advanced Certificate Request: Certificate Template Copy of Smartcard Logon; Additional Options.) (Microsoft Certificate Services, Certificate Issued: The certificate you requested was issued to you. Install this certificate.) Appendix F, iKey Mana
211. rypted areas found. Chapter 11, RapidRecovery Disaster Recovery Tools. Using Recovery Files: If serious system corruption occurs, the ProtectDrive system files may not be accessible. In this case, decdisk.exe requires the backed-up Recovery Files. These files are produced using backup.exe during normal ProtectDrive operation, or obtained from Active Directory at the same time as disk key creation. The following command line syntax example allows the user to select partitions for decryption: decdisk dk \pd diskkeys\computer.dke r rp \pd backups\computer, where \pd diskkeys is the path, computer.dke is the disk key file, and \pd backups\computer is the path to the backup file set, i.e. the recovery file set. After decdisk is run with the use of recovery files, it is necessary to run the rmbr /o command. After the PC reboots, uninstall ProtectDrive. Refer to Recover the Disk on page 168 for additional details. Manually Specifying the Decryption Area: Decdisk decrypts disk areas selectable by sector number using the e est option. The user manually provides the Start and End Sectors and the Algorithm as follows. Partition Information: Disk 1, Start Sector 63, End Sector 16771853, Megabytes 8183, Type Primary Boot. Enter disk number: 1. Enter start sector: 63. Enter end sector: 16771859. Enter Alg (1 DES, 2 3DES, 3 Idea): 3. Disk, Start S
212. s encryption. Enable any or all of these usages, or manually add more certificate usages as needed. Certificate usages that are enabled are highlighted in gray. Chapter 7, Configuring Default System and User Policy. To allow an existing certificate usage, right-click on its name or corresponding OID and then choose Select. Once it is selected, the background will turn gray. (Settings, Allowed Certificate Usages, Friendly Name and OID: Smart Card Logon 1.3.6.1.4.1.311.20.2.2; EFS 1.3.6.1.4.1.311.10.3.4; CA Exchange 1.3.6.1.4.1.311.21.5; RSA Encryption 1.2.840.113549.3...; Select.) To disallow an existing certificate usage, right-click on its name or corresponding OID and then choose Unselect. Once it is de-selected, the background will turn white. To manually add a certificate usage, double-click inside the blank row at the bottom of the list, enter the name and OID, and then press Enter. A new blank row is automatically created. Any item that is manually added is automatically allowed (highlighted in gray). Manually added items cannot be de-selected; they can only be deleted. To delete a manually added certificate usage, right-click on the name or OID and then click Delete. (Settings, Allowed Certificate Usages: Friendly Name, OID, Default; Smart Card Logon 1.3
213. s for the third-party GINA shown below. If any of the IDs are left unspecified, you will be warned that this can create unexpected behavior in the ProtectDrive GINA. (Single Sign On, Windows Authentication dialog: GINA DLL, Please select a GINA dll, Browse; tabs Notice, Logon, Change Password, Ctrl Alt Del; fields Dialog ID, Username control ID, Password control ID, Domain control ID, PIN control ID, OK control ID, Cancel control ID.) Chapter 6, The Multiple Boot System. 6. Either click OK (the settings are stored but not committed) or click Cancel (the settings are thrown away). 7. The GINA configuration dialog closes and the main Single Sign On Assistant dialog box displays. 8. Either click OK or Apply (the settings are committed) or click Cancel (the settings are thrown away). 9. The Single Sign On Assistant exits. Creating a Post-Authentication Account: 1. Run the Single Sign On Assistant. 2. Click Add to create a new account. The Single Sign On Account dialog box displays (Account Name; Client Fields; Logon Command; Command Name; OK, Cancel). 3. Specify a unique name in the Account Name field. 4. Run the application. This will perform the post-authentication account logon. 5
214. se. If this procedure does not fully recover the device, perform the procedures outlined in the next section. Chapter 5, Deploying ProtectDrive. Alternate Recovery Procedure 2: Use Sector 0 Backup Data. In the event that the Standard Recovery Procedure and the first alternate recovery procedure (using RmRMBR) described on the previous pages do not return the device to a reusable state, follow the steps in this section. Contact SafeNet Support prior to attempting this procedure. You must already have a backup of the device's Sector 0 data, from the backup created on page 23, in order to restore the device using the procedure outlined below. The steps in this section will restore the Sector 0 data to the USB flash drive, which will allow the device to be reformatted for reuse. This procedure should be performed on each USB flash drive that is deployed. 1. Insert the USB flash drive into a computer that does not have ProtectDrive installed. 2. Run the dskprobe utility. This utility is included in the Microsoft Windows 2003 Resource Kit and can be downloaded from the Internet. 3. Select File > Open File. Open the file with the saved Sector 0 data for this USB flash device. 4. Select Drives > Physical Drive. 5. Double-click the last drive in the list, which should be the USB flash drive. It will appear under Handle 0 at the bottom of the screen. 6. De-select the read-only
215. (Table of Contents, continued) ... 177; RMBR.EXE MBR Recovery Utility 178; RMBR Initial States Check 178; RMBR Version Compatibility Check 179; Restoring the ProtectDrive MBR (RMBR) 179; Restoring the Original MBR (RMBR /O) 180; Chapter 12 Troubleshooting and Reporting Information 181; Switch from the Default to Legacy Pre-boot (Temporary) 181; Switch from the Default to Legacy Pre-boot (Permanent) 181; Disk Encryption W... (unreadable entry) 181; ProtectDrive User Authentication Activity Tracking 182; Incorrect Pre-boot Username and/or Password 182; Pre-boot Log On Failure Due to System Inoperability 182; Disallowed Device Access Error 183; Disallowed Local Windows Authentication Error 183; Disallowed Post-boot Windows Domain Authentication Error 183; Event Viewer Log 184; Active Directory/ADAM Reporting Script 185; ProtectDrive Server with Active Directory ...
216. sistant.exe file. This file is located in the install folder, C:\Program Files\SafeNet\ProtectDrive. [Screenshot: Single Sign-On Assistant, showing the Windows Authentication field (Standard Windows Logon) and the Post Authentication Accounts list.] Windows Authentication. The Windows Authentication field allows users to choose the GINA they would like ProtectDrive to work with. The selections are: Standard Windows Logon (msgina.dll); RSA Sign-On Manager Logon or RSA Secure Logon (3gina.dll); Third-party Logon. Support for the Windows and RSA GINAs is provided with ProtectDrive (refer to the RSA SOM Support section below), whereas a third-party logon must be configured by the user. Configuration of third-party GINAs allows the selection of the GINA DLL and manual entry of the dialog and control IDs for the GINA. These settings are stored in the registry for pevgina.dll to access during Windows startup. Post Authentication Accounts. Post Authentication Accounts allow users to log on to multiple accounts that provide network services. There are specific user configurations which can benefit from using post authentication accounts; refer to the Third Party Product Support section on page 97. You can add an unlimited number of fields to each account. Each field is configured by specifying which control in the application dialog box to fill with the required information (Username, Password or Domai
217. stalling/enabling ADAM or AD LDS in Chapter 5, all other references to ADAM in this document imply both ADAM and AD LDS. ProtectDrive clients can be centrally managed by either Active Directory or ADAM. They function virtually the same with either one. The primary difference between Active Directory and ADAM is the way in which schemas are applied: > With Active Directory, all domain controllers use the same schema. Schema changes are forest-wide. > With ADAM, there can be only one ADAM configuration set, consisting of a unique ProtectDrive ADAM instance and any number of replicated ProtectDrive ADAM instances with their own schema, and they are completely independent from the Active Directory schema. After a unique ADAM instance is created, replica instances for it may also be created, each of which replicates one or more directory partitions from the unique instance. ADAM replications can be created as a backup precaution. In the event the primary ADAM server is inaccessible, the clients can continue to be updated via a replicated secondary ADAM instance until the primary ADAM server is available again. If more than one instance is created, the system will randomly select an instance to take over for the primary. For details on creating a unique ADAM instance and ADAM replication, refer to the Directory Preparation
218. stem at Pre-boot. In these isolated instances an error screen will display an ACS Error Number, as shown in the example below. The user must communicate the error to the System Administrator. [Error screen: Error ACSO301.] Refer to Appendix D for a complete list of ACS Error Codes. Disallowed Device Access Errors. The ProtectDrive Administrator can configure the system to disallow user access to specific devices such as ports or removable media. If a user whose device access control permissions are disabled attempts to access a certain device, a message similar to the following will display: [Dialog: My Computer: E:\ is not accessible. Access is denied.] If this occurs, the user should contact their System Administrator for further assistance. Disallowed Local Windows Authentication Error. If the Allow Local User Access authentication System Policy option is disabled and the user attempts to authenticate post-boot into the Local Windows by specifying the Local System Name in the Domain field of the Windows Log On screen, then the following error will display: "Local user logons are not permitted with the current ProtectDrive configuration." Note that if the Allow Local Password Access and Allow Domain Password Access options are both disabled, then pressing CTRL+ALT+DEL will have no effect. Similarly, if the Allow Domain Token
219. [Screenshot: Local Management Console Status tab, showing the Fixed Disks list with Configured Algorithm and Current Algorithm columns (algorithm choices None, AES256, AES192, AES128, IDEA, 3DES, DES), the Removable Drive Protection Progress group, and the Update Status group: Last Configuration Change 1/6/2011 11:00:10 AM, Last Client Update 1/8/2011 4:15:16 AM, Client Status Message: Update successful.] If you wish to decrypt any of the encrypted partitions, set the Configured Algorithm to None. In the following example, drives E and F are configured for decryption, which will take place as soon as the policy data replicates to the client in accordance with the Updates settings in the Client Configuration group. [Screenshot: Status tab with drives E and F set to Configured Algorithm None while the Current Algorithm is still shown; Update Status: Last Configuration Change 1/6/2011 11:00:10 AM, Last Client Update 1/8/2011 4:15:16 AM, Client Status Message: Update successful.]
220. t Components that you wish to install.
Server Components:
Remote Recovery Console: This selection installs rpadmin.exe, the Remote Recovery Console. Refer to Chapter 10, Extraordinary Authentication Scenarios, for additional information.
AD/ADAM Preparation Utility: This selection installs the ProtectDrive Preparation Utility for ADAM/Active Directory Schema Extensions. Refer to page 55 for details on this utility.
Management Console: This selection installs the Management Console, which includes the Active Directory Users and Computers MMC, ProtectDrive Management and ProtectDrive Reports snap-ins. These snap-ins are required to manage the ProtectDrive System and User policy from the server and to view various status reports, such as the Update Status report (shows which clients have up-to-date settings and the last time they were updated) and the Encryption Status report (shows which clients are not encrypted, which are, and with what). The sub-feature Management Console Desktop selection adds a shortcut named ProtectDrive Management Console to the Windows desktop.
Administration Guide: This selection installs the SafeNet ProtectDrive Administration Guide.
Client Components:
Local Management Console: This selection installs the Local Management Console (LMC) application, which is used to
User Manual: ...
221. t System and User policies. Only Active Directory schema changes are forest-wide. > Prepare/configure each domain for remote client management by creating a Default Configuration Object. By default, all new clients in the domain will automatically be linked to the Default Configuration Object in the ADUC snap-in in the ProtectDrive Management Console. You must be logged in as the domain's administrator to perform this task. For details on the Directory Preparation Utility, refer to page 55. ProtectDrive Recovery Files and Key Management. During a ProtectDrive installation a recovery file set can be created. These files are required to perform disaster key recovery and emergency logon procedures. Alternatively, these files can also be created prior to an installation by using the Certificate Wizard utility located in the Tools directory on the ProtectDrive distribution CD. A recovery file set consists of the following: > Master Security Certificate (MSC): The PdMaster.cer and PdMaster.pfx files make up a public/private key pair. PdMaster.pfx is used to extract Disk Key Recovery information using the Remote Recovery Console (rpadmin). The PdMaster.pfx file is intended to be private and as such it must be securely stored and only accessible to individuals who can perform disaster recovery. PdMaster.cer is the public ke
222. t button to specify which partitions on the client will be encrypted. [Screenshot: Status tab, Fixed Disks, all drives with Configured Algorithm None and Current Algorithm None; algorithm choices None, AES256, AES192, AES128, 3DES, DES; Update Status: Last Configuration Change 3/6/2010 11:00:10 AM, Last Client Update 3/8/2010 4:15:16 AM, Client Status Message: Update successful.] [Screenshot: Status tab with drives E and F set to Configured Algorithm IDEA and another drive set to DES while the Current Algorithm is still None; Update Status: Last Configuration Change 3/6/2010 11:00:10 AM, Last Client Update 3/8/2010 4:15:16 AM, Client Status Message: Update successful.] Ongoing encryption progress is indicated by half-shaded disk drive icons, as follows (drive F on the left and drive G on the right). [Screenshot: Status tab showing the half-shaded drive icons during encryption, with the Update Status group: Last Configuration Change, Las
223. tDrive Administration Guide, Chapter 10 Extraordinary Authentication Scenarios. 2. Contact your System Administrator, either in person or by phone, and communicate to them the displayed Recovery Code (Challenge). 3. In return, the Administrator will communicate to you the Response Code. Enter this code into the Enter response below field, shown below. [Screenshot: Enter response below field.] 4. At this point Windows will proceed to load normally and will either log you on to Windows automatically or manually, depending on how the System Administrator configured ProtectDrive. System Administrator Instruction. The user will perform the procedure on the previous page and contact the System Administrator. In turn, the System Administrator will use the Recovery File Set originally created after the ProtectDrive install to perform the following steps to complete the emergency logon procedure. 1. Run rpadmin.exe, located in Program Files\SafeNet\ProtectDrive on the server. The ProtectDrive Remote Recovery Console window displays. 2. Click the Emergency Logon tab. 3. In the Recovery Support Certificate/Key section, select the appropriate Recovery Support Certificate/Key option: Personal Store: If you select this option, you must have the user's private recovery key certificate copied from their Personal Store to your machine. PFX File: If you select this option, click [...] and then browse to and open the user's private PARecov
224. tacted via the Internet connection and will in turn provide an authorization code to allow the installation to continue. 7. Choose the appropriate ProtectDrive configuration method. Select Client Configuration for stand-alone installations, or select Remote Configuration for remote configuration using Active Directory/ADAM, and then click Next. [Screenshot: SafeNet ProtectDrive InstallShield Wizard, Configuration Method page: "Select Remote Configuration if you wish to administer ProtectDrive using Microsoft Active Directory or Active Directory Application Mode (ADAM)", with Client Configuration and Remote Configuration options.] If you select the Client Configuration method, then the Advanced > Management update options in the Local Management Console will be unavailable, because those options only apply to Active Directory/ADAM. 8. Choose the appropriate recovery file set option and then click Next. [Screenshot: SafeNet ProtectDrive InstallShield Wizard, Recovery File Options page: "A recovery file set can be generated once and used in subsequent installations", with the options Generate new Recovery File Set and Select existing Recovery File Set, and the Back, Next and Cancel buttons.] If the client installation is to be remotely configured (as determined in step 7), then the Recovery File Set must have alrea
225. tallation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard. (Ready to Install the Program.) 9. When the installation is complete, the following screen displays. [Screenshot: SafeNet ProtectDrive InstallShield Wizard, InstallShield Wizard Completed: "The InstallShield Wizard has successfully installed SafeNet ProtectDrive. Click Finish to exit the wizard", with the Launch Directory Preparation Utility check box.] > Leave the Launch Directory Preparation Utility check box enabled if you want PDDirPrep to run immediately after the installation is complete. Refer to the next section for more information on this utility. > De-select the Launch Directory Preparation Utility check box if you do not want PDDirPrep to run immediately after the installation is complete. 10. Click Finish. When the installation completes, a shortcut named ProtectDrive Management Console is added to the Windows desktop. What are the ProtectDrive Administrative Management Tools? Make sure you have configured the schema and domain by using the Directory Preparation Utility (PDDirPrep) prior to installing the Administrative Management Tools. Otherwise, errors will occur when they are run, such as "object not found" or "attribute does not exist". The ProtectDrive Administrative Manage
226. tems members of a Windows Domain. When deploying ProtectDrive Client Side components on systems containing multiple hard disks, disk0 must be the drive where ProtectDrive is installed. Custom Graphics File. In addition to the installation files shown in the example below, a custom graphics file (named ACS.GIF or hires.gif, for example) may also be placed in the \Install directory. This graphics file, created by SafeNet, includes the customer-specific artwork that will appear as part of the various ProtectDrive pre-boot authentication and/or system recovery display screens. If this file is present, the ProtectDrive installer will automatically include this file as part of the Client Side Component installation. Install the ProtectDrive Client Side Components. If you are deploying ProtectDrive on a Windows 7, Windows Vista or Windows Server 2008 client, run Setup.exe, located in the same directory, instead of SafeNet ProtectDrive.msi.
Name | Size | Type | Date Modified
1031.mst (German) | 103 KB | MST File | 1/5/2011 5:41 PM
1033.mst (English) | 4 KB | MST File | 1/5/2011 5:41 PM
1041.mst (Japanese) | 98 KB | MST File | 1/5/2011 5:41 PM
SafeNet ProtectDrive.msi | 23,317 KB | Windows Installer Package | 1/5/2011 5:42 PM
Setup.exe | 56 KB | Application | 1/5/2011 5:39 PM
Changing the Default Language. The default language for the ProtectDrive installation wi
227. the current ProtectDrive installation, the following message displays:
Found super block at sector 1893443
Incorrect super block. Continuing search...
If a valid super block is located, RMBR will display the version and ask the user for verification, as shown below:
Found super block at sector 1893443
ProtectDrive v8.1
Is this the correct version of ProtectDrive (Y/N)?
If the version is not correct, enter N and rmbr will continue. If the version is correct, enter Y and the following displays:
ProtectDrive MBR restored
Current MBR is the ProtectDrive MBR
Restoring the Original MBR. This option replaces the current MBR with the original system MBR that ProtectDrive saved during installation. This is only supported if there are no currently encrypted drives present on the system; otherwise, decrypt before proceeding. Chapter 12 Troubleshooting and Reporting Information. Switch from the Default to Legacy Pre-boot (Temporary). In the unlikely event that you wish to temporarily change from the default pre-boot environment to the legacy pre-boot environment, perform the following steps to adjust the ProtectDrive settings. 1. While rebooting the system, press and hold the Shift key. 2. When th
228. ting for the client to update to the state that is currently set on the server. Deactivated: Pre-boot authentication is turned off. When deactivated, previously encrypted drives will be decrypted. When reactivated, ProtectDrive resets all user passwords to the configured initial pre-boot password, which may be explicitly defined in PD Settings > Advanced > Password Policy, where the default password is set to be equal to the username or set to a designated default (the pre-set default is "password"). Deactivating Pre-boot Authentication will remove all users from the client system's ProtectDrive Pre-boot User database. When Pre-boot Authentication is reactivated, all users (Windows Domain users and local Windows users) will be re-added automatically. Authentication Methods. To gain access to a system protected by ProtectDrive, authentication at both the Pre-boot and Windows access levels is mandatory. One or a combination of local user password, domain and token domain authentication methods will be available to users at the Pre-boot and Windows access levels, as determined by the settings made in the Authentication Methods group box. These authentication methods are described in detail below. To make an authentication method available to users, select either the Windows, the Pre-boot or both check boxes next to the method, according to the security policy requirements that apply in the organization. At least one check box
229. tion is enabled at the Windows level if the Allow Local User Access and/or Allow Password Domain User Access check boxes are selected. Single sign-on is currently not supported with fingerprint logon. Allow Emergency Logon Without Username: When enabled, newly created Windows Domain or Local Windows users may invoke the Emergency Logon Without Username Procedure. This allows one-time-only pre-boot access to the system for all users who do not yet have a ProtectDrive Pre-boot user account. This option is available only if at least one of the following Pre-boot Authentication Method options is selected: Allow Token Domain User Access or Allow Shared Key Access. Allow Emergency Logon for Token Users: If this option is enabled, smart card/token users who have misplaced their token or forgotten their PIN are permitted to invoke the Emergency Logon for Token Users Procedure. This procedure allows one-time-only pre-boot access to the system without the need of a token. Allow Users to Register Shared Key: When this option is enabled, users are allowed to register a shared key for authentication in the Local Management Console. In addition, this option must be enabled to display the Shared Key menu selection (shown right) when the ProtectDrive icon [Screenshot: ProtectDrive icon menu with the entries Local Management Console, Lock Computer, Shared Key and About SafeNet ProtectDrive.]
230. tions; not recommended for third-party disk recovery, as this option may decrypt the wrong disk.
Estimates the region intended for decryption and forces the /r option.
Uses Recovery Files for the decryption operation.
Specifies the path to the Recovery File (points to the backup file set created with backup.exe).
This option must always be used. It specifies the encrypted diskkey file used for disk key recovery. Can be used in conjunction with the /r option.
Allows the user to read the diskkey from the encrypted .dke file.
Restores the original MBR.
Selects the installation partition. Default: User specified / Current directory.
Decdisk will initially display a Partition Information section for all known hard disks. The output will be similar to the example shown on the next page. If you notice an incorrect disk number in the Encryption Information section in the decdisk output, exit decdisk and re-run it with the /e option to enter the correct information manually.
Partition Information
Disk  Start Sector  End Sector  Megabytes  Type
1     63            16771859    8189       Primary (Boot)
1     16771923      78140159    29964      Logical
2     63            417689      203        Primary
2     417690        10217339    4784       Primary
2     10217403      12498569    1113       Logical
Area  Disk  Start Sector  End Sector  Algorithm  Megabytes  Enc'ed   Type
P1    1     63            16771859    3DES CBC   8183       100.00   Primary
231. to import during the installation. Set it to 1 to only import users from the file specified in ERA_CONFIG_FILE_XML_PATH. Set it to 2 to only import data from the file specified in ERA_CONFIG_FILE_XML_PATH. Set it to 3 to import users and data from the file specified in ERA_CONFIG_FILE_XML_PATH. This property defines the absolute path that contains the .xml file of the ProtectDrive client configuration settings. This file can be imported to each client that shares the same salt.cid. The ProtectDrive installation looks for the .xml file in the current folder where SafeNet ProtectDrive.msi is located. Refer to page 91 for more on importing the client configuration .xml file. This property is intended for use in upgrades only, to save/restore the FIPS flag during the upgrade. This property is set to 1 by default to use the FIPS-approved crypto. Set it to 0 to use the non-FIPS-approved crypto. If set to 0, performance is enhanced and a secure Common Criteria EAL 4 approved non-FIPS library is used. This property is set to 0 by default. Set it to 1 to install the Active Directory/ADAM Computer Object snap-in, the Active Directory/ADAM User Object snap-in and the ProtectDrive Management Console. Further properties (descriptions cut off): ERA_INSTALL_ADMIN_GUIDE, ERA_INSTALL_CLIENT, ERA_INSTALL_KEY_RECOVERY, ERA_INSTALL_LOCAL_MC, ERA_INSTALL_USER_MANUAL, ERA_KM_
232. to save these settings in Active Directory/ADAM; clicking OK or Apply will not save these permissions in Active Directory/ADAM. License Manager Tab: View/Install/Update License. ProtectDrive ships with a 30-day evaluation (trial) license. The trial license or full license is installed during the ProtectDrive installation. You must have a valid license to install a full license. Features (for example, Removable Media) are enabled or disabled based on the installed license or authorization code. The License Manager tab in the Local Management Console displays information about the ProtectDrive license(s) that are currently installed. After ProtectDrive is installed, use the License Manager tab (shown below left) to upgrade from the trial version or upgrade an expired license. When a license expires, a nag screen (shown below right) will continue to display periodically until a valid license is installed. [Screenshot left: Local Management Console, License Manager tab (alongside PD Settings and PD Users), License Information: Feature name ProtectDrive_Base, ID SafeNet, License type Trial (Standalone), License start date Mon Jan 01 00:00:00 2011, Trial period 30 day(s), 15 day(s) 4 hour(s) 57 min(s) left, License Status Normal, 1 license(s) installed.] [Screenshot right: License Manager nag screen: "Your license has expired. Please install a valid license."]
233. tomizing the MSI Package. If silent installation is desired (GPO deployment, for example), the System Administrator must set all the required parameters of the Property table to require no user interaction during installation. This may be achieved by modifying the MSI package. An MSI is a database of tables, and System Administrators can tune or customize SafeNet ProtectDrive.msi as needed. There are a number of publicly available tools that can be used to customize the MSI package. For example, Microsoft provides a free database editor called Orca. Refer to the following Web site for more information on Orca: http://support.microsoft.com/kb/255905/EN-US/ ProtectDrive MSI Properties. The MSI properties described below can be added (if not already present in the .msi file) and/or modified for a ProtectDrive installation: ERA_CLIENT_CONFIGURATION_ONLY, ERA_CONFIG_FILE_IMPORT_FLAGS, ERA_CONFIG_FILE_XML_PATH, ERA_ENCRYPT_USE_FIPS, ERA_INSTALL_AD_MC. ERA_CLIENT_CONFIGURATION_ONLY: This property defines the type of client configuration to install. Set it to 1 to configure the client locally via the Local Management Console (this will disable Active Directory/ADAM updates). Set it to 0 to remotely configure the client via Active Directory/ADAM on the server (this will disable local changes via the Local Management Console). ERA_CONFIG_FILE_IMPORT_FLAGS: This property defines the XML file
234. tory server to be unresponsive. There are several reasons why an SCP is not removed. Some possible causes are: Active Directory was unavailable during un-installation, or the SCP was created manually. An SCP must be removed before a new ProtectDrive ADAM instance can be created or before ProtectDrive can use Active Directory for storage. The procedure on page 33 requires the ADSIEdit utility to remove the ADAM SCP. Network administrators can use this utility to view and make changes to Active Directory. ADSIEdit features are similar to the Active Directory Users and Computers (ADUC) MMC snap-in, but the ADSIEdit utility provides a lower-level view of Active Directory information. Install ADSI Edit. The ADSIEdit utility is included when Windows Server 2003 Support Tools are installed from the product CD. Alternatively, you can download ADSIEdit from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=100114. For details on how to install ADSI Edit on various operating systems, refer to the following Microsoft Web page: http://technet.microsoft.com/en-us/library/cc773354(WS.10).aspx. For more information on ADAM SCPs, refer to the Administering ADAM service publication at http://technet.microsoft.com/en-us/library/cc736338(WS.10).aspx. Remove the ADAM Instance. 1. From the Windows Start menu, go to Add/Remove Programs
235. ubcomponents will be installed, which may cause errors. [Screenshot: Windows Components Wizard, Windows Components page: "You can add or remove components of Windows. To add or remove a component, click the checkbox. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details." The list shows Accessories and Utilities, Active Directory Services, Application Server (33.4 MB), Certificate Services (1.4 MB) and Distributed File System (7.7 MB), with Active Directory Services selected; total disk space required 154.4 MB, space available on disk 6214.1 MB.] 4. Click Details. 5. Select the Active Directory Application Mode (ADAM) check box. Do not select the other subcomponents. [Screenshot: Active Directory Services subcomponents: Active Directory Application Mode (ADAM) selected; Active Directory Federation Services (ADFS) and Identity Management for UNIX not selected.] 6. Click OK. 7. Click Next. The components will be installed. [Screenshot: Windows Components Wizard, Configuring Components: "Setup is making the configuration changes you requested", followed by an Insert Disk prompt.] 9. Click Finish to complete the procedure. [Screenshot: Completing the Windows C
236. uide, Chapter 5 Deploying ProtectDrive. 10. The system will proceed to collect entropy to generate the recovery files. Move the mouse, and then click OK when it is completed. [Screenshot: SafeNet ProtectDrive Key Generation: "Please move the mouse while entropy is collected", followed by "Select OK to continue" and the OK button.] 11. A prompt similar to the one shown below will display if the recovery files were successfully created. Click OK to continue. [Screenshot: SafeNet ProtectDrive InstallShield Wizard: "The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard." (Ready to Install the Program.)] 13. When the following screen displays, click Finish. [Screenshot: SafeNet ProtectDrive InstallShield Wizard, InstallShield Wizard Completed: "The InstallShield Wizard has successfully installed SafeNet ProtectDrive. Click Finish to exit the wizard."] 14. When prompted, click Yes to restart the PC. [Dialog: SafeNet ProtectDrive Installer Information: "You must restart your system for the configuration changes made to SafeNet ProtectDrive to take effe
237. user is then responsible for ensuring that the computer is treated in accordance with organizational security policies for the level of information available. Administrators of ProtectDrive are responsible for ensuring that the underlying operating system is correctly configured and complies with organizational security policies. If the computer on which ProtectDrive is installed is a part of a network domain, then the domain security policies must be correctly configured and comply with organizational security policies. Password Policy. The operating system password policy must be configured in accordance with organizational policies and be consistent with ProtectDrive requirements. The following minimum settings should be used:
Enforce Password History: 7 passwords
Maximum Password Age: In accordance with organizational policy
Minimum Password Age: 1 day, or greater if required by organizational policy
Minimum Password Length: 6 characters, or greater if required by organizational policy
Passwords Must Meet Complexity Requirements: Enabled
Store Password Using Reversible Encryption: Disabled
Screen Lock Feature. The operating system Screen Lock feature must be enabled and configured in accordance with organizational requirements. If the Screen Lock feature is not enabled and configured correctly, ProtectDrive security features may be subverted. Appendix E Additional Guidance Rega
238. ust be a member of the Schema Admins group to perform this task. Perform this task to extend the Active Directory or ADAM schema to include attributes needed for ProtectDrive data storage. For Active Directory, extend the directory schema on the primary domain; it is automatically replicated to all child domains. Only Active Directory schema changes are forest-wide. If ADAM is being used, this task cannot be performed until an ADAM instance has been created on the domain. 1. Click Extend Directory Schema. 2. The system will verify whether an ADAM configuration set exists. If one exists, then the unique ADAM instance is extended. If one does not exist, then the user/administrator is prompted to confirm the extension of the Active Directory schema. If this prompt displays, click Yes to continue. [Dialog: SafeNet ProtectDrive Directory Preparation Utility: "No SafeNet ProtectDrive ADAM instance found for this domain. Active Directory Schema will be extended. NOTE: If you have recently installed a SafeNet ProtectDrive ADAM instance, its existence may not have replicated through AD yet. You should cancel and retry later. Would you like to proceed and extend Active Directory Schema?" (Yes/No)] 3. The status window displays the action(s) being performed. Information is also logged to the PDDirPrep log file. 4. Proceed to the Prepare Domain task. P
239. utes ... 98
Configuring After ProtectDrive Installation Over an Existing System 98
Configuring After Installing Additional Software to the ProtectDrive System 98
Changing Chained GINA 99
Setting GINA Configuration 99
Creating a Post Authentication Account 100
Modifying a Post Authentication Account 102
Removing a Post Authentication Account 102
Creating a Post Authentication Account Field 103
Modifying a Post Authentication Account Field 104
Removing a Post Authentication Account Field 105
Exporting SSO Settings 105
Chapter 7 Configuring Default System and User Policy 106
Configure Default Settings in Active Directory Users and Computers (ADUC) MMC Snap-in 106
Configure Default Settings in ProtectDrive Management Snap-in 108
PD Settings Tab: Configure the Default System Policy 109
Authentication Settings 109
Advanced Settings: Accessibility Options 114
Advanced Settings: Allowed Certificate Usages 116
Advanced Settings: Default Permissions (Device Access) 118
Advan
[Screenshot residue: Local Management Console window (Minimize, Close Alt+F4). Options shown: Import Users and Data, Import Users Only, Import Data Only, Encrypt/Decrypt, Removable Drive Protection; progress columns Drive, Size (MB), Percent, Time Remaining; Update Status; Last Configuration Change: Never; About; Cancel.]

4. Select a location to save the .xml file and then click Save. The default filename is PDConfig.xml.

   [Save As dialog: Save in: C:\PD Client Settings; File name: PDConfig.xml; Save as type: XML File (*.xml); Save, Cancel.]

5. Click OK when the file is successfully exported and saved. You can now import this file (its user or data settings, or both) to multiple clients as needed. Refer to the next section for step-by-step instructions.

   [Local Management Console message: Export to C:\PD Client Settings\PDConfig.xml successful.]

Importing the Client Configuration Settings XML file

If you have saved the ProtectDrive client settings from another client PC to an .xml file, you can import the user or data settings, or both, to other client PCs that should have the same configuration. This .xml file is encrypted using the salt.cid file used for…
…will automatically take effect when a workstation is left unattended for at least 10 minutes.

If the 32-bit version is already installed and there is a need to revert to the legacy 16-bit version, press the Shift key while the PC is booting (on some machines the Shift key should not be pressed too early in the boot process). The PC will start in 16-bit pre-boot one time only, until the next reboot occurs.

SafeNet Inc. 3 | ProtectDrive Administration Guide | Chapter 2 ProtectDrive Functional Description

ProtectDrive is capable of pre-boot authenticating users on stand-alone (Local Windows only) and Windows Domain systems. In addition to local password or domain password logon, the following user authentication credentials are supported by ProtectDrive:

Smart Card/Token and PIN/Fingerprint: This method of user authentication requires a token or smart card and is used for Windows smart card/token logon in an Active Directory environment. If fingerprint authentication is used, then the smart card/token must be initialized as PKI cards with BSEC middleware version 7.1.1 or higher prior to installing ProtectDrive. If ProtectDrive was installed before BSEC middleware, please contact SafeNet Technical Support. For BSEC installation and configuration details, refer to the Borderless Security PK and SSO Administration Guide.

Shared Key Token (iKey 1000) and PIN: This method of user authentication requires the presence of a sh…
…y component of the Master Security Certificate (MSC) and is intended to be used on each installation.

Recovery Support Certificate (RSC): The PdRecovery.cer and PdRecovery.pfx make up a public/private key pair. PdRecovery.pfx is used for Emergency Logon in the Remote Recovery Console (rpadmin). The PdRecovery.pfx file is intended to be private and, as such, it must be securely stored and only accessible to individuals who can perform password recovery, for example Help Desk Support personnel. PdRecovery.cer is the public key component of the Recovery Support Certificate (RSC) and is intended to be used on each installation.

Salt: The salt.cid file is used to permit the sharing of removable media between ProtectDrive PCs.

Recovery Envelope: This RecoveryEnvelope.env file is created for every client PC and is required for Emergency Logon using the Remote Recovery Console utility (rpadmin). The client name is included in the file name as follows: <computer name>_RecoveryEnvelope.env.

For details on the Certificate Wizard utility, refer to page 25. For details on the rpadmin utility, refer to Chapter 10.

ProtectDrive Disaster Recovery

For stand-alone ProtectDrive installations, disaster recovery preparation begins with periodic ProtectDrive system data backups. The ProtectDrive backup utility creates recovery files which…
…y logon procedures. Refer to page 55 for more information on these tools.

Prepare the Windows Domain

The Directory Preparation Utility (PDDirPrep) is used to prepare the Windows domain for ProtectDrive. PDDirPrep is used to create a unique ADAM instance (and replicas of the ADAM instance) with a signed Master Security Certificate, extend the Active Directory or ADAM schema, and prepare the domains to remotely manage the ProtectDrive clients.

Run the PDDirPrep utility prior to running the ProtectDrive Administrative Management Tools Installation. Otherwise, the management tools will report errors such as "Object Not Found" until PDDirPrep has been used to prepare the domain.

[Screenshot: SafeNet ProtectDrive Directory Preparation Utility. The dialog lists its tasks: create an ADAM (Active Directory Application Mode) instance on this machine to hold the SafeNet ProtectDrive configuration in the domain, as an alternative to using Active Directory natively; extend the directory schema with SafeNet ProtectDrive attributes (status: Passed); create SafeNet ProtectDrive management objects and configure domain security descriptors to allow computer objects to … settings to/from the directory. A View Log File button is also shown.]

It is only necessary to run PDDirPrep once per forest to extend the directory schema and once per domain to prepare the do…
…y system administrators only.

PEPREP enables an authorized user, such as a Help Desk representative, to boot from a WinPE recovery disk (such as a USB drive or CD/DVD configured for WinPE) to a machine with ProtectDrive installed, and allows transparent encryption/decryption from the encrypted drive. During the recovery process, PEPREP copies files into a WinPE image before the image is built and injects the appropriate disk key when WinPE is running.

Sample Scenario: A user's encrypted laptop or PC can no longer boot (through no fault of ProtectDrive) and she needs immediate access to critical files. PEPREP can assist an authorized Help Desk representative to recover the individual files within 30 minutes. Once recovered, these files can be copied over to a functional machine and the end user can quickly resume her work. Later, as time allows, the Help Desk representative can take the time needed to recover the entire laptop or PC.

Currently ProtectDrive's WinPE support is intended only for systems with a functional ProtectDrive installation. If ProtectDrive files are corrupted, then PEPREP will not correct the problem.

Create the WinPE Bootable Recovery Disk

The following steps create a basic WinPE bootable ISO image. For more information on creating a WinPE image, go to http://technet.microsoft.com/en-us/default.aspx.

1. Download and install Microsoft's Windows Automated Installation Kit (WAIK). This can be downl…
[Screenshot: Microsoft Certificate Services welcome page: "…y your identity to people you communicate with over the Web, sign and encrypt messages and, depending upon the type of certificate you request, perform other security tasks. You can also use this Web site to download a certificate authority (CA) certificate, certificate chain, or certificate revocation list (CRL), or to view the status of a pending request. For more information about Certificate Services, see Certificate Services Documentation." Select a task: Request a certificate; Download a CA certificate, certificate chain, or CRL.]

213 | ProtectDrive Administration Guide | Appendix F iKey Management

4. Click Request a certificate. The following screen displays:

   [Screenshot: Microsoft Certificate Services, Request a Certificate. Select the certificate type: User Certificate. Or, submit an advanced certificate request.]

   [Screenshot: Microsoft Certificate Services, Advanced Certificate Request. The policy of the CA determines the types of certificates you can request. Click one of the following options to: Create and submit a request to this CA.]

6. Click Create and submit a request to this CA. The following screen displays:

   [Screenshot: Microsoft Certificate Services…]
…you a license.

1. Open the Local Management Console on the client.
2. Click the License Manager tab.
3. Click Lock Info.

   [Screenshot: Local Management Console, License Manager tab (other tabs: PD Settings, PD Users). License Information: Feature name: ProtectDrive_Base; Feature version: 9.2; ID: SafeNet; License type: Trial Standalone; License start date: Mon Jan 01 00:00:00 2010; Trial period: 30 day(s), 29 days 23 hour(s) 45 min(s) left. Lock information: Machine ID Selector. License Status: Normal, Code 0x1F122. You have 1 license(s) installed (1/1). Buttons: License or Authorization, Lock Info, Cancel, Apply.]

4. Read the Lock Information to the SafeNet Support representative.
5. The SafeNet Support representative will generate a license code and e-mail it to you in the form of a license.txt file. Use this file to complete the full-license ProtectDrive client installation. Make sure you copy this file to a location that the client PC can browse to during the installation procedure.

Any time the license changes, it is good practice to run the backup.exe utility to ensure your recovery files are up to date. Refer to Chapter 11 for details on the backup utility.

Upgrade to a full license: Refer to page 133 for detailed step-by-step instructions to complete the li…
…zard is English. Use a different MST file, as shown in the example above, to change the language. As an example, to change the ProtectDrive installation to Japanese, go to the DOS prompt and type the following command line:

msiexec.exe /i "SafeNet ProtectDrive.msi" TRANSFORMS=1041.mst

2. When the Welcome screen displays, click Next.

   [Screenshot: SafeNet ProtectDrive InstallShield Wizard. "Welcome to the InstallShield Wizard for SafeNet ProtectDrive. The InstallShield(R) Wizard will install SafeNet ProtectDrive on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties."]

3. Read and accept the License Agreement and then click Next.

   [Screenshot: SafeNet ProtectDrive InstallShield Wizard, License Agreement. "Please read the following license agreement carefully. SafeNet ProtectDrive SOFTWARE LICENSE AGREEMENT. IMPORTANT: READ THESE TERMS CAREFULLY BEFORE DOWNLOADING, INSTALLING OR USING THIS SOFTWARE. BY DOWNLOADING OR INSTALLING THIS SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS LICENSE AGREEMENT, THAT YOU UNDERSTAND IT, AND THAT YOU AGREE TO BE BOUND BY ITS TERMS. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT, YOU MAY NOT INSTALL OR USE THIS SOFTWARE. 1. Grant of License for Personal Use…" Options: (o) I accept the terms in the license agreement; ( ) I do not accept the terms in the license agreement.]