DriveLock Installation Guide 7.5
Contents
1. Connection test detected server version rein 5 050 Select an installation action O Install a new DriveLock database 1 Check Update an existing DriveLock database Select the database server type Microsoft SQL Server or Oracle Type the name of the database server and if required the name of the database instance To confirm that DES can connect to the server click Test Connection Select Import a DriveLock 5 5 R2 database as the installation action and then click Next The target database is automatically selected from the current DES settings Type the server name and the database name of the source database and then click Check connection Both connections must be successfully validated before you can proceed Click Next Select the data types to be imported into the new database e Accounts and permissions Existing accounts and general permissions e Device Scanner data Information about computers drives and devices that was created by the Device Scanner DriveLock Installation Guide 7 5 56 2015 CenterTools Software GmbH x rive Lock Migrating a Legacy Database e Events All event information e SRC File Cache path The folder used for the Security Reporting Center file cache By default this is C Program Files CenterTools DriveLock Security Reporting Center SRCFileCache e Container recovery data Data that is required to reset passwords of encrypted removable medi2. HTTP Type the path and file name for the configuration file You can use a local path ora UNC path When using a local path you must copy the configuration file to all client computers MFileserver Share ConfigFile cfg lt Back Cancel Specify the location from which the DriveLock Agent will retrieve the configuration file You can specify a UNC path an FTP location or an HTTP location You can also specify a local path that can be accessed by the local System account for example C Windows DLConfig After entering the location of the configuration file click Next Specify the user credentials that are used to access the configuration file e Local System DriveLock will connect to the configuration file by using the local System account on the client computer This is the recommended setting if the configuration file is stored locally on client computers e Service Account DriveLock will use the account you specify This account must have permissions to access the file on the remote server The account password will be stored in an encrypted format e Anonymous If you have selected either an FTP or HTTP path tyoe Anonymous as the name of the service account and leave the password blank The FTP or HTTP server must allow anonymous access to the configuration file DriveLock Installation Guide 7 5 36 2015 CenterTools Software GmbH W rivelock stro oct DriveLock Agent service account pas Choose the acco
3. CADriveLock DriveLockAgent msi a Target MS package C DriveLock DriveLockAgentCSP msi Type the name and location for both files and then click Next to generate the new MSI file You can use the modified installer package you created to install the Agent manually or to deploy it using third party deployment software To generate a Microsoft Installer Transform mst file you must provide the location and name original DriveLockAgent msi file and the MST file DriveLock Agent deployment preparation ED Software deployment Fes Please select ns Source MSI package located on distribution media Cc DrveLock DriveLockAgent msi a Target Window Installer Transform MST C DriveLock DriveLockAgentCSP mst eBox JL nos canoa Type the name and location for both files and then click Next to generate the new MST file After you have completed the Agent Deployment Wizard you continue the deployment by using the Microsoft Installer package or the command line DriveLock Installation Guide 7 5 43 O 2015 CenterTools Software GmbH W rivelock stro oct 5 4 4 Installation from a Command Prompt Silent Installation If you install the Agent from a command prompt or a script you can specify additional options The options allow you to specify from where the Agent will get its configuration settings and where the Agent retrieves the configuration To silentl
4. 7 Download files only do not install To only download the selected components but not install them select the checkbox Download files only To use local versions of the selected components without downloading newer versions select the checkbox Do not download files Click Next to start the download or installation When the process has complete a notification is displayed Please review the status of the downloaded components The files were downloaded successfully and stored in the same folder as this application resides Package Status amp Documentation and manuals Downloaded 2 DriveLock Control Center Downloaded Borivetock Management Console Downloaded w a q Finish Click Finish to complete the installation or download 5 4 Installing the DriveLock Agent The DriveLock Agent must be installed on each client computer where you want to control access to removable drives and devices Standalone Windows Installer packages are provided for installing the DriveLock Agent on client computers that are not administrative workstations These installation packages DriveLockAgent msi and DriveLockAgent AMD64 msi install the DriveLock Agent service without creating any entries in the Start menu and without requiring any user input silent installation DriveLock Installation Guide 7 5 31 2015 CenterTools Software GmbH XD veLlock O Ansaling Diveloch The packages for the D
5. Alternatively you can use the command line to uninstall DriveLock but you have to ensure that there is no remaining GPO that assigns DriveLock to the computer DriveLock Installation Guide 7 5 53 2015 CenterTools Software GmbH 4 riveLock Part VIII Migrating a Legacy Database DON T GAMBLE WITH YOUR DATA x rive Lock Migrating a Legacy Database 8 Migrating a Legacy Database Starting with DriveLock 6 the Security Reporting Center components have been replaced by the DriveLock Enterprise Server and the DriveLock Control Center It is not possible to update an existing database and the Security Reporting Center Instead you need to migrate the contents of the existing DriveLock 5 5 R2 database into the new DriveLock 6 database You need to perform this process using the Database Migration Wizard after you have installed the DriveLock Enterprise Service and the new database For details about the DES installation refer to the chapter Installing the DriveLock Enterprise Service If the existing version of the SRC server is older than DriveLock 5 5 R2 you must upgrade your existing SRC Server to version 5 5 R2 before you can migrate data by using the Database Migration Wizard The Database Migration Wizard is installed together with the DriveLock Enterprise Service To start the program click Start gt Programs gt CenterTools DriveLock gt DriveLock DES Database Installation J Dr
6. FDE system files directory C Securdsk must not be compressed Do not install DriveLock FDE to a compressed system drive Doing this leads to compression of the C Securdsk directory interfering with normal operations of DriveLock FDE The directory C Securdsk is a hidden system directory that can t be viewed by regular users e Windows System Restore Utility After DriveLock FDE has been installed Windows system restore points that were created prior to the installation can no longer be used to restore a computer to a previous state You can only restore the system to a restore point created following the installation of DriveLock FDE e Windows Fast User Switching DriveLock FDE disables the standard Windows Welcome screen along with its fast user switching functionality DriveLock Installation Guide 7 5 19 2015 CenterTools Software GmbH 4 riveLock Part V Installing DriveLock DON T GAMBLE WITH YOUR DATA Oe rivelbock _ _ mmm 5 Installing DriveLock The following sections describe the steps that are required to install the DriveLock components T e Evaluation Installation e Installing the DriveLock Enterprise Service e Installing the DriveLock Management Components e Installing the DriveLock Agent 5 1 Evaluation Installation In this type of installation all DriveLock components are installed on a single computer running Windows Vista or later This is the recommended in
7. TCP 6064 HTTP TCP 6065 HTTPS perating Temporarily Unlock DriveLock Management Console MMC Editing Agent configuration Group Policy GPO Centrally stored policies DB Configuration file via HTTP FTP or UNC Default communications ports These ports can be customized if required 6065 TCP Incoming APS DriveLock Agent 6067 Te TCP Incoming HTTPS e TCP HTTP optional Access to configuration file on a server using HTTP Incoming 445 TCP 139 TCP Incoming SMB NetBIOS optional Access to 137 UDP 138 UDP configuration file on a server using UNC DriveLock Installation Guide 7 5 9 2015 CenterTools Software GmbH Oe rivebocke is voto win oi 2 2 1 Service Communications in Mixed Mode with Legacy Agents The following diagram illustrates communications paths and the role of the DriveLock Enterprise Service in the operations of DriveLock In addition to the DriveLock 6 DriveLock 7 environment the diagram contains a legacy SRC server and an SRC console During the migration from DriveLock 5 to DriveLock 6 or DriveLock 7 additional communications channels are used Legacy communications channels are displayed in red or orange in the diagram TCP 6064 HTTP TCP 6065 HTTPS Events and upload of recovery information shadow copies TCP 6067 HTTPS I Operating Temporarily Unlock DriveLock Enterprise Service DES Database DriveLock 6 x 7 x Applying Ev
8. The Agent is a lightweight Windows service that runs in the background and maintains control over hardware ports and interfaces and enforces your security policy To prevent unauthorized access or bypassing of the security settings regular users can t stop the service only users who are specifically authorized by you can access and control the service 2 1 2 DriveLock Management Console You use the DriveLock Management Console to configure the security settings for your clients manage your environment and access other DriveLock components This console is a Microsoft Management Console MMC snap in so you can easily integrate it into existing MMC console files that administrators may have already f configured The DriveLock Management Console lets you create a local configuration for the computer the console is running on o define configurations by creating and changing Active Directory Group Policy settings or to save your settings to a configuration file that you can import on another computer You can also monitor the status of clients or access the DriveLock Agent on clients You can use the Management Console to remotely unlock an Agent by accessing it remotely or if the Agent is not connected to a network by creating an offline access code that a user can enter on the client computer In addition the Device Scanner is integrated into the DriveLock Management Console DriveLock Instal
9. The login will be used to create the DriveLock databases on the server To confirm that DES can connect to the server click Test Connection Finally select whether to create a new DriveLock database update an existing DriveLock database or to import an existing DriveLock 5 5 R2 database and then click Next An upgrade of an existing DriveLock 5 5 R2 database cannot be performed in place Instead you need to create a new database and import the contents of the old database For more information about such an upgrade refer to the section Migrating a Legacy Database DriveLock Installation Guide 7 5 27 2015 CenterTools Software GmbH W rivelock _ _ mmm Configure installation action Database name DriveLock DES service account DL svc_des ste pe Type the following information e Database name If usin g an Oracle server also specify the tablespace which needs to match the name of the database files During the installation the database user and tablespace name user TS will be created using scripts e Path to the database files on the server Oracle only The service account that the DES services use to connect to the database was specified during the installation Click Next to continue Setup accounts This step will setup the DriveLock Control Center and DriveLock Management Console administrator accounts DriveLock Control Center administrator DL administrator le T
10. computer e Component available locally Available online Management components E Management Console n a 7 0 3 8298 34 1 MB E Control Center n a 7 0 3 82988 19 0 MB F Documentation Manuals n a 7 0 3 8298 22 4MB Agent components CD Agent n a 7 0 3 8298 30 4MB E Full Disk Encryption n a 7 0 3 8298 37 1MB Server EQ Enterprise Services n a 7 0 3 8298 15 3 MB To install DES select the last checkbox The Installer will check whether an installation package is already present and whether a newer version is available DriveLock Installation Guide 7 5 22 O 2015 CenterTools Software GmbH Oe rivelbock stirs ost Click Next CenterTools DriveLock components ae 2 The selected components will be downloaded and or installed RA Package Version Status DriveLock Enterprise Services 7 0 3 8298 Will be downloaded F Do not download updated files use locally stored files only 7 Download files only do not install To only download the selected components but not install them select the checkbox Download files only To use local versions of the selected components without downloading newer versions select the checkbox Do not download files Click Next to start the download or installation When the process has complete a notification is displayed Click Finish to complete installation Unless you selected the option to only download the installation package the DriveLock Enterprise Servi
11. events to the database Instead DES servers in Cache amp Linked mode forward the event data in compressed form to a central DES server at preconfigured intervals The central DES Server which is running in the standard Cache amp Process mode is connected to a database server and writes the event data it receives from linked servers and clients to the DriveLock database WAN Site DriveLock Enterprise Service DES Mode Central Server ____ Upload only during scheduled _____ times and compress data Database Events and uploading of recovery information shadow copies DriveLock 7 x DriveLock Enterprise Service DES Agents Mode Linked server DriveLock 7 x Agents WAN Site Upload only during scheduled A 4 times and compress data Reports and Forensics DriveLock Control Center DCC DriveLock 7 x DriveLock Enterprise Service DES Agents Mode Linked Server To change the mode in which a DES Server is running use the Database Installation Wizard which is included with DriveLock Installation Guide 7 5 11 2015 CenterTools Software GmbH Or velock sentra vouroso with omero the DES DriveLock Installation Guide 7 5 12 2015 CenterTools Software GmbH 4 riveLock Part Ill Preparing to Install DriveLock DON T GAMBLE WITH YOUR DATA Oe rivebock _______ cron 3 Preparing to Install Drive
12. to deploy DiveLock Agents Windows Installer File MSI Generates a Windows Installer Package MSI containing your settings Windows Installer Transform MST Generates a Windows Installer Transform File MST containing your settings Command Line Displays the syntax for installing from a command line using your settings Click Next If you selected Command Line the next page displays the command you must use to install the DriveLock Agent When using this command line you must change lt DriveLockAgent msi gt to the full path of DriveLockAgent msi file Software deployment Please select Use the following command to install DriveLock Agents msiexec I lt DriveLockAgent msi gt qb USESERVERCONFIG 1 CONF IGID f ca9b04f e461 47 3c bd63 65de84913c3c CONFIGSERVER http ADMIN 6066 The command can be used for a manual Agent installation For more information about this refer to the section Installation from a Command Prompt Silent Installation If you selected the option to generate anew MSI file you must provide the location and name of the original DriveLockAgent msi file and the customized MSI file to be created DriveLock Installation Guide 7 5 42 2015 CenterTools Software GmbH W rivelock stro ost DriveLock Agent deployment preparation lese eisen Software deployment Please select E Source MSI package located on distribution media
13. und Ereignisse sind frei erfunden Jede hnlichkeit mit bestehenden Firmen Organisationen Produkten Personen oder Ereignissen ist rein zuf llig Die Verantwortung f r die Beachtung aller geltenden Urheberrechte liegt allein beim Benutzer Unabh ngig von der Anwendbarkeit der entsprechenden Urheberrechtsgesetze darf ohne ausdr ckliche schriftliche Erlaubnis der CenterTools Software GmbH kein Teil dieser Unterlagen f r irgendwelche Zwecke vervielf ltigt oder bertragen werden unabh ngig davon auf welche Art und Weise oder mit welchen Mitteln elektronisch oder mechanisch dies geschieht Es ist m glich dass CenterTools Software GmbH Rechte an Patenten bzw angemeldeten Patenten an Marken Urheberrechten oder sonstigem geistigen Eigentum besitzt die sich auf den fachlichen Inhalt dieses Dokuments beziehen Das Bereitstellen dieses Dokuments gibt Ihnen jedoch keinen Anspruch auf diese Patente Marken Urheberrechte oder auf sonstiges geistiges Eigentum es sei denn dies wird ausdr cklich in den schriftlichen Lizenzvertr gen von CenterTools Software GmbH einger umt Weitere in diesem Dokument aufgef hrte tats chliche Produkt und Firmennamen k nnen gesch tzte Marken ihrer jeweiligen Inhaber sein 2015 CenterTools Software GmbH Information in this document including URL and other Internet Web site references is subject to change without notice Unless otherwise noted the example companies organizations products d
14. 4 riveLock DriveLock Installation Guide 7 5 DON T GAMBLE WITH YOUR DATA CDI vekock_ 2 prize Table of Contents Part I Document Conventions 4 Part I Securing Your Data with DriveLock 6 1 The DriveLock Components J DriveLock Agent 7 DriveLock Management Console 7 DriveLock Control Center 8 DriveLock Enterprise Service 8 2 Service Communications 8 Service Communications in Mixed Mode with Legacy Agents 10 Linked DES Servers 11 Part II Preparing to Install DriveLock 14 1 Quick Configuration Using mDNS DNS SD 15 Deactivating mDNS DNS SD 16 Pat IV System Requirements 18 Part V Installing DriveLock 21 1 Evaluation Installation 21 2 Installing the DriveLock Enterprise Service 21 3 Installing the DriveLock Management Components 29 4 Installing the DriveLock Agent 31 nstalling DriveLock by using Active Directory Group Policy 32 nstalling the Agent by Using Configuration Files 34 nstalling the Agent with a Centrally Stored Policy without Quick Configuration 39 nstallation from a Command Prompt Silent Installation 44 nstalling the DriveLock FDE Component 45 Part VI Updating DriveLock 47 1 Updating the DriveLock Enterprise Service 47 2 Updating the DriveLock Control Center 50 3 Updating DriveLock Management Components 50 4 Updating the Agent 50 Updating the DriveLock FDE Component 51 Part VIE Uninstalling the DriveLock Agent 53 Part VII Migrating a Legacy Database 55 DriveLock Installation Gu
15. Active Directory for example Novell The auditing capabilities of DriveLock coupled with its file shadowing functionality give you the information you need to monitor and enforce policy compliance By using the DriveLock Device Scanner you can detect any drive or device that has been used in your network even if it is no longer connected to the computer The DriveLock Agent doesn t need to be installed on the target computers to use the Device Scanner Encryption is another main feature of DriveLock DriveLock that can help you secure sensitive information by enforcing encryption when data is copied to removable drives You can use the DriveLock Full Disk Encryption option to encrypt hard disks including the system partition and to perform pre boot authentication with single sign on to Windows DriveLock can also erase sensitive data permanently and securely by overwriting data multiple times using one of several industry standard algorithms DriveLock s application control enables easy control over which applications run on a computer You can allow or deny the starting of applications based on several criteria such as the current user network connection or computer DriveLock Antivirus adjusts to the current environment and your security policies For example you can enforce the most thorough scanning for removable drives before a user is allowed access to such a drive The Dri
16. DriveLock TA Device Scanner b Product updates and suppor IE Polici Policy name Central DriveLock Policy Policy type Centrally stored Spf DriveLock Group Policy Settings Active Directory Configuration file Storage location 192168212 LDAP CN C3325049 3DB admin DriveLock Date modified 2 14 2012 6 31 22 2 14 2012 6 29 13 2 14 2012 6 30 56 Add Group Policy Object Open Configuration file gt Drivel gt By Oper Local policy lt Registry gt 2 14 2012 6 27 17 New All Tasks Deploy configuration file Deploy centrally stored policy View New Window from Here Refresh Export List Properties Help To launch the wizard right click Configuration files point to All Tasks and then click Deployment wizard Agent deployment This wizard will guide you through the steps that are required to prepare for deploying the DriveLock Agent to client computers You do not need to complete this wizard f you will be configuring Agents using Active Directory Group Policy Click Next to continue DriveLock Installation Guide 7 5 35 2015 CenterTools Software GmbH Oe rrivelbock stro oct DriveLock Age t dep oyment prepara Configuration deployment mode i ay Choose a configuration deployment method te Configuration files will be deployed using Local file or shared folder UNC path FTP
17. E installation package The FDE installation package is named DLFde pkg resp DLFdeX64 pkg and part of the DriveLock installation CD To deploy the FDE installation package with the DriveLock Enterprise Service DES upload and publish the package by using DriveLock Management Console For more information about publishing installation packages refer to the DriveLock Administration manual User interface configure whether and how a user will be informed during FDE installation and whether he has to confirm the messages Options select how the pre boot authentication will behave and look like The configured background image must be PNG the resolution and aspect ratio should be 1024x768 4 3 It will only be installed during a new installation or when updating the FDE component to a new version The other options will be activated after a each reboot of the computer If you disable the 32 bit PBA a 16 bit version of the PBA with restricted functionality will be used which boots faster especially on older or low performance computers For more information about configuring the DriveLock FDE refer to the DriveLock Administration manual DriveLock Installation Guide 7 5 45 2015 CenterTools Software GmbH 4 riveLock Part VI Updating DriveLock DON T GAMBLE WITH YOUR DATA XD velock usmmax 6 Updating DriveLock Before updating DriveLock to a newer version always review the curre
18. Lock You can install DriveLock from compact disc or using files downloaded from the CenterTools Web site All DriveLock components are available as separate 32 bit and 64 bit Microsoft Installer MSI packages A separate installation package is available for the DriveLock documentation The easiest way to install DriveLock components is by using the DriveLock Installer DL Setup exe This program can check whether the most current installation packages for all components are already present and download missing ackages from the Internet The DriveLock Installer runs both on 32 bit and 64 bit computers To As an alternative you can download an ISO image containing the DriveLock Installer all installation packages Q ocumentation and additional information from www drivelock com You can burn a CD from this ISO image Before starting the installation it is recommended that you decide which type of configuration you will be using to Q eploy DriveLock settings to clients because this will determine how you will deploy DriveLock Agents to client computers The following configuration matrix can help you decide which of these methods is the most appropriate for your environment Yes AD No Very good No Yes UNC No Limited http ftp When using DriveLock for the first time it is recommended to use a local configuration to become familiar with DriveLock before deploying configuration settings to multiple clients ac
19. Lock databases are created and maintained Before you start the DES installation create a service account that the DES will use for database access Unless the DES server is also the database server this must be a domain DriveLock Installation Guide 7 5 21 2015 CenterTools Software GmbH B rrivelbock stro ost account with the password set to never expire You don t need to assign any special permissions or rights to the account You can install DES using the DriveLock Installer which can check whether a more recent version is available via the Internet To start the installation copy the DriveLock Installer DL Setup exe to a folder on your hard drive All installation packages that the Installer downloads will be stored in the same folder and can later be used for additional installations To start the DriveLock Installer double click it in Windows Explorer TA DriveLeck 6 CenterTools DriveLock Welcome to the CenterTools DriveLock installation wizard This wizard will guide you through all steps necessarry to download and install DriveLock components on your computer If a newer version of the Installer is available a notification appears and you can select to download the newest version Click Next accept the license agreement and then click Next again nterlools Loc CenterTools DriveLock components Select the components of DriveLock you want to install on this
20. Settings in a GPO as DriveLock is a computer focused application DriveLock configuration settings are not installed automatically with the software package These settings including a valid license file must be provided separately as part of the same or a separate GPO The use of separate GPOs for installing the Agent and distributing policy settings is recommended If you install the DriveLock Agent by using Group Policy it can t be uninstalled from the Add Remove Programs application in Control Panel Instead remove the software package from the GPO 5 4 2 Installing the Agent by Using Configuration Files When you use a configuration file to deploy your DriveLock policy to client computers copy this file to a shared folder Web server or FTP server and specify the network path or URL during the Agent installation For information about using a configuration file refer to the DriveLock Administration Guide The DriveLock Deployment Wizard assists you in deploying the DriveLock Agent to computers in your network so that they use the correct configuration file The wizard helps you create the correct command line for Windows Installer generates a modified Microsoft Installer msi package or creates a Microsoft Installer Transform mst file for your installation DriveLock Installation Guide 7 5 34 2015 CenterTools Software GmbH M rvelock ooo moma Maicol to 2 0 Gel A CenterTools
21. a or encrypted containers e Full Disk Encryption recovery data Data that is required to recover encrypted disks or to assist users who forgot a pre boot authentication password Access permissions on reports will not be imported from the DriveLock 5 5 R2 database You need to configure these permissions manually after the import has completed Click Next twice to view a summary of the installation steps to be performed Review the summary of the migration settings and the click OK to start the migration If the import was successful a green icon is displayed In case of an error review the file C Documents and Settings All Users Application Data CenterTools DriveLock Log DatabaselnstallWizard log or C ProgramData CenterTools DriveLock Log DatabaselnstallW izard log to identify the reasons for the failure TT DriveLock Database Installation Wizard Tala ea w Completing the wizard To configure further DES settings please run the DriveLock Configuration Console The DES service was restarted Click Finish to close the Database Import Wizard DriveLock Installation Guide 7 5 57 2015 CenterTools Software GmbH 4 riveLock DriveLock Installation Guide Die in diesen Unterlagen enthaltenen Angaben und Daten einschlieBlich URLs und anderen Verweisen auf Internetwebsites k nnen ohne vorherige Ank ndigung ge ndert werden Die in den Beispielen verwendeten Firmen Organisationen Produkte Personen
22. age before you proceed with the DriveLock 7 installation due to technical reasons 6 4 1 Updating the DriveLock FDE Component After the DriveLock Agent has been updated an existing DriveLock FDE installation will be updated automatically and without re encryption to the most current version After updating the FDE components a reboot may be required DriveLock Installation Guide 7 5 51 2015 CenterTools Software GmbH 4 riveLock Part VII Uninstalling the DriveLock Agent DON T GAMBLE WITH YOUR DATA Or velock_ sana i petor aen 7 Uninstalling the DriveLock Agent Unless you assigned the DriveLock Agent by using Group Policy you can remove a DriveLock Agent from a computer by using the Add Remove Programs application in Control Panel DriveLock Agents can also be uninstalled using the following command line specifying the original installation package msi msiexec x DriveLockagent msi If you have configured DriveLock to require a password for uninstalling you must use one the following commands msiexec x DriveLockagent msi UNINSTPWD password msiexec x DriveLockagent msi UNINSTPWDENC encrypted password To create the encrypted password use the DriveLock Deployment Wizard If you installed the DriveLock Agent by using Group Policy you can t use the Add Remove Programs application to uninstall DriveLock Instead remove DriveLock from the GPO to un assign DriveLock from the computer
23. and Line the next page displays the command you must use to install the DriveLock Agent When using this command line you must change lt DriveLockAgent msi gt to the full path of DriveLock Installation Guide 7 5 37 2015 CenterTools Software GmbH W rivelock stro ost DriveLockAgent msi file A pi a D La ge dep ent p x DriveLock Agent deployment preparation let Software deployment rs Please select Pu Use the following command to install DriveLock Agents msiexec I lt DriveLockAgent msi gt qb USECONFIGFILE 1 CONFIGFILE Fileserver Share Xconfigrile cfg USESVCACCT 1 SVCACCOUNT Domain User SVCPASSWORD UCNEQVHZ3LLYXIDYASV JT6EZPCB3RBQOOSRC7RP7 SK60AGDE JPD E372T04G4GV7CH7 5SK3UOATIV5J6A26KU 67 6U7 TT7QK22XRP6LBVYFZFHAGKFAWUE F7XL4L7BSCCO5AQV42 IZ YEQ The command can be used for a manual Agent installation For more information about this refer to the section Installation from_a Command Prompt Silent Installation If you selected the option to generate a new MSI file you must provide the location and name of the original DriveLockAgent msi file and the customized MSI file to be created Software deployment Please select Source MSI package located on distribution media CiDriveLock DriveLockAgent msi a Target MS package CADriveLock DLCustomlgent msi Type the name and location for both files and then click Next to generate the new MSI fi
24. ation wizard starts automatically after the DES installation has completed Select the option to upgrade an existing database and then click Next ug TUE ee Lie VALE E DriveLock Database Installation Wizard IoIxI im Tas Connect database and select installation action Select the database type enter the connection parameters run the connection test and iow syst select an installation action dd or re hange Server VCT LBO Srci Microsoft SQL Server Place Type the full Microsoft SQL Server instance name for example localhostisglexpress ly Netw J Oracle Server ly Docur ontrol P Connection test detected server version Test connection Is Select an installation action omput R n Foldei J Install a new DriveLock database J Import a DriveLock 5 5 R2 database The wizard automatically searches for existing databases Select the existing DES 6 x database and then click Next DriveLock Installation Guide 7 5 48 2015 CenterTools Software GmbH Oe rrivelbock nim EE i route Free DESSE P DriveLock Database Installation Wizard Ta sys Configure installation action lorr inge Mace Select database to upgrade DriveLock ud Nety Detected DriveLock database version 6 0 0 18 Doct Target DriveLock database version 7 0 0 18 trol ee The selected database is already up to date Update is not required npul Pode Create a database backup und
25. ce Setup Wizard starts pagane Re terTools ock Enterprise Service Setup iveLeck Enterprise Servi Welcome to the CenterTools DriveLock Enterprise Service Setup Wizard Please wait while the Setup Wizard prepares to quide you through the installation e CenterTools lt Back Next Click Next DriveLock Installation Guide 7 5 23 2015 CenterTools Software GmbH W rivelock _ _ mmma Service Account Information Specify a user name and password Specify the user name and password of the service account that will be used to run the service The user account must be in the form DOMAIN Username User name di svc_des Browse Password Continue without validation gt Advanced Installer Cei Type the user name and password of the service account used to run the DriveLock Enterprise Service or click Browse to select an existing account Click Next to continue installation Use the Continue without validation checkbox only if the user account can t be verified but you are certain that the account exists and that you want to proceed with the installation Encrypted communications SSL certificate Select the SSL certificate to use for the client server communication U Select existing certificate You can select an existing certificate stored in the local machine s certificate store If you want to use a certificate issued by an
26. e grooming jobs to run for the second database The name of the second database is lt database gt DATA where lt database gt is the name of the main database 6 2 Updating the DriveLock Control Center You can perform an in place upgrade over the old version You can find additional information about this process in the section Installing DriveLock Management Components of this manual 6 3 Updating DriveLock Management Components To update the DriveLock Management Console or the DriveLock Control Center follow the instructions in the section Installing DriveLock Management Components The installation process detects if an older version of these components is installed and will update them automatically For DriveLock 7 1 and 7 0 If you update the DriveLock Management Console make sure the DriveLock Agent on the same computer is already updated to the newest version 64 Updating the Agent In most cases you can perform an in place upgrade of the DriveLock Agent and don t need to de install the older version first For more information about the Agent installation refer to the section Installing the DriveLock Agent of this manual Before installing an updated Agent by using Group Policy select the existing GPO that you used for the initial deployment and add the new installation file MSD After adding the installation file on the Properties page of the software deployment policy under Updates se
27. e in large corporate networks The following sections describe each installation method for the DriveLock Agent 5 4 1 Installing DriveLock by using Active Directory Group Policy A convenient way to deploy DriveLock Agents to target machines is by using Active Directory Group Policy Deploying DriveLock Agents by using Group Policy requires that the DriveLockAgent msi Windows installer package for 64 bit operating systems use DriveLockAgent_X64 msi is located in a shared folder that the client computer can access Additional information about using Group Policy Objects is available on the Microsoft TechNet Web site To configure a software deployment policy for 32 bit computers open an existing Group Policy Object or create a new one In the Windows Group Policy Object Editor in the console tree navigate to Computer Configuration gt Software Settings gt Software installation DriveLock Installation Guide 7 5 32 2015 CenterTools Software GmbH Oe rivelbock stro ost E Group Policy Management File Action View Window Help alm ola amp Group Policy E A Forest g Group Policy Management Editor 53 Dor File Action View Help SICE i PIE E ge Computer Configuration Policies There are no item Software Settings a New b Package aB SEE EN gt Packs Administrativ view gt Pr
28. e on one or more administrator workstations 2 Installing the DriveLock Enterprise Service on a central server database required 3 Creating an initial DriveLock policy for example an initial policy that blocks no access until further testing is complete 4 Installing the DriveLock Agent on selected client computers according to the selected deployment method This document describes these steps in detail Additional sections cover manually updating DriveLock de installing DriveLock and migrating from an older version Version 5 5 R2 or older 3 1 Quick Configuration Using mDNS DNS SD The easiest and quickest option for configuring DriveLock is by using the multicast DNS m DNS and DNS based Service Discovery DNS SD protocols These complementary technologies enable servers and clients to register themselves in the network using multicasts This allows a DriveLock Agent to dynamically discover its DES server and to download its policy that has been configured by an administrator and stored in the DES Only minimal configuration is required to enable this but it requires that a DES server is running in the network environment The process of DES server discovery and downloading of the policy is illustrated in the following diagram Centrally stored policy Network Switch 2 Registration using DNS S 1 Registration using DNS SD 3 Server discovery using
29. e solution that helps you secure your desktop computers It has a ultilingual User Interface MUI allowing you to select the desired language during installation or when running he program DriveLock offers dynamic configurable access control for mobile drives floppy disk drives CD ROM drives USB memory sticks etc DriveLock also lets you control the use of most other device types such as Bluetooth ransmitters Palm Windows Mobile BlackBerry cameras smartphones media devices and many more By configuring whitelist rules based on device type and hardware ID you can define exactly who can access which device at which time Removable drives can be controlled based on the drive s manufacturer model and even serial number This lets you define and enforce very granular access control policies Additional features let you unlock specific authorized media and define time limits or computers for whitelist rules Authorized administrators can even temporarily suspend device blocking on a computer if required even when the computer is offline and not connected to a network Installation of the client software the DriveLock Agent and policy deployment can be achieved easily by using existing software deployment mechanisms or by using the Group Policy feature of Active Directory Alternatively you can distribute policies using configuration files for standalone computers or in environments without
30. eLock Enterprise Service you also need to change the DriveLock Management Console connection settings to connect to DES using port 6067 instead of port 6066 This change is automatically performed when you upgrade the DriveLock Management Console to version 7 1 After upgrading the database click Finish to close the wizard While the Database Installation Wizard displays a second smaller progress bar under the main progress bar the wizard is still migrating the data Do not cancel the process until it has completely finished After the database migration has completed the DriveLock Enterprise Service is restarted DriveLock Installation Guide 7 5 49 2015 CenterTools Software GmbH W rivelock tative ost It is recommended to shrink the database after an update to free space that was used by the migration process The method for shrinking depends on the database server you use Microsoft SQL e Microsoft SQL Server Management Studio http msdn microsoft com en us library ms189035 aspx e TSQL http msdn microsoft com de de library ms190488 aspx Oracle e http Imgtfy com q oracle shrink datafile After shrinking the database you should also update the database indexes by using one of the following database commands icrosoft SQL EXEC ctsp maintenance Oracle EXEC DRIVELOCK CTSP MAINTENANCE If you configured event grooming jobs to run on the database server you will need to also creat
31. eferences User Configuration Paste Policies Refresh Preferences Export List Properties Help APRA eee ee ee i You can also use the DriveLock Management Console to open or create a Group Policy Object Right click Software installation and then click New gt Package Navigate to the shared folder that contains the installation package select the DriveLockAgent msi file and then click Open Ensure that the file name is displayed in Universal Naming Convention UNC format for example Server drivelock DriveLock Agent msi Select deployment method Published C Assigned Advanced Select this option to configure the Published or Assigned options and to apply modifications to a package a ces Select Advanced as the deployment method and then click OK DriveLock Installation Guide 7 5 33 2015 CenterTools Software GmbH W rivelock stro oct E Group Policy Management Editor File Action View Help esse gt 0E 15 DDL Install YCT MUC LDC2 MUC LABOR CT Name version Deployme E HE Computer Configuration There are no items to show in this view E DI Policies El Software Settings CenterTools DriveLock Agent Properties 21x Software installation C Windows Settings General Deployment Upgrades Categori
32. ents and uplbad of recovery information dhadow copies Agents 7 Cc Pperating Temporarily Unlock Security Reporting Center SRC Database Encryption Recovery Encryption Recovery Reports and Forensics N Reports Applying g Editing DriveLock Group Policy GPO Management Console MMC Configuration file 5 via HTTP FTP or UNC SS DriveLock Control Center DCC Security Reporting Center SRC Console Central configuration Version 5 x format S S legacy connection Default communications ports Ports can be customized if required Incoming HTE 6064 TCP Incoming HTTP DriveLock Agent 6066 TCP Incoming HTTP 135 TCP Outgoing optional MMC GPO editing DriveLock Installation Guide 7 5 10 2015 CenterTools Software GmbH Oe riveboche _ _ somova oreo 21 TCP Incoming FTP optional Access to configuration file on a server using FTP 445 TCP 139 TCP 137 UDP 138 UDP For additional information about the upgrade process refer to the DriveLock Technical Article Upgrading to DriveLock 6 222 Linked DES Servers In large DriveLock deployments you can minimize the use of system resources and network bandwidth by linking DES servers In a linked deployment one or more DES servers at branch offices are running in Cache amp Linked mode These servers collect events from DriveLock Agents but dont write the
33. er C Program Files Microsoft SQL Server MSSQL 1 MSSQLIDATA Starting with DriveLock 7 1 the DriveLock Enterprise Service uses two databases The second database holds all event data and linked entities For example it may store the user who connected a flash drive information about the flash drive and other data If your policy settings require anonymous storage of event data certain fields are automatically encrypted During an update existing data is automatically migrated The migration process can take a long time depending on the size of the existing data Migration speed depends on your hardware but a general guideline is to assume the processing of one m lion events per hour Also starting with DriveLock 7 1 communications between the Management Console and the DriveLock Enterprise Service are always secured Only encrypted communications using SSL are used and the DriveLock Enterprise Service always checks and enforces access permissions During an update of the DriveLock Enterprise Service the Database Installation Wizard prompts for a user of group that will initially be assigned permissions to configure the DriveLock Enterprise Service This user or members of a group you specify can then assign permissions to additional users and groups If required user rights are missing the wizard prompts you to select a user to assign the administrative role to After upgrading the Driv
34. es Modifications Security Advanced Deployment Options xi E Administrative Templates Policy E E Preferences r Deployment type Advanced deployment options E 38 User Configuration C Published TT Ignore language when deploying this package E I Policies gt Preferences Assigned TT Make this 32 bit X86 application available to Win64 machines r Deployment options F Auto install this application by file extension activation TT Include OLE class and product information TT Uninstall this application when it falls out of the scope of Advanced diagnostic information management Product code 4414E8D9 1524 4401 B78B 509AG9FEABE9 e Add Remove Programs control Deployment Count 0 Script name Se on ct SysVol muc labor ct ol cies E i i je MCOD50C0C 4495 4493 BBED 8B2E 220307F5 Installation user interface options che ne Basic A3FO7BBA C043 4E7D ACBA 7ECFDAC3BF29 aas Masimum Advanced Select the Deployment tab and click Advanced Uncheck the option Make this 32 bit X86 application available to Win64 machines Click OK twice The Group Policy Object is now configured and the Agent rollout will start after the policy is replicated to domain controllers and applied to the target machines Repeat these steps for 64 bit computer use the DriveLockAgent_X64 msi file instead and don t change the advanced deployment options DriveLock should not be assigned to the User
35. external authority import it to the certificate to the store first O Create self signed certificate Create a self signed certificate This certificate will be stored in the local machine s certificate store Advanced Installer Cesi A certificate is required for the encrypted client server communication Click Select existing certificate if the SSL certificate you want to use is already in the computer s certificate store and select the Drivelock Enterprise Service certificate Click Next select the certificate from the list and then click OK to confirm To have DriveLock create a certificate click Create self signed certificate and then click Next DriveLock Installation Guide 7 5 24 2015 CenterTools Software GmbH W rivelock ooo mmma MATE LEN Ready to Install The Setup Wizard is ready to begin the CenterTools DriveLock Enterprise Service installation Click Install to begin the installation If you want to review or change any of your installation settings click Back Click Cancel to exit the wizard Advanced Installer Cei Click Install je See SER a ock Enterprise Service Setup RER Ric riveLeck Enterprise Service Completing the CenterTools DriveLock Enterprise Service Setup Wizard Click the Finish button to exit the Setup Wizard When the installation has completed click Finish to close the wizard When the installation is complete
36. he DriveLock Control Center administrator has the ownership of all default reports and forensics He can administrate Control Center users and manage access rights to reports and forensics DriveLock Management Console administrator DL administrator aa The DriveLock Management Console administrator configures the DriveLock Enterprise Service and manages DriveLock policies installation packages and antivirus updates Select the initial accounts for the following two security roles e DriveLoc Control Center administrator and SID A group or user and corresponding security identifier SID that will i nitially be assigned Full Control permissions to use the DriveLock Control Center You can change this account or add additional users and groups in the Control Center after the database installation has completed e DriveLock Management Console administrator and SID A group or user and corresponding security identifier SID that will initially be assigned permissions to configure the DriveLock Enterprise Service using the DriveLock Installation Guide 7 5 28 2015 CenterTools Software GmbH W rivelock stair ost Management Console You can change this account or add additional users and groups in the DriveLock Management Console after the database installation has completed Click Next to continue A summary of the installation settings is displayed Review these settings and then click Next to start the nsta
37. he centrally stored policy server and tenant to be used on the Agents tI The policy will ba deployed from the DriveLock Enterprise Services infra structure The selected server will be used for initial deployment Policy Standard DriveLock Configuration Policy ID fca9b04 e461 473c bd63 65de 84913c3c E Use non default tenant name Server ADMIN gt Specify the centrally stored policy that the DriveLock Agent will use and the server where the central DriveLock Enterprise Service is running If you are using multiple DriveLock configuration environments tenants select the tenant from the drop down list After entering the location of the configuration file click Next Click Next On the next page select the type of installation package that will be created by the wizard e Microsoft Installer File MSI Creates a new Microsoft Installer package that contains your settings e Microsoft Installer Transform file MST Creates a Microsoft Installer Transform mst file that contains your settings An MST file must be used in conjunction with the original MSI package that is included in the DriveLock installation e Command line Shows the Microsoft Installer command line options for implementing the settings you have selected DriveLock Installation Guide 7 5 41 O 2015 CenterTools Software GmbH W rivelock ooo ro Agent deployment type Select how to deploy agents SS How do you want
38. ide 7 5 2 2015 CenterTools Software GmbH 4 riveLock Part Document Conventions DON T GAMBLE WITH YOUR DATA Xi veklock_ ecient carers 1 Document Conventions Throughout this document the following conventions and symbols are used to emphasize important points that you should read carefully or menus items or buttons you need to click or select Caution This format means that you should be careful to avoid unwanted results such as potential damage to operating system functionality or loss of data Hint Useful additional information that might help you save time Italics represent fields menu commands and cross references Bold type represents a button that you need to click A fixed width typeface represents messages or commands typed at a command prompt A plus sign between two keyboard keys means that you must press those keys at the same time For example ALT R means that you must hold down the ALT key while you press R A comma between two or more keys means that you must press them consecutively For example ALT R U means that you must first press the Alt key then the R key and finally the U key DriveLock Installation Guide 7 5 4 2015 CenterTools Software GmbH 4 riveLock Part Il Securing Your Data with DriveLock DON T GAMBLE WITH YOUR DATA Or velock ano var baton onto 2 Securing Your Data with DriveLock CenterTools DriveLock is a lightweight softwar
39. ion Guide 7 5 26 2015 CenterTools Software GmbH Oerrivelbock stirs oct Connect database and select installation action Select the database type enter the connection parameters run the connection test and select an installation action Server ADMIN Microsoft SQL Server Type the full Microsoft SQL Server instance name for example localhost sglexpress O Oracle Server Connection test detected server version Select an installation action Install a new DriveLock database XD Check Update an existing DriveLock database XD Import a DriveLock 5 5R2 database Select the database server type Microsoft SQL Server or Oracle Type the name of the database server and if required the name of the database instance If you use an Oracle database select Oracle Server Connect database and select installation action Select the database type enter the connection parameters run the connection test and select an installation action Oracle TNS Name DLSERVER D Microsoft SQL Server Orade Admin Login SYSTEM Orade Server f p Password Connection test detected server version _Testeonmecton Select an installation action Install a new DriveLock database O Check Update an existing DriveLock database 4 Import a DriveLock 5 5 R2 database Specify the Oracle TNS name administrator login and password
40. isk partitions that have been assigned a drive letter including all IDE EIDE SATA and SCSI drives There is no support for hidden partitions or software RAID arrays e DriveLock FDE does not interfere with the normal operation of the storage subsystem with the following exceptions e It is not possible to format any partition on the system drive after DriveLock FDE has been installed e DriveLock FDE does not support post installation addition removal or substitution of hard drives During installation DriveLock FDE examines all partitions present on the computer Repartitioning resizing converting or activating partitions after DriveLock FDE has been installed is not supported including any manipulation of the Master Boot Record DriveLock FDE supports the use of FAT16 FAT32 and NTFS file systems DriveLock FDE does not support multi boot environments MS DOS can be used to start a computer to run DriveLock FDE disaster recovery tools Computers running DriveLock FDE with a hard disk that is inaccessible or corrupt can be booted to MS DOS from a floppy disk or a CD Drives that require special DOS drivers such as SCSI drives or TSRs are only accessible to the DriveLock FDE recovery tools if the required drivers are loaded Supported Networks DriveLock FDE fully supports Active Directory and Windows domains It does not interfere with normal operation of any Windows network services including Remote De
41. iveLock Database Installation Wizard Tele lea Welcome to the DriveLock Database Installation Wizard This Wizard will setup your service mode for your DriveLock Enterprise Service DES and optionally create or upgrade your DriveLock database Ensure that you have created a backup of both databases before you continue Click Next DriveLock Installation Guide 7 5 55 2015 CenterTools Software GmbH M0rivelock 0 sn Select DES role Select the role for the DriveLock Enterprise Service on this computer Central DriveLock Enterprise Service default Select this mode if this is the only DriveLock Enterprise Service in your organization or if it is the central service in a distributed installation A database server connection is required for this mode 1 Linked DriveLock Enterprise Service Select this mode if the DriveLock Enterprise Service on this computer reports to the central DriveLock Enterprise Service No database will be installed Select the server role Central DriveLock Enterprise Service because the migration requires a direct connection to the database server Connect database and select installation action Select the database type enter the connection parameters run the connection test and select an installation action Server ADMINISQLEXPRESS Microsoft SQL Server Type the full Microsoft SQL Server instance name for example O oracle Server localhost sglexpress
42. lation Guide 7 5 7 2015 CenterTools Software GmbH Or velock_ novus baton otc 2 1 3 DriveLock Control Center The DriveLock Control Center DCC let you create dynamic reports and forensic analysis reports from events that were reported by DriveLock Agents data to a central server running the DriveLock Enterprise Service DES You can use the DCC to monitor the use of mobile drives devices and data transfers in aggregate or in detail The DCC includes the option to assign granular permissions for data queries and report creation For example you can create reports about the use of removable media and device connection attempts both allowed and blocked In addition you can create reports about which files have been written to or read from removable media and execute a forensic analysis by using the data drill down capabilities of the DCC The settings in your DriveLock policy determine what types of data are recorded The DCC also lets you monitor your current DriveLock Agent environment and view the status of clients For example you can identify computers that don t have the Agent installed or that have not recently reported their status If you use the Full Disk Encryption option you can view the current status of the drive encryption for example Not installed or Currently encrypting You can also easily group and filter the list of Agents All of these functions and the ability to view statistics as graph
43. le You can use the modified installer package you created to install the Agent manually or to deploy it using third party deployment software DriveLock Installation Guide 7 5 38 2015 CenterTools Software GmbH W rivelock stro ost To generate a Microsoft Installer Transform mst file you must provide the location and name original DriveLockAgent msi file and the MST file DriveLock Agent deployment preparation Lele Software deployment Please select Source MS package located on distribution media CADrive Lock DriveLock gent msi a Target Window Installer Transform MST C DriveLock DriveLockAgenDeploy mst lt Back Nex gt Agent deployment This wizard will guide you through the steps that are required to prepare for deploying the DriveLock Agent to client computers You do not need to complete this wizard f you will be configuring Agents using Active Directory Group Policy After you have completed the Agent Deployment Wizard you continue the deployment by using the Microsoft Installer package or the command line 5 4 3 Installing the Agent with a Centrally Stored Policy without Quick Configuration The DriveLock Deployment Wizard also assists you in deploying the DriveLock Agent to computers in your network by using a Centrally Stored Configuration The wizard helps you create the correct command line for Windows Installer generates a modified Mic
44. lect the option Update existing packages Then click Add and select the installation file for the previous version Ensure that the default option Uninstall the existing package then install the new package is selected DriveLock Installation Guide 7 5 50 2015 CenterTools Software GmbH W rivelock tivo ost If you install the new Agent by using a configuration file follow the instructions in the section Installing the Agent by using Using Configuration Files that matches the configuration method used The installation process will detect if an older version of the Agent is installed and will update it automatically If you configured an uninstall password when you installed the previous version you must provide this password for the update Use the DriveLock Deployment Wizard to generate the encrypted version of this password As an alternative you can remove the uninstall password from your DriveLock configuration before updating the Agent You can upgrade the DriveLock Agent even if an older version of the Full Disk Encryption FDE is installed on a computer Upgrading the Agent will not change the version of DriveLock FDE Upgrading DriveLock FDE is not required when upgrading the Agent If you have used the DriveLock 6 or DriveLock 6 1 Agent installation package including DriveLock Full Disk Encryption DriveLockAgent FDE msi or DriveLockAgent_AMD64_FDE msi it is necessary to uninstall this software pack
45. ling the DriveLock Enterprise Service The installation process will automatically detect an older version that is already installed and update the service and the database it uses Before updating the DriveLock Enterprise Service always perform a database backup because the update process may modify the database to work with the new version Before updating a database from DriveLock 7 0 or older it is recommended to manually perform database grooming to minimize the amount of data that needs to be migrated To start the grooming process run the ollowing SQL commands on the database server icrosoft SQL Server EXEC ctsp groomevents lt max Age of Events in Days gt z B EXEC ctsp_groomevents 30 Oracle DECLARE DriveLock Installation Guide 7 5 47 2015 CenterTools Software GmbH W rivelock etre ost DAYS NUMBER BEGIN DAYS lt max Age of Events in Days gt DRIVELOCK CTSP GROOMEVENTS DAYS gt DAYS END Upgrading from DES 60 and newer is easy and possible without losing any data If you are using DES 6 0 first uninstall old DriveLock Enterprise Service and then install the new one If you are using DES 6 1 you can perform an in place upgrade over the old one When performing an upgrade ensure that you use the same service account Whether you are performing a new installation or are doing an in place upgrade the database install
46. llation The configuration procedure may take several minutes depending on the database server you are using The installation wizard creates two databases based on the information you provided for example DriveLock and DriveLock Data if you use Microsoft SQL Server When the installation is complete click Next 5 Drivel ock Database Installation Wizard les Ww Completing the wizard To configure further DES settings please run the DriveLock Configuration Console The DES service was restarted To complete the installation click Finish 5 3 Installing the DriveLock Management Components You can install all DriveLock management components using the DriveLock Installer which can check whether a more recent version is available via the Internet To start the installation copy the DriveLock Installer DL Setup exe to a folder on your hard drive All installation packages that the Installer downloads will be stored in the same folder and can later be used for additional installations To start the DriveLock Installer double click it in Windows Explorer DriveLock Installation Guide 7 5 29 2015 CenterTools Software GmbH Oe rrivelbock stirs oct CenterTools DriveLock Welcome to the CenterTools DriveLock installation wizard This wizard will guide you through all steps necessarry to download and install DriveLock components on your computer If a newer version of the Installe
47. mDNS DNS SD Reply with default tenant and poli SS 5 Download of default policy DriveLock Enterprise Service DES Ss Publishing using mDNS DNS SD DriveLock Agents The process of registration and discovery includes the following steps 1 DES Registration using DNS SD 2 Agent Registration using DND SD 3 Agent DES server discovery using mDNS DNS SD 4 DES Reply with default tenant and policy 5 Agent Download of default policy In a network that is connected using routers it is possible that the routers are not configured to forward multicast traffic between network segments This prevents the use of mDNS DNS SD If you cannot change the router configuration you need to use one of the other methods that are available for distributing the DriveLock policy to Agents DriveLock Installation Guide 7 5 15 2015 CenterTools Software GmbH ear velock_ 0 Prepaingtoinstal onto For additional information about configuring centrally stored policies and assigning a standard policy refer to the DriveLock Administration Guide 3 1 1 Deactivating mDNS DNS SD In some instances you may want to deactivate mDNS DNS SD and the associated multicast traffic This will disable Quick Configuration but it minimizes network traffic which may be more important in large networks To deactivate mDNS DNS SD configure the following settings using the DriveLock Management Console e In the Agent configuration for example in a Gro
48. nt Release Notes Upgrading DriveLock components is generally a very easy process and can be performed using an in place upgrade Starting with DriveLock 7 an automatic update feature is available that can automatically upgrade the DriveLock Agent and management components to the most recent version from the DriveLock Enterprise Service For more information about this process refer to the DriveLock Administration Guide The recommended order for upgrading DriveLock components is 1 DriveLock Enterprise Service 2 DriveLock Management Console 3 DriveLock Control Center 4 DriveLock Agents Because the installed version of the DriveLock Enterprise Service and the DriveLock Control Center must match you need to upgrade both components at the same time to ensure a smooth transition When upgrading any DriveLock components no Group Policy Objects or configuration files are modified However as a precaution it is recommended to first export all local or Group Policy based DriveLock policies to a file For more information about exporting policies refer to the DriveLock Administration Guide The following sections describe the manual upgrade process For information about automatic updating refer to the DriveLock Administration Guide 6 1 Updating the DriveLock Enterprise Service To update the DriveLock Enterprise Service to a newer version perform the steps described in the section Instal
49. omain names e mail addresses logos people places and events depicted herein are fictitious and no association with any real company organization product domain name e mail address logo person place or event is intended or should be inferred Complying with all applicable copyright laws is the responsibility of the user CenterTools and DriveLock and others are either registered trademarks or trademarks of CenterTools GmbH or its subsidiaries in the United States and or other countries The names of actual companies and products mentioned herein may be the trademarks of their respective owners DON T GAMBLE WITH YOUR DATA
50. r is available a notification appears and you can select to download the newest version Click Next accept the license agreement and then click Next again 6 Lenterlools DriveLoci CenterTools DriveLock components jr Select the components of DriveLock you want to install on this computer a Component Available locally Available online Management components Management Console n a 7 0 3 8298 34 1MB 7 Control Center n a 7 0 3 8298 19 0 MB V Documentation Manuals na 7 0 3 8298 22 4MB Agent components E agent n a 7 0 3 82988 30 4MB E Full Disk Encryption nja 7 0 3 8298 37 1MB Server E Enterprise Services nja 7 0 3 8298 15 3MB To install the management components and documentation select the first three checkboxes The Installer will check whether any of the components are already present and whether newer versions of these components are available When performing an evaluation installation select all components Click Next DriveLock Installation Guide 7 5 30 2015 CenterTools Software GmbH Oe rivelbock stirs oct CenterTools DriveLock components The selected components will be downloaded and or installed Package Version Status Documentation and manuals 7 0 3 8298 will be downloaded DriveLock Control Center 7 0 3 8298 Will be downloaded DriveLock Management Console 7 0 3 8298 Will be downloaded F Do not download updated files use locally stored files only
51. riveLock Agent installation are located on the DriveLock CD an ISO image for burning a CD is available for downloading or you can be downloaded by the DriveLock Installer from the Internet Before you install the Agent on client computers you must have created a policy that contains at least the basic configuration settings and whitelist entries that need to be applied on client computers when the Agent is installed This policy must be available to clients at the time of the installation via Group Policy centrally stored policy or configuration file As soon as the Agent installation has completed the Agent is started and applies either an available policy or the default settings If you install the Agent without providing configuration settings the default settings which block access to most removable drives are applied As a result devices or drives that are required for proper operation of client computers may be locked When using a configuration file you need to customize the Agent installation package before deployment to ensure that the Agent can find the configuration file When using Group Policy no customization is required When using or a centrally stored policy customization is only required if Quick Configuration is not available Quick Configuration is not available if you disabled the automatic discovery mechanism or if multicast communications using mDNS DNS SD are blocked which is frequently the cas
52. rosoft Installer msi package or creates a Microsoft Installer Transform mst file for your installation DriveLock Installation Guide 7 5 39 2015 CenterTools Software GmbH Oe rrivelbock stirs oct 2 2 0as H l 4 CenterTools DriveLock Policy name 2 Policy type Storage location Size Date modified TA Device Scanner gt 8 Product updates and suppor Central DriveLock Policy Centrally stored 192 168 2 12 1 21 KB 2 14 2012 6 31 22 gf DriveLock Group Policy Settings Active Directory LDAP CN C3325049 3DB 2 14 2012 6 29 13 a a Add Group Policy Object Configuration file admin DriveLock 26 9 KB 2 14 2012 6 30 56 gt Bm Op Open Cantata fle Local policy lt Registry gt 2 14 2012 6 27 17 New All Tasks Deploy configuration file Deploy centrally stored policy View New Window from Here Refresh Export List Properties Help policy Agent deployment This wizard will guide you through the steps that are required to prepare for deploying the DriveLock Agent to client computers You do not need to complete this wizard f you will be configuring Agents using Active Directory Group Policy Click Next to continue DriveLock Installation Guide 7 5 40 2015 CenterTools Software GmbH Oe rivelbock stro ost Woh aed pa DriveLock Agent deployment prepa 2 Be Select centrally stored policy ram Select t
53. ross your network e Local configuration When using a local configuration policy settings are only applied to the computer where you configure settings using the DriveLock Management Console A local configuration is only appropriate for evaluating DriveLock or testing a policy before deploying it The advantage of using a local configuration is that all changes take effect immediately on the local computer Group Policy You can store DriveLock configuration settings in a Group Policy Object in Active Directory Policy settings are deployed to client computers using the native Group Policy mechanism in Windows Configuration Files Configuration settings are stored in a file This file is stored in a shared folder or on an HTTP or FTP server from where it is retrieved by client computers When using HTTP client computers can retrieve the configuration settings over the Internet Centrally Stored Policies Centrally Stored Policy CSP CSPs are similar to configuration files but they are stored by the DriveLock Enterprise Service DES and retrieved from there by Agents Unlike other types of DriveLock Installation Guide 7 5 14 2015 CenterTools Software GmbH Be rrivelboch _ _ memonmanoo policies CSPs also automatically support versioning and change tracking and support Quick Configuration for effortless deployment A typical DriveLock deployment consists of four steps 1 Installing the DriveLock Management Consol
54. s UNC myserver share drivelock dlconfig cfg FTP myserver pub drivelock dlconfig cfg HTTP http myserver drivelock dlconfig cfg CONFIGPROTOCOL 0 1 0 lt path gt is a file location 2 1 lt path gt is an FTP location 2 lt path gt is an HTTP location USESVCACCT 1 This parameter is needed if a user account is used to access the configuration file SVCACCOUNT lt account Specifies the account that is used to access the configuration gt file DriveLock Installation Guide 7 5 44 2015 CenterTools Software GmbH M rivelocd o_o mes Pos Example SVCACCOUNT mydomain myuser SVCPASSWORD lt encp lt encpwd gt is the account s encrypted password that was created n wd gt by the wizard To create the encrypted password use the DriveLock Deployment Wizard You can also install DriveLock agents by using the original DriveLockAgent msi in conjunction with a wizard generated mst file msiexec i DriveLockagent msi qn TRANSFORMS Your MST file mst 5 4 5 Installing the DriveLock FDE Component The DriveLock Full Disk Encryption Component FDE is installed by the DriveLock Agent as soon as an valid FDE license is available To apply the necessary settings open the MMC policy Centertools Encryption Disk Protection Encryption certificats Create and administer the certificates required for the FDE Deployment Settings General define where the DriveLock agent will find the FD
55. s make the DCC a very powerful monitoring and reporting tool 2 1 4 DriveLock Enterprise Service The DriveLock Enterprise Service DES centrally stores events from all DriveLock Agents This service is not required for DriveLock to operate but it lets administrators easily monitor all DriveLock operations and user activities in the entire organization The DES replaces the Security Reporting Centers SRC which performed similar functions in DriveLock 5 The DES uses a new architecture and database structure to improve performance and add new functionality The DriveLock Control Center DCC is the reporting console that enables administrators to view events that are stored in the DES and create reports from the event data Organizations that use one or both encryption modules Encryption 2 Go or Full Disk Encryption can use the DES to centrally store recovery data to simplify and streamline data recovery operations 22 Service Communications The following diagram illustrates communications paths and the role of the DriveLock Enterprise Service in the operations of DriveLock DriveLock Installation Guide 7 5 8 2015 CenterTools Software GmbH Oe rivebock svn oto win oni Encryption Recovery x DriveLock Zn Database nterprise Service DES Reports and Forensics DriveLock Control Center DCC Operating Temporarily Unlock Events and upload of recovery information shadow copies
56. sktop connections Windows domain users and local Windows users can authenticate to computers that are secured by DriveLock FDE All hard disk partitions encrypted with DriveLock FDE can be shared on a network at the discretion of the system administrator DriveLock Installation Guide 7 5 18 2015 CenterTools Software GmbH rivelod 0 snom Software Compatibility DriveLock FDE has been tested and does not interfere with normal operation of most Windows compliant software applications services and utilities Some care needs to be taken however when using the following e DOS Drivers and TSRs When booted from a DOS floppy disk or CD DriveLock FDE can access hard disks that reguire DOS drivers and TSRs only if the appropriate drivers have been loaded Windows and Third Party Boot Managers At system start up DriveLock FDE manipulates the Master Boot Record MBR and verifies its integrity All software that needs to manipulate the MBR for its own purposes is incompatible with DriveLock FDE This includes the standard Windows boot manager Windows Disk Management Utility No disk repartitioning resizing and mirroring configuration changes can be performed after DriveLock FDE has been installed If any of the above operations are required decrypt all disks and uninstall DriveLock FDE before proceeding Windows File Compression Windows file compression is fully supported with the following exception The DriveLock
57. stallation type for evaluating DriveLock The use of Microsoft SQL Server Express 2008 is recommended to support this installation type To start the installation run the DriveLock Installer DLSetup exe to first download all installation packages from the nternet and then install them on the local computer For a complete installation on a computer where you want to evaluate DriveLock simply select all components A CenterTools DriveLock J Center Tools DriveLock components x Select the components of DriveLock you want to install on this computer CH Component Available locally Available online Management components V Management Console n a 7 0 3 8298 34 1MB 7 Control Center n a 7 0 3 8298 19 0 MB V Documentation Manuals nja 7 0 3 8298 22 4MB Agent components V Agent n a 7 0 3 8298 30 4MB Y Full Disk Encryption n a 7 0 3 8208 37 1MB Server A Enterprise Services n a 7 0 3 8298 15 3 MB lt Back Cancel The DriveLock Installer is described in more detail in the section Installing DriveLock Management Components ore details about installing the DriveLock Enterprise Service are available in the section Installing the DriveLock Enterprise Senice 5 2 Installing the DriveLock Enterprise Service The DriveLock Enterprise Service DES is the central component of the DriveLock product family that needs to be installed on a central server The DES requires a database server where the Drive
58. the Database Installation Wizard starts This wizard guides you through the process of installing configuring or updating the DES database You can also use the wizard to change the DES mode for branch offices deployments DriveLock Installation Guide 7 5 25 2015 CenterTools Software GmbH W rivelock _ _ mmm DriveLock Database tee Welcome to the DriveLock Database Installation Wizard This Wizard will setup your service mode for your DriveLock Enterprise Service DES and optionally create or upgrade your DriveLock database Each Click Next J Driv r ESTE Select DES role Select the role for the DriveLock Enterprise Service on this computer Central DriveLock Enterprise Service default Select this mode if this is the only DriveLock Enterprise Service in your organization or ifitis the central service in a distributed installation A database server connection is required for this mode O Linked DriveLock Enterprise Service Select this mode if the DriveLock Enterprise Service on this computer reports to the central DriveLock Enterprise Service No database will be installed Select the server role and then click Next If you are installing the first DES Server in your organization select the Central DriveLock Enterprise Service mode For more information about server modes refer to the Architecture chapter in the Drivelock Enterprise Service manual DriveLock Installat
59. unt to use forthe DriveLock Agent service Retrieve DriveLock configuration using this account Local System Use Local System if you deploy the configuration through Group Poli ora local configuration file se a service account if you use a configuration file located on a server UNC path User name Domain User Password 000000000000 0000 Confirmation u Click Next On the next page select the type of installation package that will be created by the wizard e Microsoft Installer File MSI Creates a new Microsoft Installer package that contains your settings e Microsoft Installer Transform file MST Creates a Microsoft Installer Transform mst file that contains your settings An MST file must be used in conjunction with the original MSI package that is included in the DriveLock installation e Command line Shows the Microsoft Installer command line options for implementing the settings you have selected Agent deployment type Select how to deploy agents How do you want to deploy DriveLock Agents Windows Installer File MSI Generates a Windows Installer Package MS containing your settings Windows Installer Transform MST Generates a Windows Installer Transform File MST containing your settings Command Line Displays the syntax for installing from a command line using your settings Click Next If you selected Comm
60. up Policy Object GPO under Extended configuration gt Global configuration gt Settings gt Agent remote control settings and permissions deselect the checkbox Enable automatic agent discovery using DNS SD e Under DriveLock Enterprise Services gt Servers gt lt DES server gt gt Properties on the Options tab select the checkbox Disable automatic server discovery using DNS SD DriveLock Installation Guide 7 5 16 2015 CenterTools Software GmbH 4 riveLock Part IV System Requirements DON T GAMBLE WITH YOUR DATA rivelod _ _ smen 4 System Requirements CenterTools DriveLock works in the background and therefore only uses minimal hardware resources The DriveLock Agent runs on all recent versions of the Windows operating system and requires no additiona infrastructure The DriveLock Enterprise Service also requires a database Microsoft SQL Server or Oracle CenterTools recommends that you install all available service packs and hotfixes for your operating system Detailed information of supported platforms and hardware requirements can be found in the DriveLock Release Notes Windows XP e Microsoft Native WLAN API f r Windows XP wird f r die Funktion WiFi sperren wenn mit LAN verbunden e Microsoft IMAPI 2 0 f r CD DVD Verschl sselung Fulldisk Encryption Supported Storage Hardware DriveLock FDE can encrypt all fixed non removable hard d
61. veLock Enterprise Service DES is a central component that consolidates all DriveLock events and Device Scanner results in a central database Administrators can then use this data to create dynamic reports for auditing and management purposes A single unified console is used to configure all DriveLock components which simplifies administration tasks DriveLock Installation Guide 7 5 6 2015 CenterTools Software GmbH M rivelock eto coro ih oi 2 1 The DriveLock Components The section describes the DriveLock components and how they communicate with each other TCP 6066 HTTP TCP 6067 HTTPS O DriveLock nterprise Service DES ncryption Recovery Encryption Recovery DriveLock Reports and Forensics Database DriveLock Control Center DCC Operating Temporarily Unlock Events and upload of recovery information shadow copies TCP 6064 HTTP TCP 6065 HTTPS Operating Temporarily Unlock DriveLock Management Console MMC Agents Editing Ss pplying da Agent configuration Group Policy GPO Centrally stored policies DB Configuration file via HTTP FTP or UNC 2 11 DriveLock Agent The DriveLock Agent is the most important component of the DriveLock infrastructure It implements and enforces your policy settings and must be installed on every computer where you want to control removable drives devices or other settings
62. y install the Agent without displaying the InstallShield Wizard and with the default configuration settings use the following command Msiexec i DriveLockAgent msi qn If you must specify a configuration file location for the Agent either use an installation package that has been modified by the wizard msi file or use a wizard generated command such as the following msiexec i DriveLockAgent msi qn USECONFIGFILE 1 CONFIGFILE fileserver share drivelock When installing the Agent to use a centrally stored policy the available options are USESERVERCOMFIG 1 Indicates that a centrally stored policy is used CONFIGID lt GUID gt lt GUID gt is the GUID of the centrally stored policy in the format XXXXXXXX XXXX XXXX XXXX XXXXXXXXXXXX CONFIGSERVER lt name gt lt name gt is the name of the server where the DriveLock Enterprise Service is running and from where the configuration will be downloaded TENANTNAME lt tenant gt In a multi tenant DES environment lt tenant gt is the name of the tenant the policy has been configured for If you are not using multiple tenants specify root as the tenant name When installing the Agent to use a configuration file the available options are USECONFIGFILE 1 Needed if you specify the location from where the Agent gets its configuration CONFIGFILE lt path gt lt path gt can be any valid UNC FTP of HTTP path to the configuration file Example
Download Pdf Manuals
Related Search