EMBASSY Remote Administration Server (ERAS) Administrator Manual

Transcription

1 EMBASSY Remote Administration Server (ERAS) Administrator Manual Part III BitLocker, Trusted Platform Module, SafeNet ProtectDrive and Dell BIOS & CV Management ERAS Version 2.8 Document Version ERAS v 2.8 Wave Systems Corp. 2011

2 Contents Contents Remote Administration of BitLocker BitLocker Management Wizard... 4 Additional Management Features BitLocker Requirements BitLocker by Default BitLocker Decryption in ERAS BitLocker without a TPM BitLocker ERAS Limitations Recovery User Forgot PIN User Motherboard Broken Move Data Drive to Other PC TPM Management using ESC with BitLocker FIPS Compliance Remote Administration of TPM-enabled Clients... 9 ERAS identities and authorizations... 9 ERAS to provision TPM-enabled clients ERAS TPM management functions...10 TPM Activation...10 TPM enrollment & ownership...10 Managing TPM...10 TPM Management Wizard...11 Managing Multiple TPMs TPM Management Tab...13 Adding delegated owner...14 Remove a Delegated Owner...15 TPM Status...15 Query a TPM / Update Status...15 TPM Enable / TPM Disable...15 Change ownership...16 TPM Physical Presence authorized operations commands SafeNet ProtectDrive clients with ERAS Contents Wave Systems Corp. 2011

3 ProtectDrive Connector installation...17 ProtectDrive Management...18 Get Recovery Password...19 ProtectDrive Backup and Recovery Procedure...20 Backup Procedure...20 Recovery Procedure BIOS and ATA Hard Drive passwords management...23 System BIOS Management Tab...23 BIOS ATA HDD Password Setup ControlVault Management...27 CV User Management...28 Contents 3 Contents Wave Systems Corp. 2011

4 1. Remote Administration of BitLocker ERAS 2.8 will manage BitLocker Ready clients with Windows 7 Ultimate or Enterprise installed. The client will also be required to have the ERASService account added as a local administrator account. This is not a requirement if the management is done as a workgroup or non-trusted domain machine; instead the requirement is to have the installation of the ERASConnector. To enable BitLocker management from ERAS, go to the Server Settings UI and enabled BitLocker management by setting the value of Enable BitLocker Management to True. It may also be necessary to enable BitLocker Group Policy Settings (i.e. to use 256 bit key encryption or use of no TPM and changes to characters or character length are a few that will require editing of these policies) for modifying the default deployment. 1.1 BitLocker Management Wizard BitLocker has the ability to encrypt an OS or data partitions. Management can be performed by the use of the Computer Management Wizard or from the BitLocker Management Tab. First right-click on the device to be managed and select the Manage Devices Menu, then select Manage BitLocker Volume(s)... this will display the Computer Management Wizard as seen on the left. At this point one is free to add additional computer(s) by clicking the Add computers button, then click on Continue. Note that at the bottom one can check the box to skip device management. Enable Auto Unlock box can also be checked to enable this feature. The left dropdown next to Initialization Type of the following volume types : OS Volume First Data Volume Then the right dropdown menu provide for different authentication methods: Startup Key Startup Password TPM TPM w/pin TPM w/startup Key TPM w/pin & Startup Key 4 Remote Administration of BitLocker Wave Systems Corp. 2011

5 The BitLocker Management Tab can be accessed by highlighting the computer on the ERAS console and performing right-click then select properties then choose BitLocker Management tab. This tab displays the volume(s) currently being managed by BitLocker. The drive, volume type and encryption status are displayed along with the total size of the partition and available free space. The disk can be selected and refreshed with the Refresh button and the Uninitialized and Managed button reside above where BitLocker Volume information is displayed, at the bottom. It is possible to right-click and pauses / resume during the encryption process on the chosen volume. In order to access BitLocker Volume Key Management one must click on the Mange button. The BitLocker Volume Key Management Tab allows for the management of security settings of the BitLocker drive. The following buttons allow for changes for the descriptions noted on the left of the management window. The top portion of the window allows for the reset of pin or passphrase, enabling of auto unlock and suspension of key. Below allows for key recovery and reset of the recovery password key. This also allows the Administrator to retrieve the recovery password key by clicking on Get Password. Please note that you will not be able to retrieve passwords for a drive in FIPS mode. 5 Remote Administration of BitLocker Wave Systems Corp. 2011

6 Additional Management Features BitLocker Volume Security Setting Reset PIN Enable Auto-Unlock Suspend Key Protectors BitLocker Recovery Settings Reset Password Reset Key Export Key Allows Administrator to reset PIN Allows for volume unlock at startup Authentication to volume can be toggled off Allows Administrator to reset password Allows a reset of TPM BEK in cases of recovery Allows the export of a BEK recovery file 1.2 BitLocker Requirements ERAS 2.8 Please reference ERAS Installation Guide for requirements and environment BitLocker Domain Clients with either Windows 7 Ultimate or Windows 7 Enterprise (with BitLocker ready partition) Ensure ERASService account is added to Administrator group on the client machine for WMI communication such as with ERAS clients on the domain. o This requirement is not needed for Foreign Client since this is resolved with the ERASConnector.msi during client initiated management Windows 2008 R2 Domain Controller to deploy BitLocker GPO *Using BitLocker default setting 1.3 BitLocker by Default ERAS does add Startup Key option to BitLocker Data Volume as a default setting. Below is a table summary of BitLocker default settings as seen both by ERAS versus Windows 7. Volume Type TPM Password PIN Startup Key ERAS OS TPM Only Startup Key Data Password Startup Key WINDOWS 7 (Ultimate or Enterprise) OS TPM Only No PIN No Startup Key Data Password Only By default it uses the AES encryption algorithm in CBC mode with a 128 bit key, combined with a diffuser for additional disk encryption specific security not provided by AES. The diffuser layer is termed by Microsoft as an Elephant diffuser There is a policy for fixed data drive called "Configure use of passwords for fixed data drives. Passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters. 1.4 BitLocker Decryption in ERAS ERAS still owns the volume while it is decrypting. You can still get recovery pin and password. It s only after volume is fully decrypted that the volume is free from its ownership of ERAS. As an artifact of this behavior, when one uninitializes a BitLocker drive the following message will appear Un-initialize has been successful. Yet ERAS ownership is only released once the volume is fully decrypted. 6 Remote Administration of BitLocker Wave Systems Corp. 2011

7 1.5 BitLocker without a TPM If the client computer does not have a TPM, BitLocker can only be used with the Startup key on USB flash drive as the only authentication method to the OS volume. This will also require editing of the BitLocker Group Policy Setting. 1.6 BitLocker ERAS Limitations No remote management of BitLocker To Go BitLocker Data Recovery Agent (DRA) option is not supported by ERAS TPM must be enabled & activated as a pre-requisite for ERAS management of the TPM DCOM error message: ""Unable to set up DCOM connection between ERAS server and the client platform." can be caused by the Windows BitLocker wizard running on the client. 1.7 Recovery ERAS helpdesk provides recovery password and recovery key in case users need to recover the BitLocker enabled disk. 1.8 User Forgot PIN User must obtain recovery password or recovery key to unlock drive. User asks ERAS operator or Helpdesk to reset his/her PIN. 1.9 User Motherboard Broken User can connect the hard disk to other motherboard, get recovery password or key, start the OS. Then ERAS operator shall disable or delete the TPM protector and recreate a new TPM protector with the new motherboard (TPM) by use of the Reset Key button Move Data Drive to Other PC The auto unlock will not work anymore. User must obtain recovery password or recovery key to unlock drive from Helpdesk TPM Management using ESC with BitLocker As mentioned earlier, BitLocker management does not require Wave software to be installed on the client. In the case where TPM management is a requirement, Wave ETS software can be used for management of the TPM and as key protector. This also requires the ERASConnector or ERASProvider to be installed prior to initializing the OS Volume with BitLocker. If this is done after BitLocker has already initialized the OS volume then ERAS will not be able to manage the TPM. It is highly recommended that one reviews the ERAS BitLocker Deployment Guide and Microsoft documentation that has been referenced in ERAS Admin Manual prior to BitLocker deployment 7 Remote Administration of BitLocker Wave Systems Corp. 2011

8 1.12 FIPS Compliance Federal Information Processing Standard (FIPS) Group Policy settings in Windows 7 to require FIPS compliance: Please keep in mind if your organization is FIPS-compliant, Bitlocker-protected removable drives cannot be opened by computers running Windows XP or Windows Vista. To use Bitlocker in a FIPS-compliant environment, you must enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, which can be found in the Local Group Policy Editor under: \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, before turning on Bitlocker. When the drive is initialized as a BitLocker drive using FIPS the password recovery capabilities are removed meet FIPS compliance. Expect to see the following message upon trying to retrieve a password for a FIPS compliant BitLocker drive. This means to recover a drive one needs to export a recovery key for that device from the ERAS database using the Export Key from the BitLocker Volume Key Management UI. 8 Remote Administration of BitLocker Wave Systems Corp. 2011

9 2. Remote Administration of TPM-enabled Clients A TPM (Trust Platform Module) is embedded silicon that functions like an embedded smart card. It can be used to generate keys, store certificates and digitally sign. ERAS enables remote management of these TPMs that are embedded in the motherboards of the TPM-enabled PCs across the enterprise. ERAS enables the digital identities in these TPMs to be linked to Active Directory identities and used as a strong cryptographic root of trust for a range of security applications, including: Strong network authentication Machine identification Data protection Secure messaging Network access control ERAS identities and authorizations The TPM delegation model allows the primary TPM Owner to delegate the ownership privileges to other individuals (entities) with the right to use a subset of authorized TPM commands TPM Owner This is the entity that owns and has the title to the platform. A TPM can only have one owner. In an enterprise environment it is recommended that TPM ownership be taken by Domain user account name allocated for ERAS Service and ERAS Administrator TPM User The user has access to TPM objects such as TPM keys. A TPM user is any entity that can present the authentication data for an object. A TPM user is any user that can present the authentication data for an object on that specific unit. ERAS Administrator A trustworthy person that performs ERAS administration functions. Can be TPM Owner, TPM User ERAS to provision TPM-enabled clients Provisioning of TPM-enabled clients using ERAS consists of the following steps: 1. Enrolling the TPM-enabled client in the ERAS management database 2. Taking ownership of the TPM on the client PC, this is the root of trust. In normal applications, ERAS will be the proxy owner of all the TPMs 3. Delegating ownership rights on the client platforms. This creates a user account on the TPM that is linked to a user identity as defined in Active Directory 4. Setting owner and user passwords. Establishing TPM authentication credentials for the owner and the user Using ERAS for management of deployed TPM-enabled clients consists of the following major steps: 1. Updating the configurations in the management database 2. Running queries 3. Generating reports 4. Adding and deleting users 5. Enabling or disabling TPMs 6. Changing owner passwords 7. Enrolling and managing delegated owners Password Complexity The ERAS validates passwords against domain policy 9 Remote Administration of TPM-enabled Clients Wave Systems Corp. 2011

10 2.1 ERAS TPM management functions TPM Activation TPM is an OPT-IN technology; the platform owner has to perform certain deliberate steps to enable TPM usage. On most machines, this requires a certain sequence of KEYs to be executed in BIOS mode. For this reason, TPM activation cannot be executed remotely from ERAS. Newer machines have a feature called remote physical presence, which allows remote activation. Remote Physical Presence has to be supported both in the BIOS and the OS, in order for ERAS to perform remote activation. BIOS support and software support for remote physical presence is a property of the PC platform dependent on the PC vendor. TPM enrollment & ownership TPM enrollment and ownership are ERAS functions that enable central IT to have exclusive ownership and administrative privileges over a TPM. Delegated owners can be added after the ownership is taken. Delegated owners can use the TPM but do not have administrative privileges. To remotely manage TPMs, it is first necessary to enroll them in ERAS. The enrollment process results in the creation of an entry, corresponding to the target client computer in the ERAS. Managing TPM The following screenshots will allow the administrator to take ownership of the TPM on the remote machine via ERAS Console. For the purposes of this discussion the focus will be on a unit that does not contain a Trusted Drive, therefore only tabs pertaining to the TPM identification and management will be present when viewing the machine properties. Of course, the same steps would apply for a unit that had both a TPM and Trusted Drive. Expand EMBASSY Remote Administration Server, expand Domain and then expand Computers in the left-hand pane. Highlight Computers on left, displaying a list of computers on the right. Right-click and Select Manage Device then select TPM... Note that this same path can be used to manage all device items as mentioned earlier starts the Manage Device Wizard. Step A. First window of Manage Device with client to be managed displayed Step B. Window where one selects to take ownership 10 Remote Administration of TPM-enabled Clients Wave Systems Corp. 2011

11 TPM Management Wizard Step B displays the area in which to place a check mark by clicking inside the box which starts the process of taking TPM ownership. It is on Domain user account name allocated for ERAS Service by default. As the Administrator clicks on Continue he/she will be directed through Step D, where communication is occurring between ERAS and the TPM on the remote client and finally completed in Step D. This management can also be performed from the properties window. Below is an example of properties window also being accessed from the ERAS console. In the diagram labeled TPM Management tab, the Domain user account name allocated for ERAS Service ownership, which have just been established, is shown in the TPM Management tab selected for the Machine LSM4300XP. The ownership can be changed or other non-administrative users (TPM User) of the TPM can be added as a delegated owner, such as the normal user of that machine to allow them their own credentials to access the TPM. Step C. Select from ERAS service account or domain user Step D. Process Manage Operation for TPM 11 Remote Administration of TPM-enabled Clients Wave Systems Corp. 2011

12 Managing Multiple TPMs An administrator can manage multiple clients with TPM at once. This is done by using the left pane of ERAS as seen below. Left pane view of ERAS Right-Click on Computers, and see multiple computers in the list. In this example there are only three clients connected to the ERAS server. Select Manage TPM and follow screen as seen below: Add Computer or Remove Computer is available on the right side of Select Computers UI. At this point one would follow the steps as seen above in Steps A through Steps D. Provisioning Model for Computers Not Reachable For all computers not reachable on the network the following is true: Foreign Clients are always unreachable and all management operations are postponed. Computer not connected to the domain are not reachable and will have operations postponed. For more clarification read section on Pending Operations. 12 Remote Administration of TPM-enabled Clients Wave Systems Corp. 2011

13 2.2 TPM Management Tab TPM Management TPM Management tab TPM Management tab contains the following buttons: Enable Disable Reset Auth Lock Out Manage WSKS feature is currently under development and is disabled Add Remove Change Ownership Clear Ownership Request Operation TPM Physical Presence authorized operations (drop-down menu) Overview of Step A through Steps D The steps to perform enrollment: 1. Right-click on Computers in the left pane of the ERAS console 2. Select Manage Device then TPM 3. In the Select Computers, user can: Select client platforms that are displayed Add computers that are not currently displayed Remove computers Click Continue 13 Remote Administration of TPM-enabled Clients Wave Systems Corp. 2011

14 TPM Management Tab 1. In the Manage TPM Options screen, users can: Take TPM Ownership with ERAS (Domain user account name allocated for ERAS Service) Assign ownership to a Domain User Click Next 2. Manage TPM Summary This screen will display all the actions that have been selected This screen will display all the target PCs Click Back to modify the scheduled action Click Finish to execute the scheduled actions 3. Manage TPM Status The status on this screen indicates processing or completed When the Status is completed, this screen summarizes the actions that have been performed by the ERAS server Clicking on computer names provides a summary status of the actions executed for that client Adding delegated owner A delegated user is allowed to use the TPM to create and protect keys. Wave ETS client software manages the TPM access privileges within the client. ETS supports the following TPM authentication mechanisms: Biometric, PKI or password/ PIN. The user must authenticate to the TPM before any TPM protected keys can be used. 1. Once a TPM-enabled PC has been enrolled, ERAS can be used to add delegated users 2. In the domain tree, select the target computer 3. Right-click and select the Properties 4. Select the TPM Management tab 5. Click Add and Next 6. Enter the users to be added 7. One or more users can be added to a PC in one step 8. Select password to choose whether a shared password or individual passwords will be set for the delegated users 9. The password must be conveyed to the user out of band (i.e., via ) 10. The delegated owner password set in ERAS is only meant for the purpose of transferring access control to the delegated owners. Delegated owners should be required to substitute a private password once they get TPM access. 11. Click Finish ERAS will enroll the selected users as delegated users. Before enrolling the users, ERAS verifies that they have valid accounts in Active Directory. If the user forgets their TPM password, ERAS can be used to reset the delegated user password to a new value. 14 Remote Administration of TPM-enabled Clients Wave Systems Corp. 2011

15 Remove a Delegated Owner Removing a Delegated Owner may be required when a user no longer needs access to a given platform. This could occur when a user leaves an organization, or when a given computer is re-purposed for another department or is sold. 1. Select the target computer from the MMC view 2. Right-click and select Properties 3. Select the TPM Management tab 4. Select the Delegated Owner, or select multiple-delegated owners using the ctrl key 5. Click Remove TPM Status In case if in BIOS TPM Security is On and TPM Activation is deactivated it is still disabled, inactive. The reason for this status TPM is unable to respond on requests. TPM Security: Off means - no power to TPM chip TPM Security ON, TPM Activation - Disabled - power on, but not functioning (no response to requests), since it is unable to report status. TPM Security ON, TPM Activation - Enabled - fully functional, and then it will be able to report its status. Query a TPM / Update Status ERAS has a management database, which contains all TPM settings that are required for management of the TPM It is possible to view the current values of the management database, as well update the database, by querying the TPM on the client PC To view the status of PC enrolled in the ERAS repository Select the target computer from the MMC view Right-click and select Properties Select the various tabs to view the ERAS status entries, corresponding to the last status-refresh performed on the TPM To refresh the status of a PC record in the ERAS repository Select the target computer from the MMC view Right-click and select Refresh The new values in the ERAS database can then be viewed as outlined above TPM Enable / TPM Disable When a TPM is disabled using ERAS, none of the programmed settings are modified; however, all administrative and all user functions are blocked. If the TPM is later enabled, then all the original settings are preserved. This includes ownership, delegated users, etc. 15 Remote Administration of TPM-enabled Clients Wave Systems Corp. 2011

16 Change ownership Knowledge of the current owner password is required, in order to take ownership of a TPM that already has an owner. The following instructions assume that the TPM has not previously been enrolled into ERAS. 1. Locate the computer TPM status will be unknown, never refreshed 2. Right-click and select Refresh ERAS will detect the TPM and change the ICON 3. Right-click and select Properties 4. Select the TPM Management tab 5. There will be a Register owner button 6. Click Register owner. Click Next 7. Select the new owner type: ERAS administrator or domain user 8. Click Next, Enter the password of the existing owner 9. If a domain user is selected to be the new owner, then a new password must be entered 10. If ERAS administrator is selected, the password is automatically generated 11. Click Submit TPM Physical Presence authorized operations commands Activate the device Allow the installation of device owner Clear the device Clear, enable, and activate the device Deactivate the device Deactivate, disable, and prevent the installation of a device owner Disable the device Enable and activate the device Enable the device Enable, activate, and allow the installation of a device owner No request Prevent the installation of a device owner The following prerequisites are necessary for Physical Presence commands: 1. Supported client platform 2. ERASService account must be included in the client s local administrator group. 16 Remote Administration of TPM-enabled Clients Wave Systems Corp. 2011

17 3. SafeNet ProtectDrive clients with ERAS ERAS has the ability to remotely mange SafeNet ProtectDrive clients. ProtectDrive is a software-based FDE (Full Disk Encryption) solution which is provided for systems that do not support self-encrypting hard drives. The behavior of initialization and adding users will be the same as with self-encrypting hard drives. Enabling security from ERAS will start the software encryption process of the drive in the background on the client machine. Red lock will appear in Windows Gina indicates that ProtectDrive is installed ProtectDrive Management ERAS management of ProtectDrive FDE is the same as with self-encrypting hard drives. Initializing the drive takes ownership and adds a user(s) to the drive. To lock the drive go through the Manage buttons then click on Enable to begin the encryption process. Software FDE encryption takes several hours. For more information please refer to the ProtectDrive Administration Manual The installation of the ERAS client on these systems first requires the installation of the SafeNet ProtectDrive client software versions. Provided are the following general steps for the preparation of a ProtectDrive client to join ERAS. ProtectDrive Connector installation 1. Uninstall any pre-existing TDMRemoteConfig or Wave Embassy software on the client 2. Install SafeNet ProtectDrive. In order to disable local management, install SafeNet ProtectDrive using the remote option. This requires a pre-existing cert or one to be created. See SafeNet documentation for more details. 3. Install Embassy Security for ProtectDrive.msi 4. Install ERASConnector or ERASProvider depending on management prefrences. 5. If any change of default SafeNet options are required, perform the SafenetConfig.xml installation prior to initializing SafeNet ProtectDrive. ProtectDrive License File The ProtectDrive license file, received from SafeNet, is placed in the same folder as the PD installer package BEFORE the PD installation. 17 SafeNet ProtectDrive clients with ERAS Wave Systems Corp. 2011

18 1. Place SafenetConfig.xml on a file system accessible by clients, such as a network share 2. Modify SafenetConfig.xml to include the ProtectDrive options desired. 3. Configure the Protected Drive Configuration Policy, (part of the ESDGPO package) to point to the file location of SafenetConfig.xml 4. Deploy the Protected Drive Configuration Policy to clients. As with any ERAS client, the same requirements for remote administration apply here: 1. Verify that DCOM port: TCP 135 is open on the client machine 2. If WMI is already used for other systems management functions, the required ports are already open 3. Vista and Windows 7 clients require that Remote Administration is a selected exception in the firewall ProtectDrive Management In order to manage ProtectDrive client machine from ERAS please make sure that ProtectDrive management is enabled from the Server Settings UI. ProtectDrive remote functionality is supported through ERAS including support enabling encryption for more than one partition or volume on a client computer using a single management license, smart card support and backup of drive recovery keys. The various ProtectDrive configurations and enablement and control of particular features such as FIPS mode is supported in conjunction by enabling the above Wave policy that points to the SafenetConfig.xml file as discussed above. From ERAS upon initializing the drive one is provided the choice to enable for smartcard support. Please reference the ProtectDrive Administration Manual provided with the particular version of the deployed ProtectDrive for any additional details. 18 ProtectDrive Connector installation Wave Systems Corp. 2011

19 Initialization experience for ProtectDrive can be done From the ERAS console one can navigate to the properties of the ProtectDrive client. There are additional options that allow to Disable/Enable Encryption or Refresh the volume by performing a right-click on the particular volume. Also when one navigates to the Manage UI, there is an Export button to allow for the exporting of Backup Credential keys for ProtectDrive. This allows for drive restoration. One will need to review the SafeNet ProtectDrive Administration Manual to determine steps needed to use these files. Get Recovery Password This action displays an ASCII string that can be used by a remote user to get access to a locked Trusted Drive. It can be used in the case where a user forgets their drive password. The reported value can be passed out-of band. ( or TXT) The Recovery Password is used with the User name: Recovery_Agent SafeNet ProtectDrive encrypted drives must login to local machine in order to use the recovery password View from client machine of pre-boot screen 19 ProtectDrive Connector installation Wave Systems Corp. 2011

20 ProtectDrive Backup and Recovery Procedure All details can be found in SafeNet ProtectDrive Enterprise Version Administration Guide under the following: Review Chapter 10 Extraordinary Authentication Scenarios for Create the Recovery Disk Key. Review Chapter 11 RapidRecovery TM Disaster Recovery Tools for Backup.exe The Backup.exe must be run after each disk encryption status change or license update. Backup Procedure A. Install SafeNet ProtectDrive with Master Key 1. On ERAS, create Master Security Key (PdMaster.pfx) and Recovery Support Key. 2. ERAS provides the keys from Step 1 above to client. When installing SafeNet PD software on client machine, ERAS will pass these keys as parameters to the client for installation. 3. On Client, install SafeNet PD with the keys provided. B. Create EFS backup files 1. ERAS admin initializes the PD and encrypts drive. 2. After each encryption status change or license update, ERAS Admin should store backup files by click the Backup button. Backup button should do the following steps: i. ERAS calls GetUserStoreXmlFile() to get UserStore.xml file. ii. ERAS calls GetBackupFileNames() to get a list of backup file names. Each file name included full file path and name. A comma is used as a delimiter between each file. iii. ERAS calls GetBackupFile() with the file name (including the full file path) to get the backup file. C. Create a Recovery Disk Key 1. Please see SafeNet Admin Guide chapter 10 Creating a Disaster Recovery Disk Key section for details. 2. Run rpadmin.exe (available from SafeNet installation CD, \Tools folder) 20 ProtectDrive Connector installation Wave Systems Corp. 2011

21 3. Click Disk Key Recovery tab 4. For Master Security Ceritificate Key: i. Check the PFX file radio button, then browse to the Master Security Key (PdMaster.pfx) location ii. Enter the password for the Master Security Key 5. For Backup File-set Location: i. Browse to the backup file set location (The file set was saved on ERAS after running the Backup steps, ERAS should provide this file set). 6. For Disk Key Output: i. Browse to a location where you want to save the Disk Key file, then enter the Disk Key File name (e.g. diskkey.dke) ii. Enter and confirm passphrase 7. Click on the Generate Disk Key File button to generate the recovery disk key file. 21 ProtectDrive Connector installation Wave Systems Corp. 2011

22 Recovery Procedure 1. To recover the Disk, make sure you have i. decdisk.exe (available from SafeNet installation CD, \Tools folder) ii. the encrypted *.dke file generated from previous steps iii. the corresponding passphrase iv. the backup files 2. To recover a hard disk in the event that a ProtectDrive-encrypted computer fails to boot to Window: i. Boot the affected PC into DOS mode ii. From cmd, decrypt the hard disk using the ProtectDrive decdisk utility. Make sure you use the /dk option. i. e.g. decdisk dk diskkey.dke iii. Enter the passphrase iv. Select the disk to be decrypted v. After decrypting, run rmbr /o /r /rp <backup-files-path> (to remove the Protect Drive preboot authentication). vi. Reboot vii. Unplug network viii. After reboot, uninstall SafeNet ProtectDrive ix. Re-install SafeNet ProtectDrive x. Repair PD Connector xi. Plug network 22 ProtectDrive Connector installation Wave Systems Corp. 2011

23 4. BIOS and ATA Hard Drive passwords management System BIOS Management Tab This tab manages a machine's administrator, system, and ATA hard drive passwords remotely. Management actions include set, reset, clear, and view passwords. All actions are logged in ERAS server logs. Please note that in order to utilize remote BIOS management a minimum of ESC 2.5 (and higher) software is a requirement for the remote client. For the System BIOS management, ERAS shall randomly generate passwords to set the administrator password, BIOS password and ATA HDD Password. If a Trusted Drive user password is already set, this will disable the ATA HDD password. The Clear button shall set the password to empty. The View button shall display the generated password in the textbox adjacent to the type of password. The BIOS and ATA HDD password are viewable and all these operations are available on the command-line. The ERAS administrator has the ability to create a script to reset the viewable passwords and schedule the script to run after the password has been disclosed to the user. BIOS ATA HDD Password Setup BIOS ATA HDD Password operations require a reboot of local (client) machine. Following is a sample to demonstrate how to perform set operation of HDD password for a given machine. Domain Client connected to network 1. Open Properties select BIOS tab 2. Click on Set for HDD Password It will prompt you to reboot the machine after the operation is successfully executed. 3. Now, reboot the client machine 4. At pre-boot you will see the prompt [Ignore / Modify] dialog. --> Click on Modify. 23 BIOS and ATA Hard Drive passwords management Wave Systems Corp. 2011

24 5. Now go back to ERAS console and open properties for desired machine the go to BIOS Tab. Click Refresh 6. You will see that your operation has executed successfully Domain Client disconnected from network 1. Open Properties select BIOS tab 2. Click on Set for HDD Password It will prompt you to reboot the machine after the operation is successfully executed. 3. Since the client is offline, operation goes to Postponed Operations Queue. 4. Client eventually comes online. 5. ECC from client machine will then connect to ERAS and pick up this pending operation. 6. ECC performs the HDD operation. 7. Now, reboot the client machine. 8. At pre-boot you will see the prompt [Ignore / Modify] dialog. --> Click on Modify. 9. Now go back to ERAS console and open properties for desired machine the go to BIOS Tab. 10. Click Refresh 11. You will see that your operation has executed successfully Non-Trusted Domain Client 1. Open Properties select BIOS tab 2. Set HDD Password It will prompt you to reboot the machine after the operation is successfully executed. 3. This is Foreign Client so operations are postponed. 4. ECC from client machine will eventually connect to ERAS and pick up this pending operation. 5. ECC performs the HDD operation. 6. Now, reboot the client machine 7. At pre-boot you will see the prompt [Ignore / Modify] dialog. --> Click on Modify. 8. Now go back to ERAS console and open properties for desired machine the go to BIOS Tab. 9. Click on Refresh Operation is postponed. 10. ECC from client machine will eventually connect to ERAS and pick up this pending operation. 11. ECC performs refresh BIOS operation. 12. Now open Properties again. 13. You will see that your operation has executed successfully. When the BIOS password has been changed locally, the newly defined password must be communicated to ERAS Administrator (out-of-band) and must be entered from ERAS updated from console. 24 BIOS and ATA Hard Drive passwords management Wave Systems Corp. 2011

25 Once the BIOS passwords are set, the Set button will transform to a Change button and the View and Clear buttons will be enabled. Also above the corresponding buttons will read a message (in green text here) indicating that the BIOS pass words are properly configured. Set the BIOS Administrator Password Click on the Set button to enter and confirm created password Note that Dell BIOS does not accept special characters. Also special characters cannot be used for Dell computers for auto-generated passwords. 25 BIOS and ATA Hard Drive passwords management Wave Systems Corp. 2011

26 View BIOS Administrator Password After the BIOS Administrator Password has been set Clear BIOS Administration Password The BIOS system and ATA HDD passwords are configured in the same fashion. Remote view BIOS management column BIOS tab on ERAS appears with disabled buttons on unsupported client machines and regardless of deployment of ERASProvider or ERASConnector. This extra tab appears with disabled buttons. If desired this tab can be removed if BIOS management is disabled from the Server Settings UI 26 BIOS and ATA Hard Drive passwords management Wave Systems Corp. 2011

27 5. ControlVault Management ControlVault (CV) management is isolated to select Dell platforms that contain CV hardware. Dell ControlVault, is a hardware-based security solution that secures passwords, biometric templates, and security codes within firmware and locked away from a malicious application attack. The CV is a storage device that allows the adding and removing of associated user information and the archiving and restoring of secure information as mentioned above. The BIOS system password is a pre-requisite to initializing the ControlVault. If the BIOS system password is not set first, the administrator will be prompted to do so. There are two types of passwords which can be managed for CV Administrator password and CV firmware upgrade password. These passwords are set during initialize of CV. They can be changed but cannot be cleared. However, during un-initialize of CV, these passwords are cleared automatically. All mentioned operations are available on the command-line so they can be scripted as well. Adding and removing CV user operations are available at the bottom of the window. There are no user accounts that can be created in a CV, though CV objects can be associated with a user. 27 ControlVault Management Wave Systems Corp. 2011

28 CV User Management Add User This operation associates the given user with the given machine s CV. The actual user action however, can happen only on local machine (e.g. finger print enrollment). Archive User This operation will archive all available CV objects for the given user from client machine to ERAS database. Any new object added on the local machine needs to re-archived to store it in ERAS database. Restore User This operation will transfer existing CV objects present in ERAS database for the given user to the given local machine. During this operation, existing CV objects (if any) will be over-written. Specific message will be given to the user to warn him about this operation. Remove User This operation will remove the association between given user and given local machine. It also deletes the existing CV objects for the given user on the given local machine. This is non-reversible. Specific message will be given to the user to warn him about this operation. CV Migration is not supported for Workgroup Foreign Client because the user is a local user linked to its client name. CV migration is limited to un-trusted and trusted domain users only. To perform any of the CV related operations, one needs to add following three tasks for the role: ViewCVPasswords ManageCVPasswords ManageCVUsers If a user's credentials are enrolled or restored to multiple machines, note that removing or adding credentials locally on one machine for a user will not change that same user's stored credentials in the ERAS database or on other machines. 28 Wave Systems Corp. 2011