Symantec Endpoint Encryption Full Disk

Transcription

1 Symantec Endpoint Encryption Full Disk User Guide Version 6.0

2 Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Symantec Corporation Symantec Corporation. All rights reserved. Authenti-Check is a registered trademark of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners. Printed in the United States of America.

3 Contents Contents 1. Introduction Overview Basic Concepts Registration Encryption Single Sign-On The Client Console Policy Administrators Client Administrators Best Practices Password/PIN Strength Password/PIN Secrecy Authenti-Check Questions and Answers Computer Shutdown Trusted Software Backups Registration & Re-Registration Overview Registration Prompts Grace Restarts Available Registration Mandate Multiple Users Registration Wizard Basics Registration Password Password Registration Token Registration Re-Registration Basics Re-Registration Notification Re-Registration Mandate Pre-Windows Authentication Overview Password-Based Authentication Getting Started Logging On Logon Delay Logon Assistance Token-Based Logon Basics Token Insertion at Startup Screen Logging On Token Error Messages and Logon Assistance Logon Assistance Overview Symantec Endpoint Encryption Full Disk iii

4 Contents Forgotten Password or Token Basics Authenti-Check One-Time Password (OTP) Forgotten PIN Basics One-Time Password (OTP) The Client Console Overview Logon Single Sign-On Enabled Single Sign-On Not Enabled Welcome Navigation Password Change Basics Instructions Authenti-Check Change Computer Check-In User Account Viewing Encrypting How To View Status Decrypting How To View Status About Appendix A. Supported Character Sets SEE Passwords Authenti-Check Questions and Answers Appendix B. Token Error Messages Overview Registration or Re-Registration Pre-Windows Logon Client Console Logon Glossary Index Symantec Endpoint Encryption Full Disk iv

5 Figures Figures Figure 2.1 Registration Prompt, Grace Restarts Available Figure 2.2 Registration Prompt, Mandate Figure 2.3 Registration Prompt, Multiple Users Figure 2.4 Registration, Registration Password Figure 2.5 Password Registration, SSO Enabled, Domain Account Figure 2.6 Password Registration, SSO Not Enabled Figure 2.7 Password Registration, Authenti-Check Figure 2.8 Password Registration, Account Is Active Figure 2.9 Token Registration, SSO Enabled Figure 2.10 Token Registration, SSO Not Enabled, Token Insertion Figure 2.11 Token Registration, PIN Entry Figure 2.12 Token Registration, Information Summary Figure 2.13 Select Certificate Figure 2.14 Token Registration, Account Is Active Figure 2.15 Re-Registration Notification Figure 2.16 Re-Registration Mandate Figure 3.1 Pre-Windows Startup, Default Figure 3.2 Pre-Windows Logon, Password Figure 3.3 Pre-Windows Logon, One-Minute Delay Figure 3.4 Pre-Windows Startup, Default Figure 3.5 Pre-Windows Logon, Token PIN Entry Figure 4.1 Pre-Windows Password Logon, Logon Assistance Figure 4.2 Pre-Windows Logon Assistance, No Methods Available Figure 4.3 Pre-Windows Logon Assistance, Default Message Figure 4.4 Pre-Windows Logon Assistance, Authenti-Check Figure 4.5 Pre-Windows Logon Assistance, Success Figure 4.6 Change Password, Windows Figure 4.7 Pre-Windows Logon Assistance, SEE Password Change Figure 4.8 SEE Password Change Success Figure 4.9 Pre-Windows Logon Assistance, Authenti-Check Incorrect, OTP Begins Figure 4.10 Pre-Windows Logon Assistance, OTP Figure 4.11 Change Password, Windows Figure 4.12 Password Change, SEE Figure 4.13 Pre-Windows Token Logon, Logon Assistance Figure 4.14 Pre-Windows Logon Assistance, Default Message Figure 4.15 Pre-Windows Logon Assistance, OTP Figure 5.1 Client Console Logon, Password Figure 5.2 Client Console Logon, Token Figure 5.3 Select Certificate Figure 5.4 Client Console Welcome Figure 5.5 Client Console User Interface Elements Figure 5.6 Client Console Password Figure 5.7 Client Console Authenti-Check Figure 5.8 Client Console Check-In, Check-In with No Enforcement Figure 5.9 Client Console Users Figure 5.10 Client Console Encryption Figure 5.11 Client Console Decryption Figure 5.12 Client Console About Symantec Endpoint Encryption Full Disk v

6 Introduction 1. Introduction Overview Symantec Endpoint Encryption Full Disk (SEE Full Disk) protects your data while it is at rest through pre-boot authentication and FIPS-validated encryption. As part of Symantec Endpoint Encryption (SEE), it accomplishes this from a central point of control. This Guide is written for the registered user and includes chapters on registering for an account, authenticating in pre- Windows with a password or a token, using the Client console, and accessing logon assistance methods for forgotten passwords, PINs, or tokens. This chapter provides you, the user, with an introduction to basic concepts such as registration, encryption, authentication, and the Client console. The roles of Policy Administrator and Client Administrator are also described. In addition, this chapter includes Best Practices, which provide direction on how to secure the computer work environment. The sections are as follows: Basic Concepts on page 1 Best Practices on page 2 Basic Concepts Registration SEE Full Disk protects the data stored on your hard disk by requiring you to authenticate before it allows Windows to load. This prevents unauthorized users from accessing your data. You must register for an account before you can authenticate. The first user will be forced to register once their grace restarts expire, if they have any. Additional users are allowed to defer registration but must also register to be able to boot to Windows. If your Policy Administrator has pushed out a policy to upgrade you from a password to a token user, you will have to re-register. During registration, you set your SEE password or identify your token and PIN. Encryption SEE Full Disk also protects the data stored on your hard disk by encrypting it so that unauthorized users cannot access it. Encryption is the process by which an algorithm renders data unreadable to anyone who does not have the proper credentials. Most likely the encryption was configured to happen immediately following the installation of SEE Full Disk. Encryption is transparent to you. You can continue to work normally during and after the encryption of your hard disk. Single Sign-On If Single Sign-On (SSO) is enabled, you will have to log on only once with your Windows user name and password or token. If SSO is not enabled, you will need to log on to SEE Full Disk and then to Windows. Though it requires an extra step, not having SSO enabled is the more secure configuration. The Client Console The Client console is available once Windows has loaded and allows you to: View the encryption status of your hard disk partitions. View the other registered users and the Client Administrator accounts on your computer. Symantec Endpoint Encryption Full Disk 1

7 Introduction View the last time your computer checked in with the Symantec Endpoint Encryption Server (SEE Server), if at all. View product version information. Encrypt hard disk partitions that are decrypted, if any. In addition, you might be able to: Change your SEE password. Change your Authenti-Check questions and answers. Decrypt hard disk partitions. These additional functions may or may not have been enabled by your administrator. Policy Administrators The Policy Administrator performs centralized administration activities that include pushing out policy updates. An organization s centralized point of control for SEE is one or more Policy Administrators. A Policy Administrator defines installation settings and policies that are pushed out to Client Computers through Active Directory. Client Administrators The Client Administrator is your primary SEE administrator contact. The administrator can help you if you get locked out of your computer, forget your password, or if your computer fails to boot. Best Practices Password/PIN Strength Define a password or PIN that you can remember, so that you don t have to write it down. Try to choose passwords and PINs that are closer to the maximum length allowed rather than to the minimum length allowed. Include a variety of characters, including upper and lowercase letters mixed with numbers and special characters, if allowed. When you create a password or PIN, think of one that is hard to guess; for example, don t use a commonly known fact, such as your spouse s name, or a fact that can be easily researched, such as your mother s maiden name. Password/PIN Secrecy You are responsible for your password or PIN s security. Change your password or request a new PIN if you feel that your password or PIN may have become compromised. Some situations to be mindful of are: You wrote your password or PIN on a piece of paper but now you can t find that paper. Someone looked over your shoulder and watched you type your password or PIN. Authenti-Check Questions and Answers If you have Authenti-Check available as a password-recovery method, you define up to three question-answer pairs during registration. Then if you forget your SEE password, you can authenticate to SEE Full Disk by correctly answering the questions. These questions and answers, therefore, are just as important as your password. Follow similar guidelines for your questions and answers that you would for your password. That is, create pairs that do not contain commonly known information, that are longer rather than shorter, and that you can remember. Also, do not let others watch you enter them. Unlike passwords, the question-answer pairs are not displayed as asterisks or dots on your screen; they display in plain text. Therefore, be especially mindful of anyone looking over your shoulder. Also, even if only one question-answer pair is required, define all three. The more information that is required to authenticate you to SEE Full Disk, the more secure your access is. Computer Shutdown Once you have authenticated to SEE Full Disk and Windows has loaded, SEE Full Disk cannot protect your data anymore. For this reason, it s best not to leave your computer unattended, particularly in an insecure location, such as Symantec Endpoint Encryption Full Disk 2

8 Introduction a cafe. If you must step away, you should invoke the Windows screensaver that requires Windows credentials before it allows you to get back into Windows. To achieve the peace of mind that comes with SEE Full Disk protection, shut down your computer all the way. Trusted Software Be familiar with the software that is authorized to run on your computer. Be careful if you download software from the Internet. This software could contain spyware, viruses, malware, Trojan horses, or worms. Also use caution when opening attachments. Backups If your organization does not perform automated backups, you should do so yourself on a regular basis. This will allow you to recover from theft or hard disk failure. Store your backups in a physically secure location, such as a locked cabinet. Symantec Endpoint Encryption Full Disk 3

9 Registration & Re-Registration 2. Registration & Re-Registration Overview The registration of the first user greatly improves the ability of SEE Full Disk to protect your computer. Therefore, you should register as soon as you are prompted, even if you have the option to wait. During registration your password or PIN is set. In addition, you may need to set your Authenti-Check question-answer pairs. If your Policy Administrator has pushed out a policy to upgrade you from a password to a token user, you will have to re-register. Both registration and re-registration are accomplished by the same Registration wizard. Registration Prompts After SEE Full Disk is installed and your computer reboots, SEE Full Disk will prompt you to register for your SEE account. Grace Restarts Available Grace restarts are the number of times you can reboot without having to register. The following figure shows a sample of a message you may receive if your administrator has given you grace restarts. Figure 2.1 Registration Prompt, Grace Restarts Available The prompt informs you that you can restart a set number of times without having to register. While you can click Cancel and continue working normally, it s best to click Register Now and begin the registration process. Registration Mandate Once your grace restarts expire, or if your administrator did not give you any grace restarts, you will be forced to register. The following figure shows a sample of a message you will receive if your administrator has not given you grace restarts. Figure 2.2 Registration Prompt, Mandate Symantec Endpoint Encryption Full Disk 4

10 Registration & Re-Registration Registration takes only a few moments. Click Register to begin the registration process. If you can t complete registration now, click Log Off Windows. The next time you boot up, you will receive the same registration mandate. Multiple Users Your administrator may have set up your computer to allow more than one user to register to SEE. You can check to see if this is allowed by using the Client console (see Chapter 5 User Account Viewing on page 42). As the first user, you will need to power the machine up from an off state and authenticate to SEE Full Disk before additional users can register. If you have Single Sign-On, log off Windows and have the additional user log on to Windows. If you do not have Single Sign-On, have the additional user log on at the Windows prompt. Once Windows boots, a prompt similar to the following is shown: Figure 2.3 Registration Prompt, Multiple Users The additional user should click Register Now to begin the registration process. The additional user will also have the option to click Ask Me Later or Don t Ask me Again. If the user chooses not to register, then that user will be unable to authenticate in pre-windows. This could be appropriate if the new user only needs to use the computer this one time or will never need to boot it up from a powered-off state. Registration Wizard Basics The Registration wizard guides you through the registration process. This wizard is the same for both registration and re-registration. The steps in this process will vary according to how your computer has been configured. Registration Password You may need a password to begin the registration process. If you don t see the following window (Figure 2.4), you don t need to enter a registration password. Skip to the section on Password Registration on page 6 or on Token Registration on page 11, as appropriate. Symantec Endpoint Encryption Full Disk 5

11 Registration & Re-Registration Figure 2.4 Registration, Registration Password A registration password is a way for your administrator to identify ahead of time which users are intended to use SEE. The registration password is not your SEE password; the registration password admits you to the registration process. You should have received this password ahead of time. If the Registration password screen appears but you do not have the password, call your help desk or click Cancel. Enter the password and click Next. If the password is accepted, the next window in the registration process appears. If the password is not accepted, a message appears and you will need to correct the password then click Next to resubmit it, or click Cancel. The Back button is not enabled; you can only click Next or Cancel. If you click Cancel, your SEE account will not be created. You will be prompted to confirm that you really want to cancel. Password Registration Single Sign-On Enabled If Single Sign-On is enabled and you are using a domain account, you will see a window similar to the following. If you don t see this window, skip to the next section Single Sign-On Not Enabled on page 7. Symantec Endpoint Encryption Full Disk 6

12 Registration & Re-Registration Figure 2.5 Password Registration, SSO Enabled, Domain Account Your Windows name, domain, and password will be used for your SEE account. Click Next to continue. If you click Cancel, your SEE account will not be created. You will be prompted to confirm that you really want to cancel. Single Sign-On Not Enabled If Single Sign-On is not enabled, the registration window displays your Windows user name, and domain or computer name (Figure 2.6) and prompts you to enter and confirm an SEE password. Symantec Endpoint Encryption Full Disk 7

13 Registration & Re-Registration Figure 2.6 Password Registration, SSO Not Enabled Define a password that you can remember, so that you don t have to write it down. Try to choose passwords that are closer to the maximum length allowed rather than to the minimum length allowed. Include a variety of characters, including upper and lowercase letters mixed with numbers and special characters, if allowed. When you create a password, think of one that is hard to guess; for example, don t use a commonly known fact, such as your spouse s name, or a fact that can be easily researched, such as your mother s maiden name. Be sure to follow any guidelines shown below the Confirm password field. The password must be within the Password length specified. The Symbols allowed parameter identifies which of the symbols on your keyboard may be included in the password. The Include at least field identifies the number of required symbols, uppercase letters, lowercase letters, and/or digits that your password must contain, if any. Refer to Appendix A Supported Character Sets on page 46 for the characters that these Include at least fields include, because not all of the supported characters are shown on the screen. Uppercase and lowercase accented characters, for example, are not shown. Tab to or click on the Confirm password field and type your password again. Click Next. If the password does not meet the requirements, the requirement that the password does not meet such as the number of digits is displayed in red. If the Password field and Confirm password field do not match exactly, the password fields turn red. Authenti-Check Authenti-Check is a self-help recovery method that allows you to get into your computer if you forget your password. The method is not available to token users. If you have Authenti-Check enabled, then you will see a window similar to the following (Figure 2.7). If you don t see this window skip to the next section Completion on page 10. Symantec Endpoint Encryption Full Disk 8

14 Registration & Re-Registration Figure 2.7 Password Registration, Authenti-Check One Authenti-Check question is always required. Up to three questions may be required, depending on how your system is configured. Questions identified as required, must be entered and answered. If a question is identified as optional, you are encouraged to enter a question and an answer. The more questionanswer pairs you have, the more secure your SEE Full Disk access is. For maximum security, enter three questions and three answers. Sometimes your administrator predefines questions for you. These questions you cannot change and you must provide answers for. Try to choose answers that other people cannot guess easily, but that you can remember without writing down. See Table 2.1 for examples of secure and less secure questions. Table 2.1 Authenti-Check Sample Questions Secure Who was your favorite teacher? Who was your childhood hero? What is the street name where your favorite relative lived? Less Secure What is your social security number? Where were you born? What is your mother s maiden name? See Appendix A Supported Character Sets on page 46 to see the characters that are allowed in your Authenti- Check questions and answers. When you have entered all questions and answers, click the Next button to submit your information. If your questions and answers fall within established guidelines, your information will be accepted; otherwise, fields that contain errors will be highlighted in red. Correct any highlighted information then click Next. Symantec Endpoint Encryption Full Disk 9

15 Registration & Re-Registration If you click Cancel, your SEE account will not be created. You will be prompted to confirm that you really want to cancel. Completion Once you complete the Registration wizard, the final window notifies you that your SEE user account is active (Figure 2.8). Figure 2.8 Password Registration, Account Is Active The Launch the SEE Client when I click Finish check box is selected by default to provide an easy means for you to access the primary control point for your SEE Full Disk protection. You should launch the Client console to view status and ensure that the encryption of your hard disk has begun or completed. Click Finish to complete the wizard and dismiss the window. If you leave the check box selected, when you click Finish: If you have Single Sign-On enabled, the Client console launches with the Welcome panel; you are already authenticated. If you do not have Single Sign-On enabled, the Client console launches with the Logon panel. Log on using the password that you just created for your account. See Chapter 5 The Client Console on page 33 for information about using the console. Symantec Endpoint Encryption Full Disk 10

16 Registration & Re-Registration Token Registration Token and Reader General Usage When the Registration wizard instructs you to insert your token: If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension cable attached to your computer. Wait until you see the RSA icon in your system tray change to include a plus sign. If you are using a smart card, hold the card so that the side containing the gold chip is on top and the card end containing the chip is closest to the reader. If your token has a light or the reader has a light, it blinks when information from your token is being read. If you are using an Axalto smart card, the icon s computer screen changes from black to blue while the icon s golden token blinks, then returns to black when the blinking stops. Wait until the blinking stops before taking the next action, such as clicking Next. If you encounter token, certificate, or PIN errors during registration, refer to Appendix B Token Error Messages and check the section Registration or Re-Registration on page 48 for possible causes and resolution. Single Sign-On Enabled If Single Sign-On (SSO) is enabled, a window similar to the following will be shown. If you don t see this window, skip to the next section Single Sign-On Not Enabled on page 12. If your token is not yet inserted, your registration screen prompts you to insert your token (Figure 2.9). If you have already inserted your token, the window does not prompt you to insert it. Figure 2.9 Token Registration, SSO Enabled Symantec Endpoint Encryption Full Disk 11

17 Registration & Re-Registration To register your token for your SEE account, insert the token that you use to log on to Windows. The Next button becomes enabled. The token or reader light should blink as the card is read. When the token or reader light stops blinking, click Next. You continue to the next window in the Registration wizard. See PIN Entry on page 12. If you click Cancel, your SEE account will not be created. You will be prompted to confirm that you really want to cancel. Single Sign-On Not Enabled If Single Sign-On is not enabled, you will see the following window: Figure 2.10 Token Registration, SSO Not Enabled, Token Insertion When you insert your token, the token or reader light should blink as the card is read. When the light stops blinking or if you have no light but several seconds have passed click Next. You proceed to the next window in the Registration wizard. If you click Cancel, your SEE account will not be created. You will be prompted to confirm that you really want to cancel. PIN Entry A window similar to Figure 2.11 prompts you for your PIN. If you don t see this window, either SSO is not enabled or the Registration wizard has accessed your PIN from your token; skip to the next section Confirmation on page 13. Symantec Endpoint Encryption Full Disk 12

18 Registration & Re-Registration Figure 2.11 Token Registration, PIN Entry The User name and Domain fields are filled from the information stored on your token. If you are a local user, your computer name appears in the Domain field. Type your PIN in the PIN field, then click Next. If you click Cancel, your SEE account will not be created. You will be prompted to confirm that you really want to cancel. If you click Back, you return to the previous window (Figure 2.10) in the Registration wizard. Confirmation The next registration window confirms the token information that SEE Full Disk will use to authenticate you. Figure 2.12 shows an example. Symantec Endpoint Encryption Full Disk 13

19 Registration & Re-Registration Figure 2.12 Token Registration, Information Summary Verify the information and click Next. Certificate Selection If the Select Certificate screen (Figure 2.13) does not appear, skip to the next section Completion on page 15. Figure 2.13 Select Certificate Your administrator probably set up your SEE certificate with the values listed immediately below. These are the values that the SEE software uses to identify your certificate automatically for authentication. For RSA SID800: DATA_ENCIPHERMENT and KEY_ENCIPHERMENT (Key Usage) _PROTECTION (Enhanced Key Usage) Symantec Endpoint Encryption Full Disk 14

20 Registration & Re-Registration For Smart Card: DATA_ENCIPHERMENT and KEY_ENCIPHERMENT (Key Usage) _PROTECTION (Enhanced Key Usage) For Common Access Card (CAC): KEY_ENCIPHERMENT (Key Usage) However, if more than one certificate or no certificate exists with these values, the Select Certificate window (Figure 2.13) opens and you must manually identify your SEE certificate. Select your SEE certificate by clicking on the appropriate row, then clicking OK. In the Figure 2.13 example, the administrator created two certificates with the expected Key Usage settings, so this user identifies their certificate based on Expiration Date. If you don t know which certificate to choose, contact your administrator. If you select a certificate that is not valid, you will receive an error message. Refer to Appendix B Token Error Messages and check the section Registration or Re-Registration on page 48 for possible resolution. Completion The final Registration window (Figure 2.14) notifies you that your SEE user account is active. Figure 2.14 Token Registration, Account Is Active The Launch the SEE Client when I click Finish check box is selected by default to provide an easy means for you to access the primary control point for your SEE Full Disk protection. You should launch the Client console to view status and ensure that the encryption of your hard disk has begun or completed. Click Finish to complete the wizard and dismiss the window. Symantec Endpoint Encryption Full Disk 15

21 Registration & Re-Registration If you leave the check box selected, when you click Finish: If you have Single Sign-On enabled, the Client console launches with the Welcome panel; you are already authenticated. If you do not have Single Sign-On enabled, the Client console launches with the Logon panel. Log on using the token and PIN that you just identified for your account. See Chapter 5 The Client Console on page 33 for information about using the Client console. Re-Registration Basics Your Policy Administrator may issue a policy requiring you to convert your SEE account authentication method, either from a password to a token, or from a token to a password. Should this occur, you will be prompted to reregister. This prompting can also happen if this authentication-conversion setting is in place following an upgrade of SEE Full Disk. Re-Registration Notification If your Policy Administrator requires that you convert your account, you will be notified. Your re-registration prompt message contains a date by which you must re-register. Figure 2.15 shows a sample notification prompt for users moving from password-based to token-based authentication. Figure 2.15 Re-Registration Notification You are encouraged to click Re-register Now to begin the re-registration process. If your prompt states, You need to re-register for a token-based account, follow the instructions under Token Registration on page 11. If you are converting to a token-based account, be sure you have been issued your token. You will need it for the re-registration process. If Single Sign-On is enabled, use the token that you use to log on to Windows. If your prompt states, You need to re-register for a password-based account, follow the instructions under Password Registration on page 6. Click Cancel to re-register later, but you must re-register prior to the date shown in the message or you will be locked out of Windows until you do re-register. If you cancel for now and the enforcement date arrives, you will still be able to authenticate in pre-windows with your current account; then when you authenticate to Windows, you will again be prompted to re-register. As long as the date has not yet arrived, you can delay re-registration and work normally. Re-Registration Mandate Once the enforcement date arrives, you will be forced to re-register. The following figure shows the sample prompt for re-registering for a token authentication method. Symantec Endpoint Encryption Full Disk 16

22 Registration & Re-Registration Figure 2.16 Re-Registration Mandate Click Re-register to launch the Registration wizard. If you need to re-register for a password-based account, follow the instructions under Password Registration on page 6. If you need to re-register for a token-based account and you have been issued your token, follow the instructions under Token Registration on page 11. If you can t complete re-registration, click Log Off Windows. This could occur if you receive the prompt before you receive your token. The next time you boot up, you can authenticate in pre-windows with your existing SEE account, but when you try to log on to Windows, you will receive the same re-registration mandate. Symantec Endpoint Encryption Full Disk 17

23 Pre-Windows Authentication 3. Pre-Windows Authentication Overview Pre-Windows authentication ensures that only authorized users can access the encrypted disk. If you have Single Sign-On (SSO), you will only have to log on once with your Windows user name and password or token. If you do not have SSO, you will need to log on to SEE Full Disk and then to Windows. Though it requires an extra step, not having SSO enabled is the more secure configuration. Authentication is accomplished with either a token or a password, according to how your administrator configured your account. The Symantec Startup screen and the pre-windows logon screen may not be displayed if the Policy Administrator is running Autologon. Autologon allows the Administrator to install software without having users authenticate. If Autologon is running, you will skip the SEE Full Disk logon and log on to Windows only. If you are a password-based user, proceed to read the next section. Token users skip to Token-Based Logon on page 20. Password-Based Authentication Getting Started Once you have registered, each time you turn on your computer, you will be greeted by the Symantec Startup screen. The figure below shows the default Startup screen distributed with Symantec Endpoint Encryption. Figure 3.1 Pre-Windows Startup, Default Symantec Endpoint Encryption Full Disk 18

24 Pre-Windows Authentication Your organization may have created a different screen altogether or they may have chosen to customize the text. At a minimum, the Startup screen should provide you with instructions on how to log on. As a password user, press CTRL+ALT+DEL. Logging On Figure 3.2 shows an example of the pre-windows Logon screen. Figure 3.2 Pre-Windows Logon, Password SEE Full Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your computer screen, similar to this:. If your administrator defined multiple keyboards and you need a keyboard layout different than the one identified in the bar, you can press Left ALT+SHIFT or CTRL+SHIFT the key sequence depends on which sequence was defined to Windows to toggle to another keyboard. To log on to SEE Full Disk, type your user name or UPN into the User name field. The UPN syntax is username@domain.topleveldomain; for example, jjones@your-org.com. Select your domain from the Domain drop-down menu. If you used UPN syntax, no domain selection is necessary. Type your password into the Password field. Click OK. Logon Delay If you provide incorrect logon information, you may be forced to wait 60 seconds before trying again. Figure 3.3 shows an example of the message you see on the Logon screen, if logon delay is active. Symantec Endpoint Encryption Full Disk 19

25 Pre-Windows Authentication Figure 3.3 Pre-Windows Logon, One-Minute Delay This forced delay prevents unauthorized users from breaking in to your system with automated guessing tools. Logon Assistance If you continue to have trouble logging on and you need help, provide your user name and domain, then click Logon Assistance. See Chapter 4 Logon Assistance on page 23 for more information. Token-Based Logon Basics If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension cable attached to your computer. When you insert your token, hold the card so that the side containing the gold chip is on top and the card end containing the chip is closest to the reader. If your token has a light or the reader has a light, it blinks when information from your token is being read. Wait until the blinking stops before taking the next action, such as clicking OK from the Logon screen. This wait time allows the system to recognize your token. Token Insertion at Startup Screen Once you have registered, each time you turn on your computer, you will be greeted by the Startup screen, if your token is not yet inserted. If your token is already inserted, the Startup screen will not appear or will appear only briefly. If you do not see this screen (Figure 3.4), skip to the next section Logging On on page 21. Symantec Endpoint Encryption Full Disk 20

26 Pre-Windows Authentication Figure 3.4 Pre-Windows Startup, Default The figure shows the default Startup screen distributed with Symantec Endpoint Encryption. Your administrator may have created a different screen altogether or may have chosen to customize the text. At a minimum, the Startup screen should provide you with instructions on how to log on. If you have not inserted your token yet, insert it now. The pre-windows Logon screen appears. If you encounter token errors, refer to Appendix B Token Error Messages and check the section Pre-Windows Logon on page 51 for possible causes and resolution. Logging On Figure 3.5 shows an example of the pre-windows token Logon screen. Figure 3.5 Pre-Windows Logon, Token PIN Entry Symantec Endpoint Encryption Full Disk 21

27 Pre-Windows Authentication SEE Full Disk defaults to the keyboard defined to Windows when the computer was set up. The active keyboard is identified on a bar in the lower right-hand corner of your screen, similar to this:. If your administrator defined multiple keyboards and you need a keyboard layout different than the one identified in the bar, you can press Left ALT+SHIFT or CTRL+SHIFT the key sequence depends on which sequence was defined to Windows to toggle to another keyboard. To authenticate, type your PIN into the PIN field then click OK. Do not remove your token until processing completes. The first time this pre-windows Logon screen appears, it may display only the PIN field. Enter your PIN and click OK. Once you log on the first time, the next time you reboot, this Logon screen displays your User name and Domain as well. Token Error Messages and Logon Assistance If you encounter token, certificate, or PIN errors while trying to log on, refer to Appendix B Token Error Messages and check the section Pre-Windows Logon on page 51 for possible causes and resolution. If you have forgotten your PIN and you need help authenticating, click Logon Assistance, then refer to Chapter 4 Logon Assistance on page 23. Symantec Endpoint Encryption Full Disk 22

28 Logon Assistance 4. Logon Assistance Overview SEE Full Disk offers two automated methods of logon assistance for users who have forgotten their password or PIN. These methods may or may not have been enabled for you. If you are a token user, you will not have the Authenti- Check method available. Both methods are available in pre-windows and require either a token or a valid user and domain/computer name. If you successfully complete one of the methods and Single Sign-On is enabled, you are authenticated to Windows and prompted to change your password. If Single Sign-On is not enabled, you are prompted to change your SEE password, then you are prompted to enter your Windows credentials. If you are a token-based user, you will have to contact the appropriate administrator to change your PIN. If you do not have either method available, ask your Client Administrator to assist you. If you are a token user with your token, go to Forgotten PIN on page 31. If you are a password user or a token user who has forgotten their token, proceed to the next section. Forgotten Password or Token Basics Recover from a forgotten password or a forgotten token by invoking logon assistance from the pre-windows Logon screen. If you are not already on that screen, press CTRL+ALT+DEL from the Symantec Startup screen; the Logon screen appears (Figure 4.1). Figure 4.1 Pre-Windows Password Logon, Logon Assistance SEE Full Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your computer screen, similar to this:. If your administrator defined multiple keyboards and you need a keyboard layout different than the one identified in the bar, you can press Left ALT+SHIFT or CTRL+SHIFT the key sequence depends on which sequence was defined to Windows to toggle to another keyboard. Symantec Endpoint Encryption Full Disk 23

29 Logon Assistance To log on to SEE Full Disk, type your user name or UPN into the User name field. The UPN syntax is for example, Select your domain from the Domain drop-down menu. If you used UPN syntax, no domain selection is necessary. Type your password into the Password field. Click Logon Assistance. If you have no automated logon assistance methods available, contact your administrator or follow any customized directions on the screen. Figure 4.2 shows the default message. You can skip the rest of this chapter. Figure 4.2 Pre-Windows Logon Assistance, No Methods Available Otherwise, you do have one or more authentication assistance methods available and the Logon Assistance wizard begins. Figure 4.3 shows the default message, but your organization may have customized the message with a contact name and phone number. Write down the information before clicking Next. You may need this information later. Figure 4.3 Pre-Windows Logon Assistance, Default Message Symantec Endpoint Encryption Full Disk 24

30 Logon Assistance Click Next. Authenti-Check If you have Authenti-Check, you will see a screen similar to the screen in Figure 4.4. If you don t see this screen, skip to the next section One-Time Password (OTP) on page 28. Figure 4.4 Pre-Windows Logon Assistance, Authenti-Check The Authenti-Check method involves up to three question-answer pairs, established during registration. If you forget your password, the questions are displayed and you are prompted to enter the answers. Correct answers authenticate you. You are then prompted to change your SEE password. In each box that appears below a question, type the correct answer. Make sure that you enter the answer exactly as you entered it when you defined it. Note that punctuation matters. Spaces matter if they precede or end the question. The answers are not case-sensitive. If an Authenti-Check answer is long (up to 99 characters may be allowed by policy), the characters that you type at the beginning of the answer may move out of view as you continue to type. You can press the arrow keys or HOME and END keys to scroll through your answer, or you can use SHIFT in combination with arrow keys to select text. If you need to delete some or all of the text of a long answer, use one of the methods below to ensure that the nonvisible characters are deleted: To delete the entire answer, press END, then SHIFT+HOME. All text becomes highlighted. Press DELETE. To delete part of the answer, use an arrow key to move to the right of the characters in question, then press BACKSPACE until all of the characters that you intended to delete are removed. You could also move to the left of the characters, then press DELETE. Replace any deleted text with correct information, as appropriate. Once you have entered your answers, click Next. Success, SSO Enabled If your Authenti-Check process ends successfully and SSO is enabled, Windows proceeds to load. A success message appears with instructions about changing your password (Figure 4.5). Symantec Endpoint Encryption Full Disk 25