Symantec Endpoint Encryption Removable Storage

Transcription

1 Symantec Endpoint Encryption Removable Storage Policy Administrator Guide Version 7.0

2 Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Symantec Corporation Symantec Corporation. All rights reserved. Authenti-Check is a registered trademark of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners. Printed in the United States of America.

3 Contents Contents 1. Introduction Overview Directory Service Synchronization Active Directory and Native Policies Manager Console Basics Database Access Endpoint Containers SEE Roles Policy Administrators Client Administrators User Reporting Overview Basics Client Computer Reports Directory Services Synchronization Reports Symantec Endpoint Encryption Users and Computers Symantec Endpoint Encryption Server Reports Basics Active Directory Forests Synchronization Status Computer Status Report Computers not Encrypting to Removable Storage Computers with Decrypted Drives Computers with Expired Certificates Computers with Specified Users Computers without Full Disk Installed Computers without Removable Storage Installed Non-Reporting Computers Novell edirectory Synchronization Status Resultant Set of Policy (RSoP) Windows System Events Policy Creation & Editing Overview Active Directory Policies Native Policies Policy Options Client Administrators Registered Users Password Authentication Token Authentication Authentication Message Communication Single Sign-On Authenti-Check One-Time Password Symantec Endpoint Encryption Removable Storage iii

4 Contents Security Level Encryption Method Master Certificate Group Key Executables Policy Deployment Overview Active Directory Policies Basics Order of Precedence Forcing a Policy Update Native Policies Basics SEE Managed Computer Groups Policy Assignment Order of Precedence Forcing a Policy Update Appendix A. System Event Logging Framework System Events List Removable Storage System Events List Appendix B. CD/DVD Command Line Overview Basics Operational Steps Temporary Data Folder Command Syntax CD/DVD Errors Appendix C. Atypical Client Settings Overview Atypical Client Settings Itemized Glossary Index Symantec Endpoint Encryption Removable Storage iv

5 Figures Figures Figure 1.1 Sample Network Configuration Figure 1.2 SQL Server Logon Prompt Figure 2.1 Group Policy Results Wizard, User Selection Figure 2.2 RSoP Report From an SEE Client Figure 3.1 Framework Computer Policy, Client Administrators Options Figure 3.2 Add New Client Administrator Dialog Figure 3.3 Framework Computer Policy, Registered Users Options Figure 3.4 Framework Computer Policy, Password Authentication Options Figure 3.5 Framework Computer/User Policy, Authenti-Check Options Figure 3.6 Framework Computer/User Policy, One-Time Password Options Figure 3.7 Removable Storage Computer Policy, Security Level Options Figure 3.8 Removable Storage Computer Policy, Encryption Method Options Figure 3.9 Removable Storage Computer Policy, Group Key Options Figure 4.1 Symantec Endpoint Encryption Managed Computers, Add New Group Figure 4.2 Name New Group Dialog Figure 4.3 SEE Unassigned, Computer Highlighted Figure 4.4 Symantec Endpoint Encryption Managed Computers Groups Dialog Figure 4.5 Symantec Endpoint Encryption Managed Computers Group Selected Figure 4.6 Policy Selection Dialog Figure 4.7 Native Policy Assignment Confirmation Figure 4.8 Symantec Endpoint Encryption Managed Computers Policy Assigned Symantec Endpoint Encryption Removable Storage v

6 Tables Tables Table 1.1 Active Directory and Native Policies Compared Table 2.1 Client Computer Data Table 2.2 Directory Services Synchronization Data Table A.1 Framework System Events Table A.2 Removable Storage System Events Table B.1 CD/DVD Command Line Parameters Table B.2 CD/DVD Messages and Error Codes Table C.1 Atypical Client Settings Symantec Endpoint Encryption Removable Storage vi

7 Introduction 1. Introduction Overview Symantec Endpoint Encryption Removable Storage allows enterprise organizations and government agencies to enjoy the benefits of removable storage devices while eliminating the liability, customer service, and brand erosion costs associated with data breach incidents. As part of Symantec Endpoint Encryption, SEE Removable Storage leverages existing IT infrastructures for seamless deployment, administration, and operation. SEE Removable Storage secures data in one of the following ways: By allowing no access to removable storage devices, By allowing only read access to removable storage devices, By encrypting data written to removable storage devices, or By encrypting all data written to or accessed on removable storage devices. SEE Removable Storage enforces access control and encryption policies on devices that use USB or FireWire ports to attach a file system. This includes flash drives (e.g., SanDisk Cruzer and M-SysT5 Dell Memory Key), memory cards (e.g., SanDisk CompactFlash), and USB hard drives (e.g., Samsung HM100JC 100GB). SEE is comprised of SEE Full Disk, SEE Removable Storage, and Symantec Endpoint Encryption Framework. SEE Framework includes all the functionality that is extensible across SEE. It allows behavior that is common to both SEE Removable Storage and SEE Full Disk to be defined in one place, thus avoiding potential inconsistencies. The following diagram depicts a sample network configuration of SEE. SOAP over HTTP Group Policy LDAP Database Server TDS TLS/SSL Domain Controller Client Manager Computer edirectory Server SEE Management Server Client your-org.com Client your_tree Client Figure 1.1 Sample Network Configuration Symantec Endpoint Encryption Removable Storage 1

8 Introduction The Active Directory domain controller and SEE Management Server are required. Multiple domains, forests, trees, and SEE Management Servers are supported. A database server is recommended, but the SEE database can also reside on the SEE Management Server. If a database server is chosen to host the SEE database, the database server can be located inside or outside of Active Directory. The Manager Console can be installed on multiple Manager Computers. It can also be installed on the SEE Management Server. It must reside on a computer that is a member of Active Directory. The Novell edirectory tree, Active Directory group policy communications, and TLS/SSL encryption are optional. Directory Service Synchronization Synchronization with Active Directory and/or Novell edirectory is an optional feature. If enabled, then the SEE Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this information in the SEE database. It also keeps this information up to date. This improves performance during Client Computer communications with the SEE Management Server, as the SEE Management Server will be able to identify the Client Computer without having to query the Active Directory domain controller and/or the Novell edirectory server. When you open the SEE Manager, you will have your Active Directory and/or Novell endpoints organized just the way that they are in the directory service, easing your deployment activities. In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any SEE products installed and/or have never checked in with the SEE Management Server. This will allow you to run reports to assess the success of a given deployment and gauge the risk that your organization may face due to unprotected endpoints. The timing of the synchronization event differs according to the directory service. Whereas Novell informs the SEE Management Server of any changes that may occur, the SEE Management Server needs to contact Active Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes. Active Directory and Native Policies Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not. Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off. Symantec Endpoint Encryption Removable Storage 2

9 Introduction The following table itemizes the differences between Active Directory and native policies. Table 1.1 Active Directory and Native Policies Compared Active Directory Policies Certain policies are deployed to users and others are deployed to computers. Policies applied in Local, Site, Domain, OU (LSDOU) order of precedence. Single pane policy creation/deployment. Policies are obtained from the domain controller and applied at each reboot. An immediate policy update can be forced using the gpupdate \force or secedit command. Native Policies Policies can only be applied to computers. Policies are applied in Computer, Subgroup, Group (CSG) order of precedence. Each pane must be visited when creating the policy. Policies are applied when the client checks in with the SEE Management Server. An immediate policy update can be forced by clicking Check In Now from the User Client Console. Manager Console Basics The Manager Console contains the following SEE snap-ins: Symantec Endpoint Encryption Management Password allows you to change the Management Password. The Management Password controls administrator access to two SEE Full Disk help desk functions: Recover /B and the One-Time Password Program. It is not relevant to SEE Removable Storage. Symantec Endpoint Encryption Software Setup is used to create client installation/migration packages. Symantec Endpoint Encryption Native Policy Manager escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients. Symantec Endpoint Encryption Users and Computers displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups. Symantec Endpoint Encryption Server Reports includes Computer Status, Computers not Encrypting to Removable Storage, Computers with Decrypted Drives, Computers with Expired Certificates, Computers with Specified Users, Computers without Full Disk Installed, Computers without Removable Storage Installed, and Non-Reporting Computers reports. It also contains the following Microsoft snap-ins to help you manage your Active Directory computers: Active Directory Users and Computers allows you to both view and modify your Active Directory organizational hierarchy. Group Policy Management lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find SEE snap-in extensions that allow you to create and modify SEE user and computer policies for Active Directory managed computers. Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if any, will be effected as part of the privileges associated with your Windows account. Database Access Your Windows account may have been provisioned with rights to access the SEE database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console. Symantec Endpoint Encryption Removable Storage 3

10 Introduction If you are not logged on to Windows with read and write access to the SEE database at the time that you launch the Manager Console, you will be prompted for your SQL credentials. Figure 1.2 SQL Server Logon Prompt The Server name and Initial catalog fields will contain the information that was provided when this Manager Console was installed. In general, you should not modify the default contents of these fields. Circumstances that require you to edit these entries would be unusual, such as the loss of your primary SEE database. In such a situation, you could edit the Server name and Initial catalog fields to connect to a disaster recovery site. The syntax used in the Server name field is as follows: computer name,port number\instance name While the computer name of the server machine hosting the SEE database will always be required, the TCP port number will only be necessary if you are using a custom port, and the instance name will only be needed if you are using a named instance. The custom port number would need to be preceded by a comma and the instance name by a backslash. Type the user name of your SQL account in the User name field. Type the password of your SQL account in the Password field. Click Connect to authenticate. If you don t wish to authenticate to the SEE database at this time, click Cancel. You may receive one or more error messages following cancellation. You will receive additional prompts upon attempting to access the individual SEE snap-ins in the console. Endpoint Containers Basics The SEE Manager will place each endpoint into one or more of the following containers: Active Directory Computers, Novell edirectory Computers, or Symantec Endpoint Encryption Managed Computers. Active Directory/Novell edirectory Computers No computers will be placed in the Active Directory Computers or Novell edirectory Computers containers unless synchronization with the directory service is enabled. If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell edirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory services is enabled and the computer is managed by both, it will appear in both containers. Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with SEE snap-ins. Symantec Endpoint Encryption Removable Storage 4

11 Introduction SEE Managed Computers Computers located within the Active Directory Computers and/or Novell edirectory Computers containers will not be shown in the Symantec Endpoint Encryption Managed Computers container. Only computers that have checked in with the SEE Management Server will be shown in the Symantec Endpoint Encryption Managed Computers container. Whether a computer is placed in the Symantec Endpoint Encryption Managed Computers container or not following check in will vary depending on whether synchronization is enabled or not. If synchronization is not enabled, all Client Computers that have checked in will be placed in the Symantec Endpoint Encryption Managed Computers container. If synchronization is enabled, only Client Computers that have checked in that do not reside within the designated Active Directory forest/domain and/or Novell tree will be placed in the Symantec Endpoint Encryption Managed Computers container. Computers located within the Symantec Endpoint Encryption Managed Computers container should be grouped into the organizational structure that you desire. SEE Roles Policy Administrators As the Policy Administrator, you perform centralized administration of SEE. Using the Manager Console and the Manager Computer, you perform one or more of the following tasks: Update and set client policies. Run reports. Client Administrators Client Administrators provide local support to SEE users. Each Client Computer must have at least one Client Administrator account and can have up to As Policy Administrator, you are responsible for creating and maintaining Client Administrator accounts using the SEE Manager. Client Administrator accounts are managed entirely by SEE and independent of Windows, allowing Client Administrators to support users who are not a part of an Active Directory domain. One of three privilege levels will be assigned to each Client Administrator account. At least one Client Administrator account with a privilege level of high must exist on each workstation. Client Administrators with a privilege level of high can unregister users. The low and medium privilege levels are not applicable to SEE Removable Storage. The Client Administrator is also responsible for recovering SEE Removable Storage encrypted files when the user has forgotten their password and a Master Certificate was used. This responsibility is not controlled by privilege level. Client Administrators should be trusted in accordance with their assigned level of privilege. Client Administrators may be configured to authenticate with either a password or a token. At least one Client Administrator on each workstation must authenticate with a password. Client Administrator passwords are managed by you and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers. If password(s) were local to each computer, then remembering multiple passwords would become unwieldy. Client Administrators cannot use Single Sign-On. Client Administrators must register as a user to make use of removable storage devices at the SEE Removable Storage protected workstation. User At least one user is required to register with SEE on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of four screens. The registration process can also be configured to Symantec Endpoint Encryption Removable Storage 5

12 Introduction occur without user intervention. Users will not be able to access their removable storage devices until they have registered. To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges. Symantec Endpoint Encryption Removable Storage 6

13 Reporting 2. Reporting Overview Basics The SEE Manager features a number of reporting tools that will allow you to: Assess the success of a deployment. Gauge the risk that your organization may face due to unsecured endpoints. Identify computers that have not checked in within a certain number of elapsed days. Find out all of the computers that a user has registered on. Determine the SEE policy currently being enforced by protected endpoints. Spot clients with client-side TLS/SSL certificates nearing expiration. Discover the current status of synchronization. If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer names and directory service location of any computer located on your forest(s), domain(s), and/or tree(s) even if the computer has never checked in with the SEE Management Server. While only the computer and directory service location of these computers will be available, the absence of additional data will allow you to identify computers that are unprotected or have not checked in. Client Computer Reports At the time that a Client Computer succeeds in checking in with the SEE Management Server, it sends information about itself that is stored in the SEE database. Any one of the following reporting tools can be used to retrieve the data that pertains to the Client Computer(s) of interest: Symantec Endpoint Encryption Users and Computers on page 9; Computer Status Report on page 10; Computers not Encrypting to Removable Storage on page 10; Computers with Decrypted Drives on page 10; Computers with Expired Certificates on page 10; Computers with Specified Users on page 10; Computers without Full Disk Installed on page 10; Computers without Removable Storage Installed on page 10; and Non-Reporting Computers on page 11. The following table itemizes the data available about each of the Client Computers that has checked in. Columns that will be displayed but not populated by SEE Removable Storage are identified as not applicable (N/A). Table 2.1 Client Computer Data Column Heading Data Displayed Explanation Computer name computer name Computer name Group name* group name Location of the computer within Symantec Endpoint Encryption Users and Computers Symantec Endpoint Encryption Removable Storage 7

14 Reporting Table 2.1 Client Computer Data (Continued) Column Heading Data Displayed Explanation Last Check-in time/date stamp The time and date of the last connection that the Client Computer made with the SEE Management Server Decrypted N/A N/A Decrypting N/A N/A Encrypted N/A N/A Encrypting N/A N/A FR Version n.n.n The three digit version number of SEE Framework that is currently installed FR Installation Date time/date stamp The time and date on which SEE Framework was installed FD Version N/A N/A FD Installation Date N/A N/A Serial Number Asset Tag Part Number RS Encryption Policy serial number asset tag part number encrypt all files encrypt new files Write unencrypted The System Management BIOS (SMBIOS) serial number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. This data may not exist on the client, in which case it will be blank. The encryption policy currently being enforced by SEE Removable Storage RS Encryption Method password certificate any The encryption method(s) currently allowed by SEE Removable Storage RS Executables RS Access Utility RS Master Cert RS Group Key RS Password Aging True False True False serial number True False Enabled Disabled True will be displayed if the user has the option to save file(s)/folder(s) to a self-extracting executable; False if the user does not If the Removable Storage Access Utility is being automatically copied to removable storage devices, True will be displayed. If not, False will be displayed If a Master Certificate is in effect at the Client Computer, its serial number will be displayed. Otherwise, the field will be blank If a group key is in use, True will be displayed. If not, False will be displayed If password aging is being applied to Default Passwords, Enabled will be displayed. If not, Disabled will be displayed RS Version n.n.n The three digit version number of SEE Removable Storage that is currently installed RS Installation Date time/date stamp The time and date on which SEE Removable Storage was installed SSL Certificate Expiration Date time/date stamp The time and date of the client-side TLS/SSL certificate s expiration * This column is not shown in the Symantec Endpoint Encryption Users and Computers snap-in. Symantec Endpoint Encryption Removable Storage 8

15 Reporting Directory Services Synchronization Reports Your current synchronization parameters are stored in the SEE database and can be retrieved using the following Symantec Endpoint Encryption Server Reports: Active Directory Forests Synchronization Status on page 9, and Novell edirectory Synchronization Status on page 11. One row of data per forest or tree will be listed. The following table identifies the data that will be available from these reports. Table 2.2 Directory Services Synchronization Data Column Heading Data Displayed Explanation Forest/Tree Name Administrator Name Administrator Domain* Last Synchronization forest or tree name user name domain time date stamp The name of the forest or tree that you are synchronizing with will be identified in this column. The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account. The Active Directory domain of the Active Directory synchronization account for this forest will be identified. The time and date of the last successful synchronization with this forest or tree will be supplied. Total Computers number The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the SEE protected endpoints. * This column is not shown in the Novell edirectory Synchronization Status report. Symantec Endpoint Encryption Users and Computers The Symantec Endpoint Encryption Users and Computers snap-in allows you to obtain data about a specific group. This data can be printed or exported into a comma-delimited format (CSV). This can be useful for generating reports on a per-group basis. You might also want to consider your reporting needs when you create your groups ( SEE Managed Computer Groups on page 27). Symantec Endpoint Encryption Server Reports Basics The Symantec Endpoint Encryption Server Reports snap-in contains a number of reports that will assist you in managing your endpoints and your synchronization(s). After obtaining the data, you can export it into comma-delimited format (CSV) for further manipulations in the tool of your choice. Alternatively, you can print the report directly from the Manager Console. Should you choose to print the report, you can choose which columns to include by right-clicking the report in the console tree and selecting Configure Columns Displayed. Alternatively, select Configure Columns Displayed from the Action menu. Active Directory Forests Synchronization Status The Active Directory Forest Synchronization Status report provides the latest details of your Active Directory synchronization parameters and status. Symantec Endpoint Encryption Removable Storage 9

16 Reporting Computer Status Report The Computer Status Report is used to retrieve the records of specific computers when you know their computer name. Following deployment of client installation packages, you can use this report to ensure that each client checks in. Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The % character can be used as a wildcard. Once you have entered the computer names that you want to retrieve the records of, click Run. To refresh the data, click Run again. Computers not Encrypting to Removable Storage The Computers not Encrypting to Removable Storage report will retrieve the records of the following computers on your network: Did not have SEE Removable Storage installed as of the time of last check-in. Was not protected by a SEE Removable Storage Encrypt all or Encrypt new policy as of the time of last check in. Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices. Computers with Decrypted Drives The Computers with Decrypted Drives report will retrieve the records of the following computers on your network: Had one or more decrypted or decrypting partitions as of the time of last check-in. Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have a decrypted or decrypting partition. Computers with Expired Certificates The Computers with Expired Certificates report will retrieve the records of the clients with client-side TLS/SSL certificates due to expire within the specified number of days from the current day. Enter the number of days until expiration in the Days the Certificate Will Expire field and click Run. For example, to see all of the clients with certificates due to expire within the next ninety days, type 90 in the Days the Certificate Will Expire field and click Run. Computers with Specified Users The Computers with Specified Users report allows you to find out all of the computers that one or more users have registered on. Type the user names in the Enter User Names field. If you enter more than one user name, they should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters have been entered, click Run. The records of the computers on which one or more of the specified users has registered will be retrieved and listed in the report results. Computers without Full Disk Installed The Computers without Full Disk Installed report will retrieve the records of the following computers on your network: Did not have SEE Full Disk installed as of the time of last check-in. Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Full Disk installed. Computers without Removable Storage Installed The Computers without Removable Storage Installed report will retrieve the records of the following computers on your network: Did not have SEE Removable Storage installed as of the time of last check-in. Symantec Endpoint Encryption Removable Storage 10

17 Reporting Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Removable Storage installed. Non-Reporting Computers The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the SEE Management Server within a specified number of elapsed days. This report will help you ensure that the data in the SEE database remains fresh. Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the computers on your network that have not checked in with the SEE Management Server within the specified number of days will be retrieved and listed. Novell edirectory Synchronization Status The Novell edirectory Synchronization Status report provides the latest details of your Novell synchronization parameters and status. Resultant Set of Policy (RSoP) The Group Policy Management snap-in features a reporting facility which allows you to verify that the Active Directory policies you assigned to Client Computers or users were actually processed as intended. This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report. The initial SEE installation settings as deployed using the Framework and Removable Storage client MSI packages (even if the MSI packages were deployed as GPOs) will not appear in the RSoP report. Only the results of Active Directory policy updates will be shown in the RSoP report. To generate an RSoP report, perform the following steps: 1. Open the SEE Manager, and in the left pane, expand Group Policy Management, then expand Group Policy Results. 2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard. 3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer. 4. Browse to or type the name of the computer for which you wish to generate a Group Policy Report. 5. Click Next. Symantec Endpoint Encryption Removable Storage 11

18 Reporting Figure 2.1 Group Policy Results Wizard, User Selection 6. To view both user and computer policies, select the user that you want to see the user policies of. If you are only interested in computer policies, select Do not display user policy settings in the results. 7. Click Next. 8. Click Next at the summary screen, then click Finish. 9. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report, and displays the information in several tabs of the content pane on the right. 10. Click on the Settings tab of the Group Policy Results window in the pane on the right. 11. This windows shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration. 12. Within the section named Computer Configuration, locate the subsection named Administrative Templates. SEE uses registry based policies, and any SEE computer policies you create and apply will show up within the subsections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/ Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/ Removable Storage. For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window. 13. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework section by clicking on the Show link on the right. That subsection will expand to reveal all Framework policies currently in effect. Symantec Endpoint Encryption Removable Storage 12

19 Reporting Figure 2.2 RSoP Report From an SEE Client Figure 2.2 shows that a Client Administrator policy has been applied. The Client Administrator mbrown authenticates using a password and has a high level of privilege. The Client Administrator mwilliams authenticates using a password and has a high level of privilege. Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in which to save the HTML report. Some SEE Active Directory policies create other settings in the client registry that are shown in the RSoP as Extra Registry Settings. These represent internal registry values used by the particular SEE policy and can be ignored. Windows System Events All security-related system events are logged on the SEE Client Computer where they may be viewed remotely by an administrator using the Windows System Event viewer. To view SEE Removable Storage specific system events logged on a specific computer, perform the following steps: 1. Open a Run dialog from the Windows Start menu. 2. Type eventvwr.msc and click OK. 3. An Event Viewer console window opens showing the events on your local computer. 4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose Connect to another computer. Symantec Endpoint Encryption Removable Storage 13

20 Reporting 5. In the Select Computer dialog, make sure that the Another computer option is selected, then click Browse. 6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK. 7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another computer. 8. Choose View and click Filter to open the Application Properties window. 9. From the Event Source drop-down list box, choose Removable Storage Service and click Apply. 10. This filters the event log for that computer to show SEE Removable Storage events. Drag the Application Properties window away from the Event Viewer window, but leave it open. 11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event Properties window for that event. The Description field contains information about that particular SEE Removable Storage event. To inspect other events in the log, use the up and down arrow buttons in the upper right of the Event Properties window. To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified. For a complete list of all SEE specific system events, their event code numbers, and descriptions of the events, refer to Framework System Events List on page 32 and Removable Storage System Events List on page 45. Symantec Endpoint Encryption Removable Storage 14

21 Policy Creation & Editing 3. Policy Creation & Editing Overview While each contains identical options, Active Directory policies are created and edited in quite a different manner from native policies. This chapter discusses the following: How to create and/or edit Active Directory policies using Symantec Endpoint Encryption snap-in extensions in the Group Policy Object Editor (GPOE) ( Active Directory Policies on page 15); How to create and/or edit native policies using the Symantec Endpoint Encryption Native Policy Manager ( Native Policies on page 16); and The individual policy options themselves ( Policy Options on page 16). Active Directory Policies To create or edit an Active Directory policy, expand the Group Policy Management snap-in, expand your forest, expand Domains, expand the domain, and expand Group Policy Objects. To edit an existing GPO, right-click the GPO and select Edit. To create a new GPO, right-click Group Policy Objects and select New. The Group Policy Object Editor (GPOE) will launch. To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Symantec Endpoint Encryption Framework and/or Symantec Endpoint Encryption Removable Storage, according to your needs. To edit or create a user policy, expand User Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Symantec Endpoint Encryption Framework and/or Symantec Endpoint Encryption Removable Storage, according to your needs. Each Active Directory policy panel features three option buttons at the top: Do not change these settings this option is the default option. It specifies that no changes to existing policies or installation settings will be made. Change these settings click this option if you want to specify a policy update. When this option is selected, the fields below it will become available. These fields will not be defaulted to the policies currently in effect, they will just display generic defaults. Restore the installation settings click this option to apply a policy that instructs the client to disregard any existing policies and return to the settings that were specified in its installation package. When the Change these settings option is selected, your entries are validated when you click away from the panel. Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary corrections before closing the GPOE window. For a detailed discussion of the options that will become available when the Change these settings option is selected, refer to Policy Options on page 16. Symantec Endpoint Encryption Removable Storage 15

22 Policy Creation & Editing Native Policies To create a native policy, right-click the Symantec Endpoint Encryption Native Policy Manager and select Create New Policy. When naming a policy, observe the following: Each name must be unique and cannot have been assigned to any other native policy. Names are case-insensitive. Leading and trailing spaces will be deleted. To edit a native policy, expand the Symantec Endpoint Encryption Native Policy Manager. Locate the policy that you want to edit and highlight it. For a detailed discussion of the options available for modification within the Symantec Endpoint Encryption Native Policy Manager, continue to the next section. Policy Options Client Administrators When creating a Client Administrator policy, it must contain all Client Administrator accounts that are authorized to access the workstation. Any Client Administrator accounts not listed in this policy will not be able to authenticate to the Client Computer. Figure 3.1 Framework Computer Policy, Client Administrators Options At least one Client Administrator account must be specified. You can import a list of Client Administrators from a previously created installation settings package. Click Load from installation settings, select the previously created SEE Framework client installer package, then click Open. The GPO panel will populate with the Client Administrator account information specified when the installation settings package was created. Click Add to add a Client Administrator. Highlight an existing Client Administrator and click Edit to edit the account. Symantec Endpoint Encryption Removable Storage 16

23 Policy Creation & Editing Figure 3.2 Add New Client Administrator Dialog Only the names of the Add New Client Administrator and Edit Client Administrator dialogs differ. Each Client Administrator account must have credentials and a specified level of privilege. If this is a native policy and you selected None (password authentication only) when installing the Framework Manager, the drop-down list box will display Password and be unavailable. Otherwise, the drop-down list box will have both Password and Token options available. If you select the token option, you will be prompted to locate the P7B certificate file associated with that Client Administrator account. The selected P7B file will be validated, and you will be prompted to choose the desired certificate from the list of valid certificates found in the P7B file. Symantec Endpoint Encryption Removable Storage 17

24 Policy Creation & Editing Registered Users Basics The Registered Users panel can be used to change the way that users authenticate to, register with, or get unregistered from SEE. Figure 3.3 Framework Computer Policy, Registered Users Options Authentication Method In Authentication Method, select the authentication method you want SEE to effect. Clicking on Require registered users to authenticate with ensures that users type their credentials before gaining access to the User Client Console. Select Password to have users authenticate with a password. Select Token to have users authenticate with a token. Clicking on Do not require registered users to authenticate to SEE selects automatic authentication and allows all registered users to access the User Client Console without providing any credentials. The registration process itself will also be automatic and occur without user intervention unless a registration password is specified. Coupling automatic authentication with a registration password could serve to limit the number of users able to use removable storage devices from the workstation, as only registered users can use removable storage devices. Select the Enforce this choice on existing SEE accounts check box to force users that are currently registered using a different authentication method to re-register using the new authentication method. Single-Sign On will be unavailable to users not using the same authentication method for both Windows and SEE. For Single-Sign On to work, the authentication methods used in both environments must be identical. Symantec Endpoint Encryption Removable Storage 18

25 Policy Creation & Editing Select a date (month, day, year) from the drop-down lists. This date will be the deadline after which users will be forced to re-register using the new authentication method. Once the policy has been processed and the Client Computer has rebooted, users will be prompted to re-register when logging on to Windows. Re-registration is optional until the deadline has elapsed. After the deadline, users are forced to re-register using the new authentication method. When a computer has been running with automatic authentication, and a policy is applied that switches to password- or token-based authentication, all existing user accounts subject to automatic authentication are immediately unregistered. By contrast, when a policy changes from password- or token-based authentication to automatic authentication, all existing password- or token-based registered user accounts are now subject to automatic authentication. Registration To allow any Windows user the ability to register, click the option Any Windows user can register for a SEE account. To allow only those users who know a special registration password to be able to register, click Users must know this password to register, and type the password in the adjacent field and again to confirm. Each user will be required to know the administrator-defined registration password before they can register for an SEE account. Specify the maximum number of SEE registered user accounts which can be created on each computer. New users will not be permitted to register after the maximum number of accounts has been reached. Specify a custom message users will see when they are forced to register after grace restarts expire. The custom message can be from characters in length, or you can use the default message. Note that the custom registration message field ignores any carriage returns you type or paste in. Specify the number of grace restarts, i.e., the number of times, from 0 99, that the computer can restart before the first user who logs on will be forced to register for an SEE account and see the custom registration message. This setting can effectively allow users to defer registration. To force the first user to register immediately, set this value to zero. Unregistration Unregistration selects whether to allow users to only be unregistered manually by Client Administrators, or whether to also automatically unregister users who do not log on after a specified period, from days. This setting is useful in a kiosk environment where many infrequent users can fill up the maximum number of available SEE accounts on a given computer. Use caution with this setting so that users do not have their accounts deleted unexpectedly. Symantec Endpoint Encryption Removable Storage 19

26 Policy Creation & Editing Password Authentication Use the Password Authentication panel to set or change the logon delay and/or to set the criteria that new passwords must meet, if Single Sign-On is not enabled. Figure 3.4 Framework Computer Policy, Password Authentication Options Under Password Attempts, select the Limit password and Authenti-Check attempts check box to set the number of incorrect passwords or Authenti-Check answers a user can type in succession before the system will introduce a one minute delay between further logon attempts. You can also specify the time in minutes that must elapse after the last incorrect attempt occurred, after which the one minute delay behavior is lifted. Note that the Password Attempts settings are enforced for the SEE password, passwords used to decrypt selfextracting executables, passwords used to decrypt files, and passwords used to decrypt files using the Removable Storage Access Utility. Password Complexity These include the minimum number of characters users SEE passwords must contain, the set of non-alphanumeric characters users may have in their passwords, as well as the minimum number of non-alphanumeric characters, uppercase letters, lowercase letters, and digits users must have in their passwords. Note that the Password Complexity settings are enforced for the SEE password, the Removable Storage Default Password, passwords used to encrypt self-extracting executables, passwords used to encrypt files from SEE Removable Storage protected computers, and passwords used to encrypt files using the Removable Storage Access Utility. Maximum Password Age Leave this option at the default to not set an expiration date on user passwords. If you select the option to set an expiration date on user passwords, type the number of days after which users passwords will expire, and type the number of days in advance users will be prompted to change their expiring passwords. Symantec Endpoint Encryption Removable Storage 20

27 Policy Creation & Editing Password History allow users to use any previously-used SEE password, or select the other option and type the number of different passwords users must use before reverting to old passwords. Minimum Password Age Leave this option at the default to allow users to change their SEE passwords as frequently as they wish, or select the other option and type the minimum number of days that must pass before users can change their passwords. Note that leaving this option at the default will effectively override the password history feature, since a user could quickly cycle through the required number of new passwords in order to keep an old, favorite password. Note that the Maximum Password Age, Password History, and Minimum Password Age settings can optionally be used by SEE Removable Storage to enforce password aging restrictions on the SEE Removable Storage Default Password chosen by users. See Encryption Method on page 24 Token Authentication If token authentication is in effect and you want to allow expired certificates, check the Users can authenticate to SEE with expired certificates check box. Authentication Message To change the message shown to users who are having trouble authenticating, edit the text within the Instructions for users who are having trouble with authentication field. For example, the phone number of your help desk may have been provided in the message and you may need to update it. Communication Use the Communication panel to modify the interval at which the recipient computers will attempt to make contact with the SEE Management Server. Single Sign-On Select or deselect the Enable Single Sign-On check box for the desired effect. Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s). Authenti-Check Authenti-Check is a self-help password recovery method for SEE Full Disk passwords. It does not recover SEE Removable Storage passwords. Symantec Endpoint Encryption Removable Storage 21

28 Policy Creation & Editing Use the Authenti-Check panel to enable or disable Authenti-Check and/or to change the question-answer pair requirements. Figure 3.5 Framework Computer/User Policy, Authenti-Check Options Select or deselect the Enable Authenti-Check check box according to the policy that you wish to effect. You can also adjust the other settings to your needs. Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s). One-Time Password One-Time Password is a help-desk-assisted means for SEE Full Disk users to regain access to Windows. It is not relevant to SEE Removable Storage. Use the One-Time Password panel to modify the availability of One-Time Password assistance, change the default message, update the personal identifier explanatory text, or adjust the availability of the OTP Communication Unlock feature. Figure 3.6 Framework Computer/User Policy, One-Time Password Options Select the Enable One-Time Password check box to make this Pre-Windows authentication assistance method available to SEE Full Disk users. Symantec Endpoint Encryption Removable Storage 22

29 Policy Creation & Editing Within the Default method area, select the default method that the Client Computers will begin with when initiating a One-Time Password recovery attempt. Select Online if the clients are configured to connect to the SEE Management Server. Select Offline if the clients are silent. Type the instructions to be displayed to users when prompted to enter their One-Time Password personal identifier. Select the OTP Communication Unlock check box to allow users who have been locked out of their computers for a failure to communicate to regain access using the One-Time Password Program. Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s). Security Level Use the Security Level panel to modify the encryption, access, and/or portability policies currently being enforced by SEE Removable Storage. Figure 3.7 Removable Storage Computer Policy, Security Level Options Access Policy Choose Do not allow access to files on removable storage devices to deny read and write access to files and folders stored on removable storage devices. Allow read-only access to files on removable storage devices allows registered SEE users to read, but not write, files and folders stored on removable storage devices. Allow read and write access to files on removable storage devices allows registered SEE users to read and write files and folders stored on removable storage devices. Selecting this option allows you to set an encryption policy. Encryption Policy Choose Encrypt all files written to or accessed on removable storage devices to automatically encrypt both new and pre-existing files on removable devices. Choose Encrypt new files written to removable storage devices to automatically encrypt all files newly added to removable storage devices. Choose Do not encrypt files on removable storage devices to not encrypt files newly added to removable storage devices. Portability Select the Copy the Removable Storage Access utility to all removable storage devices check box to ensure that the Removable Storage Access Utility will be placed on all removable devices automatically. Symantec Endpoint Encryption Removable Storage 23

30 Policy Creation & Editing Considered munitions by many countries, encryption software is often subject to regulations. The United States, for example, prohibits the export of strong encryption products to the following countries: Cuba, Iran, Libya, North Korea, Sudan, and Syria. Legal repercussions could ensue should someone in your organization fail to comply with national and/or international statutes. Visit for more information. Encryption Method Use the Encryption Method panel to modify the encryption methods currently allowed by SEE Removable Storage. These methods will be available to users encrypting files and creating self-extracting executables from a SEE Removable Storage protected computer, as well as users encrypting files with the Removable Storage Access Utility from computers not protected by SEE Removable Storage. Figure 3.8 Removable Storage Computer Policy, Encryption Method Options Select the appropriate option to restrict the encryption method to a password, restrict the encryption method to one or more certificates that the user chooses, or let each user choose the encryption method. Select the Apply password aging to Removable Storage default passwords check box to ensure that the Default Password set by the user will conform to the restrictions set in the Maximum Password Age, Password History and Minimum Password Age sections of the SEE Framework Password Authentication panel ( Password Authentication on page 20). Leaving this box unchecked will allow any previous Removable Storage Default Password to be reused. This setting can be used to ensure that users change their Default Password at a designated interval. Keep in mind that availability issues could arise. Such a policy should be accompanied by clear instructions to the user to prevent availability issues. See the User Guide for more information. Specifying a Master Certificate is also recommended. Master Certificate Use the Encryption Method panel to change the Master Certificate used by SEE Removable Storage or to stop using a Master Certificate. The Master Certificate is used by SEE Removable Storage and the Removable Storage Access Utility to encrypt files. Choose Do not encrypt files with a master certificate if you do not want to use a master certificate. Choose Encrypt files with a master certificate if you want to use a master certificate. You will be prompted for the location of the PKCS#7 format certificate file (.p7b). Once you have chosen a certificate file, the Select Certificate dialog will show information about the certificate you have chosen. Symantec Endpoint Encryption Removable Storage 24

31 Policy Creation & Editing Group Key Use the Group Key panel to stop using, set, or modify a group key. The group key is used by SEE Removable Storage and the Removable Storage Access Utility to encrypt files. Figure 3.9 Removable Storage Computer Policy, Group Key Options Click Do not encrypt or decrypt files with a group key if you do not want the computers receiving this policy to use a group key. Click Encrypt and decrypt files with this group key to deploy a group key to the computers receiving this policy. Clicking Generate new key will fill the key box with a randomly generated number. If you type or paste the key in, ensure that this value is random, 64 digits, hexadecimal format, and that alphanumeric characters are lowercase. Descriptive optional text you type in the Memo box will be displayed in RSoP reports. Executables Use the Executables panel to change the self-extracting file policy on the recipient computer. To permit users to avail of this feature, select the Allow users to save files as password-encrypted self-extracting executables check box. Symantec Endpoint Encryption Removable Storage 25

32 Policy Deployment 4. Policy Deployment Overview Policy deployment differs according to the type of policy that you are deploying. Deployment of Active Directory policies is discussed in the next section. Deployment of native policies is discussed in Native Policies on page 27. Active Directory Policies Basics Active Directory policies are deployed using the Group Policy Management Console (GPMC) snap-in of the SEE Manager. Order of Precedence When a single computer or user object has two or more policies assigned to it, the Local, Site, Domain, OU (LSDOU) order of precedence and link order will be considered. Policies specific to a single computer or user object are considered local and have the highest order of precedence in the LSDOU chain. If the policies are at the same LSDOU level, they will then be applied according to their link order. Those lowest in the link order will have the highest order of precedence. Forcing a Policy Update Basics Active Directory policy changes take approximately 90 minutes and no more than 120 minutes to push out to Client Computers. To accelerate this, you can force an immediate policy update. Windows XP Clients 1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open. 2. Type the following command at the command prompt: gpupdate /force and press ENTER. 3. A message will appear in the command prompt window after a few seconds indicating that the update has taken place. The message will prompt you to confirm a restart. Type Y and press ENTER to restart the Client Computer. Windows 2000 Clients 1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open. 2. Type the following command at the command prompt: secedit /refreshpolicy machine_policy /enforce and press ENTER. 3. The secedit command will not prompt you to restart. If the policy you are updating includes any computer policies, you will have to restart the computer manually to complete the update. Symantec Endpoint Encryption Removable Storage 26

33 Policy Deployment Native Policies Basics Native policies are applied at the computer level: they cannot be assigned on a per user basis. Each policy will be comprehensive and contain all of the possible configurable settings. Only one policy can be applied to a computer at a time. If no policy is assigned to a computer, it will revert to the settings specified in its original installation package. Native policies are applied at the time that the Client Computer checks in with the SEE Management Server. An immediate check-in can be performed by the user from the User Client Console on the endpoint computer. If synchronization with Novell is enabled, the Novell computers will already be organized within the Novell edirectory Computers container, just as they are organized within the Novell edirectory tree. Native policies can be assigned to Novell computers, even if they have not checked in. Clients in the Symantec Endpoint Encryption Managed Computers container cannot be assigned policies until: They have checked in with the SEE Management Server. They have been placed in a group other than SEE Unassigned. The following section discusses the process of creating groups and placing Client Computers inside of them. SEE Managed Computer Groups Basics Before you can assign policies to your SEE managed computers, they need to be organized into groups. This can be done from any Manager Computer. The structure will be saved in the SEE database and available to all other Manager Computers. The Symantec Endpoint Encryption Managed Computers container will only have two groups in by default: SEE Unassigned and Deleted Computers. Clients located within the SEE Unassigned group do not have any policies assigned to them. Clients will be placed in the SEE Unassigned group if: Synchronization with its directory service is not enabled. The computer does not reside within the Active Directory forest/domain or Novell tree that you are synchronizing with. In general, the Client Computer will appear in SEE Unassigned at the time that it checks in. However, if the Client Computer is manually deleted from the Active Directory domain or Novell tree, it will not appear in SEE Unassigned until the time of the next synchronization. Client Computers within the SEE Unassigned group do not have any policies assigned to them. Such Client Computers are enforcing the settings specified within their original installation package. Symantec Endpoint Encryption Removable Storage 27

34 Policy Deployment Group Creation The first step in organizing your SEE managed computers is to create the groups that they will reside in. To add a group, right-click Symantec Endpoint Encryption Managed Computers. Figure 4.1 Symantec Endpoint Encryption Managed Computers, Add New Group Select Add New Group. Figure 4.2 Name New Group Dialog Enter the name of the new group. This name must be unique within its group. For example, the Finance group can have two subgroups named Laptops and Desktops and the Human Resources group can also have two subgroups named Laptops and Desktops. But there cannot be two top-level groups just below Symantec Endpoint Encryption Managed Computers named Human Resources. Each name must be at least one character. Leading and trailing spaces will be deleted. Enter the desired name of the group and click OK. Continue to add groups and subgroups until you have the desired structure. Move Computers Client Computers can be moved from any Symantec Endpoint Encryption Managed Computers group to another Symantec Endpoint Encryption Managed Computers group. This section will discuss the process of moving a Client Computer out of the SEE Unassigned group and into one of the manually created groups. Symantec Endpoint Encryption Removable Storage 28

35 Policy Deployment Highlight SEE Unassigned. Locate the computer that you want to move and highlight it. Figure 4.3 SEE Unassigned, Computer Highlighted Click Move. Figure 4.4 Symantec Endpoint Encryption Managed Computers Groups Dialog Navigate to the desired destination group of the Client Computer. Highlight it and click OK. Each Client Computer can only reside in one group at a time. Policy Assignment Native policies can be assigned to individual computers, subgroups, or groups located within either the SEE Managed Computers container or the Novell edirectory Computers container. This section describes how to assign a policy to a group within the SEE Managed Computers container, but the instructions are fully extensible to your individual circumstance. Symantec Endpoint Encryption Removable Storage 29

36 Policy Deployment Begin by locating the recipient computer, subgroup, or group of the policy. Highlight the name of the recipient. Figure 4.5 Symantec Endpoint Encryption Managed Computers Group Selected Click Policy. Figure 4.6 Policy Selection Dialog Locate the native policy to be assigned to this group within the dialog and highlight it. Click OK. Figure 4.7 Native Policy Assignment Confirmation A confirmation message will be displayed. Click OK. Symantec Endpoint Encryption Removable Storage 30

37 Policy Deployment Figure 4.8 Symantec Endpoint Encryption Managed Computers Policy Assigned Following the successful assignment of the policy, the Manager Console will display the name of the policy now assigned to the group. The next time the Client Computers in this group check in with the SEE Management Server, they will download this policy and apply it. Order of Precedence Each computer can only have one policy assigned to it at any given time. Policies can be assigned to individual computers, subgroups, or entire groups. The rules of precedence are as follows: (1) Computer, (2) Subgroup, and (3) Group. Computer policies have the highest precedence. For example, if a policy is applied to computer D9HCPD3, and another policy is applied to the Laptops subgroup in which it resides, the policy applied to the computer will take precedence over the policy that was applied to the Laptops subgroup. Forcing a Policy Update Registered users can force an immediate policy update by launching the User Client Console, opening the Check-In panel, and clicking Check in Now. Symantec Endpoint Encryption Removable Storage 31

38 System Event Logging Appendix A. System Event Logging Framework System Events List The following table lists the individual SEE Framework generated windows system events logged on the Client Computer. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a description of the event indicating the type, source, or policy that generated the event (Internal, Program Action, Initial Setting, Settings Change, or Utility). Table A.1 Framework System Events Event Severity Description Explanation ID 0 Error Internal: Cannot map event ID to string. Framework The Framework event ID cannot be mapped to the string in the Framework. 1 Info Internal: Audit functions started. Framework The Framework audit functions have started. 2 Info Internal: Audit functions ended. Framework The Framework audit functions have ended. 3 Info 4 Warning 5 Info 6 Warning 7 Info 8 Warning 9 Info 10 Warning 11 Warning 12 Info 13 Info 14 Warning 15 Info Program Action: Successful client logon/authentication attempted with password. Framework [user name] Program Action: Unsuccessful client logon/ authentication attempted with password. Framework [user name] Program Action: Successful client logon/authentication attempted with token. Framework [user name] Program Action: Unsuccessful client logon/ authentication attempted with token. Framework Program Action: Successful logon/authentication attempted with One-Time Password. Framework Program Action: Unsuccessful logon/authentication attempted with One-Time Password. Framework Program Action: Successful logon/authentication attempted with Authenti-Check. Framework Program Action: Unsuccessful logon/authentication attempted with Authenti-Check. Framework Program Action: Number of client logon attempts exceeded the maximum allowed. Framework Program Action: User password changed successfully. Framework [user name] Program Action: User password changed unsuccessfully. Framework Program Action: User program uninstallation attempted. Framework Program Action: User changed Authenti-Check questions and answers successfully. Framework An attempt to logon at Pre-Windows with a password has succeeded. An attempt to logon at Pre-Windows with a password has failed. An attempt to logon at Pre-Windows with a token has succeeded. An attempt to logon at Pre-Windows with a token has failed. The One-Time Password process has succeeded in authenticating the user. The One-Time Password process has failed to authenticate the user. The Authenti-Check process has succeeded in authenticating the user. The Authenti-Check process has failed to authenticate the user. The number of Pre-Windows logon attempts allowed before a delay has been exceeded. The user has successfully changed their SEE password. The user attempted to change their SEE password, but failed. This could be because it did not meet the password requirements. An attempt to uninstall SEE Framework has been made. The user has succeeded in changing their Authenti- Check question(s) and/or answer(s). 16 Info Program Action: User has been unregistered. Framework The user has successfully been unregistered. 17 Info 18 Warning Program Action: User password resynchronized with Windows password. Framework Program Action: Computer locked due to failure to communicate with SEE server. Framework The user s SEE password has been resynchronized with their Windows password to enable the Single Sign-On feature. The Client Computer has failed to communicate with the SEE Management Server within the mandatory interval and, as a result, has been locked. Symantec Endpoint Encryption Removable Storage 32

39 System Event Logging Table A.1 Framework System Events (Continued) Event ID 19 Warning Program Action: User password expired. Framework The user s SEE password has expired. 20 Info Program Action: User registration completed. Framework [user name] 21 Warning Program Action: Final grace logon reached. Framework 22 Info 23 Info Program Action: User logged on after Hibernation or/ and Stand by. Framework [user name] Program Action: Client program installation attempted. Framework The user has successfully completed the registration process. The number of grace restarts is now zero and the next user to log on to Windows will be forced to register. A hibernation or standby process was initiated and ended when the user logged on to Windows. An attempt to install SEE Framework was made. 24 Info Program Action: Client program upgrade attempted. Framework An attempt to upgrade SEE Framework was made. 25 Info Program Action: Grace logon attempted. Framework An attempt to exercise a grace restart was made. 26 Info 27 Info 28 Info 29 Info 30 Error 31 Info 32 Error 33 Info 34 Error 35 Info 36 Error 37 Info 38 Error Severity Description Explanation Program Action: Authenti-Check questions and answers created. Framework Program Action: User password created. Framework [user name] Program Action: Token account created. Framework [user name] Initial Setting: One-Time Password [default server] method enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. Initial Setting: One-Time Password [default server] method enabled; policy failed. Framework Installation Settings - Authentication Assistance. Initial Setting: One-Time Password not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. Initial Setting: One-Time Password not enabled; policy failed. Framework Installation Settings - Authentication Assistance. Initial Setting: Authenti-Check enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. Initial Setting: Authenti-Check enabled; policy failed. Framework Installation Settings - Authentication Assistance. Initial Setting: Authenti-Check not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. Initial Setting: Authenti-Check not enabled; policy failed. Framework Installation Settings - Authentication Assistance. Initial Setting: Authentication Assistance message; policy applied successfully. Framework Installation Settings - Authentication Assistance. Initial Setting: Authentication Assistance message; policy failed. Framework Installation Settings - Authentication Assistance. The user has set their Authenti-Check questions and answers as a part of the registration process. The user has set their SEE password as a part of the registration process. A token user has created their SEE account during the registration process. The One-Time Password recovery method has been enabled as an installation setting. The default method will be [default server], as indicated in the audit event. The installation package specified that the One-Time Password recovery method should be enabled, but this setting failed to be applied. The One-Time Password recovery method is not enabled for this workstation, as per the installation setting. The installation package specified that the One-Time Password recovery method should not be enabled, but this setting failed to be applied. The Authenti-Check recovery method has been enabled as an installation setting. The installation package specified that the Authenti- Check recovery method should be enabled, but this setting failed to be applied. The Authenti-Check recovery method is not enabled for this workstation, as per the installation setting. The installation package specified that the Authenti- Check recovery method should not be enabled, but this setting failed to be applied. The authentication assistance message specified in the installation package was set successfully. The authentication assistance message specified in the installation package failed to be set. Symantec Endpoint Encryption Removable Storage 33

40 System Event Logging Table A.1 Framework System Events (Continued) Event ID 39 Info 40 Error 41 Info 42 Error 43 Info 44 Error 45 Info 46 Error 47 Info 48 Error 49 Info 50 Error 55 Info 56 Error 57 Info 58 Error Severity Description Explanation Initial Setting: Client Administrator [account name] account created with [low medium high] privileges; policy applied successfully. Framework Installation Settings - Client Administrators. Initial Setting: Client Administrator [account name] account created with [low medium high] privileges; policy failed. Framework Installation Settings - Client Administrators. Initial Setting: the SEE Management Server communication interval was set successfully. Framework Installation Settings - Communication. Initial Setting: the SEE Management Server communication interval failed to be set. Framework Installation Settings - Communication. Initial Setting: the user name of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication. Initial Setting: the user name of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication. Initial Setting: the SEE Management Server client account password was set successfully. Framework Installation Settings - Communication. Initial Setting: the SEE Management Server client account password failed to be set. Framework Installation Settings - Communication. Initial Setting: Limit password attempts enabled; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Limit password attempts enabled; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Limit password attempts not enabled; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Limit password attempts not enabled; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Maximum password age enabled; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Maximum password age enabled; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Maximum password age not enabled; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Maximum password age not enabled; policy failed. Framework Installation Settings - Password Authentication. The Client Administrator account specified in the installation package and described in the audit log description was created successfully. The Client Administrator account specified in the installation package and described in the audit log description failed to be created. The SEE Management Server communication interval specified in the installation package was set successfully. The SEE Management Server communication interval specified in the installation package failed to be set. The user name of the SEE Management Server client IIS account specified in the installation package was set successfully. The user name of the SEE Management Server client IIS account specified in the installation package failed to be set. The SEE Management Server client IIS account password specified in the installation package was set successfully. The SEE Management Server client IIS account password specified in the installation package failed to be set. The limitation on the number of password authentication attempts specified in the installation package has been set successfully. The limitation on the number of password authentication attempts specified in the installation package failed to be set. No limitation to the number of password authentication attempts, as specified in the installation package, has been set successfully. No limitation to the number of password authentication attempts, as specified in the installation package, failed to be set. The user s passwords will expire at the interval designated in the installation package; this was set successfully. The user s passwords will not expire at the interval designated in the installation package; this failed to be set. The user s passwords will not expire. This was set successfully, as specified in the installation package. Although the installation package specified that the user s passwords would not expire, this failed to be set. Symantec Endpoint Encryption Removable Storage 34

41 System Event Logging Table A.1 Framework System Events (Continued) Event ID 59 Info 60 Error 61 Info 62 Error 63 Info 64 Error 65 Info 66 Error 67 Info 68 Error 69 Info 70 Error 71 Info 72 Error Severity Description Explanation Initial Setting: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Password history (any previous password can be reused) enabled; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Password complexity requirements for minimum password length met; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Password complexity requirements for minimum password length met; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Non-alphanumeric characters allowed in password setting; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Non-alphanumeric characters allowed in password setting; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters met; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters not met; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Password complexity requirements for minimum number of uppercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Password complexity requirements for minimum number of uppercase characters not met; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Password complexity requirements for minimum number of lowercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Password complexity requirements for minimum number of lowercase characters not met; policy failed. Framework Installation Settings - Password Authentication. The user will be able to reuse previous passwords, this installation setting was applied successfully. The installation package specified that the user should be able to reuse previous passwords, but this setting failed to be applied. The user will not be able to use previous passwords, the limitations specified in the installation package were applied successfully. Even though the installation package specified certain limitations on the ability of users to use previous passwords, these settings failed to be applied. The installation package specified that users must set their passwords to be of a minimum length. This was set successfully. The installation package specified that users must set their passwords to be of a minimum length. This setting failed to be applied. The installation package specified that users will be able to use non-alphanumeric characters in their passwords. This was set successfully. The installation package specified that users should be able to use non-alphanumeric characters in their passwords. This setting failed to be applied. The installation package specified that a minimum number of non-alphanumeric characters must be present in the user s passwords. This was set successfully. The installation package specified that a minimum number of non-alphanumeric characters must be present in the user s passwords. This setting failed to be applied. The installation package specified that a minimum number of uppercase characters must be present in the user s passwords. This was set successfully. The installation package specified that a minimum number of uppercase characters must be present in the user s passwords. This setting failed to be applied. The installation package specified that a minimum number of lowercase characters must be present in the user s passwords. This was set successfully. The installation package specified that a minimum number of lowercase characters must be present in the user s passwords. This setting failed to be applied. Symantec Endpoint Encryption Removable Storage 35

42 System Event Logging Table A.1 Framework System Events (Continued) Event ID 73 Info 74 Error 75 Info 76 Error 77 Info 78 Error 79 Info 80 Error 81 Info 82 Error 83 Info 84 Error 85 Info 86 Error 87 Info 88 Error 89 Info Severity Description Explanation Initial Setting: Password complexity requirements for minimum number of digits met; policy applied successfully. Framework Installation Settings - Password Authentication. Initial Setting: Password complexity requirements for minimum number of digits not met; policy failed. Framework Installation Settings - Password Authentication. Initial Setting: Require registration password enabled; policy applied successfully. Framework Installation Settings - Registered Users. Initial Setting: Require registration password enabled; policy failed. Framework Installation Settings - Registered Users. Initial Setting: Require registration password not enabled; policy applied successfully. Framework Installation Settings - Registered Users. Initial Setting: Require registration password not enabled; policy failed. Framework Installation Settings - Registered Users. Initial Setting: Number of allowed user accounts setting; policy applied successfully. Framework Installation Settings - Registered Users. Initial Setting: Number of allowed user accounts setting; policy failed. Framework Installation Settings - Registered Users. Initial Setting: User authentication with password only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users. Initial Setting: User authentication with password only setting enabled; policy failed. Framework Installation Settings - Registered Users. Initial Setting: User authentication with token only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users. Initial Setting: User authentication with token only setting enabled; policy failed. Framework Installation Settings - Registered Users. Initial Setting: User can select authentication method setting enabled; policy applied successfully. Framework Installation Settings - Registered Users. Initial Setting: User can select authentication method setting enabled; policy failed. Framework Installation Settings - Registered Users. Initial Setting: Registration Wizard custom message; policy applied successfully. Framework Installation Settings - Registered Users. Initial Setting: Registration Wizard custom message; policy failed. Framework Installation Settings - Registered Users. Initial Setting: Grace restarts before registration setting; policy applied successfully. Framework Installation Settings - Registered Users. The installation package specified that a minimum number of digits must be present in the user s passwords. This was set successfully. The installation package specified that a minimum number of digits must be present in the user s passwords. This setting failed to be applied. The installation package specified that the user must provide the registration password to be able to register. This was set successfully. The installation package specified that the user must provide the registration password to be able to register. This setting failed to be applied. The installation package specified that no registration password is required to allow a user to register. This was set successfully. The installation package specified that no registration password is required to allow a user to register. This setting failed to be applied. The installation package specified the maximum number of user accounts allowed on the Client Computer. This was set successfully. The installation package specified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied. The installation package specified that users will authenticate only using passwords. This was set successfully. The installation package specified that users will authenticate only using passwords. This setting failed to be applied. The installation package specified that users will authenticate only using tokens. This was set successfully. The installation package specified that users will authenticate only using tokens. This setting failed to be applied. The installation package specified that users will authenticate using the method of their choice. This was set successfully. The installation package specified that users will authenticate using the method of their choice. This setting failed to be applied. The installation package specified that users will see a custom message during registration. This was set successfully. The installation package specified that users will see a custom message during registration. This setting failed to be applied. The installation package specified the number of grace restarts that users will have before being forced to register. This was set successfully. Symantec Endpoint Encryption Removable Storage 36

43 System Event Logging Table A.1 Framework System Events (Continued) Event ID 90 Error 91 Info 92 Error 93 Info 94 Error 95 Info 96 Error 97 Info 98 Error 99 Info 100 Error 101 Info 102 Error 103 Info 104 Error 105 Info 106 Error Severity Description Explanation Initial Setting: Grace restarts before registration setting; policy failed. Framework Installation Settings - Registered Users. Initial Setting: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework Installation Settings - Token Authentication. Initial Setting: User can authenticate with expired certificates setting enabled; policy failed. Framework Installation Settings - Token Authentication. Initial Setting: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework Installation Settings - Token Authentication. Initial Setting: User can authenticate with expired certificates setting not enabled; policy failed. Framework Installation Settings - Token Authentication. Initial Setting: Single Sign-On enabled; policy applied successfully. Framework Installation Settings - Single Sign-On. Initial Setting: Single Sign-On enabled; policy failed. Framework Installation Settings - Single Sign-On. Initial Setting: Single Sign-On not enabled; policy applied successfully. Framework Installation Settings - Single Sign-On. Initial Setting: Single Sign-On not enabled; policy failed. Framework Installation Settings - Single Sign-On. Initial Setting: Encryption strength setting; policy applied successfully. Framework Installation Settings - Encryption. Initial Setting: Encryption strength setting; policy failed. Framework Installation Settings - Encryption. Initial Setting: Default log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization. Initial Setting: Default log file location enabled; policy failed. Framework Installation Settings - Installer Customization. Initial Setting: Custom log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization. Initial Setting: Custom log file location enabled; policy failed. Framework Installation Settings - Installer Customization. Settings Change: Authentication Assistance message modified; policy applied successfully. Framework Computer Policy - Authentication Assistance. Settings Change: Authentication Assistance message modified; policy failed. Framework Computer Policy - Authentication Assistance. The installation package specified the number of grace restarts that users will have before being forced to register. This setting failed to be applied. The installation package specified that users with expired certificates will be allowed to authenticate. This was set successfully. The installation package specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied. The installation package specified that users with expired certificates will not be allowed to authenticate. This was set successfully. The installation package specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied. The installation package specified that users will authenticate using Single Sign-On. This was set successfully. The installation package specified that users will authenticate using Single Sign-On. This setting failed to be applied. The installation package specified that users will not authenticate using Single Sign-On. This was set successfully. The installation package specified that users will not authenticate using Single Sign-On. This setting failed to be applied. The installation package specified the encryption strength. This was set successfully. The installation package specified the encryption strength. This setting failed to be applied. The installation package specified that the client database files will be stored in the default location. This was set successfully. The installation package specified that the client database files will be stored in the default location. This setting failed to be applied. The installation package specified that the client database files will be stored in a custom location. This was set successfully. The installation package specified that the client database files will be stored in a custom location. This setting failed to be applied. A policy specified that users will see a modified message when requesting authentication assistance. This was set successfully. A policy specified that users will see a modified message when requesting authentication assistance. This setting failed to be applied. Symantec Endpoint Encryption Removable Storage 37

44 System Event Logging Table A.1 Framework System Events (Continued) Event ID 107 Info 108 Error 109 Info 110 Error 111 Info 112 Error 113 Info 114 Error 115 Info 116 Error 117 Info 118 Error 119 Info 120 Error 121 Info Severity Description Explanation Settings Change: One-Time Password [default server] method enabled; policy applied successfully. Framework User Policy - Authentication Assistance. Settings Change: One-Time Password [default server] method enabled; policy failed. Framework User Policy - Authentication Assistance. Settings Change: One-Time Password not enabled; policy applied successfully. Framework User Policy - Authentication Assistance. Settings Change: One-Time Password not enabled; policy failed. Framework User Policy - Authentication Assistance. Settings Change: Authenti-Check enabled; policy applied successfully. Framework User Policy - Authentication Assistance. Settings Change: Authenti-Check enabled; policy failed. Framework User Policy - Authentication Assistance. Settings Change: Authenti-Check not enabled; policy applied successfully. Framework User Policy - Authentication Assistance. Settings Change: Authenti-Check not enabled; policy failed. Framework User Policy - Authentication Assistance. Settings Change: Authenti-Check settings modified; policy applied successfully. Framework User Policy - Authentication Assistance. Settings Change: Authenti-Check settings modified; policy failed. Framework User Policy - Authentication Assistance. Settings Change: Client Administrator [account name] account modified, privileges changed from [low medium high] to [low medium high]; policy applied successfully. Framework Computer Policy - Client Administrators. Settings Change: Client Administrator [account name] account modified, privileges changed from [low medium high] to [low medium high]; policy failed. Framework Computer Policy - Client Administrators. Settings Change: the SEE Management Server communication interval was modified successfully. Framework Computer Policy - Communication. Settings Change: a policy modifying the SEE Management Server communication interval failed to be applied. Framework Computer Policy - Communication. Settings Change: Settings Change: the SEE Management Server client account was modified successfully. Framework Computer Policy - Communication. A policy specified the One-Time Password method that users see when requesting authentication assistance: either default (offline method), or server (online method). This was set successfully. A policy specified the One-Time Password method that users see when requesting authentication assistance: either default (offline method), or server (online method). This setting failed to be applied. A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This was set successfully. A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This setting failed to be applied. A policy specified that Authenti-Check will be available to users requesting authentication assistance. This was set successfully. A policy specified that Authenti-Check will be available to users requesting authentication assistance. This setting failed to be applied. A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This was set successfully. A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This setting failed to be applied. A policy specified that the Authenti-Check settings were modified. This was set successfully. A policy specified that the Authenti-Check settings were modified. This setting failed to be applied. A policy specified that the privileges of Client Administrator account [account name] were changed from [low medium high] to [low medium high]. This was set successfully. A policy specified that the privileges of Client Administrator account [account name] were changed from [low medium high] to [low medium high]. This setting failed to be applied. A settings change specified a change in how often the Client Computer reports its status to the SEE Management Server. This was set successfully. A policy specified a change in how often the Client Computer reports its status to the SEE Management Server. This setting failed to be applied. A policy specified a change to the credentials of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This was set successfully. Symantec Endpoint Encryption Removable Storage 38

45 System Event Logging Table A.1 Framework System Events (Continued) Event ID 122 Error 123 Info 124 Error 125 Info 126 Error 127 Info 128 Error 129 Info 130 Error 135 Info 136 Error 137 Info 138 Error 139 Info 140 Error 141 Info Severity Description Explanation Settings Change: a policy modifying the SEE Management Server client account failed to be applied. Framework Computer Policy - Communication. Settings Change: the SEE Management Server client account password was modified successfully. Framework Computer Policy - Communication. Settings Change: a policy modifying the SEE Management Server client account password failed. Framework Computer Policy - Communication. Settings Change: Limit password attempts enabled; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Limit password attempts enabled; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Limit password attempts not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Limit password attempts not enabled; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Limit password attempts settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Limit password attempts settings modified; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Maximum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Maximum password age enabled; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Maximum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Maximum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Maximum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Maximum password age settings modified; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Computer Policy - Password Authentication. A policy specified a change to the credentials of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This setting failed to be applied. A policy specified a change to the password of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This was set successfully. A policy specified a change to the password of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This setting failed to be applied. A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This was set successfully. A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied. A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This was set successfully. A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied. A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This was set successfully. A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This setting failed to be applied. A policy was specified that forces the user s passwords to expire at the designated interval. This was set successfully. A policy was specified that forces the user s passwords to expire at the designated interval. This setting failed to be applied. A policy was specified that does not force the user s passwords to expire. This was set successfully. A policy was specified that does not force the user s passwords to expire. This setting failed to be applied. A policy was specified that modified the settings controlling how often a user s passwords will expire. This was set successfully. A policy was specified that modified the settings controlling how often a user s passwords will expire. This setting failed to be applied. A policy was specified that allows the user to reuse previous passwords. This was set successfully. Symantec Endpoint Encryption Removable Storage 39

46 System Event Logging Table A.1 Framework System Events (Continued) Event ID 142 Error 143 Info 144 Error 145 Info 146 Error 147 Info 148 Error 149 Info 150 Error 151 Info 152 Error 153 Info 154 Error 155 Info Severity Description Explanation Settings Change: Password history (any previous password can be reused) enabled; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Password history (limit password reuse and days between changes) settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Password history (limit password reuse and days between changes) settings modified; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Minimum password length setting modified; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Minimum password length setting modified; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Non-alphanumeric characters allowed in password setting modified; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Non-alphanumeric characters allowed in password setting modified; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy applied successfully. Framework Computer Policy - Password Authentication. A policy was specified that allows the user to reuse previous passwords. This setting failed to be applied. A policy was specified that prevents the user from using previous passwords. This was set successfully. A policy was specified that prevents the user from using previous passwords. This setting failed to be applied. A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This was set successfully. A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This setting failed to be applied. A policy was specified that modified the minimum length for user passwords. This was set successfully. A policy was specified that modified the minimum length necessary for user passwords. This setting failed to be applied. A policy was specified that modified the number of nonalphanumeric characters allowed in user passwords. This was set successfully. A policy was specified that modified the number of nonalphanumeric characters allowed in user passwords. This setting failed to be applied. A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user s passwords. This was set successfully. A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user s passwords. This setting failed to be applied. A policy was specified that changed the minimum number of uppercase characters that must be present in the user s passwords. This was set successfully. A policy was specified that changed the minimum number of uppercase characters that must be present in the user s passwords. This setting failed to be applied. A policy was specified that changed the minimum number of lowercase characters that must be present in the user s passwords. This was set successfully. Symantec Endpoint Encryption Removable Storage 40

47 System Event Logging Table A.1 Framework System Events (Continued) Event ID 156 Error 157 Info 158 Error 159 Info 160 Error 161 Info 162 Error 163 Info 164 Error 165 Info 166 Error 167 Info 168 Error 169 Info 170 Error 173 Info Severity Description Explanation Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Change password complexity requirements for minimum number of digits; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Change password complexity requirements for minimum number of digits; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Require registration password enabled; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: Require registration password enabled; policy failed. Framework Computer Policy - Registered Users. Settings Change: Require registration password not enabled; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: Require registration password not enabled; policy failed. Framework Computer Policy - Registered Users. Settings Change: Registration password modified; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: Registration password modified; policy failed. Framework Computer Policy - Registered Users. Settings Change: Number of allowed user accounts setting modified; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: Number of allowed user accounts setting modified; policy failed. Framework Computer Policy - Registered Users. Settings Change: User authentication with password only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: User authentication with password only setting enabled; policy failed. Framework Computer Policy - Registered Users. Settings Change: User authentication with token only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: User authentication with token only setting enabled; policy failed. Framework Computer Policy - Registered Users. Settings Change: Registration Wizard custom message modified; policy applied successfully. Framework Computer Policy - Registered Users. A policy was specified that changed the minimum number of lowercase characters that must be present in the user s passwords. This setting failed to be applied. A policy was specified that changed the minimum number of digits that must be present in the user s passwords. This was set successfully. A policy was specified that changed the minimum number of digits that must be present in the user s passwords. This setting failed to be applied. A policy was specified that the user must provide the registration password to be able to register. This was set successfully. A policy was specified that the user must provide the registration password to be able to register. This setting failed to be applied. A policy was specified that no registration password is required to allow a user to register. This was set successfully. A policy was specified that no registration password is required to allow a user to register. This setting failed to be applied. A policy was specified that modified the registration password users must know to be able to register. This was set successfully. A policy was specified that modified the registration password users must know to be able to register. This setting failed to be applied. A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This was set successfully. A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied. A policy was specified that users will authenticate only using passwords. This was set successfully. A policy was specified that users will authenticate only using passwords. This setting failed to be applied. A policy was specified that users will authenticate only using tokens. This was set successfully. A policy was specified that users will authenticate only using tokens. This setting failed to be applied. A policy was specified that modified the custom message users will see during registration. This was set successfully. Symantec Endpoint Encryption Removable Storage 41

48 System Event Logging Table A.1 Framework System Events (Continued) Event ID 174 Error 175 Info 176 Error 177 Info 178 Error 179 Info 180 Error 181 Info 182 Error 183 Info 184 Info 185 Info 186 Info 187 Error 188 Info 189 Error 190 Info Severity Description Explanation Settings Change: Registration Wizard custom message modified; policy failed. Framework Computer Policy - Registered Users. Settings Change: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework User Policy - Token Authentication. Settings Change: User can authenticate with expired certificates setting enabled; policy failed. Framework User Policy - Token Authentication. Settings Change: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework User Policy - Token Authentication. Settings Change: User can authenticate with expired certificates setting not enabled; policy failed. Framework User Policy - Token Authentication. Settings Change: Single Sign-On enabled; policy applied successfully. Framework User Policy - Single Sign-On. Settings Change: Single Sign-On enabled; policy failed. Framework User Policy - Single Sign-On. Settings Change: Single Sign-On not enabled; policy applied successfully. Framework User Policy - Single Sign-On. Settings Change: Single Sign-On not enabled; policy failed. Framework User Policy - Single Sign-On. Program Action: The user was provided access to Windows using cached credentials and was not required to change their Windows password following successful completion of the password recovery process because there was no connectivity to a domain controller. Program Action: Client Administrator [account name] unregistered user [user name]. Framework Settings Change: Client Administrator [account name] was added with [low medium high] privileges; policy applied successfully. Initial Setting: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. Initial Setting: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. Initial Setting: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. Initial Setting: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. A policy was specified that modified the custom message users will see during registration. This setting failed to be applied. A policy was specified that users with expired certificates will be allowed to authenticate. This was set successfully. A policy was specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied. A policy was specified that users with expired certificates will not be allowed to authenticate. This was set successfully. A policy was specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied. A policy was specified that users will authenticate using Single Sign-On. This was set successfully. A policy was specified that users will authenticate using Single Sign-On. This setting failed to be applied. A policy was specified that users will not authenticate using Single Sign-On. This was set successfully. A policy was specified that users will not authenticate using Single Sign-On. This setting failed to be applied. After a user successfully completes the password recovery process in Pre-Windows, they will be forced to select a new password when they log on to Windows. If the Client Computer was offline and cached credentials were used, this password synchronization is deferred until after the Client Computer regains network connectivity. The Client Administrator [account name] has unregistered the user [user name] on the Client Computer. A policy was specified that added [account name] as a Client Administrator having [low medium high] privileges. This was set successfully. The installation package specified that users must wait the designated interval before changing their passwords. This was set successfully. The installation package specified that users must wait the designated interval before changing their passwords. This setting failed to be applied. The installation package specified that users will not be forced to wait before changing their passwords. This was set successfully. The installation package specified that users will not be forced to wait before changing their passwords. This setting failed to be applied. A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This was set successfully. Symantec Endpoint Encryption Removable Storage 42

49 System Event Logging Table A.1 Framework System Events (Continued) Event ID 191 Error 192 Info 193 Error 194 Info 195 Error 196 Info 197 Error 198 Info 199 Error 200 Info 201 Error 202 Info 203 Error 204 Info Severity Description Explanation Settings Change: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Minimum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. Settings Change: Minimum password age settings modified; policy failed. Framework Computer Policy - Password Authentication. Settings Change: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. Settings Change: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. Settings Change: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. Settings Change: Users who do not log on for [number] days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. Settings Change: Users who do not log on for [number] days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. Initial Setting: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This setting failed to be applied. A policy was specified that users will not be forced to wait before changing their passwords. This was set successfully. A policy was specified that users will not be forced to wait before changing their passwords. This setting failed to be applied. A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This was set successfully. A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This setting failed to be applied. A policy was specified that automatically authenticates SEE users. If SEE Full Disk has been installed, the Pre- Windows authentication will be bypassed. This was set successfully. A policy was specified that automatically authenticates SEE users. If SEE Full Disk has been installed, the Pre- Windows authentication will be bypassed. This setting failed to be applied. A policy was specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the Pre- Windows authentication will not be bypassed. This was set successfully. A policy was specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the Pre- Windows authentication will not be bypassed. This setting failed to be applied. A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully. A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied. A policy was specified that inactive user accounts will be automatically unregistered after [number] days. This was set successfully. A policy was specified that inactive user accounts will be automatically unregistered after [number] days. This setting failed to be applied. The installation package specified that SEE users will be automatically authenticated. If SEE Full Disk has been installed, the Pre-Windows authentication will be bypassed. This was set successfully. Symantec Endpoint Encryption Removable Storage 43

50 System Event Logging Table A.1 Framework System Events (Continued) Event ID 205 Error 206 Info 207 Error 208 Info 209 Error 210 Info 211 Error 212 Info 213 Error 214 Info 215 Error 216 Info 217 Error Severity Description Explanation Initial Setting: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. Initial Setting: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. Initial Setting: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. Initial Setting: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. Initial Setting: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. Initial Setting: Users who do not log on for [number] days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. Initial Setting: Users who do not log on for [number] days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. Initial Setting: the client will not communicate with the SEE Management Server and is a silent client; installation settingapplied successfully. Framework Installation Setting Initial Setting: the installation setting dictated that the client would not attempt to communicate with the SEE Management Server and was a silent client, but this failed to be applied. Framework Installation Setting Settings Change: this client will no longer attempt to communicate with the SEE Management Server and is now a silent client; policy applied successfully. Framework Computer Polic Settings Change: a policy dictating that this client would no longer communicate with the SEE Management Server and would become a silent client failed to be applied. Framework Computer Polic Program Action: User [user name]successfully modified their One-Time Password personal identifier. Framework [user name] Program Action: User [user name] failed to modify their One-Time Password personal identifier. Framework [user name] The installation package specified that SEE users will be automatically authenticated. If SEE Full Disk has been installed, the Pre-Windows authentication will be bypassed. This setting failed to be applied. The installation package specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the Pre-Windows authentication will not be bypassed. This was set successfully. The installation package specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the Pre-Windows authentication will not be bypassed. This setting failed to be applied. The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully. The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied. The installation package specified that inactive user accounts will be automatically unregistered after [number] days. This was set successfully. The installation package specified that inactive user accounts will be automatically unregistered after [number] days. This setting failed to be applied. The installation package specified that the Client Computer will not communicate with the SEE Management Server. This was set successfully. The installation package specified that the Client Computer will not communicate with the SEE Management Server. This setting failed to be applied. A policy was specified that a Client Computer previously able to contact a SEE Management Server will now have all SEE Management Server communications suppressed. This was set successfully. A policy was specified that a Client Computer previously able to contact a SEE Management Server will now have all SEE Management Server communications suppressed. This setting failed to be applied. A user has successfully modified their One-Time Password personal identifier. This was set successfully. A user has successfully modified their One-Time Password personal identifier. This setting failed to be applied. Symantec Endpoint Encryption Removable Storage 44

51 System Event Logging Table A.1 Framework System Events (Continued) Event ID 218 Info 219 Error 220 Info 221 Error 222 Info 223 Info 224 Error 225 Info 226 Error 227 Info 228 Error Severity Description Explanation Settings Change: Client Administrator [account name] password modified; policy applied successfully. Framework Computer Policy - Client Administrators. Settings Change: Client Administrator [account name] password modified; policy failed. Framework Computer Policy - Client Administrators. Settings Change: Client Administrator [account name] certificate modified; policy applied successfully. Framework Computer Policy - Client Administrators. Settings Change: Client Administrator [account name] certificate modified; policy failed. Framework Computer Policy - Client Administrators. Settings Change: Client Administrator [account name] has unregistered. Framework Computer Polic Initial Setting: the address of the SEE Management Server was set successfully. Framework Installation Settings - Communication. Initial Setting: the address of the SEE Management Server failed to be set. Framework Installation Settings - Communication. Initial Setting: the domain of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication. Initial Setting: the domain of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication. Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server was set successfully. Framework Installation Settings - Communication. Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server failed to be set. Framework Installation Settings - Communication. A policy was specified that modified the SEE password of one or more Client Administrator accounts. This was set successfully. A policy was specified that modified the SEE password of one or more Client Administrator accounts. This setting failed to be applied. A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This was set successfully. A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This setting failed to be applied. The address of the SEE Management Server was successfully set during installation. The address of the SEE Management Server was not set during installation. The domain of the SEE Management Server client account was successfully set during installation. The domain of the SEE Management Server client account was not set during installation. The certificate for HTTPS communication with the SEE Management Server was successfully set. The certificate for HTTPS communication with the SEE Management Server was not set during installation. Removable Storage System Events List The following table lists the individual SEE Removable Storage generated Windows system events logged on the client. These events are logged in the Application section of the Windows Event Log. Table A.2 Removable Storage System Events Event ID Severity Description Explanation 100 Info The Removable Storage service was installed. SEE Removable Storage was installed. 101 Info The Removable Storage service was removed. SEE Removable Storage was uninstalled. 102 Error The Removable Storage service could not be removed. An uninstallation of SEE Removable Storage was attempted, but due to some problem with the MSI, the SEE Removable Storage Service was not removed during the uninstallation. Symantec Endpoint Encryption Removable Storage 45

52 System Event Logging Table A.2 Removable Storage System Events (Continued) Event ID 103 Error The control handler could not be installed. 104 Error The initialization process failed. 105 Info The service was started. 106 Error The service received an unsupported request. 108 Info The service was stopped. 109 Info 110 Info 111 Info 112 Error 113 Error 114 Info 115 Info 116 Info 117 Info 118 Info 119 Info 120 Info 121 Info Severity Description Explanation Detected logon by user [domain name or local machine name/user name]. Detected logoff by user [domain name or local machine name/user name]. Could not impersonate user [domain name or local machine name/user name]. Notification Package could not connect to service to load or unload user [domain name or local machine name/ user name]. Could not start the RS GUI process for user [domain name or local machine name/user name]. Successfully started the RS GUI process for user [domain name or local machine name/user name]. Could not connect to the RS GUI process for user [domain name or local machine name/user name]. The RS GUI process for user [domain name or local machine name/user name] has shut down. The service was unable to retrieve settings for user [domain name or local machine name/user name]. The service was unable to retrieve settings for the local machine. A [removable device type] was detected under user [domain name or local machine name/user name] and successfully activated. A [removable device type] was detected under user [domain name or local machine name/user name] and failed to activate. It is the normal behavior for media readers without inserted media (such as a floppy drive with no floppy inserted) to not activate. User [domain name or local machine name/user name] successfully created an XML header for [file name]. The SEE Removable Storage Service could not be started. SEE Removable Storage experienced problems with an important component of its operations, such as the Registry, device detection, named pipes, or the filter driver. This could be remedied by unplugging all devices and rebooting. This routine event should be logged each time the computer boots up. A request was made to the SEE Removable Storage service that is not supported. This routine event should be logged each time the computer is shut down. This routine event should be recorded each time a user logs on to Windows. This routine event should be recorded each time a user logs off of Windows. This event indicates a serious problem and should not occur. This event indicates an issue with the SEE Removable Storage Service. It should follow either Removable Storage event 109 or 110. If this message occurs, the machine should be rebooted. This event indicates a serious problem with the GUI or named pipes communications. This routine event should always follow Removable Storage event 109. The SEE Removable Storage Service attempted to display a GUI element to the user, but failed. This routine event should always follow Removable Storage event 110. SEE Removable Storage was unable to read the Registry and cannot determine user policy settings for the specified user. This could cause unexpected behavior. SEE Removable Storage was unable to read the Registry and cannot determine policy settings and/or the group key. This could cause unexpected behavior. This routine event should be logged each time a user inserts a device of interest. This event indicates a user inserted a device of interest, but it failed to be activated by SEE Removable Storage. The Removable Storage could not establish communication with the device. The user may have pulled the device out. If not, there may be a more serious problem. This routine event should be logged each time an encrypted file is placed on a device of interest. Symantec Endpoint Encryption Removable Storage 46

53 System Event Logging Table A.2 Removable Storage System Events (Continued) Event ID 122 Info 123 Warning 124 Warning 125 Error 126 Warning 127 Warning 128 Warning 129 Warning 130 Info 135 Info 136 Error 139 Error 534 Info 535 Error User [domain name or local machine name/user name] failed to create an XML header for [file name]. The service was started manually. A user is already logged in. User [domain name or local machine name/user name] is not registered with the Framework and is being denied access to a removable volume. User [domain name or local machine name/user name] failed to parse the XML header for [file name]. A failure occurred generating the password node of the XML header. A failure occurred generating the group key node of the XML header. A failure occurred generating the certificate node of the XML header for Serial Number [serial number]. A failure occurred generating the certificate node of the XML header. The SEE-RS Access Utility has been copied to [drive letter]. The self-extracting file [file name] was successfully created. The file [file name] could not be decrypted because the current user's logon information was not received. The SEE-RS Access utility could not be copied to [drive letter]. [error] GPO and SEE Framework policy synchronization completed. A failure occurred during the device mount process for device [drive letter]. Applying a No Access policy to the device. Please disconnect and reconnect device to remount the device properly. 565 Info Encryption of a file [filename] completed successfully. 566 Info Encryption of a file [filename] did not complete successfully. 567 Info Decryption of a file [filename] completed successfully. 568 Info 569 Info 570 Info Severity Description Explanation Decryption of a file [filename] did not complete successfully. Threshold reached for failed authentication attempts to encrypt or decrypt a file. Delay instituted because threshold for failed authentication attempts to encrypt or decrypt a file was reached. Success. This event indicates a failed attempt to create a header for an encrypted file. This could occur for a variety of reasons, such as the failure of a cryptographic library or the XML library to initialize, or if the Master Certificate could not be found. This event indicates a user manually started the SEE Removable Storage Service and it will not function properly. A reboot of the machine should solve this problem. A user is attempting to access a removable storage device, but has not registered with the SEE Framework. This event indicates a failed attempt to parse the header for an encrypted file. This event indicates a failed attempt to create the password node of a header for an encrypted file. This event indicates a failed attempt to create the group key node of a header for an encrypted file. This event indicates a specific failure while creating the certificate key node of a header for an encrypted file. This event indicates a general failure while creating the certificate key node of a header for an encrypted file. This event indicates that the SEE Removable Storage Access Utility has been copied to the specified device. The specified self extracting file was created. The Removable Storage service did not receive login information about the user and cannot proceed. This event indicates a failed attempt to distribute the SEE Removable Storage Access Utility to a device. Policy synchronization has been completed. This event indicates a failed attempt to mount a removable storage device. The user will not be able to access the device. The user attempted to encrypt a file and the operation completed successfully. The user attempted to encrypt a file and the operation failed. The user attempted to decrypt a file and the operation completed successfully. The user attempted to decrypt a file and the operation failed. The user reached the maximum number of incorrect passwords allowed while attempting to encrypt or decrypt a file. The user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file and must wait for 1 minute before further attempts. Symantec Endpoint Encryption Removable Storage 47

54 System Event Logging Table A.2 Removable Storage System Events (Continued) Event ID 571 Info 572 Info 573 Info 579 Info 2000 Info 2001 Error 2002 Info 2003 Error 2004 Info 2005 Error 2006 Info 2007 Error 2008 Info 2009 Error 2010 Info 2011 Error Severity Description Explanation Delay instituted because threshold for failed authentication attempts to encrypt or decrypt a file was reached. Failure. Expiration of the delay instituted because of failed authentication attempts. Success. Expiration of the delay instituted because of failed authentication attempts. Failure. The Default Password for user [user name] has reached maximum age. Initial Setting: Do not allow access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. Initial Setting: Do not allow access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. Initial Setting: Allow read-only access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. Initial Setting: Allow read-only access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. Initial Setting: Allow read and write access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. Initial Setting: Allow read and write access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. Initial Setting: Encrypt all files read from or written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. Initial Setting: Encrypt all files read from or written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. Initial Setting: Encrypt all files written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. Initial Setting: Encrypt all files written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. Initial Setting: Do not encrypt files written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. Initial Setting: Do not encrypt files written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file could not be instituted. The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file has expired. The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file could not be expired. Password Aging is enabled. The user must use the User Client Console to change their Default Password. The expired Default Password can still be used for decryption. An access policy of Do not allow access to files on removable storage devices has been applied successfully as an installation setting. An access policy of Do not allow access to files on removable storage devices has failed to be applied as an installation setting. An access policy of Allow read-only access to files on removable storage devices has been applied successfully as an installation setting. An access policy of Allow read-only access to files on removable storage devices has failed to be applied as an installation setting. An access policy of Allow read and write access to files on removable storage devices has been applied successfully as an installation setting. An access policy of Allow read and write access to files on removable storage devices has failed to be applied as an installation setting. An encryption policy of Encrypt all files accessed on removable storage devices has been applied successfully as an installation setting. An encryption policy of Encrypt all files accessed on removable storage devices has failed to be applied as an installation setting. An encryption policy of Encrypt new files written to removable storage devices has been applied successfully as an installation setting. An encryption policy of Encrypt new files written to removable storage devices has failed to be applied as an installation setting. An encryption policy of Do not encrypt files on removable storage devices has been applied successfully as an installation setting. An encryption policy of Do not encrypt files on removable storage devices has failed to be applied as an installation setting. Symantec Endpoint Encryption Removable Storage 48

55 System Event Logging Table A.2 Removable Storage System Events (Continued) Event ID 2012 Info 2013 Error 2014 Info 2015 Error 2016 Info 2017 Error 2018 Info 2019 Error 2020 Info 2021 Error 2022 Info 2023 Error 2024 Info 2025 Error 2026 Info Severity Description Explanation Initial Setting: Copy the Access Utility to all removable storage devices enabled; policy applied successfully. Removable Storage Installation Settings - Security Level. Initial Setting: Copy the Access Utility to all removable storage devices enabled; policy failed. Removable Storage Installation Settings - Security Level. Initial Setting: Copy the Access Utility to all removable storage devices not enabled; policy applied successfully. Removable Storage Installation Settings - Security Level. Initial Setting: Copy the Access Utility to all removable storage devices not enabled; policy failed. Removable Storage Installation Settings - Security Level. Initial Setting: Encrypt files on removable storage devices with password; policy applied successfully. Removable Storage Installation Settings - Encryption Method. Initial Setting: Encrypt files on removable storage devices with password; policy failed. Removable Storage Installation Settings - Encryption Method. Initial Setting: Encrypt files on removable storage devices with one or more certificates; policy applied successfully. Removable Storage Installation Settings - Encryption Method. Initial Setting: Encrypt files on removable storage devices with one or more certificates; policy failed. Removable Storage Installation Settings - Encryption Method. Initial Setting: Encrypt files on removable storage devices with password and/or one or more certificates; policy applied successfully. Removable Storage Installation Settings - Encryption Method. Initial Setting: Encrypt files on removable storage devices with password and/or one or more certificates; policy failed. Removable Storage Installation Settings - Encryption Method. Initial Setting: Do not encrypt files with a master certificate; policy applied successfully. Removable Storage Installation Settings - Master Certificate. Initial Setting: Do not encrypt files with a master certificate; policy failed. Removable Storage Installation Settings - Master Certificate. Initial Setting: Encrypt files with a master certificate; policy applied successfully. Removable Storage Installation Settings - Master Certificate. Initial Setting: Encrypt files with a master certificate; policy failed. Removable Storage Installation Settings - Master Certificate. Initial Setting: Do not encrypt or decrypt files with group key; policy applied successfully. Removable Storage Installation Settings - Group Key. A portability policy of Copy the Removable Storage Access utility to all removable storage devices has been applied successfully as an installation setting. A portability policy of Copy the Removable Storage Access utility to all removable storage devices has failed to be applied as an installation setting. The portability policy of not copying the SEE Removable Storage Access Utility to all removable storage devices has been applied successfully as an installation setting. The portability policy of not copying the SEE Removable Storage Access Utility to all removable storage devices has failed to be applied as an installation setting. Users will only be able to use a password to encrypt files written to removable storage devices; this installation setting was applied successfully. An installation setting of only allowing users to use a password to encrypt files written to removable storage devices was specified but failed to be applied. Users will only be able to use from one to ten certificates to encrypt files written to removable storage devices; this installation setting was applied successfully. An installation setting of only allowing users to use one or more certificates to encrypt files written to removable storage devices was specified but failed to be applied. Users can select a password, certificate(s), or both to encrypt files written to removable storage devices; this installation setting was applied successfully. An installation setting of allowing users to use a password, certificate(s), or both to encrypt files written to removable storage devices was specified but failed to be applied. A policy of Do not encrypt files with a master certificate has been applied successfully as an installation setting. A policy of Do not encrypt files with a master certificate has failed to be applied as an installation setting. A policy of Encrypt files with a master certificate has been applied successfully as an installation setting. A policy of Encrypt files with a master certificate has failed to be applied as an installation setting. A policy of Do not encrypt or decrypt files with a group key has been applied successfully as an installation setting. Symantec Endpoint Encryption Removable Storage 49

56 System Event Logging Table A.2 Removable Storage System Events (Continued) Event ID 2027 Error 2028 Info 2029 Error 2030 Info 2031 Error 2032 Info 2033 Error 2034 Info 2035 Error 2036 Info 2037 Error 2038 Info 2039 Error 2040 Info 2041 Error 2042 Info 2043 Error Severity Description Explanation Initial Setting: Do not encrypt or decrypt files with group key; policy failed. Removable Storage Installation Settings - Group Key. Initial Setting: Encrypt or decrypt files with a group key unique to each workstation; policy applied successfully. Removable Storage Installation Settings - Group Key. Initial Setting: Encrypt or decrypt files with a group key unique to each workstation; policy failed. Removable Storage Installation Settings - Group Key. Initial Setting: Encrypt or decrypt files with specified group key; policy applied successfully. Removable Storage Installation Settings - Group Key. Initial Setting: Encrypt or decrypt files with specified group key; policy failed. Removable Storage Installation Settings - Group Key. Initial Setting: Set group key memo; policy applied successfully. Removable Storage Installation Settings - Group Key. Initial Setting: Set group key memo; policy failed. Removable Storage Installation Settings - Group Key. Initial Setting: Allow users to save files as passwordencrypted self-extracting executables enabled; policy applied successfully. Removable Storage Installation Settings - Executables. Initial Setting: Allow users to save files as passwordencrypted self-extracting executables enabled; policy failed. Removable Storage Installation Settings - Executables. Initial Setting: Allow users to save files as passwordencrypted self-extracting executables not enabled; policy applied successfully. Removable Storage Installation Settings - Executables. Initial Setting: Allow users to save files as passwordencrypted self-extracting executables not enabled; policy failed. Removable Storage Installation Settings - Executables. Initial Setting: 128-bit encryption strength; policy applied successfully. Removable Storage Installation Settings - Encryption. Initial Setting: 128-bit encryption strength; policy failed. Removable Storage Installation Settings - Encryption. Initial Setting: 256-bit encryption strength; policy applied successfully. Removable Storage Installation Settings - Encryption. Initial Setting: 256-bit encryption strength; policy failed. Removable Storage Installation Settings - Encryption. Settings Changed: Do not allow access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Settings Changed: Do not allow access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. A policy of Do not encrypt or decrypt files with a group key has failed to be applied as an installation setting. A policy of Encrypt and decrypt files with a group key unique to each workstation has been applied successfully as an installation setting. A policy of Encrypt and decrypt files with a group key unique to each workstation has failed to be applied as an installation setting. A policy of Encrypt and decrypt files with this group key has been applied successfully as an installation setting. A policy of Encrypt and decrypt files with this group key has failed to be applied as an installation setting. An optional memo was added to identify the group key used to encrypt and decrypt files; this installation setting was applied successfully. The optional memo that was specified to identify the group key used to encrypt and decrypt files did not get added; this installation setting failed to be applied. A policy of Allow users to save files as passwordencrypted self-extracting executables has been applied successfully as an installation setting. A policy of Allow users to save files as passwordencrypted self-extracting executables failed to be applied as an installation setting. A policy of do not Allow users to save files as password-encrypted self-extracting executables has been applied successfully as an installation setting. A policy of do not Allow users to save files as password-encrypted self-extracting executables failed to be applied as an installation setting. An AES encryption strength of 128-bit has been applied successfully as an installation setting. An AES encryption strength of 128-bit failed to be applied as an installation setting. An AES encryption strength of 256-bit has been applied successfully as an installation setting. An AES encryption strength of 256-bit failed to be applied as an installation setting. An access policy of Do not allow access to files on removable storage devices has been applied successfully as a policy update. An access policy of Do not allow access to files on removable storage devices has failed to be applied as a policy update. Symantec Endpoint Encryption Removable Storage 50

57 System Event Logging Table A.2 Removable Storage System Events (Continued) Event ID 2044 Info 2045 Error 2046 Info 2047 Error 2048 Info 2049 Error 2050 Info 2051 Error 2052 Info 2053 Error 2054 Info 2055 Error 2056 Info 2057 Error 2058 Info 2059 Error Severity Description Explanation Settings Change: Allow read-only access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Settings Change: Allow read-only access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. Settings Change: Allow read and write access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Settings Change: Allow read and write access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. Settings Change: Encrypt all files accessed on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Settings Change: Encrypt all files accessed to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. Settings Change: Encrypt new files written to removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Settings Change: Encrypt new files written to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. Settings Change: Do not encrypt files written to removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Settings Change: Do not encrypt files written to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. Settings Change: Copy the EARS Access utility to all removable storage devices enable. Removable Storage Computer Policy - Security Level. Settings Change: Copy the EARS Access utility to all removable storage devices enable; policy failed. Removable Storage Computer Policy - Security Level. Settings Change: The Removable Storage Access Utility will no longer be copied to all removable storage devices. Removable Storage Computer Policy - Security Level. Settings Change: The Removable Storage Access Utility will no longer be copied to all removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. Settings Change: Users encrypt files on removable storage devices with password; policy applied successfully. Removable Storage Computer Policy - Encryption Method. Settings Change: Users encrypt files on removable storage devices with password; policy failed. Removable Storage Computer Policy - Encryption Method. An access policy of Allow read-only access to files on removable storage devices has been applied successfully as a policy update. An access policy of Allow read-only access to files on removable storage devices has failed to be applied as a policy update. An access policy of Allow read and write access to files on removable storage devices has been applied successfully as a policy update. An access policy of Allow read and write access to files on removable storage devices has failed to be applied as a policy update. An encryption policy of Encrypt all files accessed on removable storage devices has been applied successfully as a policy update. An encryption policy of Encrypt all files accessed on removable storage devices has failed to be applied as a policy update. An encryption policy of Encrypt new files written to removable storage devices has been applied successfully as a policy update. An encryption policy of Encrypt new files written to removable storage devices has failed to be applied as a policy update. An encryption policy of Do not encrypt files on removable storage devices has been applied successfully as a policy update. An encryption policy of Do not encrypt files on removable storage devices has failed to be applied as a policy update. A portability policy of Copy the Removable Storage Access utility to all removable storage devices has been applied successfully as a policy update. A portability policy of Copy the Removable Storage Access utility to all removable storage devices has failed to be applied as a policy update. The portability policy of not copying the SEE Removable Storage Access Utility to all removable storage devices has been applied successfully as a policy update. The portability policy of not copying the SEE Removable Storage Access Utility to all removable storage devices has failed to be applied as a policy update. Users will only be able to use a password to encrypt files written to removable storage devices; this policy update was applied successfully. A policy update of only allowing users to use a password to encrypt files written to removable storage devices was specified but failed to be applied. Symantec Endpoint Encryption Removable Storage 51

58 System Event Logging Table A.2 Removable Storage System Events (Continued) Event ID 2060 Info 2061 Error 2062 Info 2063 Error 2064 Info 2065 Error 2066 Info 2067 Error 2068 Info 2069 Error 2070 Info 2071 Error 2072 Info 2073 Error 2074 Info Severity Description Explanation Settings Change: Users encrypt files on removable storage devices with one or more certificates; policy applied successfully. Removable Storage Computer Policy - Encryption Method. Settings Change: Users encrypt files on removable storage devices with one or more certificates; policy failed. Removable Storage Computer Policy - Encryption Method. Settings Change: Users encrypt files on removable storage devices with password and/or one or more certificates; policy applied successfully. Removable Storage Computer Policy - Encryption Method. Settings Change: Users encrypt files on removable storage devices with password and/or one or more certificates; policy failed. Removable Storage Computer Policy - Encryption Method Settings Change: Do not encrypt files with a master certificate; policy applied successfully. Removable Storage Computer Policy - Master Certificate. Settings Change: Do not encrypt files with a master certificate; policy failed. Removable Storage Computer Policy - Master Certificate. Settings Change: Encrypt files with a master certificate; policy applied successfully. Removable Storage Computer Policy - Master Certificate. Settings Change: Encrypt files with a master certificate; policy failed. Removable Storage Computer Policy - Master Certificate. Settings Change: Encrypt files with a master certificate [issuer] changed; policy applied successfully. Removable Storage Computer Policy - Master Certificate. Settings Change: Encrypt files with a master certificate [issuer] changed; policy failed. Removable Storage Computer Policy - Master Certificate. Settings Change: Encrypt files with a master certificate [serial number] changed; policy applied successfully. Removable Storage Computer Policy - Master Certificate. Settings Change: Encrypt files with a master certificate serial number changed; policy failed. Removable Storage Computer Policy - Master Certificate. Settings Change: Encrypt files with a master certificate enable; policy applied successfully. Removable Storage Computer Policy - Master Certificate. Settings Change: Encrypt files with a master certificate enable; policy failed. Removable Storage Computer Policy - Master Certificate. Settings Change: Encrypt files with a master certificate not enable; policy applied successfully. Removable Storage Computer Policy - Master Certificate. Users will only be able to use one or more certificates to encrypt files written to removable storage devices; this policy update was applied successfully. A policy update of only allowing users to use one or more certificates to encrypt files written to removable storage devices was specified but failed to be applied. Users can select a password, certificate(s), or both to encrypt files written to removable storage devices; this policy update was applied successfully. A policy update of allowing users to use a password, certificate(s), or both to encrypt files written to removable storage devices was specified but failed to be applied. A policy of Do not encrypt files with a master certificate has been applied successfully as a policy update. A policy of Do not encrypt files with a master certificate has failed to be applied as a policy update. A policy of Encrypt files with a master certificate has been applied successfully as a policy update. A policy of Encrypt files with a master certificate has failed to be applied as a policy update. The master certificate has been changed successfully by policy update. The name of the issuer of the new master certificate is provided. An attempt to apply a policy update and change the master certificate failed. The name of the issuer of the new master certificate is provided. The master certificate has been changed successfully by policy update. The serial number of the new master certificate is provided in the log. An attempt to apply a policy update and change the master certificate failed. A policy of Encrypt files with a master certificate has been applied successfully as a policy update. A policy of Encrypt files with a master certificate has failed to be applied as a policy update. A policy of Do not encrypt files with a master certificate has been applied successfully as a policy update. Symantec Endpoint Encryption Removable Storage 52

59 System Event Logging Table A.2 Removable Storage System Events (Continued) Event ID 2075 Error 2076 Info 2077 Error 2078 Info 2079 Error 2080 Info 2081 Error 2082 Info 2083 Error 2084 Info 2085 Error 2086 Info 2087 Error 2088 Info 2089 Error 2090 Info 2091 Info 2092 Error Severity Description Explanation Settings Change: Encrypt files with a master certificate not enable; policy failed. Removable Storage Computer Policy - Master Certificate. Settings Change: Do not encrypt or decrypt files with group key; policy applied successfully. Removable Storage Computer Policy - Group Key. Settings Change: Do not encrypt or decrypt files with group key; policy failed. Removable Storage Computer Policy - Group Key. Settings Change: Encrypt or decrypt files with group key; policy applied successfully. Removable Storage Computer Policy - Group Key. Settings Change: Encrypt or decrypt files with group key; policy failed. Removable Storage Computer Policy - Group Key. Settings Change: Encrypt or decrypt files with group key and Memo; policy applied successfully. Removable Storage Computer Policy - Group Key. Settings Change: Encrypt or decrypt files with group key and Memo; policy failed. Removable Storage Computer Policy - Group Key. Settings Change: Memo for Group Key changed; policy applied successfully. Removable Storage Computer Policy - Group Key. Settings Change: Memo for Group Key changed. Removable Storage Computer Policy - Group Key. Settings Change: Memo for Group Key not changed; policy applied successfully. Removable Storage Computer Policy - Group Key. Settings Change: Memo for Group Key not changed. Removable Storage Computer Policy - Group Key. Settings Change: Allow users to save files as passwordencrypted self-extracting executables enable. Removable Storage Computer Policy - Executables. Settings Change: Allow users to save files as passwordencrypted self-extracting executables enable; policy failed. Removable Storage Computer Policy - Executables. Settings Change: Allow users to save files as passwordencrypted self-extracting executables not enable. Removable Storage Computer Policy - Executables. Settings Change: Allow users to save files as passwordencrypted self-extracting executables not enable; policy failed. Removable Storage Computer Policy - Executables. Program Action: Client program installation attempted. Removable Storage Program Action: Client program installation success. Removable Storage Program Action: Client program installation failed. Removable Storage A policy of Do not encrypt files with a master certificate has failed to be applied as a policy update. A policy of Do not encrypt or decrypt files with a group key has been applied successfully as a policy update. A policy of Do not encrypt or decrypt files with a group key has failed to be applied as a policy update. A policy of Encrypt and decrypt files with this group key has been applied successfully as a policy update. A policy of Encrypt and decrypt files with this group key has failed to be applied as a policy update. A policy of Encrypt and decrypt files with this group key identified by a certain memo has been applied successfully as a policy update. A policy of Encrypt and decrypt files with this group key identified by a certain memo has failed to be applied as a policy update. An existing memo was changed; this installation setting was applied successfully. An existing memo was changed; this installation setting was applied successfully. A policy update to change an existing memo failed to be applied; the memo was not changed. A policy update to change an existing memo failed to be applied; the memo was not changed. A policy of Allow users to save files as passwordencrypted self-extracting executables has been applied successfully as a policy update. A policy of Allow users to save files as passwordencrypted self-extracting executables failed to be applied as a policy update. A policy of do not Allow users to save files as password-encrypted self-extracting executables has been applied successfully as a policy update. A policy of do not Allow users to save files as password-encrypted self-extracting executables failed to be applied as a policy update. An attempt was made to execute a SEE Removable Storage client MSI package. The SEE Removable Storage client software was successfully installed. The SEE Removable Storage client software failed to be installed. Symantec Endpoint Encryption Removable Storage 53

60 System Event Logging Table A.2 Removable Storage System Events (Continued) Event ID 2093 Info 2094 Info 2095 Error 2096 Warning 2097 Warning 2098 Warning Severity Description Explanation Program Action: Client program upgrade attempted. Removable Storage Program Action: Client program upgrade success. Removable Storage Program Action: Client program upgrade failed. Removable Storage Program Action: User program uninstallation attempted. Removable Storage Program Action: User program uninstallation success. Removable Storage Program Action: User program uninstallation failed. Removable Storage An attempt was made to upgrade an existing installation of the SEE Removable Storage client software. The SEE Removable Storage client software was successfully upgraded. The SEE Removable Storage client software failed to be upgraded. An attempt was made to uninstall a SEE Removable Storage client installation. The SEE Removable Storage client software was successfully uninstalled. The SEE Removable Storage client software failed to be uninstalled. Symantec Endpoint Encryption Removable Storage 54

61 CD/DVD Command Line Appendix B. CD/DVD Command Line Overview Basics The SEE Removable Storage CD/DVD Burner application offers the ability to burn selected files and folders from the command line. This allows you to integrate SEE Removable Storage with your custom applications, such as backup programs or scripts. Requirements for running the CD/DVD Burner application from the command line include: SEE Removable Storage is installed on the Client Computer. The user logged on to Windows has registered to SEE. Sufficient temporary data storage space is available on a local hard disk volume. The required space can be estimated according to the following formula: ( 1.1 Total size of all files and folders to be burned) + ( 2 ( 1.1 Size of the largest individual file to be burned) ) The Client Computer is equipped with a CD/DVD disc recorder. The currently enforced installation and policy settings allow for read/write access. A blank write-once or rewritable CD or DVD disc is inserted into the disc recorder. Note that multi-session recording is not supported, and that previously recorded rewritable media will be erased before use. Any EFS-encrypted files will be decrypted, then re-encrypted by SEE Removable Storage prior to burning. These requirements are the same as running the CD/DVD Burner application from the GUI. To achieve a seamless experience, it is recommended that the user set a Default Password and/or Default Certificate(s). Depending on the particular application or script, a user may be required to be physically present to perform tasks requiring manual intervention. These include: Selecting individual files or folders for burning; Inserting media; Initiating the burn operation; Providing a password and/or a certificate(s) should a Default Password and/or Default Certificate(s) not be set; and Responding to error conditions. Operational Steps Once the list of source files and folders have been specified and the burn operation has been initiated, the CD/DVD Burner application performs the following steps: Verifies that sufficient temporary data storage space exists to allow encryption and burning. Copies all files and folders selected for burning to the temporary data folder. Encrypts the data according to the currently enforced encryption policy. Burns the encrypted files and folders to disc. Deletes the temporary data folder. Symantec Endpoint Encryption Removable Storage 55

62 CD/DVD Command Line Temporary Data Folder When run from the command line, the CD/DVD Burner application creates the following folder as a temporary location for data to be burned: C:\Documents and Settings\user name\local Settings\Temp\RSECTemp~1 Where user name is the user name of the currently logged on Windows user. By default, the drive will correspond to the system drive (often assigned the letter C). If the system drive lacks sufficient space, the CD/DVD Burner application searches other fixed hard disk partitions to try to locate sufficient space. The location of the temporary data folder is based on the value of the TMP or TEMP environment variables, and can be manually relocated by changing the environment variables TMP or TEMP from their default values of %USERPROFILE%\Local Settings\Tmp and %USERPROFILE%\Local Settings\Temp. Manual relocation of the temporary data folder may be necessary in cases when the default temporary data folder location cannot be used because it is EFS encrypted. The environment variables are changed from the command line by using the set command. For example, set temp=c:\temp relocates the temporary data folder to the root of the C drive. The CD/DVD Burner application will delete any previous temporary data folder it finds: When it launches; When it closes; When it begins the burn operation; and When it completes the burn operation. If the encryption/burn operation gets interrupted for example, because the user pressed CTRL+C, the user closed the command line window, or because the CD/DVD Burner application has crashed then the normal cleanup process that deletes the temporary data folder will not occur, resulting in the user s decrypted data remaining in the temporary data folder. If one of these conditions occurs, launching the application again will delete the temporary data folder. Command Syntax To run the CD/DVD Burner application from the command line, use a single string according to the following syntax: RSCDDVD.exe /P {Source [Source ] Directory} /D RecorderDrvRoot [/L VolumeLabel] Table B.1 CD/DVD Command Line Parameters Parameter Variable(s) Explanation Sample /P Source Directory /D RecorderDrvRoot /L VolumeLabel Specifies the file(s) and/or folder(s) to be burned to disc, where Source is the fully qualified path to one or more files, and Directory is the fully qualified path to one or more folders. File or folder names containing spaces must be enclosed in quotes. When using quotes, you cannot end the path in a backslash. Specifies the disc recorder, where RecorderDrvRoot is the root of the disc recorder. Specifies the volume label of the disc, where VolumeLabel is the volume label name. The volume label name can be up to 32 characters in length, and must contain only alphanumeric, hyphen, underscore or space characters. If you omit the /L parameter, the default volume label will be RS-Encrypted Disc YYYY-MM-DD, where YYYY-MM-DD is the year, month, and date the disc was burned. If the encryption policy is off, the default volume label will be YYYY-MM-DD. /P C:\Confidential Files /P c:\files\spreadsheet.xls /D F: /L Encrypted_Backups_1 Symantec Endpoint Encryption Removable Storage 56

63 CD/DVD Command Line Example Command Lines RSCDDVD /P C:\Confidential File Folder C:\Business Plan\HIF Business Plan.ppt /D E: RSCDDVD /P c:\files\spreadsheet.xls c:\files\presentation.doc /D E: /L Encrypted_Files_1 CD/DVD Errors The following table lists the individual SEE Removable Storage errors generated when executing the CD/DVD Burner application from the command line. The column headings indicate the error code (if any), the error message displayed in the UI, and an explanation of the error, along with possible ways to remediate the error. Table B.2 CD/DVD Messages and Error Codes Error Code Error Message Displayed in UI Explanation 0 Burned the disc successfully. 1 Disc volume label was not specified The CD/DVD Burner application has completed the burn process successfully. The /L parameter (volume label) was used without specifying a volume label. 2 Disc recordable drive was not specified. The /D parameter (recordable drive) was used without specifying the letter of the recordable drive, e.g. /D F: 3 The syntax of the command is incorrect. Incorrect command syntax was specified There is no hard disk drive on your system, so this application can not be used for burning disc. Logged in user is not SEE-RS registered user so this application can not be used for burning disc. Disc burning engine could not be initialized successfully. 105 Invalid disc recordable drive was specified. 106 There is no disc in the drive. 107 No disc recordable drive was found on your system. The CD/DVD Burner application requires a hard disk or partition for storing temporary files as part of the encryption and burn process. Verify that a hard disk or partition is accessible and try the operation again. The user currently logged on to Windows has not registered to SEE. The CD/DVD Burner application was unable to initialize the disc burning engine. The selected drive is not a recordable drive. Select a different drive capable of recording, then try the operation again. The CD/DVD Burner application didn t find a disc in the recorder. Insert a rewritable or write-once disc into the drive. The CD/DVD Burner application didn t find any disc recorders present. Verify that a disc recorder is attached and functioning, then try the operation again. 108 Disc could not be ejected successfully. The CD/DVD Burner application was unable to eject the disc successfully. 109 No data was specified to be burnt. No files or folders were selected for burning. 110 Your access policy does not allow write access to removable media, so you cannot use this application for burning data to disc. SEE Removable Storage is currently enforcing a read-only access policy. The policy must be changed to allow read and write access to removable media before the CD/DVD Burner application can be used. 111 Disc burner could not be found. The CD/DVD Burner application could not find the disc recorder. 112 The disc volume label can have only alphanumeric, hyphen, underscore and space characters. The disk volume label s length can not be more than 32 characters. Please type a valid disc volume label. 113 Disc could not be erased. 114 The disc that you have inserted is not writable. Please insert a blank or rewritable disc of type CD-R, CD-RW, DVD-R, DVD-RW, DVD+R, or DVD+R DL into drive. The volume label specified contains disallowed characters or is in excess of the 32 character maximum. Specify a new volume name of 32 characters or less containing only letters, numbers, hyphens, underscores, or spaces. An attempt to erase a rewritable disc was unsuccessful. Insert a different rewritable or write-once disc and try the operation again. The inserted disc cannot be written to. Insert a rewritable or write-once disc and try the operation again. Remove the disc from the drive and insert a disc that is writable. Symantec Endpoint Encryption Removable Storage 57

64 CD/DVD Command Line Table B.2 CD/DVD Messages and Error Codes (Continued) Error Code Error Message Displayed in UI Explanation Application could not locate a fixed hard disk drive with enough free space for storage of temporary data, so application won't burn the disc. Selected file or folder file or folder name could not be copied at your temporary data location. Please check the file or folder again. An error occurred during the encryption of the data. Selected file could not be encrypted. Please free up some space on your temporary data drive and try again. Selected file to be burned could not be encrypted due to security reason. SEE-RS does not have a Password and/or certificate to encrypt this file. You must specify a Password and/or certificate or a Default Password and/or certificate before the data can be encrypted and burned to disc. SEE-RS does not have a certificate to encrypt this file. You must specify a certificate or a Default certificate before the data can be encrypted and burned to disc. SEE-RS does not have a password to encrypt this file. You must specify a Default Password before the data can be encrypted and burned to disc. 123 Temporary file could not be deleted. 124 Disc recordable drive could not be locked You have selected one or more files with very long file name. Application could not shorten file(s) name in temporary data location. If file encryption policy is set then file s name length can exceed 102 characters, otherwise it cannot exceed 106 characters. Please rename the file(s) with long name and try again. Selected file or folder [file/folder name] could not be copied at your temporary data location because path length is exceeding the limit (259 characters) imposed by Windows system. Please shorten the name of selected file/folder or sub folder(s) and try again. Selected file or folder [file/folder name] could not be found. Please check the file or folder and try again. Selected file or folder [file/folder name] can not be copied at your temporary data location because path length is exceeding the limit (259 characters) imposed by Windows system. Please shorten the name of selected file/folder or sub folder(s) and try again. The CD/DVD Burner application requires a hard disk or partition with enough free space for storage of temporary data. Free up some space and try the operation again There was a problem copying the selected file or folder to the temporary data folder. Verify that the temporary data folder is accessible and sufficient space is available, then try the operation again. The CD/DVD Burner application encountered an error during the encryption of the data. The CD/DVD Burner application found that the selected file could not be encrypted due to lack of space on the hard disk or partition. Delete some files on the hard disk or partition where the temporary folder is located (usually this is the system volume) and try the operation again. Verify that the account under which the CD/DVD Burner application is running has sufficient access rights to perform the operation. The user has not specified a Default Password and/or Default Certificate(s). When prompted to provide a password and/or certificate, the user clicked Cancel. The user has not specified one or more Default Certificate(s) and failed to provide a certificate when prompted. The user has not set a Default Password and failed to provide a password when prompted. The CD/DVD Burner application was unable to delete a temporary file. Verify that another application or process is not using this file. Another application or process has prevented the CD/DVD Burner application from gaining exclusive access to the disc recorder. Quit the other application or process and try the operation again. The operation failed because there were one or more files with names that exceeded characters and the application could not rename these files in the temporary location. Locate the files with long names, shorten them manually, and try again. If SEE Removable Storage is automatically encrypting files written to removable media, the file names must be no greater than 102 characters. If not, the file names should be no greater than 106 characters. The CD/DVD Burner application failed to copy the specified file or folder because its path exceeds the 259 character limit imposed by the Windows operating system. Relocate the file closer to the root or rename the file to shorten the total number of characters. The user has specified a file or folder to be burned to disc that could not be found by the CD/DVD Burner Application. The CD/DVD Burner application has calculated that the path to the file or folder that you specified to be burned exceeds the 259 character limit imposed by the Windows operating system. Relocate the file closer to the root or rename the file to shorten the total number of characters. Symantec Endpoint Encryption Removable Storage 58

65 CD/DVD Command Line Table B.2 CD/DVD Messages and Error Codes (Continued) Error Code Error Message Displayed in UI Explanation Application found a fixed hard disk drive with enough free space for storage of temporary data, but you do not have write access on temporary folder "TemporaryFolderPath", so application won't burn the disc. Please get the write access on this folder and try again. Path specified using the /P parameter can not have back slash character at the end of the path when quotes are used to enclose the path. Disc could not be used for burning data. Please try again with another disc. File SEERemovableStorageAccessUtility.exe cannot be specified using the /P parameter. It is SEE-RS Access Utility application, which will be burned automatically on the root of the burnt disc. The CD/DVD Burner application failed to complete the burning process because the user does not have write privileges to the Temp directory. Log in as a different user or increase the user s privileges. The CD/DVD Burner application failed to complete the burning process because the path enclosed in double quotes included a backslash at the end. Remove the backslash character and try again. Either a media error, media incompatibility, or other problem has resulted in the application being unable to write data to the disc. Try the operation again using another disc and/or brand of media. The user has specified that the Removable Storage Access Utility executable be burned at the root of the disc. However, SEE Removable Storage is currently enforcing the policy Copy the Removable Storage Access utility to all removable storage devices. The Removable Storage Access Utility specified in the input file list will be ignored, and the Removable Storage Access Utility will be copied to the root of the disc according to policy. 504 Disc could not be burned due to an error. There was an unknown error with the disc recorder. 505 The disc drive could not be used to burn the disc Disc could not be burned with selected data because your temporary data location is EFS enabled. File Autorun.inf cannot be specified using the / P parameter. File Autorun.inf will be burned automatically on the root of the burnt disc to run SEE-RS Access Utility application. File Platform.ico cannot be specified using the / P parameter. File Platform.ico will be burned automatically on the root of the burnt disc to run GERS Access Utility application. There was an error with the disc recorder. Try the operation again using a different disc recorder. The CD/DVD Burner application cannot use an EFS-encrypted temporary data folder. The user can either turn off EFS protection for the temporary data folder s parent folder, or the user can manually relocate the temporary data folder by editing the TMP or TEMP environment variables. The user has specified that the Autorun.inf file be burned at the root of the disc. However, SEE Removable Storage is currently enforcing the policy Copy the Removable Storage Access utility to all removable storage devices. The Autorun.inf specified in the input file list will be ignored, and the SEE Removable Storage Access Utility s Autorun.inf will be copied to the root of the disc according to policy. The user has specified that the Platform.ico file be burned at the root of the disc. However, SEE Removable Storage is currently enforcing the policy Copy the Removable Storage Access utility to all removable storage devices. The Platform.ico specified in the input file list will be ignored, and the SEE Removable Storage Access Utility s Platform.ico will be copied to the root of the disc according to policy. None Processing the burn request The application has started processing the disc burning request. None None None None None EFS-encrypted file(s) will be decrypted by EFS before being burned. The disc is not blank, disc data will be erased during disc burning process. The estimated size of data which will be burned on disc exceeds disc capacity. If this estimation is correct, the data will not be burned to disc successfully. Preparing data for burning to disc. Percentage: [percent of data prepared]% Encrypting data to be burned to disc. Percentage: [percent of data encrypted]% EFS-encrypted files have been selected for burning. The CD/DVD Burner application will attempt to decrypt them prior to burning. If an encryption policy is in effect, the CD/DVD Burner application will encrypt the files prior to burning. The CD/DVD Burner application has detected a rewritable disc that contains existing data. The CD/DVD Burner application will attempt to erase the disc prior to burning the new data. The estimated size of the data to be burned exceeds the capacity of the target disc, but the CD/DVD Burner application will attempt to burn the selected data anyway. The CD/DVD Burner application is copying the data to be burned to a temporary location prior to burning the disc. The CD/DVD Burner application is encrypting the data to be burned in the temporary location prior to burning the disc. Symantec Endpoint Encryption Removable Storage 59

66 CD/DVD Command Line Table B.2 CD/DVD Messages and Error Codes (Continued) Error Code Error Message Displayed in UI Explanation None Erasing disc... The CD/DVD Burner application is erasing re-writable media containing previously recorded data prior to burning. None Preparing to write data to the disc... The CD/DVD Burner application is preparing to burn the disc. None None None Writing sector [current sector] of [total sectors]. Percentage: [percent of data written]% Finalizing the disc. Percentage: [percent of finalized data]% You have selected one or more files with file name exceeding 106 characters. Files names will be shortened in temporary data location. The CD/DVD Burner application is currently writing data to disc. The CD/DVD Burner application is nearing the end of the burn process and is writing the table of contents to disc. One or more of the files specified to be burned had a file name of more than characters. (If SEE Removable Storage is automatically encrypting files written to removable media, four additional characters are needed for the.xml extension.) When this file or these files are written to the temporary location, their names will be shortened so that they are 106 characters or less. Symantec Endpoint Encryption Removable Storage 60

67 Atypical Client Settings Appendix C. Atypical Client Settings Overview While the majority of the client settings are specified when creating the client installation packages and updated later by policy, there are exceptions: Certain client settings can only be specified in the client installation package. Other client settings can only be set by policy. Most settings in the client upgrade package are ignored, but some are honored. This appendix itemizes these exceptions. Atypical Client Settings Itemized Table C.1 Atypical Client Settings Product/Component Panel Name Panel Area/Field Label Installation Upgrade Policy Framework Client Administrators All Yes Yes* Yes Framework Registered Users All Yes Yes Yes Framework Communication Communication Information Yes Yes No Framework Encryption All Yes Yes No * Only if the target client is being upgraded from SEE Framework or earlier. Only if the method of authentication specified when installing the Manager Console that created the original client installation package is different than the method of authentication specified when installing the Manager Console that created the upgrade package. Symantec Endpoint Encryption Removable Storage 61

68 Glossary Glossary Active Directory Active Directory is the directory service included with Windows 2000 Server and Windows Server This service stores information about objects on a network and makes that information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network. Active Directory provides network administrators with a hierarchical view of the network and a single point of administration for all network objects. Active Directory Policies Active Directory policies are one of two types of policies that can be created and deployed from the SEE Manager. They feature seamless integration with well-known Active Directory toolsets and include user as well as computer policies. Active Directory Users and Computers Snap-in The Users and Computers snap-in from Microsoft is used to find and organize the User and Computer objects in an Active Directory structure. Automatic Authentication If the Client Computer is set for automatic authentication, SEE Removable Storage will allow any registered user to launch the User Client Console. The registration process itself will also be automatic and occur without user intervention unless a registration password is required. Client Administrator Client Administrators provide local support to SEE users and guarantee that SEE protected computers are always accessible even when all SEE users have been removed from those computers. When creating or updating Client Administrator accounts, the Policy Administrator assigns one of three privilege levels. Client Administrators with a privilege level of high will be able to unregister users. The Client Administrator is also responsible for recovering SEE Removable Storage encrypted files. Client Administrators cannot change their own passwords or use any passwordrecovery methods. Client Administrators must register as a user to make use of removable storage devices at the SEE Removable Storage protected workstation. Default Password/ Certificate Registered users and Client Administrators have the option of setting a Default Password and/or Default Certificate(s) in the User Client Console. SEE Removable Storage will use Default Passwords and/or Default Certificates for encrypting files. In addition, if the Default Password and/or Default Certificate(s) set in the User Client Console match the password or certificate(s) that a file was encrypted under, SEE Removable Storage will decrypt the file without a prompt. Expand, Expanded, to Expand To reveal the contents of a container. This action is initiated by clicking the plus sign to the left of the container as displayed in the left pane of the Microsoft Management Console. Group Filtering Also known as Security Group Filtering or Security Filters. Security Filters applied to a Group Policy Object limit the scope for that Group Policy Object. Symantec Endpoint Encryption Removable Storage 62

69 Glossary Group Policy Management, Group Policy Management Console Snap-in A snap-in from Microsoft that an SEE Policy Administrator can use to assign SEE client MSI packages and policies to users and computers. Group Policy Object (GPO) An object in Active Directory that contains user and/or computer policies, and possibly software deployment policies. LSDOU This acronym describes the order in which GPOs are applied: Local (1), Site (2), Domain (3), OU (4). Local policies have the highest precedence. Management Password, Management Password Snap-in The Management Password controls administrator access to two SEE Full Disk help desk functions: Recover /B and the One-Time Password Program. It is not relevant to SEE Removable Storage. Microsoft Management Console (MMC) Microsoft Management Console is a container User Interface (UI) that provides no functionality by itself. Each Microsoft Management Console process can host a set of snap-ins displayed in one or more windows. The layout of a Microsoft Management Console can be saved as a file with an.msc extension. Microsoft Management Console Tree The folder-like structure of snap-ins in a Microsoft Management Console. Snap-ins can be standalone, i.e., added to the root of the MMC tree, or they can be extensions of other snap-ins. Microsoft Windows Installer (MSI) A format for self-contained database files containing the requirements and instructions that the Windows Installer uses when installing applications. MSI packages can be deployed via Group Policy Objects. Native Policies Native policies are one of two types of policies that can be created and deployed from the SEE Manager. Native policies do not rely on any existing directory service for managing SEE Client Computers. Unlike SEE Active Directory policies, native policies apply to computers only and cannot be applied to users. Novell edirectory An LDAP-based directory service from Novell. Computers that are members of an edirectory domain can be managed using SEE native policies. Information from edirectory can optionally be synchronized to the SEE Management Server, allowing SEE native policies to be applied according to the organizational structure maintained in edirectory. Objects The term objects is used to refer to any Active Directory object. This includes individual Users, Computers, or Policies, as well as Groups of Users or Computers. See also Containers. Symantec Endpoint Encryption Removable Storage 63

70 Glossary One-Time Password (OTP) The One-Time Password (OTP) Program allows SEE Full Disk users to recover from a forgotten password, PIN, or token with help desk assistance. It is not relevant to SEE Removable Storage. Policy Administrator Policy Administrators perform centralized administration of SEE. Using the Manager Console and the Manager Computer, the Policy Administrator: Updates and sets client policies. Runs reports. Access to SEE snap-ins can be restricted on a per snap-in basis, giving the domain or higher-level administrator flexibility when assigning specific Policy Administrator duties. SEE Framework SEE Framework provides SEE wide features, such as authentication methods and settings, as well as registered user and Client Administrator accounts and information. Self-Extracting Executables A feature of SEE Removable Storage that allows registered users to create encrypted self-extracting files for secure transport. Self-extracting files can be decrypted from any computer, without any need for SEE Removable Storage or the Removable Storage Access Utility. The ability to produce self-extracting executables is prescribed by installation setting or policy. Silent Client A silent client does not communicate with the SEE Management Server. Client installation packages generated from Manager Consoles that were installed in serverless mode will create silent clients. Single Sign-On (SSO) A feature that allows SEE users to log on to both Windows and SEE with their Windows password. To activate an SSO policy, the Client Computer must reboot. SSO is not relevant to automatically authenticated users. Snap-in A Dynamic Link Library (DLL) file user interface module designed to be loaded into a Microsoft Management Console. Symantec Endpoint Encryption Software Setup Snap-in A snap-in from Symantec that allows the SEE Policy Administrators to customize SEE client installation settings before deployment. User At least one user is required to register with SEE on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of four screens. The registration process can also be configured to occur without user intervention. Users will not be able to access their removable storage devices until they have registered. Symantec Endpoint Encryption Removable Storage 64

71 Index Index A Active Directory policies 2, 3, 11, 13, 15, 21, 22, 23, 26, 62, 63 Authenti-Check 22 C Client Administrator policy 16 privilege levels 5 single-source passwords 5 Client Computers communication with 21 D Default Certificates 62 Default Passwords 20, 24 G gpupdate /force 26 grace restarts 19, 33, 36, 37 group key 25, 46, 47, 49, 50, 53 Group Policy Object Editor (GPOE) 3, 15 L Local, Site, Domain, OU (LSDOU) 3, 26, 63 M Management Password snap-in 3 use of 3, 63 Manager Console endpoint containers 4 location of 2 SQL prompt 3 Master Certificates 24, 49, 52, 53 N native policies 2, 3, 16, 27, 29 names of 16 Native Policy Manager 3, 15, 16 O One-Time Password about 64 offline method 23, 38 online method 23, 38 policy options 22 OTP communication unlock policy 23 P P7B files 17 policy update forcing an immediate update 3, 26, 27 R Recover Program /B option 3, 63 removable storage access policy 23 no access 1 read only 1 read write 1 Removable Storage Access Utility 8, 20, 23, 24, 25, 47, 49, 51, 64 removable storage encryption methods 24 removable storage encryption policy 23 encrypt all 1 removable storage portability policy 23 Resultant Set of Policy (RSoP) 11, 13 S SEE administrator roles 5 SEE Framework about 1 SEE Managed Computers 5, 27 self-extracting executables 25, 50, 53, 64 synchronization about 2, 7, 27 timing of 2 with both Active Directory and Novell 4 U users automatic unregistration of 19 local administrative rights and 6 registration password and 19 W Windows system events 32 Symantec Endpoint Encryption Removable Storage 65