Symantec Endpoint Encryption Removable Storage

Transcription

1 Symantec Endpoint Encryption Removable Storage Policy Administrator Guide Version 7.0

2 Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Symantec Corporation Symantec Corporation. All rights reserved. Authenti-Check is a registered trademark of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners. Printed in the United States of America.

3 Contents Contents 1. Introduction Overview Directory Service Synchronization Active Directory and Native Policies Manager Console Basics Database Access Endpoint Containers SEE Roles Policy Administrators Client Administrators User Reporting Overview Basics Client Computer Reports Directory Services Synchronization Reports Symantec Endpoint Encryption Users and Computers Symantec Endpoint Encryption Server Reports Basics Active Directory Forests Synchronization Status Computer Status Report Computers not Encrypting to Removable Storage Computers with Decrypted Drives Computers with Expired Certificates Computers with Specified Users Computers without Full Disk Installed Computers without Removable Storage Installed Non-Reporting Computers Novell edirectory Synchronization Status Resultant Set of Policy (RSoP) Windows System Events Policy Creation & Editing Overview Active Directory Policies Native Policies Policy Options Client Administrators Registered Users Password Authentication Token Authentication Authentication Message Communication Single Sign-On Authenti-Check One-Time Password Symantec Endpoint Encryption Removable Storage iii

4 Contents Security Level Encryption Method Master Certificate Group Key Executables Policy Deployment Overview Active Directory Policies Basics Order of Precedence Forcing a Policy Update Native Policies Basics SEE Managed Computer Groups Policy Assignment Order of Precedence Forcing a Policy Update Appendix A. System Event Logging Framework System Events List Removable Storage System Events List Appendix B. CD/DVD Command Line Overview Basics Operational Steps Temporary Data Folder Command Syntax CD/DVD Errors Appendix C. Atypical Client Settings Overview Atypical Client Settings Itemized Glossary Index Symantec Endpoint Encryption Removable Storage iv

5 Figures Figures Figure 1.1 Sample Network Configuration Figure 1.2 SQL Server Logon Prompt Figure 2.1 Group Policy Results Wizard, User Selection Figure 2.2 RSoP Report From an SEE Client Figure 3.1 Framework Computer Policy, Client Administrators Options Figure 3.2 Add New Client Administrator Dialog Figure 3.3 Framework Computer Policy, Registered Users Options Figure 3.4 Framework Computer Policy, Password Authentication Options Figure 3.5 Framework Computer/User Policy, Authenti-Check Options Figure 3.6 Framework Computer/User Policy, One-Time Password Options Figure 3.7 Removable Storage Computer Policy, Security Level Options Figure 3.8 Removable Storage Computer Policy, Encryption Method Options Figure 3.9 Removable Storage Computer Policy, Group Key Options Figure 4.1 Symantec Endpoint Encryption Managed Computers, Add New Group Figure 4.2 Name New Group Dialog Figure 4.3 SEE Unassigned, Computer Highlighted Figure 4.4 Symantec Endpoint Encryption Managed Computers Groups Dialog Figure 4.5 Symantec Endpoint Encryption Managed Computers Group Selected Figure 4.6 Policy Selection Dialog Figure 4.7 Native Policy Assignment Confirmation Figure 4.8 Symantec Endpoint Encryption Managed Computers Policy Assigned Symantec Endpoint Encryption Removable Storage v

6 Tables Tables Table 1.1 Active Directory and Native Policies Compared Table 2.1 Client Computer Data Table 2.2 Directory Services Synchronization Data Table A.1 Framework System Events Table A.2 Removable Storage System Events Table B.1 CD/DVD Command Line Parameters Table B.2 CD/DVD Messages and Error Codes Table C.1 Atypical Client Settings Symantec Endpoint Encryption Removable Storage vi

7 Introduction 1. Introduction Overview Symantec Endpoint Encryption Removable Storage allows enterprise organizations and government agencies to enjoy the benefits of removable storage devices while eliminating the liability, customer service, and brand erosion costs associated with data breach incidents. As part of Symantec Endpoint Encryption, SEE Removable Storage leverages existing IT infrastructures for seamless deployment, administration, and operation. SEE Removable Storage secures data in one of the following ways: By allowing no access to removable storage devices, By allowing only read access to removable storage devices, By encrypting data written to removable storage devices, or By encrypting all data written to or accessed on removable storage devices. SEE Removable Storage enforces access control and encryption policies on devices that use USB or FireWire ports to attach a file system. This includes flash drives (e.g., SanDisk Cruzer and M-SysT5 Dell Memory Key), memory cards (e.g., SanDisk CompactFlash), and USB hard drives (e.g., Samsung HM100JC 100GB). SEE is comprised of SEE Full Disk, SEE Removable Storage, and Symantec Endpoint Encryption Framework. SEE Framework includes all the functionality that is extensible across SEE. It allows behavior that is common to both SEE Removable Storage and SEE Full Disk to be defined in one place, thus avoiding potential inconsistencies. The following diagram depicts a sample network configuration of SEE. SOAP over HTTP Group Policy LDAP Database Server TDS TLS/SSL Domain Controller Client Manager Computer edirectory Server SEE Management Server Client your-org.com Client your_tree Client Figure 1.1 Sample Network Configuration Symantec Endpoint Encryption Removable Storage 1

8 Introduction The Active Directory domain controller and SEE Management Server are required. Multiple domains, forests, trees, and SEE Management Servers are supported. A database server is recommended, but the SEE database can also reside on the SEE Management Server. If a database server is chosen to host the SEE database, the database server can be located inside or outside of Active Directory. The Manager Console can be installed on multiple Manager Computers. It can also be installed on the SEE Management Server. It must reside on a computer that is a member of Active Directory. The Novell edirectory tree, Active Directory group policy communications, and TLS/SSL encryption are optional. Directory Service Synchronization Synchronization with Active Directory and/or Novell edirectory is an optional feature. If enabled, then the SEE Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this information in the SEE database. It also keeps this information up to date. This improves performance during Client Computer communications with the SEE Management Server, as the SEE Management Server will be able to identify the Client Computer without having to query the Active Directory domain controller and/or the Novell edirectory server. When you open the SEE Manager, you will have your Active Directory and/or Novell endpoints organized just the way that they are in the directory service, easing your deployment activities. In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any SEE products installed and/or have never checked in with the SEE Management Server. This will allow you to run reports to assess the success of a given deployment and gauge the risk that your organization may face due to unprotected endpoints. The timing of the synchronization event differs according to the directory service. Whereas Novell informs the SEE Management Server of any changes that may occur, the SEE Management Server needs to contact Active Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes. Active Directory and Native Policies Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not. Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off. Symantec Endpoint Encryption Removable Storage 2

9 Introduction The following table itemizes the differences between Active Directory and native policies. Table 1.1 Active Directory and Native Policies Compared Active Directory Policies Certain policies are deployed to users and others are deployed to computers. Policies applied in Local, Site, Domain, OU (LSDOU) order of precedence. Single pane policy creation/deployment. Policies are obtained from the domain controller and applied at each reboot. An immediate policy update can be forced using the gpupdate \force or secedit command. Native Policies Policies can only be applied to computers. Policies are applied in Computer, Subgroup, Group (CSG) order of precedence. Each pane must be visited when creating the policy. Policies are applied when the client checks in with the SEE Management Server. An immediate policy update can be forced by clicking Check In Now from the User Client Console. Manager Console Basics The Manager Console contains the following SEE snap-ins: Symantec Endpoint Encryption Management Password allows you to change the Management Password. The Management Password controls administrator access to two SEE Full Disk help desk functions: Recover /B and the One-Time Password Program. It is not relevant to SEE Removable Storage. Symantec Endpoint Encryption Software Setup is used to create client installation/migration packages. Symantec Endpoint Encryption Native Policy Manager escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients. Symantec Endpoint Encryption Users and Computers displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups. Symantec Endpoint Encryption Server Reports includes Computer Status, Computers not Encrypting to Removable Storage, Computers with Decrypted Drives, Computers with Expired Certificates, Computers with Specified Users, Computers without Full Disk Installed, Computers without Removable Storage Installed, and Non-Reporting Computers reports. It also contains the following Microsoft snap-ins to help you manage your Active Directory computers: Active Directory Users and Computers allows you to both view and modify your Active Directory organizational hierarchy. Group Policy Management lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find SEE snap-in extensions that allow you to create and modify SEE user and computer policies for Active Directory managed computers. Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if any, will be effected as part of the privileges associated with your Windows account. Database Access Your Windows account may have been provisioned with rights to access the SEE database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console. Symantec Endpoint Encryption Removable Storage 3

10 Introduction If you are not logged on to Windows with read and write access to the SEE database at the time that you launch the Manager Console, you will be prompted for your SQL credentials. Figure 1.2 SQL Server Logon Prompt The Server name and Initial catalog fields will contain the information that was provided when this Manager Console was installed. In general, you should not modify the default contents of these fields. Circumstances that require you to edit these entries would be unusual, such as the loss of your primary SEE database. In such a situation, you could edit the Server name and Initial catalog fields to connect to a disaster recovery site. The syntax used in the Server name field is as follows: computer name,port number\instance name While the computer name of the server machine hosting the SEE database will always be required, the TCP port number will only be necessary if you are using a custom port, and the instance name will only be needed if you are using a named instance. The custom port number would need to be preceded by a comma and the instance name by a backslash. Type the user name of your SQL account in the User name field. Type the password of your SQL account in the Password field. Click Connect to authenticate. If you don t wish to authenticate to the SEE database at this time, click Cancel. You may receive one or more error messages following cancellation. You will receive additional prompts upon attempting to access the individual SEE snap-ins in the console. Endpoint Containers Basics The SEE Manager will place each endpoint into one or more of the following containers: Active Directory Computers, Novell edirectory Computers, or Symantec Endpoint Encryption Managed Computers. Active Directory/Novell edirectory Computers No computers will be placed in the Active Directory Computers or Novell edirectory Computers containers unless synchronization with the directory service is enabled. If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell edirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory services is enabled and the computer is managed by both, it will appear in both containers. Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with SEE snap-ins. Symantec Endpoint Encryption Removable Storage 4

11 Introduction SEE Managed Computers Computers located within the Active Directory Computers and/or Novell edirectory Computers containers will not be shown in the Symantec Endpoint Encryption Managed Computers container. Only computers that have checked in with the SEE Management Server will be shown in the Symantec Endpoint Encryption Managed Computers container. Whether a computer is placed in the Symantec Endpoint Encryption Managed Computers container or not following check in will vary depending on whether synchronization is enabled or not. If synchronization is not enabled, all Client Computers that have checked in will be placed in the Symantec Endpoint Encryption Managed Computers container. If synchronization is enabled, only Client Computers that have checked in that do not reside within the designated Active Directory forest/domain and/or Novell tree will be placed in the Symantec Endpoint Encryption Managed Computers container. Computers located within the Symantec Endpoint Encryption Managed Computers container should be grouped into the organizational structure that you desire. SEE Roles Policy Administrators As the Policy Administrator, you perform centralized administration of SEE. Using the Manager Console and the Manager Computer, you perform one or more of the following tasks: Update and set client policies. Run reports. Client Administrators Client Administrators provide local support to SEE users. Each Client Computer must have at least one Client Administrator account and can have up to As Policy Administrator, you are responsible for creating and maintaining Client Administrator accounts using the SEE Manager. Client Administrator accounts are managed entirely by SEE and independent of Windows, allowing Client Administrators to support users who are not a part of an Active Directory domain. One of three privilege levels will be assigned to each Client Administrator account. At least one Client Administrator account with a privilege level of high must exist on each workstation. Client Administrators with a privilege level of high can unregister users. The low and medium privilege levels are not applicable to SEE Removable Storage. The Client Administrator is also responsible for recovering SEE Removable Storage encrypted files when the user has forgotten their password and a Master Certificate was used. This responsibility is not controlled by privilege level. Client Administrators should be trusted in accordance with their assigned level of privilege. Client Administrators may be configured to authenticate with either a password or a token. At least one Client Administrator on each workstation must authenticate with a password. Client Administrator passwords are managed by you and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers. If password(s) were local to each computer, then remembering multiple passwords would become unwieldy. Client Administrators cannot use Single Sign-On. Client Administrators must register as a user to make use of removable storage devices at the SEE Removable Storage protected workstation. User At least one user is required to register with SEE on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of four screens. The registration process can also be configured to Symantec Endpoint Encryption Removable Storage 5

12 Introduction occur without user intervention. Users will not be able to access their removable storage devices until they have registered. To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges. Symantec Endpoint Encryption Removable Storage 6

13 Reporting 2. Reporting Overview Basics The SEE Manager features a number of reporting tools that will allow you to: Assess the success of a deployment. Gauge the risk that your organization may face due to unsecured endpoints. Identify computers that have not checked in within a certain number of elapsed days. Find out all of the computers that a user has registered on. Determine the SEE policy currently being enforced by protected endpoints. Spot clients with client-side TLS/SSL certificates nearing expiration. Discover the current status of synchronization. If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer names and directory service location of any computer located on your forest(s), domain(s), and/or tree(s) even if the computer has never checked in with the SEE Management Server. While only the computer and directory service location of these computers will be available, the absence of additional data will allow you to identify computers that are unprotected or have not checked in. Client Computer Reports At the time that a Client Computer succeeds in checking in with the SEE Management Server, it sends information about itself that is stored in the SEE database. Any one of the following reporting tools can be used to retrieve the data that pertains to the Client Computer(s) of interest: Symantec Endpoint Encryption Users and Computers on page 9; Computer Status Report on page 10; Computers not Encrypting to Removable Storage on page 10; Computers with Decrypted Drives on page 10; Computers with Expired Certificates on page 10; Computers with Specified Users on page 10; Computers without Full Disk Installed on page 10; Computers without Removable Storage Installed on page 10; and Non-Reporting Computers on page 11. The following table itemizes the data available about each of the Client Computers that has checked in. Columns that will be displayed but not populated by SEE Removable Storage are identified as not applicable (N/A). Table 2.1 Client Computer Data Column Heading Data Displayed Explanation Computer name computer name Computer name Group name* group name Location of the computer within Symantec Endpoint Encryption Users and Computers Symantec Endpoint Encryption Removable Storage 7

14 Reporting Table 2.1 Client Computer Data (Continued) Column Heading Data Displayed Explanation Last Check-in time/date stamp The time and date of the last connection that the Client Computer made with the SEE Management Server Decrypted N/A N/A Decrypting N/A N/A Encrypted N/A N/A Encrypting N/A N/A FR Version n.n.n The three digit version number of SEE Framework that is currently installed FR Installation Date time/date stamp The time and date on which SEE Framework was installed FD Version N/A N/A FD Installation Date N/A N/A Serial Number Asset Tag Part Number RS Encryption Policy serial number asset tag part number encrypt all files encrypt new files Write unencrypted The System Management BIOS (SMBIOS) serial number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. This data may not exist on the client, in which case it will be blank. The encryption policy currently being enforced by SEE Removable Storage RS Encryption Method password certificate any The encryption method(s) currently allowed by SEE Removable Storage RS Executables RS Access Utility RS Master Cert RS Group Key RS Password Aging True False True False serial number True False Enabled Disabled True will be displayed if the user has the option to save file(s)/folder(s) to a self-extracting executable; False if the user does not If the Removable Storage Access Utility is being automatically copied to removable storage devices, True will be displayed. If not, False will be displayed If a Master Certificate is in effect at the Client Computer, its serial number will be displayed. Otherwise, the field will be blank If a group key is in use, True will be displayed. If not, False will be displayed If password aging is being applied to Default Passwords, Enabled will be displayed. If not, Disabled will be displayed RS Version n.n.n The three digit version number of SEE Removable Storage that is currently installed RS Installation Date time/date stamp The time and date on which SEE Removable Storage was installed SSL Certificate Expiration Date time/date stamp The time and date of the client-side TLS/SSL certificate s expiration * This column is not shown in the Symantec Endpoint Encryption Users and Computers snap-in. Symantec Endpoint Encryption Removable Storage 8

15 Reporting Directory Services Synchronization Reports Your current synchronization parameters are stored in the SEE database and can be retrieved using the following Symantec Endpoint Encryption Server Reports: Active Directory Forests Synchronization Status on page 9, and Novell edirectory Synchronization Status on page 11. One row of data per forest or tree will be listed. The following table identifies the data that will be available from these reports. Table 2.2 Directory Services Synchronization Data Column Heading Data Displayed Explanation Forest/Tree Name Administrator Name Administrator Domain* Last Synchronization forest or tree name user name domain time date stamp The name of the forest or tree that you are synchronizing with will be identified in this column. The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account. The Active Directory domain of the Active Directory synchronization account for this forest will be identified. The time and date of the last successful synchronization with this forest or tree will be supplied. Total Computers number The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the SEE protected endpoints. * This column is not shown in the Novell edirectory Synchronization Status report. Symantec Endpoint Encryption Users and Computers The Symantec Endpoint Encryption Users and Computers snap-in allows you to obtain data about a specific group. This data can be printed or exported into a comma-delimited format (CSV). This can be useful for generating reports on a per-group basis. You might also want to consider your reporting needs when you create your groups ( SEE Managed Computer Groups on page 27). Symantec Endpoint Encryption Server Reports Basics The Symantec Endpoint Encryption Server Reports snap-in contains a number of reports that will assist you in managing your endpoints and your synchronization(s). After obtaining the data, you can export it into comma-delimited format (CSV) for further manipulations in the tool of your choice. Alternatively, you can print the report directly from the Manager Console. Should you choose to print the report, you can choose which columns to include by right-clicking the report in the console tree and selecting Configure Columns Displayed. Alternatively, select Configure Columns Displayed from the Action menu. Active Directory Forests Synchronization Status The Active Directory Forest Synchronization Status report provides the latest details of your Active Directory synchronization parameters and status. Symantec Endpoint Encryption Removable Storage 9

16 Reporting Computer Status Report The Computer Status Report is used to retrieve the records of specific computers when you know their computer name. Following deployment of client installation packages, you can use this report to ensure that each client checks in. Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The % character can be used as a wildcard. Once you have entered the computer names that you want to retrieve the records of, click Run. To refresh the data, click Run again. Computers not Encrypting to Removable Storage The Computers not Encrypting to Removable Storage report will retrieve the records of the following computers on your network: Did not have SEE Removable Storage installed as of the time of last check-in. Was not protected by a SEE Removable Storage Encrypt all or Encrypt new policy as of the time of last check in. Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices. Computers with Decrypted Drives The Computers with Decrypted Drives report will retrieve the records of the following computers on your network: Had one or more decrypted or decrypting partitions as of the time of last check-in. Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have a decrypted or decrypting partition. Computers with Expired Certificates The Computers with Expired Certificates report will retrieve the records of the clients with client-side TLS/SSL certificates due to expire within the specified number of days from the current day. Enter the number of days until expiration in the Days the Certificate Will Expire field and click Run. For example, to see all of the clients with certificates due to expire within the next ninety days, type 90 in the Days the Certificate Will Expire field and click Run. Computers with Specified Users The Computers with Specified Users report allows you to find out all of the computers that one or more users have registered on. Type the user names in the Enter User Names field. If you enter more than one user name, they should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters have been entered, click Run. The records of the computers on which one or more of the specified users has registered will be retrieved and listed in the report results. Computers without Full Disk Installed The Computers without Full Disk Installed report will retrieve the records of the following computers on your network: Did not have SEE Full Disk installed as of the time of last check-in. Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Full Disk installed. Computers without Removable Storage Installed The Computers without Removable Storage Installed report will retrieve the records of the following computers on your network: Did not have SEE Removable Storage installed as of the time of last check-in. Symantec Endpoint Encryption Removable Storage 10

17 Reporting Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Removable Storage installed. Non-Reporting Computers The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the SEE Management Server within a specified number of elapsed days. This report will help you ensure that the data in the SEE database remains fresh. Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the computers on your network that have not checked in with the SEE Management Server within the specified number of days will be retrieved and listed. Novell edirectory Synchronization Status The Novell edirectory Synchronization Status report provides the latest details of your Novell synchronization parameters and status. Resultant Set of Policy (RSoP) The Group Policy Management snap-in features a reporting facility which allows you to verify that the Active Directory policies you assigned to Client Computers or users were actually processed as intended. This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report. The initial SEE installation settings as deployed using the Framework and Removable Storage client MSI packages (even if the MSI packages were deployed as GPOs) will not appear in the RSoP report. Only the results of Active Directory policy updates will be shown in the RSoP report. To generate an RSoP report, perform the following steps: 1. Open the SEE Manager, and in the left pane, expand Group Policy Management, then expand Group Policy Results. 2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard. 3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer. 4. Browse to or type the name of the computer for which you wish to generate a Group Policy Report. 5. Click Next. Symantec Endpoint Encryption Removable Storage 11

18 Reporting Figure 2.1 Group Policy Results Wizard, User Selection 6. To view both user and computer policies, select the user that you want to see the user policies of. If you are only interested in computer policies, select Do not display user policy settings in the results. 7. Click Next. 8. Click Next at the summary screen, then click Finish. 9. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report, and displays the information in several tabs of the content pane on the right. 10. Click on the Settings tab of the Group Policy Results window in the pane on the right. 11. This windows shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration. 12. Within the section named Computer Configuration, locate the subsection named Administrative Templates. SEE uses registry based policies, and any SEE computer policies you create and apply will show up within the subsections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/ Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/ Removable Storage. For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window. 13. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework section by clicking on the Show link on the right. That subsection will expand to reveal all Framework policies currently in effect. Symantec Endpoint Encryption Removable Storage 12

19 Reporting Figure 2.2 RSoP Report From an SEE Client Figure 2.2 shows that a Client Administrator policy has been applied. The Client Administrator mbrown authenticates using a password and has a high level of privilege. The Client Administrator mwilliams authenticates using a password and has a high level of privilege. Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in which to save the HTML report. Some SEE Active Directory policies create other settings in the client registry that are shown in the RSoP as Extra Registry Settings. These represent internal registry values used by the particular SEE policy and can be ignored. Windows System Events All security-related system events are logged on the SEE Client Computer where they may be viewed remotely by an administrator using the Windows System Event viewer. To view SEE Removable Storage specific system events logged on a specific computer, perform the following steps: 1. Open a Run dialog from the Windows Start menu. 2. Type eventvwr.msc and click OK. 3. An Event Viewer console window opens showing the events on your local computer. 4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose Connect to another computer. Symantec Endpoint Encryption Removable Storage 13

20 Reporting 5. In the Select Computer dialog, make sure that the Another computer option is selected, then click Browse. 6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK. 7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another computer. 8. Choose View and click Filter to open the Application Properties window. 9. From the Event Source drop-down list box, choose Removable Storage Service and click Apply. 10. This filters the event log for that computer to show SEE Removable Storage events. Drag the Application Properties window away from the Event Viewer window, but leave it open. 11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event Properties window for that event. The Description field contains information about that particular SEE Removable Storage event. To inspect other events in the log, use the up and down arrow buttons in the upper right of the Event Properties window. To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified. For a complete list of all SEE specific system events, their event code numbers, and descriptions of the events, refer to Framework System Events List on page 32 and Removable Storage System Events List on page 45. Symantec Endpoint Encryption Removable Storage 14

21 Policy Creation & Editing 3. Policy Creation & Editing Overview While each contains identical options, Active Directory policies are created and edited in quite a different manner from native policies. This chapter discusses the following: How to create and/or edit Active Directory policies using Symantec Endpoint Encryption snap-in extensions in the Group Policy Object Editor (GPOE) ( Active Directory Policies on page 15); How to create and/or edit native policies using the Symantec Endpoint Encryption Native Policy Manager ( Native Policies on page 16); and The individual policy options themselves ( Policy Options on page 16). Active Directory Policies To create or edit an Active Directory policy, expand the Group Policy Management snap-in, expand your forest, expand Domains, expand the domain, and expand Group Policy Objects. To edit an existing GPO, right-click the GPO and select Edit. To create a new GPO, right-click Group Policy Objects and select New. The Group Policy Object Editor (GPOE) will launch. To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Symantec Endpoint Encryption Framework and/or Symantec Endpoint Encryption Removable Storage, according to your needs. To edit or create a user policy, expand User Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Symantec Endpoint Encryption Framework and/or Symantec Endpoint Encryption Removable Storage, according to your needs. Each Active Directory policy panel features three option buttons at the top: Do not change these settings this option is the default option. It specifies that no changes to existing policies or installation settings will be made. Change these settings click this option if you want to specify a policy update. When this option is selected, the fields below it will become available. These fields will not be defaulted to the policies currently in effect, they will just display generic defaults. Restore the installation settings click this option to apply a policy that instructs the client to disregard any existing policies and return to the settings that were specified in its installation package. When the Change these settings option is selected, your entries are validated when you click away from the panel. Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary corrections before closing the GPOE window. For a detailed discussion of the options that will become available when the Change these settings option is selected, refer to Policy Options on page 16. Symantec Endpoint Encryption Removable Storage 15

22 Policy Creation & Editing Native Policies To create a native policy, right-click the Symantec Endpoint Encryption Native Policy Manager and select Create New Policy. When naming a policy, observe the following: Each name must be unique and cannot have been assigned to any other native policy. Names are case-insensitive. Leading and trailing spaces will be deleted. To edit a native policy, expand the Symantec Endpoint Encryption Native Policy Manager. Locate the policy that you want to edit and highlight it. For a detailed discussion of the options available for modification within the Symantec Endpoint Encryption Native Policy Manager, continue to the next section. Policy Options Client Administrators When creating a Client Administrator policy, it must contain all Client Administrator accounts that are authorized to access the workstation. Any Client Administrator accounts not listed in this policy will not be able to authenticate to the Client Computer. Figure 3.1 Framework Computer Policy, Client Administrators Options At least one Client Administrator account must be specified. You can import a list of Client Administrators from a previously created installation settings package. Click Load from installation settings, select the previously created SEE Framework client installer package, then click Open. The GPO panel will populate with the Client Administrator account information specified when the installation settings package was created. Click Add to add a Client Administrator. Highlight an existing Client Administrator and click Edit to edit the account. Symantec Endpoint Encryption Removable Storage 16

23 Policy Creation & Editing Figure 3.2 Add New Client Administrator Dialog Only the names of the Add New Client Administrator and Edit Client Administrator dialogs differ. Each Client Administrator account must have credentials and a specified level of privilege. If this is a native policy and you selected None (password authentication only) when installing the Framework Manager, the drop-down list box will display Password and be unavailable. Otherwise, the drop-down list box will have both Password and Token options available. If you select the token option, you will be prompted to locate the P7B certificate file associated with that Client Administrator account. The selected P7B file will be validated, and you will be prompted to choose the desired certificate from the list of valid certificates found in the P7B file. Symantec Endpoint Encryption Removable Storage 17

24 Policy Creation & Editing Registered Users Basics The Registered Users panel can be used to change the way that users authenticate to, register with, or get unregistered from SEE. Figure 3.3 Framework Computer Policy, Registered Users Options Authentication Method In Authentication Method, select the authentication method you want SEE to effect. Clicking on Require registered users to authenticate with ensures that users type their credentials before gaining access to the User Client Console. Select Password to have users authenticate with a password. Select Token to have users authenticate with a token. Clicking on Do not require registered users to authenticate to SEE selects automatic authentication and allows all registered users to access the User Client Console without providing any credentials. The registration process itself will also be automatic and occur without user intervention unless a registration password is specified. Coupling automatic authentication with a registration password could serve to limit the number of users able to use removable storage devices from the workstation, as only registered users can use removable storage devices. Select the Enforce this choice on existing SEE accounts check box to force users that are currently registered using a different authentication method to re-register using the new authentication method. Single-Sign On will be unavailable to users not using the same authentication method for both Windows and SEE. For Single-Sign On to work, the authentication methods used in both environments must be identical. Symantec Endpoint Encryption Removable Storage 18

25 Policy Creation & Editing Select a date (month, day, year) from the drop-down lists. This date will be the deadline after which users will be forced to re-register using the new authentication method. Once the policy has been processed and the Client Computer has rebooted, users will be prompted to re-register when logging on to Windows. Re-registration is optional until the deadline has elapsed. After the deadline, users are forced to re-register using the new authentication method. When a computer has been running with automatic authentication, and a policy is applied that switches to password- or token-based authentication, all existing user accounts subject to automatic authentication are immediately unregistered. By contrast, when a policy changes from password- or token-based authentication to automatic authentication, all existing password- or token-based registered user accounts are now subject to automatic authentication. Registration To allow any Windows user the ability to register, click the option Any Windows user can register for a SEE account. To allow only those users who know a special registration password to be able to register, click Users must know this password to register, and type the password in the adjacent field and again to confirm. Each user will be required to know the administrator-defined registration password before they can register for an SEE account. Specify the maximum number of SEE registered user accounts which can be created on each computer. New users will not be permitted to register after the maximum number of accounts has been reached. Specify a custom message users will see when they are forced to register after grace restarts expire. The custom message can be from characters in length, or you can use the default message. Note that the custom registration message field ignores any carriage returns you type or paste in. Specify the number of grace restarts, i.e., the number of times, from 0 99, that the computer can restart before the first user who logs on will be forced to register for an SEE account and see the custom registration message. This setting can effectively allow users to defer registration. To force the first user to register immediately, set this value to zero. Unregistration Unregistration selects whether to allow users to only be unregistered manually by Client Administrators, or whether to also automatically unregister users who do not log on after a specified period, from days. This setting is useful in a kiosk environment where many infrequent users can fill up the maximum number of available SEE accounts on a given computer. Use caution with this setting so that users do not have their accounts deleted unexpectedly. Symantec Endpoint Encryption Removable Storage 19