Symantec Endpoint Encryption Full Disk
- Margery Anthony
- 10 years ago
Symantec Endpoint Encryption Full Disk
Policy Administrator Guide
Version 6.0
Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Symantec Corporation Symantec Corporation. All rights reserved.

Authenti-Check is a registered trademark of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners.

Printed in the United States of America.
Contents

1. Introduction
    Overview
    SEE Administrator Roles
    Policy Administrators
    Client Administrators
    SEE Architecture
    Architecture
    Services and Associated Ports/Protocols

2. Client Monitor
    Overview
    Initial Encryption of the Hard Disk
    Client Monitor Watchlist Creation
    Auto Refresh Interval
    Watchlists Based on Group Membership
    Selecting All Members of the Domain Admins Group
    Client Computer Check-In Verification
    Ensuring That Recently Deployed Clients Check In
    Ensuring That Recently Recovered Clients Check In

3. Client Policy Settings
    Overview
    Policy Only
    Policy Updates to Installation Settings
    Forcing a Policy Update
    Windows XP Clients
    Windows 2000 Clients

4. SEE Framework
    Creating Client Administrator Accounts
    Users Upgraded to Client Administrators
    Authentication Methods
    Changing User Authentication Methods
    Full Disk Recovery CD Creation
    Full Disk Recovery Data File Generation
    Auditing and Logging
    Exporting Watchlist Data
    Windows System Event Viewer Monitoring
    The Management Password
    Setting the Management Password
    Changing the Management Password

5. SEE Full Disk
    Remote Decryption
    Creating a Remote Decryption Policy
    Monitoring Encryption Status
    Autologon
    Basics
    Policy Creation

6. SEE Server
    Overview
    ADAM Account Password Changes
    SEE Server Backup and Restore
    SEE Server Backup and Restore Basics
    Authoritative Restore vs. Non-Authoritative Restore
    ADAM Components to be Backed up
    Example Scenarios for SEE Server Backup and Restore
    Backup and Restore of the OTP Keys
    OTP Key Backup
    OTP Key Restore

Appendix A
    Framework System Events List
    Full Disk System Events List

Glossary

Index
Figures

Figure 1.1 Architectural Overview
Figure 2.1 Connecting to the Client Monitor
Figure 2.2 Client Monitor Watchlists
Figure 2.3 Creating a New Query
Figure 2.4 Find Custom Search LDAP Query String
Figure 2.5 Domain Admins Properties, Members
Figure 2.6 SEE Manager, Watchlist Members Added
Figure 4.1 Framework Computer Policy Client Administrators
Figure 4.2 Exporting HD Recovery Data from a Watchlist
Figure 4.3 RSoP Report From an SEE Client
Figure 4.4 SEE System Events
Figure 4.5 The Management Password Snap-in
Figure 5.1 Full Disk Computer Policy Remote Decryption
Figure 5.2 Full Disk Computer Policy Autologon
Figure 6.1 RecoverOTP Batch File, Usage
Figure 6.2 RecoverOTP Batch File, Command Line for Export
Figure 6.3 RecoverOTP Batch File, Export Completed
Figure 6.4 Recover OTP Keys Utility
Figure 6.5 Recover OTP Keys Utility, Connected to ADAM
Figure 6.6 Recover OTP Keys Utility, Check OTP keys
Figure 6.7 Recover OTP Keys Utility, OTP Key Pair Missing
Figure 6.8 Confirm OTP Creation
Figure 6.9 Recover OTP Keys Utility, OTP Key Pair Created
Figure 6.10 RecoverOTP Batch File, Usage
Figure 6.11 RecoverOTP Batch File, Command Line for Import
Figure 6.12 RecoverOTP Batch File, Import Completed
Figure 6.13 ADAM ADSI Edit, Bind to the ADAM Instance
Figure 6.14 ADAM ADSI Edit, Delete AdminsPassRecovery Object
1. Introduction

Overview

The duties of configuring and maintaining Symantec Endpoint Encryption (SEE) are split between two roles that have progressively fewer privileges: the Policy Administrator role and the Client Administrator role.

As a pre-requisite to reading this Guide, it is assumed that the SEE Server, SEE Manager, and SEE Clients have already been deployed. For instructions on creating client installation packages, refer to the Installation Guide. For information relevant to help desk personnel, such as emergency recovery procedures or clearing a lockout condition on the client, refer to the Client Administrator Guide. For information documenting the user experience of the SEE Client, refer to the User Guide.

This Guide provides you with:
- Descriptions of the SEE administrator roles,
- An overview of the SEE architecture,
- A list of services used by the system, along with their associated ports and protocols.

SEE Administrator Roles

Policy Administrators

Policy Administrators are created by a domain or higher-level administrator who delegates the necessary privileges to allow Policy Administrators to define end-point encryption policies for one or more OUs. Symantec recommends that Policy Administrators be allowed to create, edit, and apply GPOs to the specific OUs they are responsible for supporting. Policy Administrators create Client Administrators by assigning domain user accounts to the Client Administrator role using a policy.

Access to SEE snap-ins can be restricted on a per snap-in basis, giving the domain or higher-level administrator flexibility when assigning specific Policy Administrator duties.
A list of typical duties that a Policy Administrator might perform:
- Create SEE installer packages for deployment to clients;
- Create and apply software installation policies for deploying SEE installer packages;
- Create, edit, and apply SEE policies to specific OUs;
- Create or remove Client Administrator accounts;
- Remotely decrypt all disk partitions of selected SEE Clients;
- Track encryption status of selected SEE Clients and export the status information;
- Create files used by Client Administrators to perform data recovery for SEE Clients; and
- Change the SEE Client Management Password.

Client Administrators

Client Administrators are created when a Policy Administrator assigns domain user accounts to the Client Administrator role using a policy. Client Administrators provide local support to SEE users and guarantee that SEE protected computers are always accessible even when all SEE users have been removed from those computers.

Depending on the settings currently in effect, a particular Client Administrator may be allowed to perform the following operations on a local computer:
- Remove (unregister) SEE users from a local computer.
- Unlock an SEE protected computer which has been locked as a result of failing to check-in with the SEE Server within a specified number of days.
- Extend the client check-in due date so as to defer a scheduled lockout condition.
- Decrypt a partition or partitions.

For details on how a Client Administrator can unregister users, extend the due date, unlock a computer, or decrypt partitions on the client, refer to the Client Administrator Guide.

Single Sign-On

Client Administrator accounts do not possess Single Sign-On (SSO). If an existing SEE user account that has Single Sign-On gets upgraded to a Client Administrator role, that account will no longer have Single Sign-On capability until the Client Administrator role is removed and the user registers again as a user.

Passwords

Client Administrators logging on to SEE protected Client Computers using password authentication must first type their SEE passwords at the SEE logon screen, then type their Windows account passwords at the Windows logon screen. SEE maintains its own password for a Client Administrator separate from the Windows password, and these two passwords are never synchronized.

While it may seem convenient to set both passwords to the same value, default Windows policies will eventually cause the Windows password to expire, causing the Windows password to become out of sync with the SEE password. To mitigate potential confusion, we recommend that you avoid using the same Client Administrator password for logging on at both the SEE logon screen as well as the Windows logon screen.

Tokens

Client Administrators logging on to SEE protected Client Computers using token authentication must insert their token and type their PIN once at the SEE logon screen, then re-insert their token and type their PIN again at the Windows logon screen.

SEE Architecture

SEE is based on a modular design that contains three functional components: SEE Framework, SEE Full Disk, and the SEE Server.
SEE Framework includes all the functionality that is extensible across the SEE suite. The Framework allows behavior that is common to SEE Full Disk and SEE Removable Storage to be defined in one place, thus avoiding potential inconsistencies.

SEE Full Disk secures a hard disk by encrypting it and requiring that users authenticate before allowing Windows to start. SEE Full Disk can lock out users if a required time-sensitive network connection (a check-in performed for security reasons) does not take place.

The SEE Server stores the status information, encrypted keying material, and hard disk recovery data transmitted by each SEE Client Computer. The status information is retrieved and displayed by the SEE Manager console.

SEE has four main user interfaces:
- The SEE Manager console;
- The SEE Client console;
- The SEE Full Disk pre-Windows authentication process; and
- The One-Time Password Program.
SEE Full Disk is installed on and protects the Client Computers, where two kinds of SEE accounts exist: registered user accounts and Client Administrator accounts.

The SEE Client software:
- Is installed when a Policy Administrator pushes out the software and installation settings from the Manager and the Client Computer installs them;
- Contains panels and behavior that reflect (are customized by) the installation settings and the policy updates chosen by Policy Administrators;
- Provides the user interface (UI) to locally encrypt and decrypt hard disk partitions; and
- Can optionally connect to the SEE Server over the network, thus checking in as well as reporting important data about user accounts and disk encryption.

Architecture

Refer to Figure 1.1 to view the SEE components, communications protocols between components, and their interrelationships. Included in this diagram are the protocols used for communication between SEE Client Computers, the SEE Server, and Active Directory. While the diagram shows all clients as members of the same domain, multi-domain configurations within a single Active Directory forest are supported.

Figure 1.1 Architectural Overview (diagram labels: Domain Controller; SEE Server; SEE Server Replica; Manager Computer with Client Monitor; Clients in your-org.com; Group Policy (RPC / SMB); LDAP; Data Multimaster Replication; Firewall; VPN Client Tunnel)

Services and Associated Ports/Protocols

Refer to the following table to see a list of each service, and its associated default port(s) and protocol(s), as shown in Figure 1.1.

Table 1.1 Service Ports and Protocols

Service                                                 Port/Protocol
Server Message Block (SMB) over IP (Microsoft-DS)       445/TCP, 445/UDP
Lightweight Directory Access Protocol (LDAP)            389/TCP
LDAP ping                                               389/UDP
RPC Endpoint Mapper                                     135/TCP, 135/UDP
Global Catalog LDAP                                     3268/TCP
Global Catalog LDAP over SSL                            3269/TCP
Kerberos*                                               88/TCP, 88/UDP
Domain Name Service (DNS)*                              53/TCP, 53/UDP
Windows Internet Naming Service (WINS) resolution*      1512/TCP, 1512/UDP
WINS replication*                                       42/TCP, 42/UDP

* Optional
2. Client Monitor

Overview

The SEE Client Monitor snap-in retrieves encryption status and other information stored in the SEE Server by SEE Client Computers. The Client Monitor snap-in allows you to set up custom Watchlists to monitor the status of selected users and computers.

Initial Encryption of the Hard Disk

The initial encryption process is typically configured to begin immediately following installation. It begins with the first hard disk partition and other partitions are queued to encrypt one after the other automatically. Encryption occurs transparently in the background, allowing the user to continue using the computer normally during the process. If the user performs a normal shutdown of the computer before the initial encryption process has completed, initial encryption automatically resumes when the computer is powered on again.

Depending on the installation or policy settings, the SEE Client Computer can attempt to store important data in the SEE Server immediately upon installation and again at a specified interval. The SEE Client then attempts to store status updates at a specified interval in the SEE Server, again depending on the installation or policy settings.

The following information is transmitted by the SEE Client Computer in encrypted form to the SEE Server:
- Computer name;
- User name(s);
- Account name (i.e., complete Windows domain or local account name);
- Role (i.e., Client Administrator or registered user);
- Last check-in date;
- Encryption status for each partition (encrypting, encrypted, decrypting, decrypted);
- One-Time Password and Recover /B information;
- Version of SEE Framework installed; and
- Version of SEE Full Disk installed.

The Client Monitor snap-in of the SEE Manager retrieves this information and displays the status in a Client Monitor Watchlist.

Client Monitor Watchlist Creation

1. Open the SEE Manager, expand the Active Directory Users and Computers container to your-org.com, and then Users. Click and drag to select, or hold the CTRL key down and click to highlight individual user and/or computer objects in their respective containers.
2. Drag the selected users and/or computers and drop them onto the SEE Client Monitor module in the console tree. The first time you drag a user or computer and drop them onto the SEE Client Monitor snap-in, the ADAM Connection Data dialog box will prompt you for your ADAM Administrator account credentials.

Figure 2.1 Connecting to the Client Monitor

3. In the ADAM Administrator Account window, type the credentials of the ADAM Administrator account established when the SEE Server was installed, then click OK.
4. Open the File menu and select Save. This saves the SEE Manager with the Watchlist, along with any computer or user objects you added to the Watchlist.

If you are a member of the ADAM Administrators group, you will not be prompted for the ADAM Administrator credentials when you open the SEE Manager.

To remove a user or computer object from the Watchlist, select the object or objects, right-click, and choose either Remove Selected Users from Watchlist or Remove Selected Computers from Watchlist.

Figure 2.2 Client Monitor Watchlists
Auto Refresh Interval

Each Watchlist can be set to periodically refresh at a preset interval. To do this, perform the following steps:

1. Select a Watchlist, right-click, and choose Auto Refresh Interval.
2. In the Auto Refresh Interval window, type the number of minutes at which you want the Watchlist contents to be refreshed, then click OK.

The Auto Refresh Interval only controls how often the Watchlist reads status data from the SEE Server, and not how often the SEE Client reports status data to the SEE Server. The interval at which the client reports its status data to the SEE Server is controlled by installation settings and policy updates.

Watchlists Based on Group Membership

Although you cannot create a Watchlist by dragging an Active Directory group object and dropping it onto the Client Monitor snap-in, you can achieve the same result by executing a custom LDAP query using the Active Directory Users and Computers snap-in. This section details how to specify and execute a query string based on group membership. Once the query operation has completed and returned a list of user accounts meeting the search criteria, you can drag these accounts to the Client Monitor snap-in and create a new Watchlist whose contents reflect the group membership.

Selecting All Members of the Domain Admins Group

1. Open the SEE Manager from the Windows Start menu.
2. In the navigation pane on the left, expand the Active Directory Users and Computers snap-in. Right-click on Saved Queries, point to New and select Query.

Figure 2.3 Creating a New Query

The New Query window appears.

3. Type descriptive names into the Name and Description fields, then click Define Query. The Find Common Queries window appears.
4. From the Find drop-down list, select the option Custom Search. The Find Common Queries window changes to the Find Custom Search window.

Figure 2.4 Find Custom Search LDAP Query String

5. Click the Advanced tab, and in the Enter LDAP Query field, type the following query string:

    (objectcategory=user)(memberof=cn=domain Admins,CN=Users,DC=your-org,DC=com)

Table 2.1 LDAP Query String Description

Query Term         Description                                                                      Syntax Examples
objectcategory=    The category of the object you are searching for.                                objectcategory=user
                                                                                                    objectcategory=computer
memberof=cn=       The Active Directory group of which each user object is a member.                memberof=cn=domain Admins
                                                                                                    memberof=cn=domain Users
CN=                The container or organizational unit in which the group resides.                 CN=Computers
                                                                                                    OU=Human Resources
DC=                The name of your domain and forest. Each section should be separated by DC=      DC=your-org,DC=com

6. After verifying that you have entered the query string correctly, click OK.
7. Click OK to save and execute your new query. The query results will display in the pane on the right.
Figure 2.5 Domain Admins Properties, Members

Note that in this sample scenario, the Domain Admins Properties window indicates that all three selected accounts are located in the Users container.

8. You may execute a saved query again either by selecting the query and pressing F5, or by right-clicking the saved query and selecting Refresh.
9. Select the user objects returned by the query, then drag them and drop them onto the Client Monitor snap-in to create a new Watchlist, or drag them and drop them onto an existing Watchlist.

Figure 2.6 SEE Manager, Watchlist Members Added

Once the Watchlist has been populated with computers on which the SEE Client has been installed, the Watchlist will reflect encryption status and other information about the SEE Client Computers.

If you add a new member to the Active Directory Group (in this example, the Domain Admins group), you must update the SEE Watchlist for it to accurately reflect the current state of the group. To do this, execute your saved query again and repeat the drag-and-drop operation of the Active Directory Objects as outlined previously.
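
The group-membership query from step 5, written as an explicit AND filter with the escaping that group names containing special characters need, plus the Active Directory matching rule for nested groups. This is an added example, not part of the Symantec guide; the function names and the sample group "Ops (EMEA), Tier+1" are illustrative assumptions.

```python
"""Build a group-membership LDAP filter for a Watchlist query (added example)."""

# Active Directory matching rule OID for transitive (nested) group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value as required by RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            # Leading space or '#', and trailing space, must be escaped.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value as required by RFC 4515."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def group_dn(group: str, container: str, domain: str) -> str:
    """Return the group's distinguished name.

    container is an already-formed RDN such as 'CN=Users' or
    'OU=Human Resources' (assumption: the caller supplies it verbatim);
    domain is the DNS name, e.g. 'your-org.com'.
    """
    dcs = ",".join("DC=" + escape_dn_value(part) for part in domain.split("."))
    return f"CN={escape_dn_value(group)},{container},{dcs}"


def membership_filter(dn: str, category: str = "user", nested: bool = False) -> str:
    """Return (&(objectCategory=...)(memberOf=<dn>)).

    nested=False matches direct members only, like the query in step 5.
    nested=True also matches members of groups nested inside the group.
    Note: memberOf never lists an account's primary group, so accounts whose
    primary group is the one queried are not returned by either form.
    """
    if category not in ("user", "computer"):
        raise ValueError("category must be 'user' or 'computer'")
    attr = "memberOf"
    if nested:
        attr += f":{LDAP_MATCHING_RULE_IN_CHAIN}:"
    return f"(&(objectCategory={category})({attr}={escape_filter_value(dn)}))"


if __name__ == "__main__":
    admins = group_dn("Domain Admins", "CN=Users", "your-org.com")
    print(membership_filter(admins))
    print(membership_filter(admins, nested=True))
    # Constructed group name containing DN and filter metacharacters.
    odd = group_dn("Ops (EMEA), Tier+1", "OU=Human Resources", "your-org.com")
    print(membership_filter(odd, category="computer"))
```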
Client Computer Check-In Verification

Watchlists can also be used to verify Client Computer check-ins. This is especially important if a lock-out has been configured by installation settings or policy updates. At a minimum, Client Computers should check in at least once and recently recovered Client Computers should check in immediately following recovery.

Ensuring That Recently Deployed Clients Check In

When deploying SEE Full Disk, it is important that all Client Computers to which SEE Full Disk has been deployed make contact with the SEE Server at least one time. During the initial contact with the SEE Server, a Client Computer stores its client-specific keying and other information. If the hard disk of the Client Computer needs to be recovered later on, this client-specific information is extracted from the SEE Server and used by support personnel when performing Recover /B.

If the Client Computer has SEE Full Disk installed but has not made contact with the SEE Server, the client-specific recovery information will be unavailable from the SEE Server, and hard disk recovery operations will be limited to Recover /A and /D.

A Watchlist can be used to identify computers which may not have checked in. To check for these computers, create a Watchlist populated with the computers to which you have deployed SEE Full Disk. Because the SEE Server will contain no information from these computers, the Watchlist columns for these computers will be blank. Having identified the computers which have failed to check in, you may target them using other tools such as Resulting Set of Policies (RSoP) reports and system event logs to help determine if there were problems installing the SEE Client installer packages.

Ensuring That Recently Recovered Clients Check In

After a successful execution of Recover /D or /B on a Client Computer, make sure that the Client Computer checks in at least once so that the new data can be stored in the SEE Server.
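
One way to triage check-ins from exported Watchlist data, covering both cases above (never checked in, and no check-in since recovery) as well as clients nearing a configured lock-out. This is an added example, not Symantec tooling; the CSV layout, column names, date format, status labels and computer names are constructed assumptions, since this part of the guide does not show the export format.

```python
"""Triage SEE client check-ins from an exported Watchlist (added example)."""
import csv
import io
from datetime import date, datetime

# Constructed sample export. Column names and the ISO date format are assumptions.
SAMPLE_EXPORT = """Computer Name,Last Check-In,Partition C
WS-001,2009-03-02,Encrypted
WS-002,,
WS-003,2009-01-05,Encrypted
WS-004,2009-02-20,Encrypting
WS-005,2009-02-12,Encrypted
"""


def triage(export_text, today, lockout_days, warn_days=7, recovered=None):
    """Classify each computer in the export.

    lockout_days: the configured number of days without check-in after
                  which the client is locked.
    warn_days:    how many days before lock-out to start flagging a client.
    recovered:    {computer name: date Recover /D or /B was run}.
    Returns {computer name: status label}.
    """
    recovered = recovered or {}
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get("Computer Name") or "").strip()
        if not name:
            continue
        raw = (row.get("Last Check-In") or "").strip()
        if not raw:
            # Blank columns: the SEE Server holds nothing for this client,
            # so Recover /B data is unavailable (only /A and /D are possible).
            findings[name] = "NEVER_CHECKED_IN"
            continue
        last = datetime.strptime(raw, "%Y-%m-%d").date()
        age = (today - last).days
        if name in recovered and last < recovered[name]:
            # Server still holds pre-recovery data for this client.
            findings[name] = "NO_CHECK_IN_SINCE_RECOVERY"
        elif age >= lockout_days:
            findings[name] = "LOCKOUT_DUE"
        elif age >= lockout_days - warn_days:
            findings[name] = "LOCKOUT_SOON"
        else:
            findings[name] = "OK"
    return findings


def needs_follow_up(findings):
    """Return the computers that are not OK, sorted by name."""
    return sorted(name for name, status in findings.items() if status != "OK")


if __name__ == "__main__":
    result = triage(
        SAMPLE_EXPORT,
        today=date(2009, 3, 10),
        lockout_days=30,
        recovered={"WS-004": date(2009, 3, 1)},
    )
    for computer in needs_follow_up(result):
        print(f"{computer}: {result[computer]}")
```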
3. Client Policy Settings

Overview

You can create a new SEE policy to override and completely replace any existing SEE policies or installation settings that are below it in the Local, Site, Domain, OU (LSDOU) order. Two settings may only be defined by pushing out a policy update. The majority of the installation settings can be overridden with policy updates.

Policy Only

The following SEE Full Disk settings can only be defined using a policy:
- The window of time during which the Autologon feature remains active; and
- Whether to begin immediate decryption of all disk partitions of computers receiving this policy.

Policy Updates to Installation Settings

The following SEE Framework installation settings can be changed later by policy update:
- The custom message shown to users who are having trouble with authentication;
- Whether the One-Time Password and/or the Authenti-Check authentication assistance methods are available;
- Pre-defined Authenti-Check questions that users may be required to answer when they register;
- Client Administrator accounts;
- How often the SEE Client Computer reports its status to the SEE Server;
- The credentials used by the SEE Client Computer for accessing the SEE Server;
- Whether users use Single Sign-On (SSO);
- SEE password complexity, expiration, and reuse requirements (if SSO is disabled);
- How many times in succession a user can enter an incorrect password before incurring a 60-second delay;
- A password necessary to register as an SEE user;
- Whether users authenticate with passwords or tokens;
- The custom message shown to new users forced to register;
- The maximum number of SEE users that can register on a given computer; and
- Whether token users can use an expired certificate.
The following SEE Full Disk installation settings can be changed later on with policy updates:
- Logon instructions and legal warning text shown to users who are logging on;
- Whether Client Administrators and/or registered users can decrypt disk partitions;
- Whether Client Computers are locked if they do not access the SEE Server within a specified number of days; and
- Whether to prefill the logon screen with the account information of the most recently logged on user.
Forcing a Policy Update

Active Directory policy changes take approximately 90 minutes and no more than 120 minutes to push out to Client Computers. To accelerate this, you can force an immediate policy update.

Windows XP Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.
2. Type the following command at the command prompt:

       gpupdate /force

   and press ENTER.
3. A message will appear in the command prompt window after a few seconds indicating that the update has taken place. The message will prompt you to confirm a restart. Type Y and press ENTER to restart the Client Computer.

Windows 2000 Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.
2. Type the following command at the command prompt:

       secedit /refreshpolicy machine_policy /enforce

   and press ENTER.
3. The secedit command will not prompt you to restart. If the policy you are updating includes any computer policies, you will have to restart the computer manually to complete the update.
4. SEE Framework

Creating Client Administrator Accounts

The initial list of Client Administrators is specified as part of the SEE installation settings. These settings represent the persistent, baseline list of Client Administrators. If you wish to change or update this baseline list, you must create a GPO containing a new set of Client Administrator settings.

When a new Client Administrator policy is applied, it completely overrides the baseline Client Administrator installation settings, as well as any other Client Administrator GPOs beneath it in order of GPO precedence.

If you wish to update the password of a single Client Administrator out of a list of 20 Client Administrators, you can load the list of Client Administrators from a previously created installation settings package. This will populate the GPO panel with the list of all Client Administrators account information (including password hashes) specified when the installation settings package was created.

As with any SEE policy settings panel, you may, in the absence of other Client Administrator policies beneath it in the precedence chain, revert to the baseline Client Administrator installation settings by selecting the option Restore the installation settings.

To specify Client Administrator accounts as part of a policy setting, you will create a new Group Policy Object (GPO) or edit an existing GPO. Inside the navigation tree of the Group Policy Object Editor (GPOE) window, expand Computer Configuration, expand Software Settings, expand Symantec Endpoint Encryption, expand Symantec Endpoint Encryption Framework, click on Client Administrators, and select the Change these settings option. The fields in the settings panel become available and allow you to specify Client Administrator accounts.
Figure 4.1 Framework Computer Policy Client Administrators

Either the NetBIOS name or the DNS domain name must be entered in the Account Domain box when specifying a Client Administrator account. All Client Administrator accounts you specify must be valid Windows domain accounts and must be in the same forest as the SEE Client Computers. Up to 50 Client Administrator accounts can be specified.

Your entries are validated when you click away from the Client Administrator Settings panel. If incorrect entries are found, the icon of the Client Administrator settings panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary corrections before closing the GPOE window.

Users Upgraded to Client Administrators

When an existing SEE user account is upgraded to Client Administrator status through a GPO, the existing SEE user account information is deleted from the local computer. Note that this only affects the SEE account on computers receiving the policy, and does not affect that user's Windows domain account. However, because Client Administrator passwords are specified as part of the GPO, the SEE password for the upgraded account will likely be different than the Windows password for that account.

Additionally, the Authenti-Check and One-Time Password authentication assistance methods are not available to Client Administrators. When a registered user account is upgraded to Client Administrator status, any Authenti-Check questions and/or answers provided by that user are lost.

Authentication Methods

By default, all Client Administrator accounts use password authentication. When you specify each Client Administrator account, you must type and confirm the password for that account.

If your SEE deployment has been designed to use token authentication, you may select the option to use a token for individual Client Administrator accounts in the Framework Installation Settings or policy settings panels. When you select the token option, you will be prompted to locate the P7B certificate file associated with that Client Administrator account. The selected P7B file will be validated, and you will be prompted to choose the desired certificate from the list of valid certificates found on the P7B file.

All passwords, user names, and domain names typed into the recover.exe and SEEHD_Access_Utility.exe utilities must consist solely of US English characters. If non-US English characters are used, Client Administrators will not be able to use these utilities successfully.

Changing User Authentication Methods

You can force existing users to change how they authenticate to SEE. Users must successfully switch authentication methods by a date you specify. For example, a user who registered using password authentication can be forced to re-register using token authentication. Users who have not completed the re-registration process before the deadline will be denied access to Windows until they re-register.

To force existing users to switch authentication methods, perform the following steps:

1. Create a new GPO. Right-click the GPO, and click Edit.
2. Inside the navigation tree of the Group Policy Object Editor (GPOE) window, expand Computer Configuration, expand Software Settings, expand Symantec Endpoint Encryption, expand Symantec Endpoint Encryption Framework, click on Registered Users, and select the Change these settings option.
3. In Authentication Method, select the authentication method you want to force users to switch to, either a password or a token.
4. Select the Enforce this choice on existing SEE accounts check box.

   Single-Sign On will be unavailable to users not using the same authentication method for both Windows and SEE. Single-Sign On works normally when the authentication methods used in both environments are identical.
5. Select a date (Month, Day, Year) from the drop-down lists. This date will be the deadline after which users will be forced to re-register using the new authentication method.
6. Close the GPOE window. In the GPMC inside the SEE Manager, link the GPO to the appropriate location in the Active Directory hierarchy.

Once the policy has been processed by the client and the client has rebooted, users will be prompted to re-register when logging on to Windows. Re-registration is optional until the deadline has elapsed. After the deadline, users are forced to re-register using the new authentication method.
Full Disk Recovery CD Creation

If a Client Computer running SEE Full Disk encounters a serious error and cannot load Windows, a Recover CD allows a Client Administrator to boot. The Recovery CD is a bootable medium that contains two recovery programs: Access.exe and Recover.exe, plus related files.

Access.exe is a 16-bit version of the Access Utility that addresses possible Windows problems. If a Client Administrator succeeds in booting with the Access Utility, it indicates that the problem with the Client Computer is with its Windows installation.

The 16-bit Access Utility is included in the SEE Full Disk download package. However, due to Microsoft licensing requirements, Symantec separately mails you a CD that contains a 32-bit version of the utility. The 16-bit version runs in DOS and the 32-bit version runs in Windows PE (WinPE). The 32-bit version is recommended.

Recover.exe is a program that tries to regain access to the hard disk and runs with three options:
- The /A option attempts to repair damaged client database files.
- The /D option attempts to repair damaged client database files and then to decrypt the hard disk.
- The /B option is performed only if all other previous steps have failed and requires the assistance of Symantec Technical Support. This option reads from a computer-specific recovery file that contains an important cryptographic key. You create this data file for a particular Client Computer, usually when requested to do so by a Client Administrator. You add this DAT file to a Recover CD, but unlike the recovery programs on the CD, the data file is applicable only to the specific computer. See "Full Disk Recovery Data File Generation" for details on creating the DAT file.

You should create a Recover CD immediately after SEE Full Disk installation. Create a Recover CD for each version of SEE Full Disk that you install or upgrade to.
To create the Recover CD:

1. Make sure that you have CD-ROM burning software that supports the creation of bootable CDs. Some examples of this kind of software are Nero and Easy CD Creator.
2. Create a bootable CD.
3. Copy the following files from the directory C:\Program Files\Symantec\Symantec Endpoint Encryption Manager\Symantec Endpoint Encryption Full Disk\DOS to the bootable CD:
   access.exe
   ephdxlat.bin
   ephdxlat.ovl
   RECOVER.EXE
   The BIN file will not be visible unless you change your settings in Windows Explorer so you can view hidden files.
4. Label the CD as being the SEE Full Disk Recover CD and include the version number and the date.

Any Client Administrator can use this Recover CD on any Client Computer that is running that same version and that fails to boot.

Full Disk Recovery Data File Generation

Prior to using the /B option of the recover.exe utility (Recover /B), you must first select the specific computer needing recovery from a Client Monitor Watchlist, authenticate using the Management Password, export the computer-specific Full Disk Recovery Data files, and finally transfer the recovery data files to removable media for use at the Client Computer.

Typically, a Policy Administrator or other support person who has access to the Client Monitor snap-in and knows the credentials of the ADAM Administrator account can export the client-specific recovery data.

If you have not yet created a Client Monitor Watchlist containing the computer that needs to be recovered, do so now, using the following steps:

1. Open the SEE Manager, and in the navigation pane on the left, click on and expand the Active Directory Users and Computers snap-in.
2. Within your Active Directory hierarchy, select the computer object needing recovery, and drag and drop it on top of the SEE Client Monitor snap-in to create a new Watchlist.
Immediately after SEE Full Disk is installed on a Client Computer, the Client Computer tries to contact the SEE Server to store client-specific files necessary for hard disk recovery. If this contact does not occur, the only recovery options available will be Recover /A and /D. Recover /A and /D do not require the client-specific recovery files stored in the SEE Server. For this reason, it is critical to make sure when using Client Monitor Watchlists that each Client Computer succeeds in checking in at least once.

3. Select the new Watchlist.
4. In the Watchlist window on the right (see Figure 4.2 for an example):
Figure 4.2 Exporting HD Recovery Data from a Watchlist

   a) Select the computer of interest, right-click it, and choose Export HD Recovery Data. A window opens prompting you to enter the Management Password.
   b) Type the Management Password into the field.
   c) Click OK.
5. After successfully authenticating, a second window opens. At the prompt:
   a) Enter a Recovery Password containing only US English characters. If you specify a recovery password containing non-English characters, an error message will be displayed. This password is used for protecting the recovery files you are about to export. The Client Administrator must enter this password before they can run Recover /B on that computer. The recover.exe utility only provides support for passwords containing US English characters.
   b) At the next prompt, select a destination location for the recovery files. Navigate to the desired location and click OK. A success dialog displays after the files have been successfully saved.
   c) Click OK to continue.

The recovery data consists of the following files: EPHDXLAT.BIN, recover.dat, recover.exe, ephdxlat.ovl, and access.exe. The recovery data files are always exported using these same filenames. To avoid confusion when exporting hard disk recovery data for multiple computers, be sure to save them to separate folders with unique names that are identifiable with their associated computers.

Copy these files to bootable media, such as a bootable CD or a floppy formatted as a startup disk. The boot CD or floppy may now be given to the Client Administrator to perform the Recover /B operation at the Client Computer.

Auditing and Logging

Auditing and logging facilities allow you to verify that intended policy changes were actually received and successfully processed on Client Computers. You can also check for the occurrence of individual SEE events on a given Client Computer.
This information is spread across three separate sources:

- Data exported from a Client Monitor Watchlist;
- A Resultant Set of Policy (RSoP) report generated using the Group Policy Management Console (GPMC); and
- The Windows System Event viewer.

Exporting Watchlist Data

In the SEE Manager, create a new Client Monitor Watchlist by selecting the user and/or computer objects of interest, then dragging and releasing them on top of the Client Monitor snap-in.

1. Select New Watchlist, right-click, and choose Export. A window appears prompting you for a name and location for the exported text file. By default, it uses the name of the Watchlist as the name of the file.
2. Navigate to the desired location and click OK to save the file with the default name New Watchlist.txt.

The export operation creates two files at the target location you selected: New Watchlist.txt and New Watchlist statistics.txt.

The file New Watchlist.txt is a semicolon-delimited text version of the contents of the Watchlist. The same column headings visible in the Watchlist appear on the first line, with data for each user and computer object appearing on subsequent lines. The order in which the user and computer data appear reflects the sort order at the time the Watchlist data was exported. The default column headings exported are Computer, Name, Account, Role, Last Check-In (date and time), and HD Encryption (status).

The file New Watchlist statistics.txt contains the following statistics about the user and computer objects in the Watchlist:

- Number of computers;
- Number of distinct SEE user accounts, including Client Administrators;
- Number of computers with SEE Full Disk installed;
- Number of computers with encrypted hard drives; and
- Number of computers with non-encrypted hard drives.

You may import the exported Watchlist data text files into other applications for further processing, customized report generation, and output.

Using the Group Policy Results Wizard

The Group Policy Management snap-in features a reporting facility which allows you to verify that the SEE policies you assigned to Client Computers or users were actually processed as intended.
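As an added example (not part of the Symantec guide or product), the Python sketch below processes a Watchlist export of the kind described under Exporting Watchlist Data and flags computers that have never checked in, which the guide says limits recovery to Recover /A and /D, along with stale check-ins and drives that are not in the Encrypted state. The timestamp layouts, the treatment of a blank Last Check-In as "never", the 30-day threshold, and all sample hosts, accounts and role labels are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Default column headings named in the guide for the exported Watchlist file.
COLUMNS = ["Computer", "Name", "Account", "Role", "Last Check-In", "HD Encryption"]
# HD Encryption states listed in the guide's Table 5.1.
KNOWN_STATES = {"Decrypted", "Mixed", "Encrypted", "Encrypting", "Decrypting"}
# ASSUMPTION: the guide does not give the timestamp layout; adjust to your export.
TIME_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%m/%d/%Y %H:%M:%S", "%Y-%m-%d %H:%M:%S")

# Constructed sample data (hypothetical hosts, accounts and role labels).
SAMPLE_EXPORT = """\
Computer;Name;Account;Role;Last Check-In;HD Encryption
LAB-PC01;Mary Brown;mbrown;Client Administrator;03/02/2009 09:15:00 AM;Encrypted
LAB-PC01;Pat Lee;plee;User;03/02/2009 09:15:00 AM;Encrypted
LAB-PC02;Pat Lee;plee;User;;Encrypting
LAB-PC03;Sam Ortiz;sortiz;User;01/05/2009 04:40:00 PM;Decrypted
LAB-PC04;Mary Brown;mbrown;Client Administrator;02/27/2009 11:02:00 AM;Mixed
"""


def parse_check_in(value):
    """Return a datetime, or None when the field is blank or unparseable."""
    value = value.strip()
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def load_watchlist(text):
    """Parse the semicolon-delimited export into one record per computer.

    The export has one row per user/computer pair, so a computer with
    several registered accounts appears more than once and is merged here.
    """
    reader = csv.reader(io.StringIO(text.lstrip("\ufeff")), delimiter=";")
    rows = [r for r in reader if any(cell.strip() for cell in r)]
    if not rows:
        raise ValueError("export is empty")
    header = [h.strip() for h in rows[0]]
    missing = [c for c in COLUMNS if c not in header]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")

    computers = {}
    for raw in rows[1:]:
        rec = dict(zip(header, (cell.strip() for cell in raw)))
        name = rec.get("Computer", "")
        if not name:
            continue
        entry = computers.setdefault(
            name.upper(),
            {"computer": name, "accounts": set(), "last_check_in": None, "state": ""},
        )
        if rec.get("Account"):
            entry["accounts"].add(rec["Account"])
        seen = parse_check_in(rec.get("Last Check-In", ""))
        if seen and (entry["last_check_in"] is None or seen > entry["last_check_in"]):
            entry["last_check_in"] = seen
        entry["state"] = rec.get("HD Encryption", "") or entry["state"]
    return computers


def triage(computers, now, max_age_days=30):
    """Group computer names by the follow-up they need."""
    findings = {"never_checked_in": [], "stale": [], "not_encrypted": [], "unknown_state": []}
    cutoff = now - timedelta(days=max_age_days)
    for entry in sorted(computers.values(), key=lambda e: e["computer"].upper()):
        name = entry["computer"]
        if entry["last_check_in"] is None:
            # No check-in recorded: per the guide, only Recover /A and /D are available.
            findings["never_checked_in"].append(name)
        elif entry["last_check_in"] < cutoff:
            findings["stale"].append(name)
        if entry["state"] not in KNOWN_STATES:
            findings["unknown_state"].append(name)
        elif entry["state"] != "Encrypted":
            findings["not_encrypted"].append(name)
    return findings


if __name__ == "__main__":
    report = triage(load_watchlist(SAMPLE_EXPORT), now=datetime(2009, 3, 3))
    for finding, hosts in report.items():
        print(f"{finding}: {', '.join(hosts) or '-'}")
```

A value in unknown_state usually means the export uses different column contents than assumed here, so check the header line and state names of a real export before relying on the other lists.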
This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report. The initial SEE installation settings as deployed using the Framework and Full Disk client MSI packages will not appear in the RSoP report, and only those settings deployed using SEE GPOs will be shown in the RSoP.

To generate an RSoP report, perform the following steps:

1. Open the SEE Manager, and in the left pane, expand Group Policy Management, then expand Group Policy Results.
2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard.
3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer.
4. Type the name of the computer for which you wish to generate a Group Policy Report, then click Next.
5. In the screen that follows, select the specific user on the computer, then click Next.
6. Click Next at the summary screen, then click Finish.
7. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report, and displays the information in several tabs of the content pane on the right.
8. Click on the Settings tab of the Group Policy Results window in the pane on the right.
9. This window shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration.
10. Within the section named Computer Configuration, locate the sub-section named Administrative Templates. SEE uses registry-based policies, and any SEE computer policies you create and apply will show up within the sub-sections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Full Disk. For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window.
11. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework section by clicking on the Show link on the right. That sub-section will expand to reveal all Framework policies currently in effect.

Figure 4.3 RSoP Report From an SEE Client

Figure 4.3 shows that a Client Administrator policy has been applied, and that both Client Administrators, mbrown and mwilliams, use password authentication and can unregister SEE accounts.

Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in which to save the HTML report.
Some SEE policies create other settings in the client registry which show up in the RSoP as Extra Registry Settings. These represent internal registry values used by the particular SEE policy and can be ignored.

Windows System Event Viewer Monitoring

All security-related system events are logged on the SEE Client where they may be viewed remotely by an administrator using the Windows System Event viewer.

To view SEE-specific system events logged on a specific computer, perform the following steps:

1. Open a Run dialog from the Windows Start menu.
2. Type eventvwr.msc and click OK.
3. An Event Viewer console window opens showing the events on your local computer.
4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose Connect to another computer.
5. In the Select Computer dialog, make sure that the Another computer option is selected, then click Browse.
6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK.
7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another computer.
8. Choose View and click Filter to open the Application Properties window.
9. From the Event Source drop-down list box, choose Encryption Anywhere and click Apply.
10. This filters the event log for that computer to show only SEE events. Drag the Application Properties window away from the Event Viewer window, but leave it open.
11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Events Properties window for that event.

The Description field contains information about that particular SEE event. To inspect other events in the log, use the up and down arrow buttons in the upper right of the Events Properties window.

To filter out all events other than a desired event, click on the Application Properties window.
In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified.
Figure 4.4 SEE System Events

For a complete list of all SEE-specific system events, their event code numbers, and descriptions of the events, refer to Framework System Events List on page 40 and Full Disk System Events List on page 50.

The Management Password

The Management Password is used by SEE to control administrator access to two help desk functions: Recover /B and the One-Time Password Program. These two functions use the Management Password in the following ways:

- SEE Policy Administrators or other support personnel who have access to the Management Password snap-in must type the Management Password before they can export computer-specific hard disk recovery files (see Full Disk Recovery Data File Generation on page 17).
- SEE Client Administrators must type the Management Password before they are allowed to run the One-Time Password Program.

Because the Management Password is shared among support personnel, you should establish a protocol for all Management Password changes. This will avoid the situation of one administrator changing the Management Password and preventing other administrators from performing help desk functions which require the Management Password. The Management Password should be backed up in a safe location, as there is no mechanism available for recovering a lost Management Password.

Setting the Management Password

During the initial installation of the SEE Manager, you will be prompted to type the Management Password. Thereafter, and for subsequent installations of the SEE Manager, the fact that the Management Password has already been set will be detected by the installer, and you will not be prompted to set the Management Password again. When the Management Password is first set, a hash of the password is stored in the SEE Server.
Therefore, the sequence of SEE Manager installation screens will be different depending on whether or not the SEE Manager has already been installed and the Management Password has already been set.
Changing the Management Password

To change the Management Password, perform the following steps:

1. Open the SEE Manager.

Figure 4.5 The Management Password Snap-in

2. In the navigation pane on the left, click on the Management Password snap-in.
3. In the pane on the right, type the existing Management Password, type a new Management Password between characters in length, and type the new Management Password again to confirm.
4. Click OK. A dialog will appear confirming that the new password was accepted. Click OK.

If you are not a member of the ADAM Admins group, you will be prompted to authenticate to the SEE Server.
5. SEE Full Disk

Remote Decryption

The remote decryption policy is used by Policy Administrators to decrypt all encrypted disk partitions on computers protected by SEE Full Disk without having to physically send a Client Administrator to the location(s) of the computers. Client computers receiving this policy will commence decryption once the policy has been processed. Processing of the policy takes approximately five minutes.

Creating a Remote Decryption Policy

To create a remote decryption policy, perform the following steps:

1. Right-click Group Policy Objects on the navigation tree.
2. Click New. The New GPO (Group Policy Object Editor) window displays.
3. Type the name of the Group Policy Object you wish to create.
4. Click OK. The new Group Policy Object you created will be displayed in the navigation tree.
5. Right-click the new Group Policy Object on the navigation tree.
6. Click Edit. The Group Policy Object Editor (GPOE) displays.
7. Click Software Settings, expand Symantec Endpoint Encryption, expand Symantec Endpoint Encryption - Full Disk Edition, then click Remote Decryption.

Figure 5.1 Full Disk Computer Policy Remote Decryption

8. Choose the Change this Setting radio button.
9. Select the Decrypt all disk partitions check box.
10. Click Save.
11. Close the GPOE window.
12. Drag and drop to link the policy to the target location containing the computers you wish to decrypt.
13. Monitor decryption progress using the Client Monitor.

Monitoring Encryption Status

After you have deployed a remote decryption policy, you can monitor decryption progress of the computers in your Watchlist by examining the HD Encryption column of the Watchlist. The hard drive encryption status of a computer may be Decrypted, Mixed, Encrypted, or Encrypting. These states are defined in the following table.

Table 5.1 Partition Encryption States

Status       Definition
Decrypted    The partitions are in a decrypted state.
Mixed        The partitions are in a mixture of states, neither fully encrypted nor fully decrypted.
Encrypted    The partitions are in an encrypted state.
Encrypting   The partitions are in the process of being encrypted.
Decrypting   The partitions are in the process of being decrypted.

Autologon Basics

Autologon is used by Policy Administrators for remotely deploying software to computers protected by SEE Full Disk. Many software installation packages require one or more restarts of the target computer, and Autologon will automatically authenticate without user or administrator intervention.

The Policy Administrator defines a window of time during which Autologon remains active, along with the total number of restarts that may occur within the defined period. When either the total number of restarts has been reached, the defined time window has elapsed, or the computer shuts down for more than five minutes, the Autologon feature terminates.

Once Autologon initiated by a given Full Disk Computer Policy Autologon GPO has terminated, subsequent invocations of the Autologon feature require that you either update the existing GPO and select new Autologon settings or create a new Full Disk Computer Policy Autologon GPO with the desired settings.
The Autologon policy will take effect approximately five minutes after receipt.

Because this policy temporarily bypasses the normal logon process for SEE Full Disk, computers receiving this policy will be in a state of heightened vulnerability while Autologon remains active. To minimize the associated risks, make certain that you carefully review the number of reboots allowed and the inclusive dates and times that Autologon will remain active before linking a GPO containing this policy.
Policy Creation

This section explains the options found on the Full Disk Computer Policy - Autologon panel shown in Figure 5.2.

Figure 5.2 Full Disk Computer Policy Autologon

When the default option Boot only after user authentication to SEE is selected, the Autologon feature is deactivated, and Client Computers receiving the policy will only boot after user authentication.

To activate the Autologon feature, select the Boot up to radio button and type the maximum number of Autologon restarts you wish to occur, from 1 to 999, in the text box. Autologon will deactivate itself if either the specified number of restarts has been reached or the specified active period has elapsed. Autologon will also automatically deactivate itself five minutes after the computer has been shut down, thus limiting exposure should the computer be stolen while an Autologon policy is in effect.

When the Autologon feature is activated, use the eight controls provided to define the inclusive starting and ending period during which the Autologon feature will be active. The start and end dates and times must be within a valid range in order for the Autologon feature to function as intended.

If a Client Computer has a pending lockout condition due to a failure to communicate within the period of time specified in either the Full Disk Installation Settings Client Monitor or Full Disk Computer Policy Client Monitor panels, an Autologon policy applied will pre-empt the lockout condition for as long as the Autologon policy is in effect. This is to ensure that a communication lockout condition does not disrupt the completion of the Autologon process.

Indefinite Autologon

Autologon can also be used to suppress SEE Full Disk authentication indefinitely. To turn on this indefinite Autologon mode, choose an ending year of --- in the drop-down list box.
In this mode, it is recommended that you follow good security practices to secure the computer, such as setting a Windows administrator password and requiring token-based Windows authentication. Remove this policy to restore the secure authentication provided by SEE Full Disk. Note that the five-minute self-deactivation behavior is suppressed when indefinite Autologon mode is used.
6. SEE Server

Overview

This chapter discusses various aspects of administration of the SEE Server instance(s), including details about the ADAM client account and ADAM Administrator account, instructions on how to back up and restore the SEE Server instance(s), as well as use of the Recover OTP Keys Utility and batch file.

ADAM Account Password Changes

The two domain user accounts created during the installation of the SEE Server are:

- An ADAM Administrator domain user account which is used by the SEE snap-ins for communication with the SEE Server, and
- An ADAM client domain user account which is used by the SEE Client Computers for communication with the SEE Server.

Additionally, when the SEE Server is installed on a domain controller, a domain account is created for use by the SEE Server instance.

Good security practice dictates that account passwords be changed regularly. For regular Windows user accounts, users are typically prompted to change their passwords in response to a Windows password policy. Because the ADAM accounts are not associated with specific users but instead are used by the SEE snap-ins and SEE Client application, any changes to the passwords for these accounts could cause an interruption in operation to either or both the administrative functions of SEE, or result in a communication failure between the SEE Server and the SEE Client Computers.

To prevent such failures from taking place while allowing for regular password changes for the ADAM accounts, you should observe the following if you plan to change the password or expire the account of the ADAM client account. Create a new GPO, enter the new ADAM client credentials in the Framework Computer Policy - Client Monitor settings panel, and apply this GPO containing the updated ADAM client information to all SEE Client Computers. This will ensure that the SEE Client Computers will have uninterrupted communication with the SEE Server.
SEE Server Backup and Restore

The need for a comprehensive back-up strategy goes beyond the obvious immediate goal of maintaining a high availability system. Making frequent backups provides the ability to quickly restore previously deleted objects or to roll back a set of modifications to a previous version with minimum impact on users. Although the scenarios presented here use the Windows backup utility, you may use any backup utility capable of doing a System State back-up.

The various data comprising the SEE system is stored in two places:

- Active Directory holds the user, group, and policy information.
- The SEE Server is the repository for all keying material, Full Disk recovery data, status, and other information generated by client workstations.

A full backup or restore of an SEE installation requires that all data files associated with both the Active Directory and the SEE Server environments be backed up or restored separately. Because most organizations already perform a regular backup of Active Directory, backing up the SEE Server is the only additional task necessary. This section shows the individual steps necessary for accomplishing a back-up and restore of the SEE data stored in the SEE Server.
SEE Server Backup and Restore Basics

Both Active Directory and the SEE Server may be backed up in place while they are running; however, they may be restored only when they are offline. Taking Active Directory off-line entails restarting in Directory Restore Mode. Because ADAM runs as a system service, taking the SEE Server offline only requires stopping the ADAM instance while the back-up is executing. The SEE Server instance may be restarted at the end of the back-up or restore operation. Back-ups made while the SEE Server or Active Directory is running may not reflect any changes written to them while the back-up operation is executing.

Authoritative Restore vs. Non-Authoritative Restore

Multiple 2003 Servers used together offer built-in load balancing and fault tolerance by replicating any directory changes between domain controllers. A server containing a current copy of data is said to be authoritative, while a non-authoritative domain controller would be one containing older data, such as one that has just been restored from a back-up and has not yet been updated.

It's a good idea to run multiple domain controllers to take advantage of this fault-tolerant behavior, but if you are only operating a single domain controller and thus cannot update a restored server from a second one via replication, you will instead need to perform a partial or full authoritative restore using the ntdsutil command line utility. A partial or full authoritative restore may also be necessary in cases where objects or subtrees have been deleted or corrupted, or if you wish to roll back object modifications to a previous version.

ADAM Components to be Backed up

Database and log files specific to the SEE Server instance reside in the path:

   \%ProgramFiles%\Microsoft ADAM\Instance Name

where Instance Name is the SEE Server instance name.
ADAM application files and administration tools reside in the path:

   \%windir%\adam

Example Scenarios for SEE Server Backup and Restore

The following scenario demonstrates a backup followed by an authoritative restore and verify.

Backing up an ADAM Instance

1. Click Start, point to All Programs, point to Accessories, point to System Tools, then click Backup.
2. In the Backup or Restore Wizard, click the link for Advanced Mode.
3. Click the Backup tab, and then, on the Job menu, click New.
4. From the Tools menu, click Options. In the Restore tab of Options, click Always replace the file on my computer.
5. To select an instance of ADAM folders to back up, select the check box to the left of the folders. The following table lists default ADAM file directories:

   Directory: \%ProgramFiles%\Microsoft ADAM\Instance Name (where Instance Name indicates the ADAM instance name)
   Contents:  Database files and log files

   The application files and administration tools are stored in \%windir%\adam. To back up the system state, select the System State check box.

1. In Backup destination:
   - To back up files and folders to a file, click File.
   - To back up files and folders to a tape, select a tape drive.
   If a tape drive is not connected to the computer, the Backup destination option is unavailable and is automatically set to File.
2. In Backup media or file name:
   - When backing up files and folders to a file, type a path and file name for the backup (BKF) file, or click Browse to find a file.
   - If backing up files and folders to a tape, select the tape to use.
3. To select another backup option, such as the backup type and the backup log type, on the Tools menu, click Options.
4. Click Start Backup, and then make any changes in the Backup Job Information dialog box.
5. To set advanced backup options, such as data verification or hardware compression, click Advanced.
6. Click Start Backup to start the backup operation.

If data has been backed up from an NTFS volume, it is recommended that you restore the data to an NTFS volume which uses the same version of NTFS in order to prevent loss of data.

Restoring an ADAM Instance

To restore a backup of an ADAM instance, stop the ADAM instance using the Services Administrative Tool and then use the Windows interface of Backup to perform the restore operation.

If objects in the directory are inadvertently deleted or modified and if those objects are replicated in a configuration set, you must authoritatively restore those objects so that the correct version of the objects is replicated.

Non-Authoritative Restore of an ADAM Instance

1. After stopping the ADAM instance, open Backup. Click Start, point to All Programs, point to Accessories, point to System Tools, then click Backup.
2. In the Backup or Restore Wizard, click the link for Advanced Mode.
3. In Advanced Mode, click the Restore and Manage Media tab.
4. Select the backup file for the instance to restore by clicking its checkbox.
5. In Restore files to, click Original location.
6. From the Tools menu, click Options. In the Restore tab of Options, click Always replace the file on my computer. Click OK.
7. Click Start Restore.
8. When the Confirm Restore dialog appears, click OK.
9. When the restore is done, click Close in the Restore Progress dialog.

After restoring a backup of an ADAM instance, perform the authoritative restore of the ADAM instance.

Authoritative Restore of an ADAM Instance

Open an ADAM tools command prompt.

1. Click Start, point to All Programs, point to ADAM, then click ADAM Tools Command Prompt.
2. At the command prompt, type dsdbutil.
3. At the dsdbutil prompt, type authoritative restore.
4. At the authoritative restore prompt, type one of the commands listed in the following table.

Table 6.1 Authoritative Restore Commands

Command                Description
restore database       Performs authoritative restore of the entire directory database
restore object [dn]    Performs authoritative restore of the directory object whose distinguished name is represented by [dn]
restore subtree [dn]   Performs authoritative restore of the directory subtree whose distinguished name is represented by [dn]

The ADAM instance has now been restored.

Backup and Restore of the OTP Keys

The OTP keys are critical key material used for various SEE tasks. These keys are created the very first time the SEE Framework is installed on a Manager Computer. The ability to restore an existing set of OTP keys from a backup is crucial to SEE Server recovery.

OTP Key Backup

When the OTP keys are created during the SEE Framework installation process, you are prompted to save a backup of the OTP keys. This backup, known as the random string backup, is encrypted using the Management Password.

You can also perform a backup of the OTP keys after they have been created. Using a batch file, RecoverOTP.bat, you can extract the OTP key data from the SEE Server and save it in standard LDF format.

Using the RecoverOTP Batch File

Note that the RecoverOTP batch file uses the ldifde.exe utility installed as part of ADAM and must be run from the SEE Server.

1. Launch the RecoverOTP batch file to see the command syntax.

Figure 6.1 RecoverOTP Batch File, Usage

In this example, we are exporting a backup of the OTP keys that we can import later using the same batch file.
2. Invoke the RecoverOTP batch file with the following command-line parameters:

   RecoverOTP /export "[path]\filename.ldf" port username domain password

   where [path] is the actual path on the SEE Server where you want to save the exported key file filename.ldf, port is the port used by the SEE Server, and username, domain, and password are the credentials of the ADAM administrator account.

Figure 6.2 RecoverOTP Batch File, Command Line for Export

The export process is shown in the following screen shot.

Figure 6.3 RecoverOTP Batch File, Export Completed

3. Once completed, press any key to exit the batch file.

The OTP keys have now been exported and saved.

OTP Key Restore

Two methods are available for restoring OTP key data:

- Recover OTP Keys Utility, and
- RecoverOTP batch file.

The Recover OTP Keys Utility is a stand-alone application that restores the OTP Key data from a random string backup file. The RecoverOTP batch file restores a previously saved LDF format backup to the SEE Server.

These tools are designed to be used in the following situations:

- You are restoring to a freshly prepared SEE Server, the SEE Framework has not been installed, and the OTP keys have not been generated.
- Any existing OTP keys have been manually deleted using ADAM ADSI Edit (see Remove Existing OTP Keys on page 37).

Whether restoring using the Recover OTP Keys Utility or the batch file, the target SEE Server you are restoring to should not contain OTP keys.
Using the Recover OTP Keys Utility

1. Launch the Recover OTP Keys Utility, RecoverOTPKeys.exe.

Figure 6.4 Recover OTP Keys Utility

2. In the ADAM admin username and ADAM admin password boxes, type the credentials of the ADAM administrator account. Click Connect to ADAM. The status window shows a list of discovered ADAM instances.

Figure 6.5 Recover OTP Keys Utility, Connected to ADAM
3. Click Check OTP keys. This searches ADAM for an existing set of OTP keys. The status window shows the results of the search.

Figure 6.6 Recover OTP Keys Utility, Check OTP keys

In Figure 6.6, the status window indicates that existing OTP keys have been found and that they must be removed before continuing. If your ADAM instance contains existing OTP keys, see Remove Existing OTP Keys on page 37.

If you are restoring to a fresh installation of the SEE Server that has not yet been populated with OTP keys, the status window indicates that the OTP key pair was not found in ADAM (see Figure 6.7).
Figure 6.7 Recover OTP Keys Utility, OTP Key Pair Missing

You are now ready to restore the OTP key pair from the random string backup you saved as part of the SEE Framework installation process.

4. Click Browse, navigate to the random string backup file and select it, then click OK.

5. In Management Password, type the character Management Password you established when saving the random string backup. Type the password again in Confirm Password.

6. Click Create new OTP keys. The Confirm OTP creation dialog appears, showing the LDAP address of the AdminsStore object being created in ADAM. Click Yes.

Figure 6.8 Confirm OTP Creation
7. The status window of the Recover OTP Keys Utility indicates that the OTP key pair was successfully restored.

Figure 6.9 Recover OTP Keys Utility, OTP Key Pair Created

8. Click Close.

The OTP keys have now been restored. If you are running multiple SEE Servers, you should initiate a manual replication operation to make sure that all SEE Servers in the system will use the OTP keys you have just restored.

Using the RecoverOTP Batch File

Note that the RecoverOTP batch file uses the ldifde.exe utility installed as part of ADAM and must be run from the SEE Server.

1. Launch the RecoverOTP batch file to see the command syntax.

Figure 6.10 RecoverOTP Batch File, Usage
In this example, we are importing a backup of the OTP keys that we exported previously using the same batch file.

2. Invoke the RecoverOTP batch file with the following command-line parameters:

   RecoverOTP /import "[path]\filename.ldf" port username domain password

   where [path] is the actual path on the SEE Server where the previously exported file filename.ldf was saved, port is the port used by the SEE Server, and username, domain, and password are the credentials of the ADAM administrator account.

Figure 6.11 RecoverOTP Batch File, Command Line for Import

3. The import process is shown in the following screen.

Figure 6.12 RecoverOTP Batch File, Import Completed

4. Once completed, press any key to exit the batch file.

The OTP keys have now been restored. If you are running multiple SEE Servers, you should initiate a manual replication operation to make sure that all SEE Servers in the system will use the OTP keys you have just restored.

Remove Existing OTP Keys

Use the following steps to manually remove the OTP keys from the SEE Server by binding to the ADAM instance and deleting the AdminsStore object.

Exercise extreme caution when performing this procedure, as objects deleted from ADAM can only be restored from a valid backup. Deleting other objects from the SEE Server can cause serious problems, such as loss of client connectivity and the ability to recover client data.

1. Click Start, point to All Programs, point to ADAM, then click ADAM ADSI Edit. The ADAM ADSI Edit snap-in opens.

2. In the left pane, select the top-level node named ADAM ADSI Edit, right-click, and choose Connect to.
Figure 6.13 ADAM ADSI Edit, Bind to the ADAM Instance

3. In the Connection Settings window, use the following settings to bind to the SEE Server instance:

   - In the Server name box, use the default value localhost.
   - In the Port box, type 389 (or whatever LDAP port number you specified during ADAM installation).
   - Click Distinguished name (DN) or naming context, and in the box type dc=encryptionanywhere,dc=com
   - Click This account, select the domain user account of the ADAM Admin from the User name list, then type in the password for that account.

4. Click OK to bind to the SEE Server instance.

5. Once your credentials have been accepted, expand the My Connection object in the left navigation pane of the snap-in window. Expand the container named dc=encryptionanywhere,dc=com and click on the container OU=AdminsStore. In the right pane, right-click the CN=AdminPassRecovery object and choose Delete. Click Yes to confirm the delete operation.
Figure 6.14 ADAM ADSI Edit, Delete AdminsPassRecovery Object

The AdminPassRecovery object, including the OTP keys, has been deleted. You are now ready to restore the OTP keys using either the Recover OTP Keys Utility or the RecoverOTP batch file.
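A guarded wrapper for the batch-file restore described above, as an added example that is not part of the guide or of Symantec's tooling: it refuses to import when the target ADAM instance already holds CN=AdminPassRecovery, and confirms the object exists afterwards. The function names, the RecoverOTP.bat location, the sample backup path, PowerShell 4.0 or later and the use of a PSCredential are assumptions; the DN components and the RecoverOTP argument order come from the steps above.

```powershell
# Added example (not Symantec code). Hypothetical: function names and the default
# RecoverOTP.bat path. From the guide: DN components and RecoverOTP argument order.
# Assumes PowerShell 4.0+ on the SEE Server (Get-FileHash).
Add-Type -AssemblyName System.DirectoryServices

$OtpDn = 'CN=AdminPassRecovery,OU=AdminsStore,dc=encryptionanywhere,dc=com'

function Test-OtpKeysPresent {
    # Returns $true if the AdminPassRecovery object exists in the ADAM instance.
    param(
        [Parameter(Mandatory = $true)] [pscredential] $Credential,  # ADAM administrator
        [string] $Server = 'localhost',
        [int]    $Port   = 389      # LDAP port chosen during ADAM installation
    )
    $net  = $Credential.GetNetworkCredential()
    $user = if ($net.Domain) { '{0}\{1}' -f $net.Domain, $net.UserName } else { $net.UserName }
    $path = 'LDAP://{0}:{1}/{2}' -f $Server, $Port, $OtpDn
    $entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path, $user, $net.Password
    try {
        $entry.psbase.RefreshCache()    # forces the bind and the read
        return $true
    }
    catch {
        # HRESULT 0x80072030: "There is no such object on the server"
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Runtime.InteropServices.COMException] -and
            $inner.ErrorCode -eq -2147016656) {
            return $false
        }
        throw    # bad credentials or an unreachable server must not read as "no keys"
    }
    finally {
        $entry.psbase.Dispose()
    }
}

function Import-OtpKeysGuarded {
    param(
        [Parameter(Mandatory = $true)] [string] $LdfPath,
        [Parameter(Mandatory = $true)] [pscredential] $Credential,
        [int]    $Port = 389,
        [string] $RecoverOtp = '.\RecoverOTP.bat'    # assumed location of the batch file
    )
    $net = $Credential.GetNetworkCredential()
    if (-not $net.Domain) {
        # RecoverOTP expects username, domain and password in that order;
        # an empty domain would misalign them.
        throw 'Supply the credential as DOMAIN\username.'
    }
    if (-not (Test-Path -LiteralPath $LdfPath -PathType Leaf)) {
        throw "Backup file not found: $LdfPath"
    }
    if (Test-OtpKeysPresent -Credential $Credential -Port $Port) {
        throw "OTP keys already exist at $OtpDn; the target must not contain OTP keys."
    }

    # Hash the backup before use so the change record names the exact file restored.
    $sha256 = (Get-FileHash -LiteralPath $LdfPath -Algorithm SHA256).Hash

    # RecoverOTP takes the password as a plain argument, so it is visible in the
    # process command line while the batch file runs; use a restricted admin session.
    # The batch file waits for a key press before it exits.
    & $RecoverOtp /import $LdfPath $Port $net.UserName $net.Domain $net.Password

    if (-not (Test-OtpKeysPresent -Credential $Credential -Port $Port)) {
        throw 'Import finished but AdminPassRecovery was not found; check the ldifde output.'
    }
    [pscustomobject]@{
        Restored  = $true
        Object    = $OtpDn
        BackupSha = $sha256
        Reminder  = 'Start a manual replication if you run multiple SEE Servers.'
    }
}

# Usage (interactive; the path is a constructed sample):
# Import-OtpKeysGuarded -LdfPath 'D:\backup\otpkeys.ldf' -Credential (Get-Credential)
```

The exported .ldf file holds the same key material the guide calls critical, so store it with the same access restrictions as the random string backup.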
Appendix A

Framework System Events List

The following table lists the 196 individual SEE Framework generated Windows system events logged on the client. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a description of the event indicating the type, source, or policy that generated the event (Internal, Program Action, Initial Setting, Settings Change, or Utility).

Table A.1 Framework System Events
Event ID | Severity | Description
0 | Error | Internal: Cannot map event ID to string. Framework
1 | Info | Internal: Audit functions started. Framework
2 | Info | Internal: Audit functions ended. Framework
3 | Info | Program Action: Successful client logon/authentication attempted with password. Framework
4 | Warning | Program Action: Unsuccessful client logon/authentication attempted with password. Framework
5 | Info | Program Action: Successful client logon/authentication attempted with token. Framework
6 | Warning | Program Action: Unsuccessful client logon/authentication attempted with token. Framework
7 | Info | Program Action: Successful logon/authentication attempted with One-Time Password. Framework
8 | Warning | Program Action: Unsuccessful logon/authentication attempted with One-Time Password. Framework
9 | Info | Program Action: Successful logon/authentication attempted with Authenti-Check. Framework
10 | Warning | Program Action: Unsuccessful logon/authentication attempted with Authenti-Check. Framework
11 | Warning | Program Action: Number of client logon attempts exceeded the maximum allowed. Framework
12 | Info | Program Action: User password changed successfully. Framework
13 | Info | Program Action: User password changed unsuccessfully. Framework
14 | Warning | Program Action: User program uninstallation attempted. Framework
15 | Info | Program Action: User changed Authenti-Check questions and answers successfully. Framework
16 | Info | Program Action: Client Administrator has unregistered user. Framework
17 | Info | Program Action: User password resynchronized with Windows password. Framework
18 | Warning | Program Action: Computer locked due to failure to communicate with SEE Manager. Framework
19 | Warning | Program Action: User password expired. Framework
20 | Info | Program Action: User registration completed. Framework
21 | Warning | Program Action: Final grace logon reached. Framework
22 | Info | Program Action: User logged on after hibernation. Framework
23 | Info | Program Action: Client program installation attempted. Framework
24 | Info | Program Action: Client program upgrade attempted. Framework
25 | Info | Program Action: Grace logon attempted. Framework
26 | Info | Program Action: Authenti-Check questions and answers created. Framework
27 | Info | Program Action: User password created. Framework
28 | Info | Program Action: Token account created. Framework
29 | Info | Initial Setting: One-Time Password enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.
30 | Error | Initial Setting: One-Time Password enabled; policy failed. Framework Installation Settings - Authentication Assistance.
31 | Info | Initial Setting: One-Time Password not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.
32 | Error | Initial Setting: One-Time Password not enabled; policy failed. Framework Installation Settings - Authentication Assistance.
33 | Info | Initial Setting: Authenti-Check enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.
34 | Error | Initial Setting: Authenti-Check enabled; policy failed. Framework Installation Settings - Authentication Assistance.
35 | Info | Initial Setting: Authenti-Check not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.
36 | Error | Initial Setting: Authenti-Check not enabled; policy failed. Framework Installation Settings - Authentication Assistance.
37 | Info | Initial Setting: Authentication Assistance message; policy applied successfully. Framework Installation Settings - Authentication Assistance.
38 | Error | Initial Setting: Authentication Assistance message; policy failed. Framework Installation Settings - Authentication Assistance.
39 | Info | Initial Setting: Client Administrator accounts created; policy applied successfully. Framework Installation Settings - Client Administrators.
40 | Error | Initial Setting: Client Administrator accounts created; policy failed. Framework Installation Settings - Client Administrators.
41 | Info | Initial Setting: Client Monitor reporting status interval; policy applied successfully. Framework Installation Settings - Client Monitor.
42 | Error | Initial Setting: Client Monitor reporting status interval; policy failed. Framework Installation Settings - Client Monitor.
43 | Info | Initial Setting: ADAM client account; policy applied successfully. Framework Installation Settings - Client Monitor.
44 | Error | Initial Setting: ADAM client account; policy failed. Framework Installation Settings - Client Monitor.
45 | Info | Initial Setting: ADAM client password; policy applied successfully. Framework Installation Settings - Client Monitor.
46 | Error | Initial Setting: ADAM client password; policy failed. Framework Installation Settings - Client Monitor.
47 | Info | Initial Setting: Limit password attempts enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
48 | Error | Initial Setting: Limit password attempts enabled; policy failed. Framework Installation Settings - Password Authentication.
49 | Info | Initial Setting: Limit password attempts not enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
50 | Error | Initial Setting: Limit password attempts not enabled; policy failed. Framework Installation Settings - Password Authentication.
51 | Info | Initial Setting: Password management enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
52 | Error | Initial Setting: Password management enabled; policy failed. Framework Installation Settings - Password Authentication.
53 | Info | Initial Setting: Password management not enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
54 | Error | Initial Setting: Password management not enabled; policy failed. Framework Installation Settings - Password Authentication.
55 | Info | Initial Setting: Maximum password age enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
56 | Error | Initial Setting: Maximum password age enabled; policy failed. Framework Installation Settings - Password Authentication.
57 | Info | Initial Setting: Maximum password age not enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
58 | Error | Initial Setting: Maximum password age not enabled; policy failed. Framework Installation Settings - Password Authentication.
59 | Info | Initial Setting: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
60 | Error | Initial Setting: Password history (any previous password can be reused) enabled; policy failed. Framework Installation Settings - Password Authentication.
61 | Info | Initial Setting: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
62 | Error | Initial Setting: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Installation Settings - Password Authentication.
63 | Info | Initial Setting: Password complexity requirements for minimum password length met; policy applied successfully. Framework Installation Settings - Password Authentication.
64 | Error | Initial Setting: Password complexity requirements for minimum password length met; policy failed. Framework Installation Settings - Password Authentication.
65 | Info | Initial Setting: Non-alphanumeric characters allowed in password setting; policy applied successfully. Framework Installation Settings - Password Authentication.
66 | Error | Initial Setting: Non-alphanumeric characters allowed in password setting; policy failed. Framework Installation Settings - Password Authentication.
67 | Info | Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
68 | Error | Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters not met; policy failed. Framework Installation Settings - Password Authentication.
69 | Info | Initial Setting: Password complexity requirements for minimum number of uppercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
70 | Error | Initial Setting: Password complexity requirements for minimum number of uppercase characters not met; policy failed. Framework Installation Settings - Password Authentication.
71 | Info | Initial Setting: Password complexity requirements for minimum number of lowercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
72 | Error | Initial Setting: Password complexity requirements for minimum number of lowercase characters not met; policy failed. Framework Installation Settings - Password Authentication.
73 | Info | Initial Setting: Password complexity requirements for minimum number of digits met; policy applied successfully. Framework Installation Settings - Password Authentication.
74 | Error | Initial Setting: Password complexity requirements for minimum number of digits not met; policy failed. Framework Installation Settings - Password Authentication.
75 | Info | Initial Setting: Require registration password enabled; policy applied successfully. Framework Installation Settings - Registered Users.
76 | Error | Initial Setting: Require registration password enabled; policy failed. Framework Installation Settings - Registered Users.
77 | Info | Initial Setting: Require registration password not enabled; policy applied successfully. Framework Installation Settings - Registered Users.
78 | Error | Initial Setting: Require registration password not enabled; policy failed. Framework Installation Settings - Registered Users.
79 | Info | Initial Setting: Number of allowed user accounts setting; policy applied successfully. Framework Installation Settings - Registered Users.
80 | Error | Initial Setting: Number of allowed user accounts setting; policy failed. Framework Installation Settings - Registered Users.
81 | Info | Initial Setting: User authentication with password only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
82 | Error | Initial Setting: User authentication with password only setting enabled; policy failed. Framework Installation Settings - Registered Users.
83 | Info | Initial Setting: User authentication with token only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
84 | Error | Initial Setting: User authentication with token only setting enabled; policy failed. Framework Installation Settings - Registered Users.
85 | Info | Initial Setting: User can select authentication method setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
86 | Error | Initial Setting: User can select authentication method setting enabled; policy failed. Framework Installation Settings - Registered Users.
87 | Info | Initial Setting: Registration Wizard custom message; policy applied successfully. Framework Installation Settings - Registered Users.
88 | Error | Initial Setting: Registration Wizard custom message; policy failed. Framework Installation Settings - Registered Users.
89 | Info | Initial Setting: Grace restarts before registration setting; policy applied successfully. Framework Installation Settings - Registered Users.
90 | Error | Initial Setting: Grace restarts before registration setting; policy failed. Framework Installation Settings - Registered Users.
91 | Info | Initial Setting: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework Installation Settings - Token Authentication.
92 | Error | Initial Setting: User can authenticate with expired certificates setting enabled; policy failed. Framework Installation Settings - Token Authentication.
93 | Info | Initial Setting: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework Installation Settings - Token Authentication.
94 | Error | Initial Setting: User can authenticate with expired certificates setting not enabled; policy failed. Framework Installation Settings - Token Authentication.
95 | Info | Initial Setting: Single Sign-On enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.
96 | Error | Initial Setting: Single Sign-On enabled; policy failed. Framework Installation Settings - Single Sign-On.
97 | Info | Initial Setting: Single Sign-On not enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.
98 | Error | Initial Setting: Single Sign-On not enabled; policy failed. Framework Installation Settings - Single Sign-On.
99 | Info | Initial Setting: Encryption strength setting; policy applied successfully. Framework Installation Settings - Encryption.
100 | Error | Initial Setting: Encryption strength setting; policy failed. Framework Installation Settings - Encryption.
101 | Info | Initial Setting: Default log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.
102 | Error | Initial Setting: Default log file location enabled; policy failed. Framework Installation Settings - Installer Customization.
103 | Info | Initial Setting: Custom log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.
104 | Error | Initial Setting: Custom log file location enabled; policy failed. Framework Installation Settings - Installer Customization.
105 | Info | Settings Change: Authentication Assistance message modified; policy applied successfully. Framework Computer Policy - Authentication Assistance.
106 | Error | Settings Change: Authentication Assistance message modified; policy failed. Framework Computer Policy - Authentication Assistance.
107 | Info | Settings Change: One-Time Password enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
108 | Error | Settings Change: One-Time Password enabled; policy failed. Framework User Policy - Authentication Assistance.
109 | Info | Settings Change: One-Time Password not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
110 | Error | Settings Change: One-Time Password not enabled; policy failed. Framework User Policy - Authentication Assistance.
111 | Info | Settings Change: Authenti-Check enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
112 | Error | Settings Change: Authenti-Check enabled; policy failed. Framework User Policy - Authentication Assistance.
113 | Info | Settings Change: Authenti-Check not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
114 | Error | Settings Change: Authenti-Check not enabled; policy failed. Framework User Policy - Authentication Assistance.
115 | Info | Settings Change: Authenti-Check settings modified; policy applied successfully. Framework User Policy - Authentication Assistance.
116 | Error | Settings Change: Authenti-Check settings modified; policy failed. Framework User Policy - Authentication Assistance.
117 | Info | Settings Change: Client Administrator accounts modified; policy applied successfully. Framework Computer Policy - Client Administrators.
118 | Error | Settings Change: Client Administrator accounts modified; policy failed. Framework Computer Policy - Client Administrators.
119 | Info | Settings Change: Client Monitor reporting status interval modified; policy applied successfully. Framework Computer Policy - Client Monitor.
120 | Error | Settings Change: Client Monitor reporting status interval modified; policy failed. Framework Computer Policy - Client Monitor.
121 | Info | Settings Change: ADAM client account modified; policy applied successfully. Framework Computer Policy - Client Monitor.
122 | Error | Settings Change: ADAM client account modified; policy failed. Framework Computer Policy - Client Monitor.
123 | Info | Settings Change: ADAM client password modified; policy applied successfully. Framework Computer Policy - Client Monitor.
124 | Error | Settings Change: ADAM client password modified; policy failed. Framework Computer Policy - Client Monitor.
125 | Info | Settings Change: Limit password attempts enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
126 | Error | Settings Change: Limit password attempts enabled; policy failed. Framework Computer Policy - Password Authentication.
127 | Info | Settings Change: Limit password attempts not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
128 | Error | Settings Change: Limit password attempts not enabled; policy failed. Framework Computer Policy - Password Authentication.
129 | Info | Settings Change: Limit password attempts settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
130 | Error | Settings Change: Limit password attempts settings modified; policy failed. Framework Computer Policy - Password Authentication.
131 | Info | Settings Change: Password management enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
132 | Error | Settings Change: Password management enabled; policy failed. Framework Computer Policy - Password Authentication.
133 | Info | Settings Change: Password management not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
134 | Error | Settings Change: Password management not enabled; policy failed. Framework Computer Policy - Password Authentication.
135 | Info | Settings Change: Maximum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
136 | Error | Settings Change: Maximum password age enabled; policy failed. Framework Computer Policy - Password Authentication.
137 | Info | Settings Change: Maximum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
138 | Error | Settings Change: Maximum password age not enabled; policy failed. Framework Computer Policy - Password Authentication.
139 | Info | Settings Change: Maximum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
140 | Error | Settings Change: Maximum password age settings modified; policy failed. Framework Computer Policy - Password Authentication.
141 | Info | Settings Change: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
142 | Error | Settings Change: Password history (any previous password can be reused) enabled; policy failed. Framework Computer Policy - Password Authentication.
143 | Info | Settings Change: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
144 | Error | Settings Change: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Computer Policy - Password Authentication.
145 | Info | Settings Change: Password history (limit password reuse and days between changes) settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
146 | Error | Settings Change: Password history (limit password reuse and days between changes) settings modified; policy failed. Framework Computer Policy - Password Authentication.
147 | Info | Settings Change: Minimum password length setting modified; policy applied successfully. Framework Computer Policy - Password Authentication.
148 | Error | Settings Change: Minimum password length setting modified; policy failed. Framework Computer Policy - Password Authentication.
149 | Info | Settings Change: Non-alphanumeric characters allowed in password setting modified; policy applied successfully. Framework Computer Policy - Password Authentication.
150 | Error | Settings Change: Non-alphanumeric characters allowed in password setting modified; policy failed. Framework Computer Policy - Password Authentication.
151 | Info | Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy applied successfully. Framework Computer Policy - Password Authentication.
152 | Error | Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy failed. Framework Computer Policy - Password Authentication.
153 | Info | Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy applied successfully. Framework Computer Policy - Password Authentication.
154 | Error | Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy failed. Framework Computer Policy - Password Authentication.
155 | Info | Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy applied successfully. Framework Computer Policy - Password Authentication.
156 | Error | Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy failed. Framework Computer Policy - Password Authentication.
157 | Info | Settings Change: Change password complexity requirements for minimum number of digits; policy applied successfully. Framework Computer Policy - Password Authentication.
158 | Error | Settings Change: Change password complexity requirements for minimum number of digits; policy failed. Framework Computer Policy - Password Authentication.
159 | Info | Settings Change: Require registration password enabled; policy applied successfully. Framework Computer Policy - Registered Users.
160 | Error | Settings Change: Require registration password enabled; policy failed. Framework Computer Policy - Registered Users.
161 | Info | Settings Change: Require registration password not enabled; policy applied successfully. Framework Computer Policy - Registered Users.
162 | Error | Settings Change: Require registration password not enabled; policy failed. Framework Computer Policy - Registered Users.
163 | Info | Settings Change: Registration password modified; policy applied successfully. Framework Computer Policy - Registered Users.
164 | Error | Settings Change: Registration password modified; policy failed. Framework Computer Policy - Registered Users.
165 | Info | Settings Change: Number of allowed user accounts setting modified; policy applied successfully. Framework Computer Policy - Registered Users.
166 | Error | Settings Change: Number of allowed user accounts setting modified; policy failed. Framework Computer Policy - Registered Users.
167 | Info | Settings Change: User authentication with password only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users.
168 | Error | Settings Change: User authentication with password only setting enabled; policy failed. Framework Computer Policy - Registered Users.
169 | Info | Settings Change: User authentication with token only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users.
170 | Error | Settings Change: User authentication with token only setting enabled; policy failed. Framework Computer Policy - Registered Users.
171 | Info | Settings Change: User can select authentication method setting enabled; policy applied successfully. Framework Computer Policy - Registered Users.
172 | Error | Settings Change: User can select authentication method setting enabled; policy failed. Framework Computer Policy - Registered Users.
173 | Info | Settings Change: Registration Wizard custom message modified; policy applied successfully. Framework Computer Policy - Registered Users.
174 | Error | Settings Change: Registration Wizard custom message modified; policy failed. Framework Computer Policy - Registered Users.
175 | Info | Settings Change: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework User Policy - Token Authentication.
176 | Error | Settings Change: User can authenticate with expired certificates setting enabled; policy failed. Framework User Policy - Token Authentication.
177 | Info | Settings Change: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework User Policy - Token Authentication.
178 | Error | Settings Change: User can authenticate with expired certificates setting not enabled; policy failed. Framework User Policy - Token Authentication.
179 | Info | Settings Change: Single Sign-On enabled; policy applied successfully. Framework User Policy - Single Sign-On.
180 | Error | Settings Change: Single Sign-On enabled; policy failed. Framework User Policy - Single Sign-On.
181 | Info | Settings Change: Single Sign-On not enabled; policy applied successfully. Framework User Policy - Single Sign-On.
182 | Error | Settings Change: Single Sign-On not enabled; policy failed. Framework User Policy - Single Sign-On.
183 | Info | Program Action: The user was provided access to Windows using cached credentials and was not required to change their Windows password following successful completion of the password recovery process because there was no connectivity to a domain controller.
184 | Info | Program Action: Client Administrator [user name] unregistered user [user name].
185 | Info | Settings Change: Client Administrator [user name] was added; policy applied successfully.
186 | Info | Initial Setting: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
187 | Error | Initial Setting: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication.
188 | Info | Initial Setting: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
189 | Error | Initial Setting: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication.
190 Info Settings Change: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
191 Error Settings Change: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication.
192 Info Settings Change: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
193 Error Settings Change: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication.
194 Info Settings Change: Minimum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
195 Error Settings Change: Minimum password age settings modified; policy failed. Framework Computer Policy - Password Authentication.

Full Disk System Events List

The following table lists the 121 individual SEE Full Disk-generated Windows system events logged on the client. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a description of the event indicating the type, source, or policy that generated the event (Internal, Program Action, Initial Setting, Settings Change, or Utility).

Table A.2 Full Disk System Events
Event ID Severity Description
1000 Error Internal: Cannot map event ID to string. Hard Disk
1001 Info Internal: Audit functions started. Hard Disk
1002 Info Internal: Audit functions ended. Hard Disk
1003 Info Program Action: Successful pre-windows logon/authentication attempted with password. Hard Disk
1004 Warning Program Action: Unsuccessful pre-windows logon/authentication attempted with password. Hard Disk
1005 Info Program Action: Successful client logon/authentication attempted with password. Hard Disk
1006 Warning Program Action: Unsuccessful client logon/authentication attempted with password. Hard Disk
1007 Info Program Action: Successful pre-windows logon/authentication attempted with token. Hard Disk
1008 Warning Program Action: Unsuccessful pre-windows logon/authentication attempted with token. Hard Disk
1009 Info Program Action: Successful client logon/authentication attempted with token. Hard Disk
1010 Warning Program Action: Unsuccessful client logon/authentication attempted with token. Hard Disk
1011 Info Program Action: Successful logon/authentication attempted with One-Time Password. Hard Disk
1012 Warning Program Action: Unsuccessful pre-windows logon/authentication attempted with One-Time Password. Hard Disk
1013 Info Program Action: Successful logon/authentication attempted with Authenti-Check. Hard Disk
1014 Warning Program Action: Unsuccessful pre-windows logon/authentication attempted with Authenti-Check. Hard Disk
1015 Warning Program Action: Number of pre-windows logon attempts exceeded the maximum allowed. Hard Disk
1016 Warning Program Action: Number of client logon attempts exceeded the maximum allowed. Hard Disk
1017 Info Program Action: User password changed successfully. Hard Disk
1018 Info Program Action: User password changed unsuccessfully. Hard Disk
1019 Warning Program Action: User program uninstallation attempted. Hard Disk
1020 Info Program Action: User changed Authenti-Check questions and answers successfully. Hard Disk
1021 Info Program Action: Client Administrator has unregistered user. Hard Disk
1022 Info Program Action: User password resynchronized with Windows password. Hard Disk
1023 Warning Program Action: Computer locked due to failure to communicate with SEE Manager. Hard Disk
1024 Warning Program Action: User password expired. Hard Disk
1025 Info Program Action: User registration completed. Hard Disk
1026 Warning Program Action: Final grace logon reached. Hard Disk
1027 Warning Program Action: Partition decryption initiated. Hard Disk
1028 Warning Program Action: Partition decryption completed. Hard Disk
1029 Info Program Action: Partition encryption initiated. Hard Disk
1030 Info Program Action: Partition encryption completed. Hard Disk
1031 Info Program Action: User logged on after hibernation. Hard Disk
1032 Info Program Action: Client program installation attempted. Hard Disk
1033 Info Program Action: Client program upgrade attempted. Hard Disk
1034 Info Program Action: Grace logon attempted. Hard Disk
1035 Info Program Action: Authenti-Check questions and answers created. Hard Disk
1036 Info Program Action: User password created. Hard Disk
1037 Info Program Action: Token account created. Hard Disk
1038 Info Initial Setting: Client Monitor minimum contact period not enforced, policy applied successfully. Hard Disk Installation Settings - Client Monitor.
1039 Error Initial Setting: Client Monitor minimum contact period not enforced, policy failed. Hard Disk Installation Settings - Client Monitor.
1040 Info Initial Setting: Client Monitor minimum contact period enforced; policy applied successfully. Hard Disk Installation Settings - Client Monitor.
1041 Error Initial Setting: Client Monitor minimum contact period enforced; policy failed. Hard Disk Installation Settings - Client Monitor.
1042 Info Initial Setting: Encrypt all partitions upon installation enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1043 Error Initial Setting: Encrypt all partitions upon installation enabled; policy failed. Hard Disk Installation Settings - Encryption.
1044 Info Initial Setting: Encrypt specified partitions enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1045 Error Initial Setting: Encrypt specified partitions enabled; policy failed. Hard Disk Installation Settings - Encryption.
1046 Info Initial Setting: Let users choose partitions and start the encryption enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1047 Error Initial Setting: Let users choose partitions and start the encryption enabled; policy failed. Hard Disk Installation Settings - Encryption.
1048 Info Initial Setting: Custom Encryption Method enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1049 Error Initial Setting: Custom Encryption Method enabled; policy failed. Hard Disk Installation Settings - Encryption.
1050 Info Initial Setting: Fastest Encryption Method enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1051 Error Initial Setting: Fastest Encryption Method enabled; policy failed. Hard Disk Installation Settings - Encryption.
1052 Info Initial Setting: Allow data recovery in case of power failure enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1053 Error Initial Setting: Allow data recovery in case of power failure enabled; policy failed. Hard Disk Installation Settings - Encryption.
1054 Info Initial Setting: Allow data recovery in case of power failure not enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1055 Error Initial Setting: Allow data recovery in case of power failure not enabled; policy failed. Hard Disk Installation Settings - Encryption.
1056 Info Initial Setting: Include unused disk space when encrypting enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1057 Error Initial Setting: Include unused disk space when encrypting enabled; policy failed. Hard Disk Installation Settings - Encryption.
1058 Info Initial Setting: Include unused disk space when encrypting not enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1059 Error Initial Setting: Include unused disk space when encrypting not enabled; policy failed. Hard Disk Installation Settings - Encryption.
1060 Info Initial Setting: Client administrators can decrypt disk enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1061 Error Initial Setting: Client administrators can decrypt disk enabled; policy failed. Hard Disk Installation Settings - Encryption.
1062 Info Initial Setting: Client administrators can decrypt disk not enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1063 Error Initial Setting: Client administrators can decrypt disk not enabled; policy failed. Hard Disk Installation Settings - Encryption.
1064 Info Initial Setting: Registered users can decrypt disk enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1065 Error Initial Setting: Registered users can decrypt disk enabled; policy failed. Hard Disk Installation Settings - Encryption.
1066 Info Initial Setting: Registered users can decrypt disk not enabled; policy applied successfully. Hard Disk Installation Settings - Encryption.
1067 Error Initial Setting: Registered users can decrypt disk not enabled; policy failed. Hard Disk Installation Settings - Encryption.
1068 Info Initial Setting: Default client database file location enabled; policy applied successfully. Hard Disk Installation Settings - Installer Customization.
1069 Error Initial Setting: Default client database file location enabled; policy failed. Hard Disk Installation Settings - Installer Customization.
1070 Info Initial Setting: Custom client database file location enabled; policy applied successfully. Hard Disk Installation Settings - Installer Customization.
1071 Error Initial Setting: Custom client database file location enabled; policy failed. Hard Disk Installation Settings - Installer Customization.
1072 Info Initial Setting: Prefill the logon form with the most recent user name and domain enabled; policy applied successfully. Hard Disk Installation Settings - Logon.
1073 Error Initial Setting: Prefill the logon form with the most recent user name and domain enabled; policy failed. Hard Disk Installation Settings - Logon.
1074 Info Initial Setting: Prefill the logon form with the most recent user name and domain not enabled; policy applied successfully. Hard Disk Installation Settings - Logon.
1075 Error Initial Setting: Prefill the logon form with the most recent user name and domain not enabled; policy failed. Hard Disk Installation Settings - Logon.
1076 Info Initial Setting: Custom logon image selected; policy applied successfully. Hard Disk Installation Settings - Logon.
1077 Error Initial Setting: Custom logon image selected; policy failed. Hard Disk Installation Settings - Logon.
1078 Info Initial Setting: Custom logon image not selected; policy applied successfully. Hard Disk Installation Settings - Logon.
1079 Error Initial Setting: Custom logon image not selected; policy failed. Hard Disk Installation Settings - Logon.
1080 Info Settings Change: Client Monitor minimum contact period not enforced, policy applied successfully. Hard Disk Computer Policy - Client Monitor.
1081 Error Settings Change: Client Monitor minimum contact period not enforced, policy failed. Hard Disk Computer Policy - Client Monitor.
1082 Info Settings Change: Client Monitor minimum contact period enforced; policy applied successfully. Hard Disk Computer Policy - Client Monitor.
1083 Error Settings Change: Client Monitor minimum contact period enforced; policy failed. Hard Disk Computer Policy - Client Monitor.
1084 Info Settings Change: Client Monitor contact settings modified; policy applied successfully. Hard Disk Computer Policy - Client Monitor.
1085 Error Settings Change: Client Monitor contact settings modified; policy failed. Hard Disk Computer Policy - Client Monitor.
1086 Info Settings Change: Client administrators can decrypt disk enabled; policy applied successfully. Hard Disk User Policy - Local Decryption.
1087 Error Settings Change: Client administrators can decrypt disk enabled; policy failed. Hard Disk User Policy - Local Decryption.
1088 Info Settings Change: Client administrators can decrypt disk not enabled; policy applied successfully. Hard Disk User Policy - Local Decryption.
1089 Error Settings Change: Client administrators can decrypt disk not enabled; policy failed. Hard Disk User Policy - Local Decryption.
1090 Info Settings Change: Registered users can decrypt disk enabled; policy applied successfully. Hard Disk User Policy - Local Decryption.
1091 Error Settings Change: Registered users can decrypt disk enabled; policy failed. Hard Disk User Policy - Local Decryption.
1092 Info Settings Change: Registered users can decrypt disk not enabled; policy applied successfully. Hard Disk User Policy - Local Decryption.
1093 Error Settings Change: Registered users can decrypt disk not enabled; policy failed. Hard Disk User Policy - Local Decryption.
1094 Info Settings Change: Prefill the logon form with the most recent user name and domain enabled; policy applied successfully. Hard Disk Computer Policy - Logon.
1095 Error Settings Change: Prefill the logon form with the most recent user name and domain enabled; policy failed. Hard Disk Computer Policy - Logon.
1096 Info Settings Change: Prefill the logon form with the most recent user name and domain not enabled; policy applied successfully. Hard Disk Computer Policy - Logon.
1097 Error Settings Change: Prefill the logon form with the most recent user name and domain not enabled; policy failed. Hard Disk Computer Policy - Logon.
1098 Info Special Policy: Autologon (boot only after user authentication to SEE Manager) enabled; policy applied successfully. Hard Disk Computer Policy - Logon.
1099 Error Special Policy: Autologon (boot only after user authentication to SEE Manager) enabled; policy failed. Hard Disk Computer Policy - Logon.
1100 Info Special Policy: Autologon (boot as specified) enabled; policy applied successfully. Hard Disk Computer Policy - Logon.
1101 Error Special Policy: Autologon (boot as specified) enabled; policy failed. Hard Disk Computer Policy - Logon.
Info Special Policy: Autologon terminated
Info Special Policy: Pre-Windows Autologon success
Error Special Policy: Pre-Windows Autologon failure
Info Special Policy: Remote decryption of all disk partitions enabled; policy applied successfully. Hard Disk Computer Policy - Remote Decryption.
1106 Error Special Policy: Remote decryption of all disk partitions enabled; policy failed. Hard Disk Computer Policy - Remote Decryption.
Warning Utility: Access.exe initiated
Warning Utility: Recover /a attempted
Warning Utility: Recover /b attempted
Warning Utility: Windows recovery process attempted
Warning Utility: Recover /d attempted
Warning Utility: Recover /a successfully completed
Error Utility: Recover /a failed
Warning Utility: Recover attempted
Info Program Action: Logon delay of sixty seconds instituted
Info Program Action: Logon delay of sixty seconds lifted
Info Program Action: Normal operations resumed: logon delays will be instituted after [number] attempts, as per policy
Info Program Action: Client Administrator successfully extended the check-in due date
Warning Program Action: A Pre-Windows token logon failed because the PIN is blocked
Warning Program Action: Failed token
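As an added example (not part of the Symantec guide), the Python below triages Full Disk client events by the Event IDs given in Table A.2, flagging failed-logon bursts, lockouts, decryption or uninstall activity, and failed policy applications. The CSV layout, host names, time window and threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs and meanings as listed in Table A.2 (Full Disk System Events).
FAILED_AUTH = {
    1004: "pre-Windows password",
    1006: "client password",
    1008: "pre-Windows token",
    1010: "client token",
    1012: "pre-Windows One-Time Password",
    1014: "pre-Windows Authenti-Check",
}
LOCKOUT = {
    1015: "pre-Windows logon attempts exceeded the maximum allowed",
    1016: "client logon attempts exceeded the maximum allowed",
}
SENSITIVE = {
    1019: "user program uninstallation attempted",
    1023: "computer locked due to failure to communicate with SEE Manager",
    1027: "partition decryption initiated",
    1028: "partition decryption completed",
}
# In Table A.2 every odd ID from 1039 through 1101 is an Error "policy failed" event.
POLICY_FAILED = set(range(1039, 1102, 2))

# Constructed sample export; the column layout is an assumption, not a SEE format.
SAMPLE_CSV = """timestamp,computer,event_id
2010-03-01T08:00:05,LAPTOP-01,1003
2010-03-01T09:10:00,LAPTOP-02,1004
2010-03-01T09:10:40,LAPTOP-02,1004
2010-03-01T09:11:15,LAPTOP-02,1012
2010-03-01T09:11:50,LAPTOP-02,1015
2010-03-01T10:00:00,LAPTOP-03,1004
2010-03-01T13:30:00,LAPTOP-03,1004
2010-03-01T14:00:00,LAPTOP-04,1027
2010-03-01T14:05:00,LAPTOP-05,1043
"""


def parse_events(text):
    """Return (timestamp, computer, event_id) tuples sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(row["timestamp"]),
                     row["computer"], int(row["event_id"])))
    return sorted(rows)


def triage(events, window=timedelta(minutes=10), threshold=3):
    """Return (computer, rule, detail) findings for events worth a second look."""
    findings = []
    recent = defaultdict(deque)  # computer -> (timestamp, event_id) of recent failures
    for ts, host, eid in events:
        if eid in FAILED_AUTH:
            q = recent[host]
            q.append((ts, eid))
            # Drop failures that fell out of the sliding window.
            while ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                methods = sorted({FAILED_AUTH[e] for _, e in q})
                findings.append((host, "failed-auth-burst",
                                 f"{len(q)} failures: " + ", ".join(methods)))
                q.clear()  # start counting again so one burst alerts once
        elif eid in LOCKOUT:
            findings.append((host, "lockout", LOCKOUT[eid]))
        elif eid in SENSITIVE:
            findings.append((host, "sensitive-action", SENSITIVE[eid]))
        elif eid in POLICY_FAILED:
            findings.append((host, "policy-failed", f"event {eid}"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_CSV)):
        print(finding)
```
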
Glossary

Active Directory
Active Directory is the directory service included with Windows 2000 Server and Windows Server. This service stores information about objects on a network and makes that information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network. Active Directory provides network administrators with a hierarchical view of the network and a single point of administration for all network objects.

Active Directory Application Mode (ADAM)
Active Directory Application Mode (ADAM) is a Lightweight Directory Access Protocol (LDAP) directory service that runs as a user service on top of Windows, as opposed to a system service such as Active Directory. The SEE Manager console stores data in ADAM rather than Active Directory in order to avoid changing the Active Directory schema.

Active Directory Users and Computers Snap-in
The Users and Computers snap-in from Microsoft is used to find and organize the User and Computer objects in an Active Directory structure.

Client Administrator
The Client Administrator supports SEE users. Their responsibilities and privileges include: unregistering users, extending computer check-in dates, encryption/decryption, One-Time Password recovery, and hard disk recovery. Each Client Computer must have at least one Client Administrator account and can have up to 50. At least one of these must authenticate with a password, to allow hard disk recovery. The remainder may authenticate with either password or token. The Policy Administrator creates and modifies the Client Administrator accounts and passwords on Client Computers through installation settings or policy updates. Client Administrators cannot change their own passwords or use any password-recovery methods.

Containers
The term containers is used to refer to organizational units (OUs) and domains. These are represented by folder icons in the left pane of the Microsoft Management Console. See also Objects.

Domain Name System (DNS)
Domain Name System (DNS) is a distributed database and name resolution system used for translating domain names into IP addresses.

Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) is a system for automatically assigning IP addresses to Client Computers on a network.

Expand, Expanded, to Expand
To reveal the contents of a container. This action is initiated by clicking the plus sign to the left of the container as displayed in the left pane of the Microsoft Management Console.
Group Filtering
Also known as Security Group Filtering or Security Filters. Security Filters applied to a Group Policy Object limit the scope for that Group Policy Object.

Group Policy Management, Group Policy Management Console Snap-in
A snap-in from Microsoft that an SEE Policy Administrator can use to assign SEE software and policies to users and computers.

Group Policy Object (GPO)
An object in Active Directory that contains user and/or computer policies, and possibly software deployment policies.

LSDOU
This acronym describes the order in which GPOs are applied: Local (1), Site (2), Domain (3), OU (4). Policies applied later take precedence over those applied earlier.

Management Password, Management Password Snap-in
A password used by support personnel for accessing various SEE data recovery functions. The SEE Management Password can be changed using the Management Password snap-in from the SEE Manager console.

Microsoft Management Console (MMC)
Microsoft Management Console is a container User Interface (UI) that provides no functionality by itself. Each Microsoft Management Console process can host a set of snap-ins displayed in one or more windows. The layout of a Microsoft Management Console can be saved as a file with an .msc extension.

Microsoft Management Console Tree
The folder-like structure of snap-ins in a Microsoft Management Console. Snap-ins can be standalone, i.e., added to the root of the MMC tree, or they can be extensions of other snap-ins.

Microsoft Windows Installer (MSI)
A format for self-contained database files containing the requirements and instructions that the Windows Installer uses when installing applications. MSI packages can be deployed via Group Policy Objects.

Objects
The term objects is used to refer to any Active Directory object. This includes individual Users, Computers, or Policies, as well as Groups of Users or Computers. See also Containers.

OTP Keys
A critical set of keys used for various purposes by SEE. The OTP keys are created and stored in the SEE Server as part of installation of the SEE Framework. See also Random String Backup.
Policy Administrator
An organization's centralized point of control for SEE is one or more Policy Administrators. A Policy Administrator defines installation settings and policies that are pushed out to Client Computers through Active Directory. In this way, Policy Administrators define the end-point encryption policies for one or more OUs. While a domain or higher level administrator can delegate any amount of control to a Policy Administrator, a recommended baseline capability is to allow Policy Administrators to create, edit, and apply Group Policy Objects (GPOs) to the specific OUs they are responsible for supporting.

Random String Backup
A file containing a backup of the OTP keys. This file is saved during installation of the SEE Framework. The Random String Backup may be used to restore the OTP keys to the SEE Server using the Recover OTP Keys Utility. See also OTP Keys.

Recover /B
One of three recovery tools provided by Symantec that allow organizations to recover data from a computer that fails to boot.

Registered User
A user on an SEE protected computer who has registered for an SEE account. The Policy Administrator sets registered user rights through installation settings and policy updates. Registered users will always have the right to change their passwords and may also have the following: Single Sign-On, Authenti-Check, One-Time Password, decryption, and/or encryption privileges. Policy Administrators can view registered users with the Client Monitor snap-in.

Schema
The formal definition of all the object classes and attributes that can be stored in a directory. Active Directory includes a default schema that defines many object classes, such as users, groups, computers, domains, and organizational units.

SEE Client Monitor Snap-in
The Client Monitor snap-in from Symantec allows SEE Policy Administrators to check the encryption status of users or computers.

SEE Framework
The base module for SEE which is required by all current and future SEE products, such as SEE Full Disk, SEE Removable Storage, and others in development.

Single Sign-On (SSO)
A feature that allows SEE users to log on to both Windows and SEE with their Windows password. To activate an SSO policy, the Client Computer must reboot, which installs the SEE GINA into the GINA chain, allowing password synchronization to take place.

Snap-in
A Dynamic Link Library (DLL) file user interface module designed to be loaded into a Microsoft Management Console.

Software Setup Snap-in
A snap-in from Symantec that allows the SEE Policy Administrators to customize SEE software before deployment.
Watchlist
A list created by the SEE Client Monitor snap-in which shows the current SEE status of selected users and/or computers. Watchlists appear in the SEE Manager console hierarchy within the SEE Client Monitor component, and can be refreshed according to an administrator-specified time interval.
ACTIVE DIRECTORY DEPLOYMENT CASAS Technical Support 800.255.1036 2009 Comprehensive Adult Student Assessment Systems. All rights reserved. Version 031809 CONTENTS 1. INTRODUCTION... 1 1.1 LAN PREREQUISITES...
ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol...
Page 1 of 16 Security How to Configure Windows Firewall in a Small Business Environment using Group Policy Introduction This document explains how to configure the features of Windows Firewall on computers
Windows Server Update Services 3.0 SP2 Step By Step Guide
Windows Server Update Services 3.0 SP2 Step By Step Guide Microsoft Corporation Author: Anita Taylor Editor: Theresa Haynie Abstract This guide provides detailed instructions for installing Windows Server
User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream
User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner
How To Install And Configure Windows Server 2003 On A Student Computer
Course: WIN310 Student Lab Setup Guide Microsoft Windows Server 2003 Network Infrastructure (70-291) ISBN: 0-470-06887-6 STUDENT COMPUTER SETUP Hardware Requirements All hardware must be on the Microsoft
WhatsUp Gold v16.3 Installation and Configuration Guide
WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard
Networking Best Practices Guide. Version 6.5
Networking Best Practices Guide Version 6.5 Summer 2010 Copyright: 2010, CCH, a Wolters Kluwer business. All rights reserved. Material in this publication may not be reproduced or transmitted in any form
Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Chapter 10 Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Implement and troubleshoot Group Policy. Create a Group Policy object (GPO). Link an existing GPO. Delegate administrative
DC Agent Troubleshooting
DC Agent Troubleshooting Topic 50320 DC Agent Troubleshooting Web Security Solutions v7.7.x, 7.8.x 27-Mar-2013 This collection includes the following articles to help you troubleshoot DC Agent installation
RSA Authentication Agent 7.1 for Microsoft Windows Installation and Administration Guide
RSA Authentication Agent 7.1 for Microsoft Windows Installation and Administration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com
Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012.
Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012. Copyright 1995-2012 Lenel Systems International, Inc. Information
Course: WIN310. Student Lab Setup Guide. Summer 2010. Microsoft Windows Server 2003 Network Infrastructure (70-291)
Course: WIN310 Student Lab Setup Guide Summer 2010 Microsoft Windows Server 2003 Network Infrastructure (70-291) ISBN: 0-470-06887-6 Published by Wiley & Sons 1 STUDENT COMPUTER SETUP Hardware Requirements
ILTA HANDS ON Securing Windows 7
Securing Windows 7 8/23/2011 Table of Contents About this lab... 3 About the Laboratory Environment... 4 Lab 1: Restricting Users... 5 Exercise 1. Verify the default rights of users... 5 Exercise 2. Adding
Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015
Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this
SafeGuard Enterprise Web Helpdesk
SafeGuard Enterprise Web Helpdesk Product version: 5.60 Document date: April 2011 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Help Desk
Kaseya 2. User Guide. Version R8. English
Kaseya 2 Discovery User Guide Version R8 English September 19, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as
NetWrix Password Manager. Quick Start Guide
NetWrix Password Manager Quick Start Guide Contents Overview... 3 Setup... 3 Deploying the Core Components... 3 System Requirements... 3 Installation... 4 Windows Server 2008 Notes... 4 Upgrade Path...
Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab
Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Microsoft Corporation Published: May, 2005 Author: Microsoft Corporation Abstract This guide describes how to create
WhatsUp Gold v16.2 Installation and Configuration Guide
WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines
Integrating LANGuardian with Active Directory
Integrating LANGuardian with Active Directory 01 February 2012 This document describes how to integrate LANGuardian with Microsoft Windows Server and Active Directory. Overview With the optional Identity
RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide
RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com
Outpost Network Security
Administrator Guide Reference Outpost Network Security Office Firewall Software from Agnitum Abstract This document provides information on deploying Outpost Network Security in a corporate network. It
Sophos Enterprise Console server to server migration guide. Product version: 5.1 Document date: June 2012
Sophos Enterprise Console server to server migration guide Product : 5.1 Document date: June 2012 Contents 1 About this guide...3 2 Terminology...4 3 Assumptions...5 4 Prerequisite...6 5 What are the key
Cisco TelePresence Management Suite Extension for Microsoft Exchange
Cisco TelePresence Management Suite Extension for Microsoft Exchange Installation Guide D14846.01 June 2011 Software version 2.3 Contents Introduction 5 End user guidance 5 Server requirements 6 Exchange
Portions of this product were created using LEADTOOLS 1991-2010 LEAD Technologies, Inc. ALL RIGHTS RESERVED.
Installation Guide Lenel OnGuard 2010 Installation Guide, product version 6.4. This guide is item number DOC-110, revision 1.045, May 2010 Copyright 1995-2010 Lenel Systems International, Inc. Information
EventTracker: Support to Non English Systems
EventTracker: Support to Non English Systems Publication Date: April 25, 2012 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Introduction This document has been prepared to
Configuring Security Features of Session Recording
Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording
Tool Tip. SyAM Management Utilities and Non-Admin Domain Users
SyAM Management Utilities and Non-Admin Domain Users Some features of SyAM Management Utilities, including Client Deployment and Third Party Software Deployment, require authentication credentials with
VMware Mirage Web Manager Guide
Mirage 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,
DeviceLock Management via Group Policy
User Manual DeviceLock Management via Group Policy SmartLine Inc 1 Contents Using this Manual...3 1. General Information...4 1.1 Overview...4 1.2 Applying Group Policy...5 2. DeviceLock Service Deployment...6
Administration Guide ActivClient for Windows 6.2
Administration Guide ActivClient for Windows 6.2 ActivClient for Windows Administration Guide P 2 Table of Contents Chapter 1: Introduction....................................................................12
SafeGuard Enterprise Web Helpdesk. Product version: 6.1
SafeGuard Enterprise Web Helpdesk Product version: 6.1 Document date: February 2014 Contents 1 SafeGuard web-based Challenge/Response...3 2 Scope of Web Helpdesk...4 3 Installation...5 4 Allow Web Helpdesk
Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide
Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.
Table of Contents. CHAPTER 1 About This Guide... 9. CHAPTER 2 Introduction... 11. CHAPTER 3 Database Backup and Restoration... 15
Table of Contents CHAPTER 1 About This Guide......................... 9 The Installation Guides....................................... 10 CHAPTER 2 Introduction............................ 11 Required
Malwarebytes Enterprise Edition Best Practices Guide Version 1.3 21 March 2014
Malwarebytes Enterprise Edition Best Practices Guide Version 1.3 21 March 2014 Notices Malwarebytes products and related documentation are provided under a license agreement containing restrictions on
Transparent Identification of Users
Transparent Identification of Users Websense Web Security Solutions v7.5, v7.6 Transparent Identification of Users 1996 2011, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA
Sophos Enterprise Console server to server migration guide. Product version: 5.2
Sophos Enterprise Console server to server migration guide Product : 5.2 Document date: December 2014 Contents 1 About this guide...3 2 Terminology...4 3 Assumptions...5 4 Prerequisite...6 5 What are the
DigitalPersona Pro. Password Manager. Version 5.x. Application Guide
DigitalPersona Pro Password Manager Version 5.x Application Guide 1996-2012 DigitalPersona, Inc. All Rights Reserved. All intellectual property rights in the DigitalPersona software, firmware, hardware
Advanced Event Viewer Manual
Advanced Event Viewer Manual Document version: 2.2944.01 Download Advanced Event Viewer at: http://www.advancedeventviewer.com Page 1 Introduction Advanced Event Viewer is an award winning application
NETWRIX PASSWORD MANAGER
NETWRIX PASSWORD MANAGER ADMINISTRATOR S GUIDE Product Version: 6.1 February/2012 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment
Configuring SonicWALL TSA on Citrix and Terminal Services Servers
Configuring on Citrix and Terminal Services Servers Document Scope This solutions document describes how to install, configure, and use the SonicWALL Terminal Services Agent (TSA) on a multi-user server,
Sophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012
Sophos Disk Encryption License migration guide Product version: 5.61 Document date: June 2012 Contents 1 About this guide...3 2 Add encryption to an existing Sophos security solution...5 3 SDE/SGE 4.x
Installation and Configuration Guide
Installation and Configuration Guide BlackBerry Resource Kit for BlackBerry Enterprise Service 10 Version 10.2 Published: 2015-11-12 SWD-20151112124827386 Contents Overview: BlackBerry Enterprise Service
How To Use Safguard Management Center On Windows Vista Vista (Windows) With A Safeguard Server (Windows Vista) On A Pc Or Macbook (Windows Xp) With An Uniden (Windows 7) With Safguard) On
SafeGuard Enterprise Administrator help Product version: 6 Document date: February 2012 Contents 1 About SafeGuard Management Center...4 2 Log on to SafeGuard Management Center...5 3 Security best practices...10
Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.
Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from
User Guide. CTERA Agent. August 2011 Version 3.0
User Guide CTERA Agent August 2011 Version 3.0 Copyright 2009-2011 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written permission
HOTPin Integration Guide: DirectAccess
1 HOTPin Integration Guide: DirectAccess Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; Celestix assumes no responsibility
Web-Access Security Solution
WavecrestCyBlock Client Version 2.1.13 Web-Access Security Solution UserGuide www.wavecrest.net Copyright Copyright 1996-2014, Wavecrest Computing, Inc. All rights reserved. Use of this product and this
Kaseya 2. User Guide. Version 1.1
Kaseya 2 Directory Services User Guide Version 1.1 September 10, 2011 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations.
HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION
HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION Version 1.1 / Last updated November 2012 INTRODUCTION The Cloud Link for Windows client software is packaged as an MSI (Microsoft Installer)
WhatsUp Gold v16.1 Installation and Configuration Guide
WhatsUp Gold v16.1 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.1 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines
XMap 7 Administration Guide. Last updated on 12/13/2009
XMap 7 Administration Guide Last updated on 12/13/2009 Contact DeLorme Professional Sales for support: 1-800-293-2389 Page 2 Table of Contents XMAP 7 ADMINISTRATION GUIDE... 1 INTRODUCTION... 5 DEPLOYING
Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started
Getting started Symantec AntiVirus Corporate Edition Copyright 2004 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/04 10223881 Symantec and the Symantec logo are U.S. registered trademarks
DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014
DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014 Contents Overview... 2 System requirements:... 2 Before installing... 3 Download and installation... 3 Configure DESLock+ Enterprise Server...
Alpha High Level Description
Alpha High Level Description Alpha is a Windows Domain Controller (DC) and Domain Name System (DNS) Server. Because Alpha was the first DC in the aia.class domain, it is also (by default) the Windows global
Table of Contents WELCOME TO ADAUDIT PLUS... 3. Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...
Table of Contents WELCOME TO ADAUDIT PLUS... 3 Release Notes... 4 Contact ZOHO Corp.... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED... 8 System Requirements... 9 Installing ADAudit Plus... 10 Working
Colligo Email Manager 6.0. Offline Mode - User Guide
6.0 Offline Mode - User Guide Contents Colligo Email Manager 1 Key Features 1 Benefits 1 Installing and Activating Colligo Email Manager 2 Checking for Updates 3 Updating Your License Key 3 Managing SharePoint
Avalanche Remote Control User Guide. Version 4.1.3
Avalanche Remote Control User Guide Version 4.1.3 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway, Suite 200 South Jordan, Utah 84095
GUARD1 PLUS SE Administrator's Manual
GUARD1 PLUS SE Administrator's Manual Version 4.4 30700 Bainbridge Road Solon, Ohio 44139 Phone 216-595-0890 Fax 216-595-0991 [email protected] www.guard1.com i 2010 TimeKeeping Systems, Inc. GUARD1 PLUS
HP IMC Firewall Manager
HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this
MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM)
MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM) MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM) Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative
HP A-IMC Firewall Manager
HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this
2X ApplicationServer & LoadBalancer Manual
2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: [email protected] Information in this document is subject to change without notice. Companies,
Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide
Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide Microsoft Corporation Published: October 2006 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide
Group Policy 21/05/2013
Group Policy Group Policy is not a new technology for Active Directory, but it has grown and improved with every iteration of the operating system and service pack since it was first introduced in Windows
Symantec AntiVirus Corporate Edition Patch Update
Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Update Documentation version 10.0.1.1007 Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec
Synchronizer Installation
Synchronizer Installation Synchronizer Installation Synchronizer Installation This document provides instructions for installing Synchronizer. Synchronizer performs all the administrative tasks for XenClient
Moving the TRITON Reporting Databases
Moving the TRITON Reporting Databases Topic 50530 Web, Data, and Email Security Versions 7.7.x, 7.8.x Updated 06-Nov-2013 If you need to move your Microsoft SQL Server database to a new location (directory,
Copyright 2013 Trend Micro Incorporated. All rights reserved.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
