Symantec Drive Encryption for Windows


Symantec Drive Encryption for Windows Technical Note 10.3

Released January 2014.

Legal Notice

Copyright (c) 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton Zone, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Licensed Software does not alter any rights or obligations you may have under those open source or free software licenses. For more information on the Third Party Programs, please see the Third Party Notice document for this Symantec product that may be available at http://www.symantec.com/about/profile/policies/eulas/, the Third Party Legal Notice Appendix that may be included with this Documentation and/or Third Party Legal Notice ReadMe File that may accompany this Symantec product.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)

Contents

Introduction ........ 1
    Scenario 1: Troubleshooting common Windows issues ........ 1
    Scenario 2: Booting and accessing the server ........ 1
System Requirements ........ 3
Recommended Best Practices ........ 5
    Perform regular backups and back up the disk before you encrypt it ........ 5
    Ensure the health of the disk before you encrypt it ........ 5
    Know your RAID hardware and software ........ 5
    Maintain separate test and production servers, and production processes and procedures ........ 6
    Build and test recovery procedures ........ 6
    Be certain that you will have AC power throughout the encryption process ........ 7
    Follow installation procedures to install only the Symantec Drive Encryption drivers ........ 8
    Run a pilot test to ensure software compatibility ........ 8
    Understand how performance is affected ........ 9
    Perform disk recovery on decrypted disks ........ 9
    Remote rebooting of the Windows Server ........ 9

1 Introduction

The purpose of this document is to define best practices for server system administrators before they install Symantec Drive Encryption on Microsoft Windows Servers. Symantec Drive Encryption for Windows Servers is intended for servers that are located in risky locations, such as kiosks or remote offices where server theft is possible. As an overall best practice, encrypt your Windows Server with Symantec Drive Encryption to protect your operating system and file system.

An encrypted server requires changes to normal operational, maintenance, and recovery procedures. Two scenarios follow that highlight some of those changes, in the areas of fixing typical Windows issues and rebooting and accessing the server. In the Recommended Best Practices (on page 5) chapter, specific tasks that are related to encrypted servers are described.

Scenario 1: Troubleshooting common Windows issues

On an unencrypted server:

1. Change a registry value or driver.
2. Make file system changes.

For an encrypted server:

1. Before encryption, create a customized Microsoft Windows Preinstallation Environment (Windows PE) disc with the Symantec Drive Encryption drivers loaded.
2. After encryption, use the customized Windows PE disc to authenticate to the disk. Authentication gives you access to the encrypted file system.
3. Modify the registry values or drivers.

Note: For information on how to create a Windows PE disc, go to the Symantec Knowledgebase (http://www.symantec.com/business/support/index?page=home) and search for TECH149060, Windows Preinstallation Environment & BartPE Tools.

Scenario 2: Booting and accessing the server

For an unencrypted server:

1. Install a service pack or updated driver.
2. Reboot.

For an encrypted server:

1. Authenticate at the PGP BootGuard login screen prior to starting the Windows Server OS.
2. Install a service pack or updated driver.
3. Reboot.

Note: For remote access, use the provided PGP WDE Command Line "Boot Bypass" feature. This feature lets you reboot a system one or more times without authenticating. For more information, see Remote rebooting of the Windows Server (on page 9).

2 System Requirements

Symantec Drive Encryption is supported on the following Windows Server versions:

- Windows Server 2012 R2 64-bit Edition with internal RAID 1 and RAID 5
- Windows Server 2012 64-bit Edition with internal RAID 1 and RAID 5
- Windows Server 2008 R2 64-bit Edition with internal RAID 1 and RAID 5
- Windows Server 2008 64-bit Edition (Service Pack 1 and Service Pack 2) with internal RAID 1 and RAID 5

Note: Dynamic disks and software RAID are not supported.

A broad array of other hardware may work well with Symantec Drive Encryption. However, Symantec Drive Encryption has been tested and is compatible with the hardware that is listed in this table:

OS tested                            RAID version        Hardware tested
Windows Server 2012 R2               RAID 1 and RAID 5   LSI M1015 RAID controller on IBM X3650 M3 server
Windows Server 2012                  RAID 1 and RAID 5   LSI M1015 RAID controller on IBM X3650 M3 server
Windows Server 2008 R2               RAID 5              PERC 6i integrated RAID controller
Windows Server 2008 Service Pack 2   RAID 1              LSI M1015 RAID controller on IBM X3650 M3 server

3 Recommended Best Practices

Symantec Corporation recommends the best practices described in this chapter. They are useful for reviewing your server management operational business practices and for preparing to encrypt your disk with Symantec Drive Encryption. Follow the recommendations to prepare your server environment before encrypting your disk, to protect your data during and after encryption, and then follow them for normal server operations.

Perform regular backups and back up the disk before you encrypt it

Before you install Symantec Drive Encryption and encrypt your disk, back up your disk. This backup ensures that you will not lose any data if your system is lost, stolen, or you cannot decrypt the disk.

Ensure the health of the disk before you encrypt it

Cyclic redundancy check (CRC) errors are not uncommon to encounter while you encrypt a hard disk. In standalone installations of Symantec Encryption Desktop, if Symantec Drive Encryption encounters a hard drive or partition with bad sectors, it pauses the encryption process. This pause lets you remedy the problem before you continue with the encryption process, thus avoiding potential disk corruption and lost data.

In a Symantec Encryption Management Server managed environment, Symantec Drive Encryption may encounter bad sectors on a hard drive or partition. If this situation happens, Symantec Drive Encryption logs an event in the server logs and the disk encryption continues.

Before you run Symantec Drive Encryption, use a third-party scan disk utility that performs a low-level integrity check and repairs any inconsistencies with the drive that can lead to CRC errors. Third-party software, such as SpinRite or Norton Disk Doctor, can correct errors that would disrupt the encryption of the disk.

Note: As a best practice, highly fragmented disks should be defragmented before you encrypt the disk.

Know your RAID hardware and software

You are advised to read RAID documentation completely. Understand the RAID rebuilding process based on the hardware you are using, before installing Symantec Drive Encryption on the server. Before rebuilding RAID, take a backup of the data using a backup utility.

Maintain separate test and production servers, and production processes and procedures

Maintain a separate test and production environment. Modification of a production server should be strictly limited. Ensure that you use the test system to test software updates, driver updates, and Windows service packs before updating the production server.

Build and test recovery procedures

Be aware that changes to the normal server operations and maintenance procedures are required, due to encryption of the server file system. You are advised to:

1. Create and test a customized Windows PE disc with Symantec Drive Encryption drivers installed.
2. Create a Symantec Drive Encryption recovery disc.

Create a customized Windows PE disc with the Symantec Drive Encryption drivers

The Symantec Knowledge Base contains articles with instructions for creating a Windows PE disc for Symantec Drive Encryption recovery. Creating a customized Windows PE CD or USB flash drive provides a bootable recovery tool that you can use for rescue purposes. For example, you can use the DOS commands to copy, edit, back up, and delete files.

The Symantec Knowledge Base contains technical notes with instructions for creating a 32-bit Windows PE disc. While you can use the 32-bit Windows PE disc on a 64-bit system, you cannot create a 64-bit Windows PE disc. For information on how to create and use a Windows PE disc, go to the Symantec Knowledgebase (http://www.symantec.com/business/support/index?page=home) and search for TECH149060, Windows Preinstallation Environment & BartPE Tools.

Note: The Technical Note includes instructions for customizing the BartPE or BartPE-based tools.

Create a recovery disc

While the chances are low that a master boot record can become corrupted on a boot disk or partition protected by Symantec Drive Encryption, corruption can happen. Before you encrypt a boot disk or partition using Symantec Drive Encryption, create a recovery disc. For information on how to obtain the .iso images and create a recovery disc for Symantec Drive Encryption, go to the Symantec Knowledgebase (http://www.symantec.com/business/support/index?page=home) and refer to the KB articles in the following table:

KB article title / KB article link

TECH19905: Symantec Drive Encryption 10.3.0 for Windows Recovery Disk Images
    http://www.symantec.com/docs/tech199905

TECH19906: Symantec Drive Encryption 10.3.0 for Mac OS X Recovery Disk Images
    http://www.symantec.com/docs/tech199906

TECH199903: PGP Desktop 10.2.1 for Windows Recovery Disk Images
    http://www.symantec.com/docs/tech199903

TECH197687: PGP Whole Disk Encryption for Mac OS X (PGP Desktop 10.2.1) Recovery Disk Images
    http://www.symantec.com/docs/tech197687

TECH176201: PGP Desktop 10.2.0 for Windows Recovery Disk Images
    http://www.symantec.com/docs/tech176201

TECH176187: PGP Whole Disk Encryption for Mac OS X (PGP Desktop 10.2.0) Recovery Disk Images
    http://www.symantec.com/docs/tech176187

TECH152604: PGP Desktop 10.0 and 10.1 for Windows Recovery Disk Images
    http://www.symantec.com/docs/tech152604

TECH152610: Symantec Drive Encryption (formerly known as PGP Whole Disk Encryption) for Mac OS X Recovery Disk Images (versions 10.0.x - 10.1.x)
    http://www.symantec.com/docs/tech152610

Be certain that you will have AC power throughout the encryption process

If loss of power during encryption is a possibility, consider choosing the Power Failure Safety option before starting the disk encryption. Also consider this option if you do not have an uninterruptible power supply for your computer.

Follow installation procedures to install only the Symantec Drive Encryption drivers

Symantec Corporation offers a number of product suites that contain Symantec Drive Encryption, Symantec File Share Encryption, and Symantec Desktop Email. When you install Symantec Encryption client products on your server, ensure that you use the .msi installation switches so that you do not install the Symantec File Share Encryption and Symantec Desktop Email drivers. Instructions for utilizing the .msi switches are included in the Symantec Knowledgebase. Go to the Symantec Knowledgebase (http://www.symantec.com/business/support/index?page=home) and search for TECH149282, "PGP Desktop Installation (msi) Switches."

An example of the .msi switches is:

    MsiExec /I pgpdesktop.msi PGP_INSTALL_WDE=1 PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_NETSHARE=0

Installing these drivers can impact the performance of the server and email functionality that is hosted on the server. Additionally, you cannot host Symantec File Share Encryption folders on a system that has Symantec File Share Encryption enabled. In a Symantec File Share Encryption environment, these servers are mainly used for hosting shared folders and installing the File Share drivers on the server.

Run a pilot test to ensure software compatibility

As a security practice, test Symantec Drive Encryption on a test server to ensure that Symantec Drive Encryption does not conflict with other software. Run the test before rolling Symantec Drive Encryption out to a large number of servers. This pre-test is particularly useful in environments that use a standardized Corporate Operating Environment (COE) image.

The following software is not compatible with Symantec Drive Encryption:

- Symantec Endpoint Encryption Full Disk
- Faronics Deep Freeze (any edition)
- Utimaco Safeguard Easy 3.x
- Absolute Software's CompuTrace security and tracking product. Symantec Drive Encryption is compatible only with the BIOS configuration of CompuTrace. Using CompuTrace in MBR mode is not compatible.
- Hard disk encryption products from GuardianEdge Technologies: Encryption Anywhere Hard Disk and Encryption Plus Hard Disk products, formerly known as PC Guardian products.

The following programs co-exist with Symantec Drive Encryption on the same system, but will block the Symantec Drive Encryption feature:

- Control Break International Safeboot Solo
- SecureStar Technologies SecureStar SCPP
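An added example (not from the technical note) of running the installer on the pilot test server with the .msi switches shown above, then reading the verbose MSI log to confirm that only the Drive Encryption component was selected. It assumes pgpdesktop.msi sits in the current directory (placeholder path) and that the script runs in an elevated PowerShell session.

```powershell
# Added example, not Symantec's code. Installs with the PGP_INSTALL_* switches
# from the technical note (only Drive Encryption selected), writes a verbose
# MSI log, and verifies from that log that every switch took the intended value.
# Assumption: pgpdesktop.msi is in the current directory (placeholder path).
$MsiPath = Join-Path (Get-Location).Path 'pgpdesktop.msi'
$LogPath = Join-Path $env:TEMP 'pgpdesktop-install.log'

# Intended component selection: 1 = install, 0 = skip (values from the note)
$Intended = @{
    PGP_INSTALL_WDE      = 1
    PGP_INSTALL_MAPI     = 0
    PGP_INSTALL_NOTES    = 0
    PGP_INSTALL_LSP      = 0
    PGP_INSTALL_NETSHARE = 0
}

function Install-DriveEncryptionOnly {
    param([string]$Msi, [string]$Log, [hashtable]$Properties)

    $props = ($Properties.GetEnumerator() |
        ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    # /qn = silent, /norestart = do not reboot on its own (an operator must be
    # ready to authenticate at BootGuard once the disk is encrypted),
    # /L*v = verbose log so the final property values are recorded
    $argList = "/i `"$Msi`" /qn /norestart /L*v `"$Log`" $props"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
    return $proc.ExitCode
}

function Confirm-InstallProperties {
    param([string]$Log, [hashtable]$Properties)
    # A verbose MSI log ends with "Property(S): NAME = value" lines giving the
    # final value of each property; compare each against the intended value.
    # Get-Content detects the log's encoding from its BOM; pass -Encoding
    # explicitly if your msiexec writes UTF-16 without one.
    $text = Get-Content -Path $Log -Raw
    $mismatches = @()
    foreach ($entry in $Properties.GetEnumerator()) {
        $m = [regex]::Match($text, "Property\(S\): $($entry.Key) = (\S+)")
        if (-not $m.Success) {
            $mismatches += "$($entry.Key): not recorded in log"
            continue
        }
        if ($m.Groups[1].Value -ne "$($entry.Value)") {
            $mismatches += "$($entry.Key): expected $($entry.Value), log shows $($m.Groups[1].Value)"
        }
    }
    return $mismatches
}

$code = Install-DriveEncryptionOnly -Msi $MsiPath -Log $LogPath -Properties $Intended
switch ($code) {
    0       { Write-Host 'Install succeeded.' }
    3010    { Write-Host 'Install succeeded; a reboot is required.' }
    default { throw "msiexec exited with $code; see $LogPath" }
}

$problems = Confirm-InstallProperties -Log $LogPath -Properties $Intended
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'File Share Encryption or email components may have been installed; review the log.'
}
Write-Host 'Only the Drive Encryption component was selected, as intended.'
```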

Understand how performance is affected

Run performance testing as described in Run a pilot test to ensure software compatibility (on page 8). During testing, Symantec Corporation did not observe any major performance-related issues with RAID 1 or RAID 5. However, performance can vary depending on the processor, memory, drives, and so on. For example, a 500GB RAID 5 system with three disks can take 8-9 hours to encrypt. After initial encryption, performance can be affected slightly. However, performance is dependent upon individual server configurations.

Perform disk recovery on decrypted disks

If you need to perform recovery activities on a disk that is protected with Symantec Drive Encryption, when possible, decrypt the disk first. Do this by selecting Disk > Decrypt in Symantec Encryption Desktop, using your prepared Symantec Drive Encryption Recovery Disk, or by connecting the hard disk using a USB cable to a second system and decrypting from that system's Symantec Drive Encryption software. Once the disk is decrypted, proceed with your recovery activities.

Remote rebooting of the Windows Server

WDE Command Line contains the Boot Bypass function. This function lets you configure Symantec Drive Encryption so that PGP BootGuard does not require a passphrase at the next boot. This boot bypass allows remote rebooting of the server without someone being physically present. For more information on Boot Bypass, see Scenario 2: Booting and accessing the server (on page 1).

The Boot Bypass feature lets you reboot a system one or more times without having to authenticate at the PGP BootGuard screen. Boot Bypass can be set for boot disks only. You can configure Symantec Drive Encryption to authenticate automatically at the PGP BootGuard screen and boot the system.

Note: You must set up Boot Bypass in advance.

Boot Bypass is generally used for remote deployment or upgrade scenarios when a reboot is required; for example, for patch management.

Caution: Boot Bypass bypasses the security of a system. Use it sparingly and with caution.

The Boot Bypass commands are:

--add-bypass: Enables the specified disk for Boot Bypass.
--check-bypass: Indicates whether the specified disk is enabled for Boot Bypass.
--remove-bypass: Removes Boot Bypass from a disk where it is enabled.