Symantec Endpoint Encryption Full Disk Installation Guide Version 7.0

Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Symantec Corporation. © 2008 Symantec Corporation. All rights reserved. Encryption Anywhere and Authenti-Check are either trademarks or registered trademarks of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, Windows 2000, Windows XP, Windows Vista, Windows 2000 Server, and Windows Server 2003 are either registered trademarks or trademarks of Microsoft Corporation. Novell is a registered trademark of Novell, Inc. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners. Printed in the United States of America.

Contents

1. Introduction ..... 1
   Overview ..... 1
      Architecture ..... 1
      Services and Associated Ports/Protocols ..... 2
   System Requirements ..... 3
      Basics ..... 3
      SEE Management Server ..... 3
      Novell eDirectory ..... 3
      Active Directory ..... 3
      SEE Database Instance ..... 3
      Manager Computer(s) ..... 4
      Client Computers ..... 4
   SEE ..... 5
      Installation Sequence ..... 5
      Account Provisioning ..... 6
      SEE Database Instance ..... 7
      SEE Management Server ..... 7
      SEE Manager ..... 7
      SEE Client ..... 7
   SEE Roles ..... 7
      Policy Administrator ..... 7
      Client Administrator ..... 8
      User ..... 8

2. SEE Management Server ..... 10
   Overview ..... 10
      Basics ..... 10
      Database Instance Prerequisites ..... 10
      SEE Management Server Prerequisites ..... 10
      HTTPS Prerequisites ..... 11
      Summary of Steps ..... 11
   SEE Management Server InstallShield Wizard ..... 12
      Basics ..... 12
      Active Directory Synchronization ..... 14
      Novell eDirectory Synchronization Selected ..... 15
      Both Active Directory & eDirectory Synchronization Selected ..... 16
   Verification ..... 19
      SEE Management Server ..... 19
      SEE Database Instance ..... 20
      Log Files ..... 20
   Backup ..... 20

3. SEE Manager ..... 21
   Overview ..... 21
      Default and Serverless Installation Modes ..... 21
      HTTPS Prerequisite ..... 22
   Microsoft Administration Tools ..... 22
      Basics ..... 22
      Group Policy Management Console ..... 22
      Windows Server 2003 Administration Tools Pack ..... 22
   SEE Manager Setup Process ..... 22
      Framework InstallShield Wizard ..... 23
      Full Disk InstallShield Wizard ..... 29
      Add Forest ..... 31
   One-Time Password Program ..... 31
      Basics ..... 31
      Installation ..... 32
   Creating SEE Policy Administrators ..... 34
      Steps to Create ..... 34
      Verification ..... 35
      Policy Administrator Default Capabilities ..... 36
   Establishing Default SEE Policies ..... 36
      Basics ..... 36
      Limiting Access to the SEE Snap-ins ..... 36
      Creating a Policy that Restricts Access to Snap-ins ..... 36
      Restricting Access to Snap-in Extensions ..... 38
      Creating a Policy that Permits Access to Snap-ins ..... 39
      Segmenting Support Duties ..... 40

4. Client Installation Package Creation ..... 41
   Framework Installation Settings Wizard ..... 41
      Basics ..... 41
      Client Administrators ..... 41
      Registered Users ..... 43
      Single Sign-On ..... 44
      Password Authentication ..... 45
      Removable Storage Certificates ..... 47
      Authentication Message ..... 47
      Authenti-Check ..... 48
      One-Time Password ..... 50
      Communication ..... 51
      Encryption ..... 52
      Saving the Framework Client Installer MSI ..... 52
   Full Disk Installation Settings Wizard ..... 53
      Basics ..... 53
      Startup ..... 54
      Logon History ..... 55
      Encryption ..... 55
      Installer Customization ..... 57
      Client Monitor ..... 57
      Saving the Full Disk Client Installer MSI ..... 58

5. Client Installations ..... 60
   Overview ..... 60
   Deploying Client Installer Packages ..... 60
      Third-Party Tool Deployment ..... 60
      Group Policy Deployment ..... 61
   Manual Client Installations ..... 64
      Basics ..... 64
      Framework Install ..... 64
      Full Disk Install ..... 66

6. Upgrades ..... 68
   Overview ..... 68
   SEE Management Server ..... 68
      Basics ..... 68
      Prerequisites ..... 68
      Running the Key Exporter Script ..... 68
      Verification ..... 70
   SEE Manager ..... 70
      Basics ..... 70
      Version Number Determination ..... 70
      Framework Upgrade ..... 70
      Full Disk Upgrade ..... 71
   SEE Client Computers ..... 71
      Basics ..... 71
      Creating Client Upgrade Packages ..... 71
      Upgrading Client Installer Packages ..... 72
      Client Upgrade Methods ..... 72
      Deploying and Installing Client Module Upgrades ..... 72

7. Uninstallation ..... 76
   Overview ..... 76
   SEE Management Server ..... 76
   SEE Manager ..... 76
   SEE Client Computer ..... 78
      Basics ..... 78
      Client Packages Deployed Using a GPO ..... 78
      Using a Command Line ..... 78

Appendix A. Extending Domain User Rights with DSACLS ..... 80
   Overview ..... 80
      Prerequisites ..... 80
      Summary of Steps ..... 80
      Install ADAM Administrator Tools ..... 81
      Grant List Children & Read Property Access Permissions ..... 81
      Testing AD Synchronization ..... 81

Glossary ..... 82
Index ..... 88

Figures

Figure 1.1 Architectural Overview ..... 2
Figure 2.1 Database Server ..... 12
Figure 2.2 Database Configuration ..... 13
Figure 2.3 Directory Synchronization, Active Directory Selected ..... 13
Figure 2.4 Active Directory Synchronization, Account Credentials ..... 14
Figure 2.5 eDirectory Synchronization, Account Credentials ..... 15
Figure 2.6 Directory Synchronization, Policy Precedence ..... 16
Figure 2.7 IIS Client Account Credentials ..... 17
Figure 2.8 Client Server Communications, HTTP Protocol ..... 17
Figure 2.9 Client Server Communications, HTTPS Protocol ..... 18
Figure 2.10 Destination Folder ..... 18
Figure 2.11 Ready to Install Program ..... 19
Figure 3.1 Framework Manager Installer, Destination Folder ..... 23
Figure 3.2 Framework Manager Installer, Database Server ..... 24
Figure 3.3 Management Password and Random String Backup ..... 25
Figure 3.4 Framework Manager Installer, Ready to Install the Program ..... 26
Figure 3.5 Framework Manager Installer, Database Server ..... 26
Figure 3.6 Framework Manager Installer, One-Time Password Key ..... 27
Figure 3.7 Management Password and Random String Backup ..... 28
Figure 3.8 One-Time Password Key, Use an Existing OTP Key ..... 29
Figure 3.9 Full Disk Manager Installer, Destination Folder ..... 30
Figure 3.10 Full Disk Manager Installer, Ready to Install Program ..... 30
Figure 3.11 Group Policy Management Console Add Forest ..... 31
Figure 3.12 One-Time Password Program Installer, Destination Folder ..... 32
Figure 3.13 Add/Remove Snap-In without OTP ..... 33
Figure 3.14 Add Standalone Snap-In ..... 33
Figure 3.15 Add/Remove Snap-In with OTP ..... 34
Figure 3.16 SEE Manager, Human Resources OU ..... 35
Figure 3.17 Restricted Snap-in Warning Screen ..... 37
Figure 3.18 Restricted Snap-in Error Screen ..... 38
Figure 4.1 Framework Installation Settings, Client Administrators ..... 41
Figure 4.2 Framework Installation Settings, Registered Users ..... 43
Figure 4.3 Framework Installation Settings, Single Sign-On ..... 45
Figure 4.4 Framework Installation Settings, Password Authentication ..... 46
Figure 4.5 Framework Installation Settings, Removable Storage Certificates ..... 47
Figure 4.6 Framework Installation Settings, Authentication Message ..... 48
Figure 4.7 Framework Installation Settings, Authenti-Check ..... 49
Figure 4.8 Framework Installation Settings, One-Time Password ..... 50
Figure 4.9 Framework Installation Settings, Communication ..... 51
Figure 4.10 Framework Installation Settings, Encryption ..... 52
Figure 4.11 Save MSI Package, Framework Client ..... 53
Figure 4.12 Full Disk Installation Settings, Startup ..... 54
Figure 4.13 Full Disk Installation Settings, Logon History ..... 55
Figure 4.14 Full Disk Installation Settings, Encryption ..... 56
Figure 4.15 Full Disk Installation Settings, Installer Customization ..... 57
Figure 4.16 Installation Settings, Client Monitor ..... 58
Figure 4.17 Select Output MSI Package, Full Disk Client ..... 59
Figure 5.1 Group Policy Object Editor ..... 63
Figure 5.2 Changing the Scope of the Software Installation Policy ..... 63
Figure 5.3 Framework Client Installer Destination Folder ..... 65
Figure 5.4 Framework Client Ready to Install ..... 65
Figure 5.5 Framework Client Installer Restart ..... 66
Figure 5.6 Full Disk Client Installer Destination Folder ..... 66
Figure 5.7 Full Disk Client Ready to Install ..... 67
Figure 5.8 Full Disk Client Installer Restart ..... 67
Figure 6.1 Software Installation GPO, Add Upgrade Package ..... 74
Figure 7.1 Add or Remove Programs Wizard Warning ..... 76
Figure 7.2 Remove SEE One-Time Password Program ..... 77
Figure 7.3 Remove SEE Full Disk ..... 77
Figure 7.4 Remove SEE Framework ..... 78

Tables

Table 1.1 Service Ports and Protocols ..... 2
Table 1.2 SEE Management Server Hardware Requirements ..... 3
Table 1.3 SEE Management Server Software Requirements ..... 3
Table 1.4 SEE Database Instance Software Requirements ..... 3
Table 1.5 Manager Computer Hardware Requirements ..... 4
Table 1.6 Manager Computer Software Requirements ..... 4
Table 1.7 Client Computer Hardware Requirements ..... 5
Table 1.8 Client Computer Software Requirements ..... 5
Table 1.9 Required Accounts ..... 6
Table 1.10 Synchronization Accounts ..... 6
Table 1.11 Optional Accounts ..... 6
Table 1.12 Optional Groups ..... 7
Table 1.13 Client Administrator Levels of Privilege ..... 8
Table 5.1 MSIEXEC Parameters for Framework ..... 61
Table 5.2 MSIEXEC Parameters for Full Disk ..... 61
Table 6.1 Parameters of the Key Export Script ..... 69

1. Introduction

Overview

Symantec Endpoint Encryption Full Disk ensures that only authorized users can access data stored on hard disks. This safeguards enterprises from the accidental loss or theft of a laptop or PC and eliminates the legal need for public disclosure. As part of Symantec Endpoint Encryption, SEE Full Disk leverages existing IT infrastructures for seamless deployment and operation.

This Guide is intended for use by the team of administrators responsible for provisioning and deploying the system.

This chapter provides an overview of Symantec Endpoint Encryption using an architectural diagram and defines the system components and software you need prior to installation. The sections are as follows:

Architecture on page 1
Services and Associated Ports/Protocols on page 2
System Requirements on page 3
SEE on page 5
SEE Roles on page 7

Architecture

Refer to Figure 1.1 to view SEE components, the communications protocols between components, and their interrelationships. Included in this diagram are the protocols used for communication between SEE Client Computers, the SEE Management Server, Active Directory, and optionally, Novell eDirectory. While the diagram shows all clients as members of a single domain, multi-domain configurations within a single Active Directory forest are supported. Multiple Active Directory forests and multiple Novell eDirectory trees are not supported.

[Figure 1.1 Architectural Overview: Client Computers, a Manager Computer, the Database Server, the SEE Management Server, an Active Directory Domain Controller (domain your-org.com) and a Novell eDirectory Server (tree your_tree); the links between them are labelled HTTP(S)/SOAP, Group Policy, ODBC and LDAP.]

Services and Associated Ports/Protocols

Refer to the following table to see a list of each service and its associated default port(s) and protocol(s), as shown in Figure 1.1.

Table 1.1 Service Ports and Protocols

Service(s) | Purpose(s) | Used by | Port/Protocol
Server Message Block (SMB) | Group Policy Objects (GPOs) | Client Computers | 445 TCP/UDP
Lightweight Directory Access Protocol (LDAP); LDAP ping | Apply GPOs; retrieve Active Directory and eDirectory GUIDs | Client Computers | 389 TCP/UDP
Global Catalog LDAP | Synchronize data from Active Directory and eDirectory | SEE Management Server | 3268 TCP
LDAP | Synchronize data from Active Directory and eDirectory | SEE Management Server | 389 TCP
HTTP/HTTPS | Client-Server communication | Client Computers, SEE Management Server | configurable TCP/SSL
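The following PowerShell script is an added example, not part of the Symantec guide, that probes the TCP ports from Table 1.1 before installation so that firewall gaps are found early rather than as failed GPO application or synchronization. The host names ($DomainController, $GlobalCatalog, $ManagementServer) and the client port ($ClientPort, standing in for the "configurable" HTTP/HTTPS port) are hypothetical placeholders; the UDP half of ports 445 and 389 has no handshake and is not probed.

```powershell
# Added example (not from the Symantec guide): checks TCP reachability of the
# SEE service ports listed in Table 1.1 from the machine the script runs on.
# Assumptions (hypothetical values, replace with your own):
#   $DomainController / $GlobalCatalog / $ManagementServer resolve to the right hosts,
#   $ClientPort is the HTTP/HTTPS port you will configure on the SEE Management Server.
param(
    [string]$DomainController = "dc01.your-org.com",
    [string]$GlobalCatalog    = "dc01.your-org.com",
    [string]$ManagementServer = "see-mgmt.your-org.com",
    [int]   $ClientPort       = 443,
    [int]   $TimeoutMs        = 2000
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # WaitOne returns $false if the timeout elapses before the connect completes
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One entry per TCP port in Table 1.1. 'From' records which SEE role normally
# opens the connection, so you know which rows matter on the host you run this from.
$checks = @(
    @{ From = "Client Computer";       Service = "SMB (GPOs)";                  Target = $DomainController; Port = 445 },
    @{ From = "Client Computer";       Service = "LDAP (apply GPOs, GUIDs)";    Target = $DomainController; Port = 389 },
    @{ From = "SEE Management Server"; Service = "Global Catalog LDAP (sync)";  Target = $GlobalCatalog;    Port = 3268 },
    @{ From = "SEE Management Server"; Service = "LDAP (sync)";                 Target = $DomainController; Port = 389 },
    @{ From = "Client Computer";       Service = "HTTP/HTTPS (client-server)";  Target = $ManagementServer; Port = $ClientPort }
)

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        From      = $c.From
        Service   = $c.Service
        Target    = $c.Target
        Port      = $c.Port
        Reachable = Test-TcpPort -ComputerName $c.Target -Port $c.Port -TimeoutMs $TimeoutMs
    }
}

$results | Format-Table From, Service, Target, Port, Reachable -AutoSize

if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning "One or more SEE service ports are not reachable from this host; review firewall rules before installing."
}
```

Run it once from a prospective Client Computer (the "Client Computer" rows are the ones that matter there) and once from the planned SEE Management Server (the "SEE Management Server" rows). A refused or timed-out connection on 3268 from the management server is the usual reason directory synchronization later appears to hang, so it is worth fixing before the InstallShield wizard is started.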

System Requirements

Basics

An Active Directory domain is required to host the SEE Management Server, the SEE database instance and the Manager Computer(s); all must reside in the same Active Directory forest. It is recommended that the Global Catalog Server be located in the same site and/or domain as the SEE Management Server.

SEE Management Server

The SEE Management Server should be installed on a member server.

Table 1.2 SEE Management Server Hardware Requirements

Component Type | Requirement
Processor | 1.3 GHz Intel Pentium 4 or higher processor (or equivalent)
RAM | 1 GB
Free disk space | 80 MB

Table 1.3 SEE Management Server Software Requirements

Operating System | Edition(s) | Service Pack(s)
Windows Server 2003 (includes Windows Server 2003 R2) | Standard or Enterprise | SP1 or SP2
Additional Software: Microsoft .NET Framework 2.0; Internet Information Services (IIS) application server v6.0 with ASP.NET installed

Novell eDirectory

SEE supports synchronization with Novell eDirectory versions 8.7.3.7 and 8.7.3.9.

Active Directory

SEE supports synchronization with an Active Directory that has a domain functional level of Windows 2000 native or higher and a forest functional level of Windows 2000 or higher.

SEE Database Instance

The SEE database instance can be hosted on an existing server in the corporate datacenter, on the SEE Management Server, or on any computer that is a member of the Active Directory forest/domain. Hosting the SEE database instance in the corporate datacenter is recommended, as it can leverage existing enterprise-wide backup procedures. It is recommended that the SEE database instance be located in the same domain as the optional domain local groups: the One-Time Password group and the Policy Administrators group.

The SEE database instance must be configured to use mixed mode authentication. In addition, both local and remote connections must be allowed, using both TCP/IP and named pipes.

Table 1.4 SEE Database Instance Software Requirements

Component Type | Requirement
Supported versions of Microsoft SQL Server | Microsoft SQL Server 2005 Standard Edition; Microsoft SQL Server 2005 Enterprise Edition; Microsoft SQL Server 2005 Express Edition with Advanced Services
Free disk space | 1 GB minimum, more depending on the number of Client Computers
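The SEE database prerequisites above (mixed mode authentication, remote connections over both TCP/IP and named pipes) are easy to verify before the SEE Management Server installer is run. The PowerShell script below is an added example, not part of the Symantec guide: it forces each network library in turn with the `tcp:` and `np:` server-name prefixes that System.Data.SqlClient understands, then reads SERVERPROPERTY('IsIntegratedSecurityOnly') to confirm the authentication mode. The instance name $Instance is a hypothetical placeholder; the script assumes the account running it has a Windows login on the instance, and it should be run from a different domain member so that the connections are genuinely remote.

```powershell
# Added example (not from the Symantec guide): checks a SQL Server instance against
# the SEE database instance prerequisites (mixed mode; remote TCP/IP and named pipes).
# Assumption: $Instance is a hypothetical instance name; the caller's Windows account
# has a login on it. Run from another domain member, not on the SQL Server itself.
param(
    [string]$Instance = "SQL01\SEEDB"
)

function Test-SqlTransport {
    # $Prefix selects the network library: "tcp:" forces TCP/IP, "np:" forces named pipes.
    param([string]$Prefix, [string]$Instance)
    $cs   = "Server=$Prefix$Instance;Database=master;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        return $true
    } catch {
        Write-Verbose ("{0}{1}: {2}" -f $Prefix, $Instance, $_.Exception.Message)
        return $false
    } finally {
        $conn.Dispose()
    }
}

function Get-SqlAuthMode {
    # Returns "Mixed", "WindowsOnly", or "Unknown" when no connection could be made.
    param([string]$Instance)
    $cs   = "Server=$Instance;Database=master;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # IsIntegratedSecurityOnly: 1 = Windows authentication only,
        # 0 = SQL Server and Windows authentication (mixed mode)
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
        if ([int]$cmd.ExecuteScalar() -eq 0) { return "Mixed" } else { return "WindowsOnly" }
    } catch {
        Write-Verbose ("{0}: {1}" -f $Instance, $_.Exception.Message)
        return "Unknown"
    } finally {
        $conn.Dispose()
    }
}

$tcp  = Test-SqlTransport -Prefix "tcp:" -Instance $Instance
$np   = Test-SqlTransport -Prefix "np:"  -Instance $Instance
$mode = Get-SqlAuthMode -Instance $Instance

"TCP/IP remote connection:      " + $(if ($tcp) { "OK" } else { "FAILED" })
"Named pipes remote connection: " + $(if ($np)  { "OK" } else { "FAILED" })
"Authentication mode:           " + $mode

if (-not $tcp -or -not $np -or $mode -ne "Mixed") {
    Write-Warning "$Instance does not yet meet the SEE database instance prerequisites."
}
```

Run with -Verbose to see the underlying SqlClient error when a transport fails; a named-pipes failure with a working TCP connection usually means the Named Pipes protocol is disabled in SQL Server Configuration Manager or port 445 to the database host is blocked, while "WindowsOnly" means the instance's Server Authentication setting still needs to be changed to SQL Server and Windows Authentication mode.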

Introduction Manager Computer(s) Each Manager Computer must be a member of the Active Directory forest/domain. Table 1.5 Manager Computer Hardware Requirements Component Type Processor RAM Free disk space Requirement 223 MHz or faster 512 MB or more recommended 80 MB Table 1.6 Manager Computer Software Requirements Operating System Edition(s) Service Pack(s) Windows XP Professional SP2 or SP3 Windows Server 2003 Standard or Enterprise SP1 or SP2 Windows Vista Business, Ultimate, or Enterprise None or SP1 Additional Software Microsoft.NET Framework 1.1 and Microsoft.NET Framework 2.0 Microsoft Management Console 3.0 Group Policy Management Console with SP1 (GPMC.msi) Server 2003 Administration Tools Pack (adminpak.msi) Microsoft.NET Framework 2.0 Microsoft Management Console 3.0 Group Policy Management Console with SP1 (GPMC.msi) Server 2003 Administration Tools Pack (adminpak.msi) Client Computers Basics Fast user switching is not supported. The system BIOS must support extended INT 13h. SCSI devices that do not use INT 13h to access the hard disk are not supported. The NTFS and FAT32 formats are supported for the primary hard disk. Symantec recommends disabling the USB emulation setting in the system BIOS. Client Computers configured to boot from more than one partition (i.e. a dual or multi-boot system), must be reconfigured to boot from a single partition before SEE Full Disk can be installed. SEE Full Disk relies on the Master Boot Record (MBR). System restore tools that replace the MBR, such as IBM Rescue and Recover, can cause serious problems to Client Computers and are not compatible with SEE Full Disk. SEE Full Disk relies on its client database files and cannot protect them before Windows has loaded. Boot-time defragmentation programs will scramble the client database files and prevent the computer from booting. Single Sign-On (SSO) SEE s Single Sign-On feature will synchronize with Novell Client 4.91 Service Pack 3 (SP3). 
Section 508

SEE Full Disk provides Section 508-compliant text-to-speech capability for its Windows user interface components when used with JAWS version 9.0.2152 or later.

Hardware

Table 1.7  Client Computer Hardware Requirements

Component Type   Requirement
Processor        223 MHz or faster
RAM              512 MB or more recommended
Free disk space  65 MB
Keyboard         Canadian French, Chinese Bopomofo IME*, French, German, Italian, Japanese*, Korean*, Portuguese, Spanish, United Kingdom, US English

* Users will only be able to enter those characters that can also be typed from the US English keyboard.

Software

Table 1.8  Client Computer Software Requirements

Windows XP Professional or Tablet*, SP1, SP2 or SP3
    Additional software: Microsoft .NET Framework 1.1 or 2.0; Microsoft Internet Explorer 6.0 with SP2 or Internet Explorer 7
Windows 2000 Professional, SP4
    Additional software: Microsoft .NET Framework 1.1 or 2.0; Microsoft Internet Explorer 6.0 with SP2
Windows Vista Business, Ultimate, or Enterprise, no service pack or SP1

* A keyboard is required for tablet PCs.

Windows Vista is only supported when run on Vista Capable hardware. SSO synchronization with Novell Client 4.9.1 SP3 is not supported on Windows Vista.

SEE Installation Sequence

SEE must be installed in the following sequence:
1. Required account provisioning,
2. SEE database instance,
3. SEE Management Server,
4. SEE Manager, and
5. SEE client.

Account Provisioning

Basics

SEE uses several domain user accounts and domain groups for its operation. The following tables list the accounts that must be provisioned prior to installation of the SEE Management Server, as well as accounts and groups that are optional to deployment.

Required Accounts

The following accounts are required to deploy the product in its minimum configuration.

Table 1.9  Required Accounts

IIS client account
    Each Client Computer shares a single domain user account to authenticate to IIS on the SEE Management Server. No specific privileges are required for this account.

Database creation account
    A Windows or SQL Server account with sufficient privileges to create a database is required to execute the SEE Management Server installation.

Policy Administrator account
    Policy Administrators must be provisioned with read-write access to the SEE database. Either a Windows or a SQL account can be used for this purpose. This account will allow the Policy Administrator to use the snap-ins of the SEE Manager. If you choose to use a Windows account for database access, a Policy Administrators group may ease administration. See Optional Groups on page 6.

Synchronization Accounts

The following accounts are required to enable the synchronization feature.

Table 1.10  Synchronization Accounts

Active Directory synchronization account
    To enable synchronization with Active Directory, a domain user account in the same domain that the SEE Management Server has been joined to is required. The Active Directory synchronization service uses this account to bind to Active Directory. If the account does not have domain administrator privileges, you must extend the account privileges so that they include read permissions to the deleted objects container in Active Directory. One method of doing so is described in Appendix A, Extending Domain User Rights with DSACLS, on page 80.

eDirectory synchronization account
    To enable synchronization with Novell eDirectory, an eDirectory account with read-only permissions to the eDirectory tree is required.

Optional Accounts

The following accounts are optional.

Table 1.11  Optional Accounts

IIS administrator account
    To effect changes to the IIS configuration using the Configuration Editor, an account with administrative rights in IIS is required.

One-Time Password account
    If you plan to allow certain Policy Administrators access to the One-Time Password Program snap-in only, provisioning them with a read-only database account is recommended. This account can be either a Windows or a SQL account. If you choose to use a Windows account for database access, a One-Time Password group may ease administration. See the next section.

Optional Groups

The following groups may be used to ease the administration of Policy Administrator database accounts, if Windows authentication is chosen for this purpose. In order to create domain groups, you will need an account with create child permissions in Active Directory. Locating the groups in the same domain as the SEE database instance is recommended. Domain local groups can be assigned member permissions only within the same domain, but can contain accounts or groups from any domain.

Table 1.12  Optional Groups

Policy Administrators group
    An optional domain local group with read-write permissions to the SEE database. It is used for managing Policy Administrator accounts when Windows authentication to the database is used.

One-Time Password group
    An optional domain local group with read-only permissions to the SEE database. It is used for managing One-Time Password accounts when Windows authentication is chosen.

SEE Database Instance

The SEE database instance is a standard installation of a supported version of Microsoft SQL Server 2005 configured for mixed mode authentication. The database and necessary tables are created during installation of the SEE Management Server.

SEE Management Server

The SEE Management Server enables all aspects of SEE policy management and application, accepts data reported by Client Computers and stores that data in the SEE database instance, and (optionally) synchronizes information from Active Directory and/or eDirectory to the SEE database instance.

SEE Manager

Installing the SEE Manager setup packages creates a customized Microsoft Management Console (MMC) containing the SEE snap-ins and snap-in extensions. The SEE Manager setup packages consist of the following two files:
- Symantec Endpoint Encryption Framework.msi
- Symantec Endpoint Encryption Full Disk Edition.msi

SEE Client

The SEE client installation packages deliver the client software, software upgrades, and initial settings to Client Computers. The client installation packages consist of two MSIs and two log files. The log files document the contents of the associated MSI.
- Symantec Endpoint Encryption Framework Client.msi
- FrameworkSettings month_day_year-hour.minute.sec.log
- Symantec Endpoint Encryption Full Disk Edition Client.msi
- HardDiskSettings month_day_year-hour.minute.sec.log

where month, day, year, hour, minute, and sec are the date and time the package was created.

SEE Roles

Policy Administrator

Policy Administrators perform centralized administration of SEE. Using the Manager Console and the Manager Computer, the Policy Administrator:
- Creates and deploys client installation packages.
- Updates and sets client policies.
- Runs reports.
- Changes the Management Password.

- Reconfigures the SEE Management Server if necessary.
- Runs the One-Time Password Program.
- Creates the computer-specific Recover DAT file necessary for Recover /B.

Policy Administrators log on to their workstation using a Windows account. Access to the individual snap-ins of the SEE Manager can be restricted by Windows privilege. The Policy Administrator will require access privileges to the SEE database. These can be provided through their Windows account, or the Policy Administrator can be required to log on to the SEE database using SQL authentication. Read and write access to the SEE database is required for all snap-ins except the One-Time Password Program. Only read access is necessary for the One-Time Password Program. The Policy Administrator's account privileges are maintained by Windows and Microsoft SQL Server; SEE does not manage these accounts. Policy Administrators should be trusted in accordance with their assigned level of privilege.

Client Administrator

Client Administrators provide local support to SEE users and guarantee that SEE-protected computers are always accessible, even when all SEE users have been removed from those computers. Each Client Computer must have at least one Client Administrator account and can have up to 100. The Policy Administrator creates and maintains Client Administrator accounts using the SEE Manager. Because Client Administrator accounts are managed entirely by SEE and do not relate to Windows accounts, Client Administrators can support users who are not a part of the domain. The Policy Administrator assigns one of three privilege levels to each Client Administrator account. At least one Client Administrator account with a privilege level of high must exist on each workstation.

Table 1.13  Client Administrator Levels of Privilege (columns: Level; Can Unlock Computer; Can Extend Next Communication Due Date; Can Run Recover Program; Can Decrypt Hard Disk; Can Unregister Users; levels: High, Medium, Low)

Client Administrators should be trusted in accordance with their assigned level of privilege. There must be at least one Client Administrator on each workstation to allow hard disk recovery. Client Administrator passwords are managed by the Policy Administrator and cannot be changed on the workstation. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers. If passwords were local to each computer, remembering multiple passwords would become unwieldy.

Client Administrator accounts have the following restrictions:
- Client Administrators do not have either of the authentication assistance methods (Authenti-Check and One-Time Password) available.
- Client Administrators cannot use Single Sign-On.

User

SEE Full Disk protects the data stored on the Client Computer by encrypting it and requiring valid credentials to be provided before allowing Windows to load. During the registration process, users set their SEE credentials, allowing them to power the machine on from an off state and gain access to Windows. Only the credentials of registered users and Client Administrators will be accepted by SEE Full Disk. At least one user is required to register with SEE on each Client Computer.

A wizard guides the user through the registration process, which involves a maximum of four screens. The registration process can also be configured to occur without user intervention.

Authentication to SEE Full Disk can be configured to occur in one of three ways:
- Single Sign-On enabled: The user will be prompted to authenticate once each time they restart their computer.
- Single Sign-On not enabled: The user must log on twice: once to SEE Full Disk and then separately to Windows.
- Automatic authentication enabled: The user is not prompted to provide credentials to SEE Full Disk; the authentication process is transparent. This option relies on Windows to validate the user's credentials.

To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges.

2. SEE Management Server

Overview

Basics

This chapter describes how to install the SEE Management Server on a member server. After ensuring that all prerequisites have been met, you will run the SEE Management Server installer.

Database Instance Prerequisites

Prior to installing the SEE Management Server, the SEE database instance must be provisioned according to the following requirements:
- A member server running Windows 2003 Server for hosting the SEE database instance. This server must be a member of the same Active Directory forest as, and accessible to, the SEE Management Server.
- The member server must be installed with .NET Framework 2.0.
- The member server must be installed with a supported version of Microsoft SQL Server 2005.
- SQL Server must be configured to allow mixed-mode authentication.
- SQL Server must be configured to allow local and remote connections, using both TCP/IP and named pipes.

SEE Management Server Prerequisites

Once the SEE database instance has been provisioned, you can begin installation of the SEE Management Server on a computer that meets the following requirements:
- A member server running Windows 2003 Server for hosting the SEE Management Server. This server must be a member of an Active Directory forest domain that contains at least one Global Catalog server in the same site and/or domain that the SEE Management Server has been joined to, and must be on the same corporate network as, and accessible to, the SEE database instance.
- The member server hosting the SEE Management Server must be configured as an application server (IIS) with ASP.NET installed.
- One Active Directory domain user account with limited access privileges, the IIS client account. This account is shared among all SEE Client Computers and is used to authenticate to IIS on the SEE Management Server.
- One Active Directory domain user account, the database creation account. This account must have administrative privileges on the server hosting the SEE database instance, and is used during installation of the SEE Management Server. Alternately, you can use an SQL account that has administrative privileges, for example, the built-in SA account.
- One or more Active Directory domain user accounts assigned to the Policy Administrator role. These accounts can be given membership in the optional Policy Administrators group, allowing them read-write access to the SEE database from the SEE Manager.
- One Active Directory domain user account, the Active Directory synchronization account. This account is only required if synchronization with Active Directory is enabled. This account must have domain administrator privileges in the same site and/or domain that the SEE Management Server has been joined to. Note that if your corporate security policy prohibits the use of an administrator account, a non-administrator account can be used, provided that it has been granted read permissions to the Active Directory deleted objects container. See Extending Domain User Rights with DSACLS on page 80.
- One Novell eDirectory account, the eDirectory synchronization account. This account must have read-only privileges to eDirectory. This account is only required if synchronization with eDirectory is enabled.
- One optional Active Directory domain user account, the IIS administrator account. This account is necessary to effect changes to IIS configuration using the Configuration Editor.
- One optional Active Directory domain user account, the One-Time Password account. This account can be given membership in the optional One-Time Password group, allowing it read-only access to the SEE database.
- One optional domain local group with read-write permissions to the SEE database. It is used for managing Policy Administrator accounts.
- One optional domain local group with read-only permissions to the SEE database. It is used for managing One-Time Password accounts.
- The installer file, Symantec Endpoint Encryption Management Server.msi. This file could be located on a shared network directory, on the SEE Management Server, or in some other location. The person who provided you with this Guide should be able to direct you to this location.
- A domain user account with administrative privileges on the member server. This domain user account will be used for running the SEE Management Server installer.
- The user names and passwords of two of the required Active Directory domain user accounts: the IIS client account and the database creation account (see Table 1.9 on page 6).
- The user names and passwords of any optional accounts: the Active Directory synchronization account, and/or the eDirectory synchronization account (see Table 1.10 on page 6).

HTTPS Prerequisites

If you plan to use HTTPS communication between Client Computers and the SEE Management Server, you must install the server-side certificate on the SEE Management Server. This certificate must be valid for IIS and possess the following characteristics:
- Valid during the period in which it will be used.
- Enabled for server authentication.
- Contain the private key.
- Have a common name (CN) that is the computer name of the SEE Management Server.
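As an added example (not code from the Symantec guide), the following PowerShell function checks a certificate in the local machine store against the four characteristics listed above before you commit to HTTPS; the thumbprint is a placeholder you supply, and the function assumes PowerShell 2.0 or later on the SEE Management Server.

```powershell
# Added example, not from the Symantec guide. Checks a certificate in the
# LocalMachine\My store against the HTTPS prerequisites listed in this section.
# $Thumbprint is a placeholder: supply the thumbprint of the server certificate.
function Test-SeeServerCertificate {
    param([string]$Thumbprint)

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return ,@("no certificate with thumbprint $Thumbprint in LocalMachine\My")
    }

    $problems = @()
    $now = Get-Date

    # 1. Valid during the period in which it will be used
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period $($cert.NotBefore) to $($cert.NotAfter)"
    }

    # 2. Enabled for server authentication: the Enhanced Key Usage extension
    #    must carry the Server Authentication OID 1.3.6.1.5.5.7.3.1
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $serverAuth = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is $ekuType) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq "1.3.6.1.5.5.7.3.1") { $serverAuth = $true }
            }
        }
    }
    if (-not $serverAuth) { $problems += "not enabled for server authentication (EKU 1.3.6.1.5.5.7.3.1 absent)" }

    # 3. Contains the private key (IIS cannot terminate SSL with a public key alone)
    if (-not $cert.HasPrivateKey) { $problems += "private key is not present in the store" }

    # 4. CN is the computer name: accept either the NetBIOS name or the DNS host name
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn   = $cert.GetNameInfo($nameType, $false)
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($cn -ne $env:COMPUTERNAME -and $cn -ne $fqdn) {
        $problems += "CN '$cn' is neither '$env:COMPUTERNAME' nor '$fqdn'"
    }

    return ,$problems   # an empty array means all four prerequisites are met
}

$result = Test-SeeServerCertificate -Thumbprint "<THUMBPRINT-PLACEHOLDER>"
if ($result.Count -eq 0) { "Certificate meets the SEE HTTPS prerequisites" }
else { $result | ForEach-Object { "FAIL: $_" } }
```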
Summary of Steps

This chapter will walk you through the remaining steps necessary to complete installation:
1. Install the SEE Management Server using the InstallShield Wizard, launched from the GUI or the command line.
2. Verify correct operation of the SEE Management Server.
3. Perform a backup of the SEE database instance.

If you are upgrading from a previous version of SEE, you must also run a script that migrates important data objects from the existing ADAM-based SEE Server to the new SQL-based SEE database instance. See the Upgrades chapter of this Guide for information on how to run this script.

SEE Management Server InstallShield Wizard

Basics

Locate the SEE Management Server installer (Symantec Endpoint Encryption Management Server.msi) and launch it from the GUI or command line. Running the installer from the command line allows you to specify an output log file, which can be helpful for troubleshooting installation problems.

To run the installer from the command line, click Start, click Run, type cmd, then click OK to open a new command prompt window. Invoke the Windows Installer (msiexec.exe) with the following command-line parameters:

    MSIEXEC /i "[path]\Symantec Endpoint Encryption Management Server.msi" /lvx [logpath]\logfile

where [path] is the actual path on the member server where the SEE Management Server installer package is located, and [logpath]\logfile is the path and name of the output log file that will be created.

The Welcome page of the SEE Management Server InstallShield Wizard appears. Click Next. The License Agreement page appears. Select the option I accept the terms in the license agreement, then click Next. The Database Creation page appears.

Figure 2.1  Database Server

This page allows you to specify the database instance on which to create the SEE database. Click Browse to select from a list of available instances, or type the Windows computer name of the instance. A database server is recommended, but you can also install the SEE database instance locally on the SEE Management Server, if a supported version of Microsoft SQL Server has been installed. Choose the account you will use to connect to the database instance, either the currently logged on Windows user or a SQL Server account. If you choose to connect using an SQL Server account, you must specify the account credentials. Click Next. The installer will attempt to authenticate to the instance, and the Database Configuration page will appear.

Figure 2.2  Database Configuration

This page allows you to create a new database or use an existing one. If you are reinstalling the SEE Management Server and want to use an existing SEE database, choose Use existing database, type the credentials of an existing SQL account, click Next, and skip to the IIS Client Account InstallShield Wizard page on page 17. If you are installing SEE Management Server for the first time, use the default choice, Create a new database. This allows you to specify a limited-privilege database user account that is created on the database server and used for secure communication between the SEE Management Server and the SEE database instance. Type the user name, password, and password confirmation of the new account, then click Next. The Directory Service Synchronization page will appear.

Figure 2.3  Directory Synchronization, Active Directory Selected

This page allows you to select the directory services from which the SEE database instance will be populated. The SEE Management Server ensures that the SEE database instance remains up to date with information from these directory services. For example, when computer or container objects are added to or deleted from Active Directory and/or eDirectory, directory service synchronization propagates those changes to the SEE database instance. This allows you to use the SEE Manager to view and apply SEE native policies to the computers in your organization according to the directory OUs or containers in which they reside.

From this point forward, the successive pages of the SEE Management Server InstallShield Wizard will differ depending on whether you select Microsoft Active Directory, Novell eDirectory, or both. If you select:
- Microsoft Active Directory, continue reading.
- Novell eDirectory by itself, skip to Novell eDirectory Synchronization Selected on page 15.
- Both boxes and click Next, skip to Both Active Directory & eDirectory Synchronization Selected on page 16.

If your deployment doesn't use directory services, or you don't want to enjoy the benefits of directory service synchronization, leaving both boxes unselected and clicking Next will take you to the IIS Client Account page on page 17. Note that directory service synchronization can be changed after installation using the SEE Configuration Manager Utility. See the Policy Administrator Guide for more details.

Active Directory Synchronization

If you selected Microsoft Active Directory by itself or in combination with Novell eDirectory, and then clicked Next, the following InstallShield Wizard pages will appear.

Figure 2.4  Active Directory Synchronization, Account Credentials

The installer will prefill the Forest Name box with information about the forest the SEE Management Server resides in. Type the user name, password, and NetBIOS or DNS domain name of a user account that has administrative privileges in the same domain that the SEE Management Server has been joined to.
The Active Directory synchronization service binds to Active Directory using this account, and requires administrative privileges for accessing deleted objects in Active Directory. If your corporate security policy prohibits using an account with administrative privileges, you can use a non-administrative domain account that has been granted read permissions to the deleted objects container. See Extending Domain User Rights with DSACLS on page 80.
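As an added example of the least-privilege alternative just described (not code from the Symantec guide, whose own procedure is in Appendix A), the following PowerShell function grants a non-administrative synchronization account read access to the Deleted Objects container using dsacls.exe; the account name is a placeholder, and the function assumes it is run by a domain administrator on a domain-joined machine with dsacls.exe available.

```powershell
# Added example, not from the Symantec guide. Grants a non-administrative domain
# account the read access to the Deleted Objects container that the Active
# Directory synchronization service needs, so that a domain administrator
# account is not required. Run as a domain administrator on a domain-joined
# machine; dsacls.exe ships with the Windows Server 2003 Support Tools and
# adminpak.msi. $SyncAccount is a placeholder in DOMAIN\user form.
function Grant-DeletedObjectsRead {
    param([string]$SyncAccount)

    # Distinguished name of the domain this machine is joined to
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $domainDn  = [string]$rootDse.Get("defaultNamingContext")
    $container = "CN=Deleted Objects,$domainDn"

    # Only the container's owner may edit its ACL, so take ownership first
    # (this changes nothing on the deleted objects themselves).
    & dsacls.exe $container /takeownership | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed with code $LASTEXITCODE" }

    # LC = List Contents, RP = Read Property: enough to enumerate and read
    # deleted objects. No write, delete or control rights are granted.
    & dsacls.exe $container /G "${SyncAccount}:LCRP" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed with code $LASTEXITCODE" }

    # Re-read the ACL and confirm the account now appears on it
    $acl = & dsacls.exe $container
    return [bool]($acl | Select-String -SimpleMatch $SyncAccount)
}

if (Grant-DeletedObjectsRead -SyncAccount "<DOMAIN>\<sync-account>") {
    "Read access to the Deleted Objects container granted"
}
```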

If you selected Active Directory synchronization by itself, clicking Next will take you to the IIS Client Account page on page 17. If you selected Novell eDirectory synchronization by itself, or both Active Directory and Novell eDirectory synchronization, click Next and continue reading.

Novell eDirectory Synchronization Selected

The following InstallShield Wizard page will appear if:
- You selected Novell eDirectory by itself and clicked Next, or
- You selected both Active Directory and Novell eDirectory, and have completed the Active Directory Wizard pages.

Figure 2.5  eDirectory Synchronization, Account Credentials

Type the name of the eDirectory tree you want to synchronize with, along with the IP address and LDAP port of your eDirectory server, as well as the distinguished name and password of an administrator account that has Directory-Admin privileges within your eDirectory. Clicking Next will attempt to authenticate to the eDirectory server using the specified information and take you to the IIS Client Account page on page 17.

Both Active Directory & eDirectory Synchronization Selected

Selecting both Microsoft Active Directory and Novell eDirectory will cause the policy precedence option to be shown:

Figure 2.6  Directory Synchronization, Policy Precedence

When Active Directory and eDirectory are both present, a Client Computer can potentially be a member of both, thus receiving two sets of potentially conflicting SEE policies. To mitigate potential policy conflicts, you must choose the directory service whose policies will have priority. Select either Microsoft Active Directory or Novell eDirectory, then click Next. The Active Directory Synchronization page on page 14 will appear.

The IIS Client Account InstallShield Wizard page will appear once you have completed your directory synchronization selections, i.e.:
- You made no selections on the Active Directory Synchronization page, and then clicked Next, or
- You selected either or both Active Directory and eDirectory synchronization, and have completed their respective Wizard pages.

This InstallShield Wizard page will also appear if you selected Use existing database in the Database Configuration InstallShield Wizard page on page 13, and then clicked Next.

Figure 2.7  IIS Client Account Credentials

Type the user name, password, and DNS domain name of the IIS client account that will be shared among all Client Computers and will be used to authenticate to the SEE Management Server. Server friendly name is an optional value stored in the database for future use. Clicking Next will attempt to validate the IIS client account details you entered with Active Directory, and if successful, the Client-Server Communications page will appear.

Figure 2.8  Client Server Communications, HTTP Protocol

This page allows you to specify the port and protocol used for communication between Client Computers and the SEE Management Server. To specify unencrypted client-server communications, type the port number to use for unencrypted communications (TCP Port), then click Next.

To specify that client-server communications use SSL encryption, click HTTPS.

Figure 2.9  Client Server Communications, HTTPS Protocol

This will cause the SSL Port box and Browse button to be shown. Type the port numbers to use for unencrypted communications (TCP Port) and SSL-encrypted communications (SSL Port). Note that even when the HTTPS protocol has been selected, you must also specify a TCP port for fall-back use. Click Browse and select a CER certificate for the client side of the SSL communications. This certificate must be within its own validity period and issued by the same authority as the server-side SSL certificate. It will be stored in the SEE database instance at the successful conclusion of the installation and can be updated later using the Configuration Editor. See the Policy Administrator Guide. Once the selected certificate has been accepted, click Next. The Destination Folder page will appear.

Figure 2.10  Destination Folder

This page allows you to change where the SEE Management Server files will be installed.

Click Change to choose a different location to install the SEE Management Server files, or click Next to accept the default installation location. The Ready to Install Program page appears.

Figure 2.11  Ready to Install Program

Click Install. After the SEE Management Server InstallShield Wizard Completed page appears, click Finish. A series of command line windows will open and close during execution of the installer. Click Restart when prompted.

Verification

SEE Management Server

1. Open the Internet Information Services (IIS) Manager snap-in.
2. Expand the SEE Management Server computer.
3. Expand Web Sites.
4. Verify that the Symantec Endpoint Encryption Services website is listed and that the word Stopped does not appear beside it. If Stopped appears next to Symantec Endpoint Encryption Services, it indicates that the port number that you specified for communications with the Client Computers is already in use. See the Policy Administrator Guide for instructions on using the Configuration Editor to change the port number.
5. Click on Symantec Endpoint Encryption Services, and verify that the right-hand pane contains the following three items:
   - The bin subfolder,
   - The GECommunicationWS.asmx file,
   - The web.config file.
6. Highlight Web Service Extensions. Check to make sure that ASP.NET v2.0.50727 is listed in the right-hand panel with a status of Allowed.
7. Open the Event Viewer snap-in and examine the Application event log to verify that there are no errors generated by the event sources ADSyncService or NovellSyncService.

SEE Database Instance

Access the SEE database instance using Microsoft SQL Server Management Studio (part of an optional install of tools for SQL Server 2005) with administrator-level privileges, and verify the following:
- A new database, SEEMSDb, has been created.
- The user you specified in the Database Configuration InstallShield Wizard page has been added as a user of the SEEMSDb database.
- The SEEMSDb database has been populated with SEE-specific tables, for example, dbo.gemseventlog.
- If you selected Active Directory synchronization, the contents of the SEEMSDb dbo.adcontainers database table reflect the OU structure of your Active Directory.
- If you selected eDirectory synchronization, the contents of the SEEMSDb dbo.novellcontainers database table reflect the container structure of your eDirectory.

Log Files

If you ran the MSI from the command line and enabled logging, each step of the installation process will be logged in the file and at the location specified at the command prompt. If no path was specified, the file will be stored in the working directory that was current at the time the command was issued.

Backup

Once the SEE Management Server has been installed and its operation verified, it is critical to perform a complete backup of the SEE database named SEEMSDb. Furthermore, consult with personnel from your enterprise backup group to arrange for regular backups of the SEE database.
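As an added example (not code from the Symantec guide), the following PowerShell script automates the verification, log-file and backup steps of this chapter: it checks the IIS site state and content, looks for synchronization-service errors in the Application log, confirms the expected SEEMSDb tables, reads the final status from the MSI log, and takes a full backup. It assumes PowerShell 2.0 or later, local administrator rights on the Management Server, Windows authentication to SQL Server, and that the placeholder paths and instance name are replaced.

```powershell
# Added example, not from the Symantec guide. Automates the post-install checks
# of this chapter on the SEE Management Server (IIS 6 on Windows Server 2003)
# and the SEE database instance. Assumptions: PowerShell 2.0 or later, local
# administrator rights on the Management Server, Windows authentication to
# SQL Server, and the placeholder values below replaced with real ones.
$SqlInstance = "<DBSERVER\INSTANCE>"        # placeholder: SEE database instance
$MsiLog      = "C:\<logpath>\<logfile>"     # placeholder: log named on /lvx

function Test-SeeWebSite {
    # IIS 6 exposes its sites through WMI; ServerState 2 = Started, 4 = Stopped
    $ns = "root\MicrosoftIISv2"
    $setting = Get-WmiObject -Namespace $ns -Class IIsWebServerSetting |
        Where-Object { $_.ServerComment -eq "Symantec Endpoint Encryption Services" }
    if (-not $setting) { return "FAIL: site is not listed under Web Sites" }
    $site = Get-WmiObject -Namespace $ns -Class IIsWebServer |
        Where-Object { $_.Name -eq $setting.Name }
    if ($site.ServerState -eq 4) {
        return "FAIL: site is Stopped (the client port is probably already in use)"
    }
    # The site root must contain the bin subfolder, GECommunicationWS.asmx and web.config
    $root = Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting |
        Where-Object { $_.Name -eq "$($setting.Name)/ROOT" }
    foreach ($item in "bin", "GECommunicationWS.asmx", "web.config") {
        if (-not (Test-Path (Join-Path $root.Path $item))) {
            return "FAIL: $item is missing from $($root.Path)"
        }
    }
    return "OK: site is started and its content is present"
}

function Get-SeeSyncErrors {
    # Error events written by the two synchronization services
    Get-EventLog -LogName Application -Newest 5000 |
        Where-Object { $_.EntryType -eq "Error" -and
                       ("ADSyncService", "NovellSyncService") -contains $_.Source }
}

function Test-SeeDatabase {
    param([string]$Instance)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=SEEMSDb;Integrated Security=SSPI"
    $conn.Open()   # throws if SEEMSDb does not exist or access is denied
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT name FROM sys.tables"
        $tables = @()
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) { $tables += $rdr.GetString(0).ToLower() }
        $rdr.Close()
        $results = @()
        # gemseventlog is always expected; adcontainers and novellcontainers are
        # populated only when that directory synchronization was selected
        foreach ($t in "gemseventlog", "adcontainers", "novellcontainers") {
            if ($tables -contains $t) {
                $cmd.CommandText = "SELECT COUNT(*) FROM dbo.$t"
                $results += "OK: dbo.$t exists with $($cmd.ExecuteScalar()) rows"
            } else {
                $results += "MISSING: dbo.$t"
            }
        }
        return ,$results
    } finally { $conn.Close() }
}

function Get-MsiInstallStatus {
    param([string]$LogPath)
    # A verbose Windows Installer log records the final outcome as
    # "Installation success or error status: N." (0 = success, 3010 = reboot needed)
    $m = Select-String -Path $LogPath -Pattern "Installation success or error status: (\d+)" |
        Select-Object -Last 1
    if (-not $m) { return $null }
    return [int]$m.Matches[0].Groups[1].Value
}

function Backup-SeeDatabase {
    param([string]$Instance, [string]$BackupFile)
    # Full backup of SEEMSDb with T-SQL, so no SQL Server client tools are needed
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandTimeout = 0   # a full backup may exceed the 30 s default
        $cmd.CommandText = "BACKUP DATABASE [SEEMSDb] TO DISK = @file WITH INIT"
        [void]$cmd.Parameters.AddWithValue("@file", $BackupFile)
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Close() }
}

Test-SeeWebSite
"Sync service errors in the Application log: $(@(Get-SeeSyncErrors).Count)"
Test-SeeDatabase -Instance $SqlInstance
"MSI installation status: $(Get-MsiInstallStatus -LogPath $MsiLog)"
Backup-SeeDatabase -Instance $SqlInstance -BackupFile "C:\<backuppath>\SEEMSDb.bak"
```

The ASP.NET v2.0.50727 web service extension check from step 6 is not included; confirm it in IIS Manager as described above.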

3. SEE Manager

Overview

The SEE Manager is used by Policy Administrators and runs on one or more computers designated as Manager Computers. During installation of the initial Manager Console, the installer generates a set of keys, creates a backup of those keys, and stores them in the SEE database. For centralized administration, a Manager Computer could be configured to be remotely accessed by Policy Administrators.

The SEE Manager can be installed in one of two modes: the default (recommended) mode and the serverless mode. The default mode requires a SEE Management Server and a SEE database instance to be already installed and running before you install the SEE Manager. The serverless mode does not require a SEE database instance.

Using the SEE Manager, a Policy Administrator defines SEE installation settings for one or more modules, then pushes them out together with the SEE client software in the form of Microsoft Installer (MSI) packages. When these SEE packages run on a Client Computer, they install the SEE client software and store the installation settings in the registry. Installation settings apply to all users on a given Client Computer, and refinements or updates to policy can subsequently be pushed to the SEE clients in the form of Active Directory or native policies.

Certain SEE database-dependent features of the SEE Manager will be absent from a serverless mode installation of the SEE Manager, including the ability to run reports and the ability to create the computer-specific Recover DAT file necessary for Recover /B.

Default and Serverless Installation Modes

Both the default and serverless installation modes of the SEE Manager allow the Policy Administrator to:
- Create and deploy client installation packages.
- Update and set client policies.
- Change the Management Password.
- Run the One-Time Password Program.
- Reconfigure the SEE Management Server, as necessary.

Additionally, the default mode installation of the SEE Manager allows the Policy Administrator to:
- Run reports; and
- Export computer-specific recovery data to assist in the hard disk recovery process.

Clients installed from packages produced by a serverless installation of the SEE Manager do not communicate with an SEE Management Server, and are known as silent clients. Default mode deployments and serverless deployments of the SEE Manager can coexist within the same SEE deployment.

The serverless installation mode may be appropriate in the following situations:
- The deployment consists of a few SEE clients, and the cost of installing and maintaining an SEE database instance is hard to justify;
- The accompanying trade-offs (fewer hard disk recovery options, lack of reporting capabilities) are deemed an acceptable risk; or
- There is a security requirement that SEE clients should not generate any network traffic.

HTTPS Prerequisite

If you plan to use HTTPS communication between Client Computers and the SEE Management Server, you must install the client-side SSL certificate on each SEE Manager Computer.

Microsoft Administration Tools

Basics

This section describes how to install the additional Microsoft administration tools required for using the SEE Manager on designated Manager Computers.

Group Policy Management Console

The GPMC must be installed on Manager Computers running either Windows Server 2003 or Windows XP Professional, and must be installed before the SEE Manager. If it is not already installed, the Microsoft Group Policy Management Console with Service Pack 1 (Gpmc.msi) can be downloaded from the Microsoft website at the following URL:

http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

To install the Group Policy Management Console snap-in, double-click the gpmc.msi file and follow the on-screen instructions. On the final installation screen, click Finish.

Windows Server 2003 Administration Tools Pack

The Windows Server 2003 Administration Tools Pack must be installed on Manager Computers running Windows XP Professional or Windows Vista, and must be installed before the SEE Manager. If it is not already installed, the Windows Server 2003 Administration Tools Pack can be downloaded from the Microsoft website at the following URL:

http://www.microsoft.com/downloads/details.aspx?familyid=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

To install the Windows Server 2003 Administration Tools Pack, double-click the adminpak.msi file and follow the on-screen instructions. On the final installation screen, click Finish.

Because Windows Server 2003 includes the Active Directory Users and Computers snap-in, you do not need to install the Windows Server 2003 Administration Tools Pack on Manager Computers running Windows Server 2003.

After you install the Microsoft administration tools, continue to the following section.

SEE Manager Setup Process

To install the SEE Manager, the SEE Framework (Symantec Endpoint Encryption Framework.msi) must be installed first. Because the initial installation of the SEE Manager generates a set of keys and creates a backup of those keys, the initial installation should be done on a physically protected, highly available computer. Subsequent installations of the SEE Manager can be done on any computer running Windows XP Professional or Windows Server 2003.

During the installation of the Symantec Endpoint Encryption Framework.msi package, the SEE Framework InstallShield Wizard prompts you for input on several of the following screens. Note that the sequence of screens differs depending on whether you select the default or serverless installation mode.

If you plan to use HTTPS communications, install the client-side SSL certificate on the Manager Computer. This certificate must be the same certificate that is stored in the SEE database.
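Because the Framework installer generates key material on the first run, it is worth keeping a verbose installer log in a known place rather than relying on the working-directory default described under Log Files. The following PowerShell is an added example and is not part of the Symantec guide: it launches the MSI with a verbose Windows Installer log at a fixed path and reports the outcome from both the exit code and the log. The InstallShield Wizard still appears and prompts exactly as described on the following pages; only logging and result checking are scripted. The installer path and log folder are assumptions; the /l*v switch, the 0 and 3010 exit codes and the "Installation success or error status" log line are standard Windows Installer behaviour, not SEE-specific.

```powershell
# Added example, not part of the Symantec guide: run an SEE MSI with a verbose
# log in a fixed location and report the result. Assumptions: installer path
# and log folder are illustrative.
function Install-SeeMsi {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [string]$LogDir = (Join-Path $env:ProgramData 'SEE\InstallLogs')   # assumption
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Installer not found: $MsiPath" }
    [void](New-Item -ItemType Directory -Path $LogDir -Force)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $base  = [IO.Path]::GetFileNameWithoutExtension($MsiPath)
    $log   = Join-Path $LogDir "$base-$stamp.log"

    # /l*v = verbose log of every step; an explicit path avoids the default of
    # writing the log into whatever directory happens to be current.
    $msiArgs = @('/i', "`"$MsiPath`"", '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Windows Installer ends the log with a line such as
    # "Installation success or error status: 0." (0 = success, 3010 = reboot required).
    $match = Select-String -LiteralPath $log -Pattern 'Installation success or error status: (\d+)' |
             Select-Object -Last 1
    $logStatus = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { $null }

    [pscustomobject]@{
        Msi       = $MsiPath
        ExitCode  = $proc.ExitCode
        LogStatus = $logStatus
        Log       = $log
        Succeeded = ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010)
    }
}

$result = Install-SeeMsi -MsiPath 'C:\SEE\Install\Symantec Endpoint Encryption Framework.msi'   # assumption
$result
if (-not $result.Succeeded) {
    throw "Framework installation failed with exit code $($result.ExitCode); review $($result.Log)"
}
```

The same function can be used for the Full Disk and One-Time Password MSI packages installed later in this chapter. Treat the log as sensitive once the wizard has run: it records the paths you chose for the key backups.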

Framework InstallShield Wizard

Basics

Locate the SEE Framework installer (Symantec Endpoint Encryption Framework.msi) and launch it. The Welcome page of the Framework InstallShield Wizard appears. Click Next.

The License Agreement page appears. Select the option I accept the terms in the license agreement, then click Next. The Destination Folder page appears.

Figure 3.1 Framework Manager Installer, Destination Folder

This page allows you to change where the SEE Manager program files will be installed. Click Change to choose a different location, or click Next to accept the default installation location. The Database Server page appears.

From this point forward, the successive pages of the Framework InstallShield Wizard differ depending on whether you are performing a default mode installation or a serverless installation. To perform a default mode installation, continue reading. To perform a serverless installation, skip to Serverless Installation of the Manager on page 26.

Default Mode Installation of the Manager

To perform a default mode installation of the SEE Manager, use the settings presented in the following sequence of InstallShield Wizard pages.

Figure 3.2 Framework Manager Installer, Database Server

This page allows you to choose whether to install the SEE Manager in default mode or serverless mode, and prompts you for the name of the computer hosting the SEE database instance and the credentials of the Policy Administrator account (see Required Accounts on page 6). This account is one of the two domain accounts you created as Windows security principals for SEE Management Server authentication during the SEE Management Server installation.

Type the name of the computer hosting the SEE database instance, type the credentials of that account in the corresponding boxes, and click Next. The InstallShield Wizard authenticates to the database server you specified and verifies that the credentials you entered are correct before allowing you to continue. Continue with Figure 3.3 on page 25.

If this is the first installation of a default mode SEE Manager following a fresh SEE Management Server installation, or if OTP keys are otherwise not found in the SEE database instance, the SEE Management Password page appears.

Figure 3.3 Management Password and Random String Backup

During subsequent installations of the SEE Framework Manager Console, the installer detects that the Management Password and the random string backup have already been created, and this page is not shown. Instead, the Ready to Install the Program page (Figure 3.4 on page 26) appears.

The Management Password must be between 16 and 32 characters in length, and is used by support personnel for various SEE data recovery and administrative functions. It can be changed later using the Management Password snap-in of the SEE Manager.

This page also allows you to change the default location for the backup of the random string. The random string is a critical value used to generate the OTP keys stored in the SEE database, and is required when rebuilding an SEE Management Server instance or migrating from a serverless deployment to one containing a SEE Management Server. Save the random string backup to removable media and store it in a secure location; because the OTP keys can be restored from it, treat the backup as key material and not as an ordinary configuration file. For details on how to restore the OTP keys from a backup of the random string, see the Policy Administrator Guide.

Once you have established a Management Password and backed up the random string, click Next.

The Ready to Install the Program page appears.

Figure 3.4 Framework Manager Installer, Ready to Install the Program

Click Install. After the Completed page of the SEE Framework InstallShield Wizard appears, click Finish. Continue to Full Disk InstallShield Wizard on page 29 and run the SEE Full Disk InstallShield Wizard.

Serverless Installation of the Manager

To perform a serverless installation of the SEE Manager, use the settings presented in the following sequence of InstallShield Wizard pages.

Figure 3.5 Framework Manager Installer, Database Server

Clear the Use SEE Server check box. The Database Server and Connect using sections become unavailable. Click Next.

The One-Time Password Key page appears.

Figure 3.6 Framework Manager Installer, One-Time Password Key

This page is specific to serverless installations of the SEE Manager. It allows you to create a new One-Time Password (OTP) key or import an existing OTP key. The OTP key only has meaning within the context of SEE Full Disk; however, ensuring that all installations of the SEE Manager use the same OTP key eases the deployment of SEE Full Disk, should you decide to install it later.

From this point forward, the successive pages of the Framework InstallShield Wizard differ depending on whether you are creating a new OTP key or using an existing OTP key. Creating a new OTP key is described first. To use an existing OTP key, skip to Using an Existing OTP Key on page 29.

Using the same OTP key across all installations of the SEE Manager becomes important when transitioning from a serverless deployment to a standard deployment. In such a scenario, you create an OTP key backup the first time you install the SEE Manager, then import the same key when installing subsequent instances of the SEE Manager. This guarantees that Framework client packages created from any installation of the SEE Manager contain the same OTP key.

To create a new OTP key, click Browse. In the screen that opens, navigate to a destination location of your choice, or accept the default location C:\Program Files\Symantec\Symantec Endpoint Encryption Manager\Framework, and click OK. The Destination directory updates to indicate the location you selected. When the installation process completes, the new OTP keys are written to a registry file named GEOTPKeysBackup.reg at the destination location. Save this registry file to removable media and store it in a secure location; it holds the OTP keys themselves, and by default it is left as a plain file on the Manager Computer's local disk. Click Next.

The SEE Management Password page appears.

Figure 3.7 Management Password and Random String Backup

For serverless installations of the SEE Manager, the Management Password is specific to this individual installation of the SEE Manager. The Management Password must be between 16 and 32 characters in length, and is used by support personnel for various SEE data recovery and administrative functions. It can be changed later using the Management Password snap-in of the SEE Manager.

This page also allows you to change the default location for the backup of the random string. The random string is a critical value used to generate the OTP keys, and is required when rebuilding an SEE database or migrating from a serverless deployment to one containing an SEE Management Server. Save the random string backup to removable media and store it in a secure location.

Once you have established a Management Password and backed up the random string, click Next. The Ready to Install the Program page appears. Click Install. After the SEE Framework InstallShield Wizard Completed page appears, click Finish. Continue to Full Disk InstallShield Wizard on page 29 and run the SEE Full Disk InstallShield Wizard.
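Both the random string backup (pages 25 and 28) and, for serverless installations, GEOTPKeysBackup.reg (page 27) are supposed to end up on removable media in a secure location, and a backup that was copied incorrectly is discovered only when it is needed for recovery. The following PowerShell is an added example and is not part of the Symantec guide: it refuses to copy to anything other than a removable drive, copies the key files, compares SHA-256 hashes of source and copy, and writes a manifest of the hashes next to the copies so the media can be re-verified later. The source folder is the default Framework location the guide names; the drive letter is an assumption. The guide does not give the file name of the random string backup, so you must add that name to the file list yourself.

```powershell
# Added example, not part of the Symantec guide: copy the Manager's key
# backups to removable media and verify the copies by hash. Assumptions: the
# drive letter is illustrative; the random string backup file name is not
# given in the guide and must be added to $Include.
function Get-RemovableRoot {
    param([Parameter(Mandatory)][string]$DriveLetter)
    # Win32_LogicalDisk DriveType 2 = removable disk. Refusing anything else keeps
    # the key material off fixed and network drives by mistake.
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    if (-not $disk -or $disk.DriveType -ne 2) { throw "$DriveLetter is not a removable drive" }
    return "$DriveLetter\"
}

function Backup-SeeKeyMaterial {
    param(
        [string]$SourceDir = 'C:\Program Files\Symantec\Symantec Endpoint Encryption Manager\Framework',
        [Parameter(Mandatory)][string]$DriveLetter,
        [string[]]$Include = @('GEOTPKeysBackup.reg')   # add the random string backup file name here
    )
    $root = Get-RemovableRoot -DriveLetter $DriveLetter
    $dest = Join-Path $root ('SEE-KeyBackup-{0}' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    [void](New-Item -ItemType Directory -Path $dest)

    $manifest = foreach ($name in $Include) {
        $src = Join-Path $SourceDir $name
        if (-not (Test-Path -LiteralPath $src)) { throw "Expected backup file missing: $src" }
        $copy = Copy-Item -LiteralPath $src -Destination $dest -PassThru
        $srcHash  = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
        $copyHash = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
        if ($srcHash -ne $copyHash) { throw "Hash mismatch after copying $name; do not trust this media" }
        [pscustomobject]@{ File = $name; SHA256 = $srcHash; Copied = $copy.FullName }
    }
    # The manifest lets the media be checked again before it is ever used for recovery.
    $manifest | Export-Csv -LiteralPath (Join-Path $dest 'manifest.csv') -NoTypeInformation
    return $manifest
}

Backup-SeeKeyMaterial -DriveLetter 'E:' | Format-Table -AutoSize
```

Keep the manifest hashes in your change record as well as on the media; to re-verify later, run Get-FileHash against the copies and compare with manifest.csv. Once the copies are verified and the media is stored, decide deliberately whether the originals should remain on the Manager Computer's disk.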

Using an Existing OTP Key

To use an existing OTP key created during a previous installation of the SEE Manager, click Use an existing OTP key, then click Browse.

Figure 3.8 One-Time Password Key, Use an Existing OTP Key

In the screen that opens, navigate to the folder where the registry file GEOTPKeysBackup.reg containing the existing OTP keys is stored, and click OK. The Source directory updates to indicate the location you selected. Click Next. The Ready to Install the Program page appears. Click Install. After the SEE Framework InstallShield Wizard Completed page appears, click Finish. Continue to Full Disk InstallShield Wizard on page 29 and run the SEE Full Disk InstallShield Wizard.

Full Disk InstallShield Wizard

Once the Framework InstallShield Wizard completes, launch the Symantec Endpoint Encryption Full Disk Edition.msi package. The Welcome page of the Full Disk InstallShield Wizard appears. Click Next. The License Agreement page of the Full Disk InstallShield Wizard appears.

Select the option I accept the terms in the license agreement, then click Next. The Destination Folder page appears.

Figure 3.9 Full Disk Manager Installer, Destination Folder

This page allows you to change where the SEE Full Disk program files will be installed. Click Change to choose a different location, or click Next to accept the default installation location. The Ready to Install the Program page appears.

Figure 3.10 Full Disk Manager Installer, Ready to Install the Program

Click Install. After the SEE Full Disk InstallShield Wizard Completed page appears, click Finish.

Add Forest

To complete the installation, follow these steps:

1. Open the SEE Manager. Click Start, point to All Programs, then click Symantec Endpoint Encryption Manager.
2. In the navigation pane on the left, select the Group Policy Management snap-in, right-click, and choose Add Forest.

Figure 3.11 Group Policy Management Console, Add Forest

3. In the Add Forest dialog box, type the fully qualified domain name.
4. Click OK.

With the SEE Manager installed on the Manager Computer, you are ready to create client installer packages. Before continuing, it is highly recommended that you immediately back up the SEE database, which was updated with the OTP keys during the initial installation of the Manager Console.

One-Time Password Program

Basics

The One-Time Password (OTP) Program allows administrators to assist users who have forgotten their password in Pre-Windows. Using the One-Time Password Program, the administrator provides the user with a one-time response key that allows the user to gain access to Windows, where they are prompted to enter a new password. For more details on running the One-Time Password Program, refer to the Policy Administrator Guide.

The One-Time Password Program is installed on Manager Computers that have connectivity to the SEE database instance. If the Manager Computer was installed in serverless mode or is otherwise unable to connect to the SEE database instance, the One-Time Password Program will not run.

Installation

The One-Time Password Program requires the Framework portion of the Manager Console to be installed first. This process is discussed in Framework InstallShield Wizard on page 23. Once the SEE Framework portion of the Manager Console has been installed, install the One-Time Password Program by running the Symantec Endpoint Encryption One-Time Password.msi file.

The Welcome page of the SEE One-Time Password Program InstallShield Wizard appears. Click Next. The License Agreement page appears. Select the option I accept the terms in the license agreement, then click Next. The Destination Folder page appears.

Figure 3.12 One-Time Password Program Installer, Destination Folder

Click Change to choose a different location to install the One-Time Password Program files, or click Next to accept the default installation location. The Ready to Install the Program page appears. Click Install. After the SEE One-Time Password InstallShield Wizard Completed page appears, click Finish.

Launch the SEE Manager from the Start menu. Select Add/Remove Snap-in from the File menu.

The Add/Remove Snap-in dialog box appears.

Figure 3.13 Add/Remove Snap-in without OTP

Click Add.

Figure 3.14 Add Standalone Snap-in

Scroll until you locate the One-Time Password Program. Highlight SEE One-Time Password Program and click Add.

Then click Close.

Figure 3.15 Add/Remove Snap-in with OTP

The One-Time Password Program now appears in the list of snap-ins included in the SEE Manager. Click OK. The One-Time Password Program is now shown in the console tree of the SEE Manager. To optionally restrict access to the other snap-ins of the Manager Console, see Restricting Access to Snap-in Extensions on page 38.

Creating SEE Policy Administrators

Steps to Create

A domain or higher-level administrator can create Policy Administrators using the following steps:

1. Select the OU to which you wish to assign Policy Administrators, and create a new group named Policy Administrators inside that OU.
2. Identify the user accounts slated to become Policy Administrators and add each one as a member of both the Group Policy Creator Owners group and the Policy Administrators group you created.
3. Select the OU and run the Delegation of Control Wizard to allow the Policy Administrators group to manage group policy links for that OU.
4. Optionally, define policies that restrict and/or permit Policy Administrator access to individual SEE snap-ins.

In the following example, you define a Policy Administrator group for a specific OU such that all members of the group can create, edit, and apply GPOs to only that OU. The Active Directory presented in this example has the following configuration:

- Two OUs have been created: Human Resources and Sales.
- One group has been created: Policy Admins in Human Resources.

- Three user accounts have been created: pmiller, wmoore, and mwilliams.
- User accounts pmiller, wmoore, and mwilliams have been added as members of the group Policy Admins in Human Resources.

Figure 3.16 SEE Manager, Human Resources OU

5. In the Active Directory Users and Computers snap-in, click the Users container, and in the pane on the right, select the three user accounts pmiller, wmoore, and mwilliams, then right-click and select Add to a group. The Select Group window opens.
6. Type the name of the group, Group Policy Creator Owners, and click Check Names. The field autofills with an underlined version of the group name you typed. Click OK. A confirmation dialog appears. Click OK.
7. In the Active Directory Users and Computers snap-in, select the Human Resources OU, right-click, choose Delegate Control to start the Delegation of Control Wizard, and click Next.
8. Click Add, browse to the group Policy Admins in Human Resources, select it, click OK, then click Next. In the Tasks to Delegate page of the wizard, select the check box next to Manage Group Policy links, then click Next and Finish.

Verification

To verify that the Policy Administrator functionality is in place, complete the following steps:

1. From a computer that has the SEE Manager installed, log on using a Policy Administrator account and launch the SEE Manager.
2. In the navigation tree on the left, expand the GPMC, select the Human Resources OU, right-click, and verify that the menu contains the Create and Link a GPO Here item.
3. Next, right-click the Sales OU. The menu appears, but shows the Create and Link a GPO Here item as unavailable. This indicates that the Policy Administrator account can apply policies only to the Human Resources OU and no other OU.
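The group membership and delegation above can be scripted and, more usefully, verified from the directory rather than by inspecting context menus. The following PowerShell is an added example and is not part of the Symantec guide: it creates the group from the example, adds the three users to it and to Group Policy Creator Owners, and writes the access control entries that the Delegation of Control Wizard's Manage Group Policy links task grants (read and write of the gPLink and gPOptions attributes on the OU and its descendants). A final function reads the OU's ACL back and confirms both rights are present. The domain name and OU distinguished name are assumptions, and the script assumes the ActiveDirectory PowerShell module (RSAT) is available; the attribute GUIDs are the standard Active Directory schema GUIDs for gPLink and gPOptions.

```powershell
# Added example, not part of the Symantec guide: create the Policy
# Administrator group, populate it, delegate GPO linking on one OU, and verify.
# Assumptions: domain and OU DN are illustrative; ActiveDirectory module present.
Import-Module ActiveDirectory

$ouDN      = 'OU=Human Resources,DC=example,DC=com'   # assumption
$groupName = 'Policy Admins in Human Resources'
$members   = 'pmiller', 'wmoore', 'mwilliams'

# Schema GUIDs of the two attributes that control GPO linking on a container.
$gPLinkGuid    = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
$gPOptionsGuid = [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'

function New-PolicyAdminGroup {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ouDN)) {
        [void](New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN)
    }
    # Group Policy Creator Owners lets the users create GPOs; the delegated group
    # limits where they can link them.
    Add-ADGroupMember -Identity $groupName -Members $members
    Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $members
}

function Grant-GpoLinkRights {
    $sid = (Get-ADGroup $groupName).SID
    $acl = Get-Acl -Path "AD:\$ouDN"
    foreach ($attr in $gPLinkGuid, $gPOptionsGuid) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
            [System.Security.AccessControl.AccessControlType]::Allow,
            $attr,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}

function Test-GpoLinkRights {
    # $true when the group holds WriteProperty on both gPLink and gPOptions at the OU.
    $sid = (Get-ADGroup $groupName).SID
    $acl = Get-Acl -Path "AD:\$ouDN"
    $granted = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } | ForEach-Object { $_.ObjectType }
    return (($granted -contains $gPLinkGuid) -and ($granted -contains $gPOptionsGuid))
}

New-PolicyAdminGroup
Grant-GpoLinkRights
Test-GpoLinkRights
```

Test-GpoLinkRights returns True once the ACEs are in place, and running it against the Sales OU's distinguished name should return False, which is the scripted equivalent of the greyed-out Create and Link a GPO Here item in step 3 of the verification.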

Policy Administrator Default Capabilities

Accounts within the Policy Administrator group you created have the following default capabilities:

- They can create and apply Active Directory policies containing SEE policy settings.
- They can push out SEE client install packages using GPOs.

You can apply policies to restrict or permit Policy Administrator access to a specific SEE snap-in. For details, refer to Limiting Access to the SEE Snap-ins on page 36.

Establishing Default SEE Policies

Basics

Just as a Policy Administrator is delegated control of an OU by a higher level of authority, that higher-level administrator can and should establish default blanket SEE policies to strengthen security and help simplify the deployment and management of SEE. For example, a domain or higher-level administrator could apply a software installation policy to selected OUs targeted for SEE deployment. This policy would install the SEE client packages, automatically encrypting all disk partitions upon installation. A WMI filter could be used to select which computers (such as all laptops) the policy applies to.

The SEE Manager is comprised of Microsoft and SEE snap-ins. Like other Microsoft Management Console (MMC) snap-ins, one or more SEE snap-ins can be added to a custom MMC file for distribution to support personnel. To ensure that SEE management facilities are limited to authorized personnel, Symantec recommends that you create a default policy that restricts SEE snap-in access for all users. Policy Administrators and others can then be granted access on a per-snap-in basis.

Limiting Access to the SEE Snap-ins

Limiting access to the SEE snap-ins is done in two steps:

1. Create a policy that restricts users from running the SEE snap-ins.
2. Create a second policy with higher precedence that permits selected users or groups to run the SEE snap-ins.

The Permitted policy must be applied at a lower level (that is, with higher precedence) in the Active Directory container hierarchy than the Restricted policy. If both policies are linked to the same OU, make sure that the Permitted policy has a lower link order number (higher precedence) than the Restricted policy.

Creating a Policy that Restricts Access to Snap-ins

In the first step, you create and edit a new GPO, set the Restricted/Permitted snap-ins settings to Disabled for all currently installed SEE snap-ins, and link this GPO to the container whose users should be prevented from running the SEE snap-ins (the domain, or in this example the Human Resources OU).

1. Open the SEE Manager, expand the Group Policy Management Console (GPMC) snap-in, select Group Policy Objects, right-click, and choose New to create a new GPO.
2. Type the name for the new Group Policy Object, select it, right-click, and choose Edit. The Group Policy Object Editor (GPOE) opens.
3. In the navigation pane on the left side of the GPOE window, expand User Configuration, then Administrative Templates. If the SEE subfolder is already present within the Administrative Templates folder, skip ahead to step 7. (If you have previously accessed an SEE settings panel within this GPO, the SEE templates were loaded automatically.)
4. Select the Administrative Templates folder. From the Action menu, choose Add/Remove Templates. The Add/Remove Templates window opens.

5. In the Add/Remove Templates window, click Add, and navigate to the local path where the SEE Framework administrative template is stored: C:\Program Files\Symantec\Symantec Endpoint Encryption Manager\Framework\ADM
6. Select the template file EA Framework.adm, click Open, then click Close.
7. With the SEE Framework template now loaded in the GPOE, expand Symantec Endpoint Encryption, then Framework, then Restricted/Permitted Snap-ins. This folder contains the Extension Snap-ins folder and seven separate settings panels, one for each SEE Framework snap-in: Symantec Endpoint Encryption Software Setup, SEE Server Reports, SEE Native Policy Manager, SEE Users and Computers, SEE Group Policy, SEE Management Password, and SEE One-Time Password.
8. In the pane on the right, double-click the item named Symantec Endpoint Encryption Software Setup. The properties for that item open with the Setting tab shown. Change the option from Not Configured to Disabled, click Apply, then Next Setting. The next panel in the sequence appears.
9. Using the Next Setting and Apply buttons, change the options for all six remaining panels to Disabled. Click OK when finished, and close the GPOE window.
10. Select and drag the policy onto the OU named Human Resources to link it.

When this policy has been processed on the Client Computers, users whose accounts are in the Human Resources OU who log on and launch the SEE Manager, or launch a custom MMC console containing an SEE snap-in, see a warning screen similar to the following:

Figure 3.17 Restricted Snap-in Warning Screen

After the SEE Manager or other MMC console containing the SEE snap-ins has fully launched, clicking an individual SEE snap-in produces an error screen similar to the one shown in the following figure:

Figure 3.18 Restricted Snap-in Error Screen

The error message shown in the figure reflects the fact that this user has been prohibited by policy from accessing the selected snap-in, the Symantec Endpoint Encryption Software Setup snap-in. Notice also that the SEE Framework and Full Disk submodules normally located beneath the parent node of the Symantec Endpoint Encryption Software Setup snap-in are not present in the navigation pane. These submodules extend the functionality of their parent snap-in, and are called snap-in extensions. If desired, you can restrict access to individual snap-in extensions.

Restricting Access to Snap-in Extensions

The SEE Manager is comprised of SEE snap-ins and extensions, as well as SEE extensions to Microsoft snap-ins. The SEE extensions to the Microsoft Group Policy Management Console snap-in are what enable the SEE policy settings panels to appear in the Group Policy Object Editor. By disabling two of the seven settings mentioned previously (Symantec Endpoint Encryption Software Setup and SEE Group Policy), you can restrict access to both the Framework and Full Disk settings used for creating SEE installation settings or policy settings. If you wish to restrict access only to a specific snap-in extension, such as SEE Framework Software Setup, create a policy using the following procedure:

1. Open the SEE Manager, expand the Group Policy Management Console (GPMC) snap-in, select Group Policy Objects, right-click, and choose New to create a new GPO.
2. Type the name for the new Group Policy Object, select it, right-click, and choose Edit. The Group Policy Object Editor (GPOE) opens.
3. In the navigation pane on the left side of the GPOE window, expand User Configuration, Administrative Templates, Symantec Endpoint Encryption, Framework, Restricted/Permitted Snap-ins, and then Extension Snap-ins. This folder contains one settings panel for each of the SEE Framework snap-in extensions: SEE Framework Software Setup and SEE Framework Group Policy.
4. Double-click the item named SEE Framework Software Setup. The properties for that item open with the Setting tab shown.

5. Change the option from Not Configured to Disabled, click Apply, then Next Setting. Click OK when finished, and close the GPOE window.
6. Finally, select and drag the policy onto the OU named Human Resources to link it.

When this policy has been processed on the Client Computers, domain users who launch the SEE Manager, or who launch a custom MMC console containing the Symantec Endpoint Encryption Software Setup snap-in, see the warning and error screens shown earlier. After the SEE Manager or other MMC console containing the Symantec Endpoint Encryption Software Setup snap-in has fully launched, the Symantec Endpoint Encryption Software Setup snap-in is available, but the Framework extension to this snap-in is not loaded.

When this policy is in effect, domain users are unable to add any restricted SEE snap-ins when creating a custom MMC. Domain users also receive the warning and error messages shown earlier if they attempt to run an SEE snap-in on a computer where the SEE Manager has already been installed, or on a computer where a custom Microsoft Management Console (MMC) has been created and one or more SEE snap-ins have been added.

Creating a Policy that Permits Access to Snap-ins

With a policy in place that prevents all domain users from running SEE snap-ins, the second and final step is to create a matching policy that takes precedence over the first: either linked at a lower level in the Active Directory container hierarchy, or linked to the same OU with a lower link order number. This second policy overrides the first, permitting selected users (Policy Administrators) who are members of that OU to run SEE snap-ins.

Open the SEE Manager, expand the Group Policy Management Console (GPMC) snap-in, select Group Policy Objects, right-click, and choose New to create a new GPO. Type the name for the new Group Policy Object, select it, right-click, and choose Edit. The Group Policy Object Editor (GPOE) opens.

In the navigation pane on the left side of the GPOE window, expand User Configuration, Administrative Templates, Symantec Endpoint Encryption, Framework, and Restricted/Permitted Snap-ins. This folder contains the Extension Snap-ins folder and seven separate settings panels, one for each SEE Framework snap-in: Symantec Endpoint Encryption Software Setup, SEE Server Reports, SEE Native Policy Manager, SEE Users and Computers, SEE Group Policy, SEE Management Password, and SEE One-Time Password.

1. Double-click the item named Symantec Endpoint Encryption Software Setup. The properties for that item open with the Setting tab displayed. Change the option from Not Configured to Enabled, click Apply, then Next Setting.
2. The next panel in the sequence appears. Using the Next Setting and Apply buttons, change the options for all six remaining panels to Enabled, so that the Policy Administrators receive full access to the SEE snap-ins. Click OK when finished, and close the GPOE window.
3. Next, change the security filtering for this policy so that only the Policy Administrators for this OU, the Policy Admins in Human Resources group, receive the policy. With the policy still selected, click Remove in the Security Filtering section to remove the default group, Authenticated Users. Click Add, and in the input field of the window that opens, type Policy Admins, click Check Names, and the input field fills with the Policy Admins in Human Resources group name. Click OK.

4. Finally, link this second policy to the same OU as the first policy, making sure that the second policy has higher precedence. With the policy selected, drag it onto the OU named Human Resources, and click OK to confirm the policy link.
5. Select the Human Resources OU, and in the Linked Group Policy Objects tab in the right pane, make sure that the Link Order of the Permitted policy you just created is at a higher precedence (that is, its link order number is lower) than the Restricted policy. If necessary, adjust the link order using the up or down arrow buttons to the left of the Link Order column.

When both the Restricted and Permitted policies have been processed on the clients, all Policy Administrator accounts in the Human Resources OU have full access to the SEE snap-ins, and all other domain user accounts in the Human Resources OU are unable to access the SEE snap-ins.

Segmenting Support Duties

The ability to restrict access to individual SEE snap-ins allows you to assign the duties of SEE support staff in a granular fashion. For example, you could create a custom MMC file containing only the SEE One-Time Password snap-in, and distribute this file to selected Client Administrator accounts that you had restricted from accessing the other SEE snap-ins. This would allow those Client Administrator accounts to create SEE recovery media (provided they had also been given the Management Password) and view the last check-in time of SEE Client Computers, while preventing them from accessing the SEE policy settings panels or creating SEE installation packages.
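The Restricted and Permitted pair only works if the links, their order and the security filtering are exactly right, and a mistake fails open (everyone keeps the snap-ins) or fails closed (the Policy Administrators lose them). The following PowerShell is an added example and is not part of the Symantec guide: it creates both GPOs, links them to the Human Resources OU with the Permitted policy at link order 1, scopes the Permitted policy to the Policy Administrator group, and verifies the result from the directory. The snap-in settings inside each GPO are still configured in the Group Policy Object Editor as described above; the script covers only creation, linking, ordering and filtering. It deviates from step 3 of the Permitted procedure in one respect: instead of removing Authenticated Users outright it leaves them with Read and takes away Apply, because since Microsoft update MS16-072 user policy is retrieved in the computer's security context and a GPO that Authenticated Users cannot read is silently skipped. The OU distinguished name and GPO names are assumptions, and the script assumes the GroupPolicy PowerShell module (RSAT) is available.

```powershell
# Added example, not part of the Symantec guide: build, link, order and filter
# the Restricted/Permitted GPO pair, then verify. Assumptions: OU DN and GPO
# names are illustrative; GroupPolicy module present.
Import-Module GroupPolicy

$ouDN        = 'OU=Human Resources,DC=example,DC=com'     # assumption
$adminGroup  = 'Policy Admins in Human Resources'
$restrictGpo = 'SEE Snap-ins - Restricted'                 # assumption
$permitGpo   = 'SEE Snap-ins - Permitted (Policy Admins)'  # assumption

function Set-SeeGpoLink {
    param([string]$Name, [int]$Order)
    # Link order 1 is applied last and therefore wins; the Permitted policy must get it.
    $linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $Name
    if ($linked) { [void](Set-GPLink -Name $Name -Target $ouDN -Order $Order -LinkEnabled Yes) }
    else         { [void](New-GPLink -Name $Name -Target $ouDN -Order $Order -LinkEnabled Yes) }
}

function New-SeeSnapinGpoPair {
    foreach ($name in $restrictGpo, $permitGpo) {
        if (-not (Get-GPO -All | Where-Object DisplayName -eq $name)) { [void](New-GPO -Name $name) }
    }
    Set-SeeGpoLink -Name $restrictGpo -Order 2
    Set-SeeGpoLink -Name $permitGpo   -Order 1

    # Security filtering on the Permitted GPO: Authenticated Users keep Read but lose
    # Apply (MS16-072: user policy is read in the computer's context, so a GPO that
    # Authenticated Users cannot read is skipped); the admin group gets Apply.
    [void](Set-GPPermission -Name $permitGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace)
    [void](Set-GPPermission -Name $permitGpo -TargetName $adminGroup -TargetType Group -PermissionLevel GpoApply)
}

function Test-SeeSnapinGpoPair {
    # $true only if both links exist and are enabled, Permitted precedes Restricted,
    # and Apply on the Permitted GPO is held by the admin group and not by Authenticated Users.
    $links    = (Get-GPInheritance -Target $ouDN).GpoLinks
    $permit   = $links | Where-Object DisplayName -eq $permitGpo
    $restrict = $links | Where-Object DisplayName -eq $restrictGpo
    if (-not $permit -or -not $restrict) { return $false }
    $orderOk = $permit.Enabled -and $restrict.Enabled -and ($permit.Order -lt $restrict.Order)

    $perms      = Get-GPPermission -Name $permitGpo -All
    $authApply  = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' }
    $adminApply = $perms | Where-Object { $_.Trustee.Name -eq $adminGroup -and $_.Permission -eq 'GpoApply' }
    $filterOk   = (-not $authApply) -and [bool]$adminApply
    return ($orderOk -and $filterOk)
}

New-SeeSnapinGpoPair
Test-SeeSnapinGpoPair
```

After the GPOs have replicated, run gpupdate /force on a Manager Computer and compare gpresult /r for a Policy Administrator and for an ordinary user in the OU: the Permitted GPO should appear under Applied Group Policy Objects for the first and under filtered-out objects (Security) for the second. These are user-side MMC restrictions, so they take effect at the next user policy refresh, not at computer startup.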

4. Client Installation Package Creation

Framework Installation Settings Wizard

Basics

Prior to deploying SEE Framework to your clients, you need to run a wizard that lets you select installation settings specific to SEE Framework. When you reach the final panel of the wizard, you will be prompted for a location to save the Framework client installation settings MSI package.

Open the SEE Manager, and in the left pane, expand the Symantec Endpoint Encryption Software Setup container, and click Symantec Endpoint Encryption Framework. The first wizard screen appears in the right pane of the Manager window.

Client Administrators

Use the Client Administrators panel to specify SEE Client Administrator accounts for the computers on which this software setup package will be installed. Note that you must specify at least one password-based Client Administrator account, and at least one with high privilege. When you define a Client Administrator account, you must choose the account password, and whether the account is permitted to unregister SEE users. For more information on adding or removing Client Administrators following the deployment of the initial installation package, refer to the Policy Administrator Guide.

Figure 4.1 Framework Installation Settings, Client Administrators

A minimum of one Client Administrator account with password authentication and a high level of privilege ensures that a computer receiving this policy will still be accessible even if all SEE registered users are unregistered.

To specify a Client Administrator account, type the account information and choose the appropriate options on the Client Administrators screen:

1. In the Account Name box, type the account name for this Client Administrator. The account name can be between 1 and 32 characters in length.

2. Click to set the desired privilege level for the Client Administrator:
   High: unregister users, decrypt encrypted partitions, extend the Client Computer's next communication date, and unlock Client Computers.
   Medium: decrypt encrypted partitions, extend the Client Computer's next communication date, and unlock Client Computers.
   Low: extend the Client Computer's next communication date and unlock Client Computers.

3. Type the desired password for this Client Administrator account in the Password box, between 16 and 32 characters in length. Type the password a second time in the Confirm password box. Note that the SEE password you specify in this panel is separate and distinct from the Windows password for this domain account.

4. Click New to add more Client Administrator accounts. If you decide not to include a Client Administrator you have already added, click the Delete button adjacent to that account.

Click Next to advance to the Registered Users panel of the wizard.

Registered Users

Basics

Use the Registered Users panel to specify settings related to the SEE user registration process, including the authentication method, registration password, maximum number of registered users allowed, custom registration message, number of grace restarts, and unregistration.

Figure 4.2 Framework Installation Settings, Registered Users

Authentication Method

The first option on this panel allows the Policy Administrator to define how users authenticate to SEE. Select Do not require registered users to authenticate to the SEE to enable automatic authentication. This option is designed for kiosk environments. If it is selected, users will not need to provide valid credentials to SEE Full Disk before Windows loads, and your organization will rely on Windows for user authentication. This reduces the security of the Client Computer but increases the transparency of the user experience. The registration process will also be silent and automatic unless a registration password is specified (see page 44). Coupling automatic authentication with a registration password avoids reaching the maximum registered user limit and limits the number of users who can gain access to the User Client Console.

When you select Do not require registered users to authenticate to the SEE, the Single Sign-On and Authentication Assistance panels are skipped in the sequence of wizard panels.

Select Require registered users to authenticate with to specify, using the drop-down menu, whether users authenticate to SEE with a password. Note that when Single Sign-On is active (see Single Sign-On on page 44), the authentication method chosen for SEE must match the method specified in Windows.

Registration

The Registration section defines which users will be allowed to become SEE registered users. To allow any Windows user to register, click the option Any Windows user can register for a SEE account. To allow only those users who know a special registration password to register, click Users must know this password to register, and type the password in the adjacent field and again to confirm. Each user will be required to know the administrator-defined registration password before they can register for an SEE account.

Specify the maximum number of SEE registered user accounts which can be created on each computer. New users will not be permitted to register after the maximum number of accounts has been reached.

Specify a custom message users will see when they are forced to register after grace restarts expire. The custom message can be from 0 to 900 characters in length, or you can use the default message.
Note that the custom registration message field ignores any carriage returns you type or paste in.

Specify the number of grace restarts, i.e., the number of times, from 0 to 99, that the computer can restart before the first user who logs on will be forced to register for an SEE account and see the custom registration message. This setting can effectively allow users to defer registration. To force the first user to register immediately, set this value to zero.

Unregistration

Unregistration selects whether to allow users to be unregistered only manually by Client Administrators, or whether to also automatically unregister users who do not log on after a specified period, from 1 to 365 days. This setting is useful in a kiosk environment where many infrequent users can fill up the maximum number of available SEE accounts on a given computer. Use caution with this setting so that users do not have their accounts deleted unexpectedly.

Next Button

If you chose password authentication, clicking Next advances to the Single Sign-On panel discussed in the next section. If you chose automatic authentication, clicking Next advances to the Communication panel (see page 44).

Single Sign-On

The Single Sign-On panel is shown only if you chose Require registered users to authenticate with a password in the Registered Users panel (see page 43).

Use the Single Sign-On panel to control the Single Sign-On feature. The Single Sign-On feature allows users to authenticate to both SEE and Windows at the same time, giving them access to the User Client Console without an additional logon. This installation setting can be changed later using a policy.

To enable Single Sign-On, select the Enable Single Sign-On check box. By default, Windows Vista users will have to press CTRL+ALT+DEL in order to progress through Single Sign-On. If this is undesirable, enable the Do not require CTRL+ALT+DEL Windows policy.

Figure 4.3 Framework Installation Settings, Single Sign-On

Clicking Next advances to the Password Authentication panel.

Password Authentication

Use the Password Authentication panel, shown in Figure 4.4, to specify password-related settings, including whether to impose a delay when a user types an incorrect password during SEE authentication. When Single Sign-On is not used, you may specify that SEE passwords be managed according to a number of criteria, including password age, reuse of previous passwords, and password complexity. When Single Sign-On is enabled, all controls on this panel, with the exception of the Limit password attempts controls, do not apply.

Figure 4.4 Framework Installation Settings, Password Authentication

Under Password Attempts, select the Limit password and Authenti-Check attempts check box to set the number of incorrect passwords or Authenti-Check answers a user can type in succession before the system introduces a one-minute delay between further logon attempts. You can also specify the time in minutes that must elapse after the last incorrect attempt, after which the one-minute delay behavior is lifted.

Password Complexity

These settings include the minimum number of characters users' SEE passwords must contain, the set of non-alphanumeric characters users may have in their passwords, and the minimum number of non-alphanumeric characters, uppercase letters, lowercase letters, and digits users must have in their passwords.

Maximum Password Age

Leave this option at the default to set no expiration date on user passwords. If you select the option to set an expiration date on user passwords, type the number of days after which users' passwords will expire, and type the number of days in advance that users will be prompted to change their expiring passwords.

Password History

Leave this option at the default to allow users to reuse any previously used SEE password, or select the other option and type the number of different passwords users must use before reverting to old passwords.

Minimum Password Age

Leave this option at the default to allow users to change their SEE passwords as frequently as they wish, or select the other option and type the minimum number of days that must pass before users can change their passwords. Note that leaving this option at the default effectively overrides the password history feature, since a user could quickly cycle through the required number of new passwords in order to return to an old, favorite password.

Click Next to advance to the Removable Storage Certificates panel.

Removable Storage Certificates

Use the Removable Storage Certificates panel, shown in Figure 4.5, to control whether expired certificates are allowed for the encryption or decryption of SEE Removable Storage encrypted files.

Figure 4.5 Framework Installation Settings, Removable Storage Certificates

Select the Removable Storage ignores certificate expiration check box to allow expired certificates to be used for the encryption or decryption of SEE Removable Storage encrypted files.
Click Next to advance to the Authentication Assistance panel (see page 47).

Authentication Message

The Authentication Message panel is shown only if you chose Require registered users to authenticate with a password in the Registered Users panel (see page 43).

Use the Authentication Message panel to specify a custom authentication assistance message shown to users having trouble logging on.

Figure 4.6 Framework Installation Settings, Authentication Message

The Instructions for users who are having trouble with authentication box allows you to specify a custom message of up to 900 characters in length, which is shown to users who have requested logon assistance during pre-Windows authentication.

Click Next to advance to the following panel of the wizard, the Authenti-Check panel.

Authenti-Check

The Authenti-Check panel is shown only if you chose Require registered users to authenticate with a password in the Registered Users panel (see page 43).

Authenti-Check is an authentication assistance method that allows users to recover their password without assistance from an administrator. Users must answer up to three questions correctly in order to regain access. Once they regain access, they are prompted to set another password.

Figure 4.7 Framework Installation Settings, Authenti-Check

Select the Enable Authenti-Check check box to make this authentication assistance method available to SEE Full Disk users.

Type a value in the Minimum answer length box to set the minimum number of characters, from 1 to 99, that users must include when answering Authenti-Check questions.

Type one, two, or three Predefined questions, 0 to 99 characters in length, that a user must correctly answer before the user authenticates. The number displayed in the Number of user-defined questions required drop-down list is dynamically updated based on how many questions you have typed in the Predefined questions boxes. Number of pre-defined questions shows the number of predefined questions currently specified, while Total shows the combined total of the Number of pre-defined questions plus the Number of user-defined questions required. Note that at least one question must be defined, either by you or by the user.

Click Next to advance to the following panel of the wizard, the One-Time Password panel.

One-Time Password

The One-Time Password panel is shown only if you chose Require registered users to authenticate with a password in the Registered Users panel (see page 43).

One-Time Password requires the user to communicate with a Policy Administrator. When One-Time Password activates, the user's screen displays a code that the user provides to the Policy Administrator. The Policy Administrator types the code into the One-Time Password Program to generate a key that temporarily authenticates the user.

Figure 4.8 Framework Installation Settings, One-Time Password

Select the Enable One-Time Password check box to make this authentication assistance method available to SEE Full Disk users.

Within the Default method area, select the default method that Client Computers will begin with when initiating a One-Time Password recovery attempt. Select Online if the clients are configured to connect to the SEE Management Server. Select Offline if you installed this SEE Manager in serverless mode or if the recipient clients are silent.

The One-Time Password personal identifier is an important means of identifying the users who call for assistance. The administrator assisting the user must have some means of verifying the validity of this personal identifier. Your organization will need to decide on a standard means of identifying the users who contact you for help. Type the instructions to be displayed to users when they are prompted to enter this personal identifier. Enter up to 900 characters in this box.

Click Next to advance to the following panel of the wizard, the Communication panel.

Communication

Use the Communication panel (see Figure 4.9) to specify how often client status data is reported to the SEE Management Server, the shared domain account used for client-server communication, and the certificate used to encrypt that communication. The Communication panel is skipped if you are creating a client package using a serverless installation of the SEE Manager.

Figure 4.9 Framework Installation Settings, Communication

In the Communication section, specify the interval, in minutes, at which the SEE client reports any changes to its status data to the SEE Management Server.

The Communication information section is prefilled with information specified during installation of the SEE Management Server. Server is prefilled with the URL of the web service running on the SEE Management Server, including the computer name and port number. Do not modify this information. If the URL specifies the HTTP protocol, unencrypted client-server communication was selected during installation of the SEE Management Server. If the URL specifies the HTTPS protocol, a client-side SSL certificate was selected during installation of the SEE Management Server and stored in the SEE database. A hash of the client-side SSL certificate retrieved from the SEE database is displayed in the Certificate Hash section. If you want to use a different certificate from the one stored in the SEE database, click Browse and locate the client-side SSL certificate (CER file) to be used.

For HTTPS, the specified client-side SSL certificate must also be installed on the Manager Computer you are working on. The Manager Console attempts to connect to the SEE Management Server when you click Next. If the specified client-side SSL certificate is not also installed on this computer, the communication fails and you will be unable to progress to the next panel.
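Before clicking Next on the Communication panel in the HTTPS case, it is worth confirming on the Manager Computer that the CER file you intend to select is actually installed, so the wizard's connection attempt does not fail. The following is an added example, not part of the Symantec guide: the Server URL and CER path are placeholders, and it is an assumption that the panel's Certificate Hash field shows the SHA-1 thumbprint of the certificate.

```powershell
# Added example (not from the Symantec guide): a pre-flight check for the HTTPS case above.
# It reads the Server URL, computes the thumbprint of the CER file you intend to select, and
# looks for that certificate in the local certificate stores. The URL and file path are
# placeholders; that the Certificate Hash field shows the SHA-1 thumbprint is an assumption.
param(
    [string]$ServerUrl = 'https://seeserver.example.com:443/',  # placeholder for the Server field
    [string]$CerPath   = 'C:\Temp\see-client.cer'               # placeholder CER file
)

function Get-CerThumbprint {
    # SHA-1 hash of the DER-encoded certificate, in the same form the Windows stores display.
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    return $cert.Thumbprint
}

function Find-InstalledCert {
    # Returns the first store path that holds a certificate with this thumbprint, or $null.
    param([string]$Thumbprint)
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My') {
        $hit = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($hit) { return $store }
    }
    return $null
}

$uri = [System.Uri]$ServerUrl
if ($uri.Scheme -ne 'https') {
    Write-Warning "Server URL uses $($uri.Scheme.ToUpper()): client-server traffic is unencrypted and no certificate is involved."
    return
}

$thumb = Get-CerThumbprint -Path $CerPath
Write-Output "Thumbprint of $CerPath is $thumb (compare with the Certificate Hash field)"
$store = Find-InstalledCert -Thumbprint $thumb
if ($store) {
    Write-Output "Certificate is installed in $store; the wizard's connection test can use it."
} else {
    Write-Warning "Certificate is not installed on this Manager Computer; import it before clicking Next."
}
```

If the script reports the certificate as missing, import the CER file into the appropriate store on the Manager Computer first; otherwise the wizard stops at this panel exactly as the text above describes.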

Name and Domain are prefilled with the name and domain of the IIS client account that was specified during installation of the SEE Management Server. This account is shared among all Client Computers and is used to authenticate to the SEE Management Server. Note that you must type the password of this account in the Password box before the wizard allows you to continue.

Click Next to advance to the final panel of the wizard, the Encryption panel.

Encryption

Use the Encryption panel (see Figure 4.10) to specify the AES encryption strength, either 128-bit or 256-bit.

Figure 4.10 Framework Installation Settings, Encryption

SEE Full Disk uses this setting when encrypting partitions. Note that the encryption strength setting cannot be changed by a policy once the SEE client software has been deployed. When the SEE client is upgraded, SEE Full Disk retains the original setting and ignores any changes made in this panel.

Saving the Framework Client Installer MSI

Once you have finished making changes to this final wizard panel, the SEE Framework Installation Settings Wizard is complete. When you click Finish, the screen that follows differs depending on whether you are using a standard or a serverless installation of the SEE Manager.

If you are using a standard installation of the SEE Manager, a dialog box may appear prompting you to type the credentials of an account with read-write privileges to the SEE database, for example, a Policy Administrator account (see Required Accounts on page 6). Enter the credentials and click OK. Once you enter the credentials, you will not be prompted to provide them again when saving SEE client installer packages until the SEE Manager is restarted. Note that you will not be prompted for these credentials if the Windows account you have logged on with has read-write privileges to the SEE database, i.e., if your account is a member of the optional Policy Administrators group.
If you are using a serverless installation of the SEE Manager, you will not be prompted for credentials.

In both cases, you are next presented with the Save MSI package box, prompting you for a location to save the SEE Framework Client installer that reflects the settings you have just made.

Figure 4.11 Save MSI Package, Framework Client

You must save the Framework installation packages in a shared network location, such as the domain controller's SYSVOL folder, if you intend to deploy the SEE client installer packages using a Software Installation GPO.

Because you cannot load a previously created client installer package to examine what settings were used, you should save each client installer package using a descriptive name, such as Framework Client Installer for Sales OU (27-Mar-08). This is especially helpful if you plan to deploy multiple sets of packages throughout your organization.

To help manage installation packages, the individual settings chosen for a given installation package are saved in a date- and time-stamped log file (example: FrameworkSettings 3_27_2008-18 21 59.log). The log file is created in the same location that you specified when saving the package. Since the log file does not show the contents of completed password fields, all passwords you specify in an installation package should be separately recorded and stored in a secure location.

Navigate to the directory in which you want to save the output MSI package and type the new name for the MSI package, or accept the default name Symantec Endpoint Encryption Framework Client.msi, and click Save. Click Yes to create the MSI package, then click OK in the confirmation dialog that is displayed.

Full Disk Installation Settings Wizard

Basics

This section shows how to run the wizard that lets you select installation settings specific to SEE Full Disk. When you reach the final panel of the wizard, you will be prompted for a location to save the Full Disk installation settings MSI package.
Open the SEE Manager, and in the left pane, expand the Symantec Endpoint Encryption Software Setup container, and click Symantec Endpoint Encryption Full Disk. The first wizard panel appears in the right pane of the SEE Manager window.

Startup

Use the Startup settings panel to specify an optional custom graphics image to be displayed on the Client Computer when SEE Full Disk starts up. If you do not click A custom image and leave this panel at the default setting of The SEE logo, the SEE logo is shown at startup. This default SEE logo is overlaid with the text specified in the Logon instructions and Legal notice boxes.

Figure 4.12 Full Disk Installation Settings, Startup

Clicking the Browse button allows you to choose a BMP format graphics file to use for the custom startup image displayed on the Client Computer when SEE Full Disk starts up. This image can be used to brand all SEE Full Disk protected computers in your organization with your corporate logo, as well as to display a legal warning to those attempting to access a protected computer. If you do not select a custom image, the SEE logo is used.

Note that a custom image can only be deployed as an installation setting, and cannot be added later with a policy setting. A custom image can, however, be effectively hidden later by pushing out a Startup policy that causes the SEE logo to be displayed instead.

Guidelines for Creating a Custom Startup Image

Any image editing application which saves graphics files in the Windows Bitmap (BMP) format can be used to create a custom image. One such application, Microsoft Paint (mspaint.exe), is included with Windows.

The dimensions of the custom image must be between 640 x 480 (VGA resolution) and 800 x 600 (SVGA resolution) pixels, it can have a color depth of 8-bit (256-color or grayscale) or 24-bit (millions of colors), and the file must be no larger than 2,000,000 bytes in size. 16-bit color mode images are not supported. The file must be saved as an uncompressed Windows BMP file. OS/2 BMP formats are not supported.

Because there is no guarantee that the display adapter of a Client Computer will start up in the highest color depth it supports, a high bit-depth (24-bit) startup image may appear distorted when a Client Computer starts up in a lower color depth mode. For this reason, you may wish to limit the color depth of your custom image to 8-bit for maximum compatibility.

Your custom image must contain text directing the user to press the CTRL+ALT+DELETE keys to log on to the computer. If you omit these instructions, the user may be unsure of how to log on.

Logon History

Use the Logon History settings panel to specify whether to prefill the SEE logon screen with the name and domain of the most recently logged on user.

Figure 4.13 Full Disk Installation Settings, Logon History

Selecting the User name check box allows users to see the name and domain of the last user who logged on at the SEE pre-Windows logon screen. This reduces the security of your Client Computers, so Symantec recommends deselecting both the User name and Domain check boxes.

If you are deploying SEE Full Disk to computers operated by visually impaired users who will be using audio cues in pre-Windows, ensure that the User name check box is deselected and that the Domain check box is selected. This allows the user to log on using the audio cues.

Encryption

Initial encryption takes place transparently in the background, allowing users to continue working normally while partitions are being encrypted. Use the Encryption panel to specify which hard disk partitions on the Client Computer will be encrypted, whether initial encryption begins immediately or can be initiated by users, and whether unused sectors will be encrypted. Further advanced options are available which affect encryption/decryption time. This panel also allows you to specify whether registered users are allowed to decrypt an encrypted partition.

Figure 4.14 Full Disk Installation Settings, Encryption

The Disk Partitions section lets you specify whether all or only some partitions should be encrypted, or whether the user is allowed to select which partitions to encrypt. Choosing either of the first two options causes encryption to begin immediately after the computer reboots once the client packages have been installed.

If you select the Encrypt all partitions upon installation option, all disk partitions begin the initial encryption process immediately after SEE Full Disk has been installed, and any new partitions added after installation are encrypted automatically. Selecting Encrypt all partitions upon installation ensures encryption of the boot partition. Symantec recommends that you always encrypt the boot partition of any computer on which SEE Full Disk has been installed. SEE Full Disk can only encrypt partitions residing on a computer's primary hard disk, and cannot encrypt partitions residing on other volumes.

If you select the Encrypt these partitions upon installation option, you can specify up to 26 individual partitions to encrypt, from A to Z.

If you select the Let users choose partitions and start the encryption option, users can select the individual partitions to encrypt by accessing the Encryption panel of the User Client Console. Note that this option allows users to defer the initial encryption process.

Use the Local Decryption section to specify whether registered users are allowed to decrypt local disk partitions.

If you select the Registered users can decrypt disk option, registered users are able to decrypt disks or partitions by accessing the Decryption panel of the User Client Console.

Use the Advanced Options section to select whether to encrypt all portions of the drive, including empty sectors and sectors containing deleted data. If you select this option, the entire partition is encrypted, including any disk sectors marked as unused but which may still contain previously erased data. Use this option when deploying SEE Full Disk to computers which have already been in service and whose hard disk sectors may contain deleted data. This option increases the amount of time necessary to complete the initial encryption operation.

Click Show More to reveal further advanced options. Refer to the Quick Help for this panel for details about these options.

Installer Customization

Use the Installer Customization settings panel to allow the client database files to be installed in their default location on the Client Computer (recommended), or to specify an alternate location (advanced). The client database files cannot be installed on removable media or on a secondary physical hard disk.

Figure 4.15 Full Disk Installation Settings, Installer Customization

SEE Full Disk uses the client database files for its internal operations. Once installed, the client database files should never be moved.

Client Monitor

The Client Monitor panel is the final panel of the wizard. It is not displayed if you are creating client packages using a serverless installation of the SEE Manager.

Use the Client Monitor settings panel to force an SEE Full Disk protected computer to periodically report its status. If contact is not made within the designated interval, users are locked out from access to their computers.
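The startup image guidelines earlier in this chapter (Windows BMP, uncompressed, 8-bit or 24-bit, between 640 x 480 and 800 x 600, no larger than 2,000,000 bytes, no OS/2 headers) can be checked from the BMP file headers before the image is built into an installation package that cannot later be changed by policy. The following is an added example, not part of the Symantec guide; it builds its own constructed test images, and reading the dimension guideline as 640 to 800 wide by 480 to 600 high is this example's interpretation.

```powershell
# Added example (not from the Symantec guide): checks a BMP file against the custom startup
# image guidelines given earlier in this chapter. Reading the range as 640..800 wide and
# 480..600 high is this example's interpretation of the guideline. The text directing the
# user to press CTRL+ALT+DELETE cannot be checked here.

function Test-SeeStartupImage {
    # Returns a list of guideline violations; an empty list means the file passes every check.
    param([Parameter(Mandatory = $true)][string]$Path)
    $problems = New-Object System.Collections.Generic.List[string]
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    if ($bytes.Length -gt 2000000) { $problems.Add("file is $($bytes.Length) bytes; the limit is 2,000,000") }
    if ($bytes.Length -lt 54 -or $bytes[0] -ne 0x42 -or $bytes[1] -ne 0x4D) {   # 'BM' signature
        $problems.Add('not a BMP file'); return ,$problems
    }
    # The DIB header size identifies the variant: 12 and 64 are OS/2, 40 and larger are Windows.
    $dibSize = [BitConverter]::ToUInt32($bytes, 14)
    if ($dibSize -eq 12 -or $dibSize -eq 64) {
        $problems.Add("OS/2 BMP header (size $dibSize) is not supported"); return ,$problems
    }
    if ($dibSize -lt 40) { $problems.Add("unrecognised DIB header size $dibSize"); return ,$problems }

    # BITMAPINFOHEADER layout: width @18, height @22, planes @26, bit count @28, compression @30.
    $width       = [BitConverter]::ToInt32($bytes, 18)
    $height      = [Math]::Abs([BitConverter]::ToInt32($bytes, 22))   # negative means top-down rows
    $bitCount    = [BitConverter]::ToUInt16($bytes, 28)
    $compression = [BitConverter]::ToUInt32($bytes, 30)                # 0 = BI_RGB (uncompressed)

    if ($width -lt 640 -or $width -gt 800 -or $height -lt 480 -or $height -gt 600) {
        $problems.Add("dimensions ${width}x${height} are outside 640x480..800x600")
    }
    if ($bitCount -ne 8 -and $bitCount -ne 24) { $problems.Add("$bitCount-bit color depth; only 8-bit and 24-bit are supported") }
    if ($compression -ne 0) { $problems.Add("compression type $compression; the file must be uncompressed (BI_RGB)") }
    return ,$problems
}

function New-ConstructedBmp {
    # Writes a constructed, all-black, uncompressed Windows BMP so the check can run without a
    # real image. The defaults produce a file that passes; other values produce failures to inspect.
    param([string]$Path, [int]$Width = 640, [int]$Height = 480, [uint16]$BitCount = 8)
    $rowBytes = [int]([Math]::Ceiling($Width * $BitCount / 32) * 4)   # rows are padded to 4 bytes
    $palette  = if ($BitCount -eq 8) { 256 * 4 } else { 0 }          # 8-bit images carry a palette
    $pixelOff = 54 + $palette
    $ms = New-Object System.IO.MemoryStream
    $bw = New-Object System.IO.BinaryWriter -ArgumentList $ms
    $bw.Write([byte[]](0x42, 0x4D))                                   # 'BM'
    $bw.Write([uint32]($pixelOff + $rowBytes * $Height))              # file size
    $bw.Write([uint32]0); $bw.Write([uint32]$pixelOff)                # reserved, pixel data offset
    $bw.Write([uint32]40)                                             # BITMAPINFOHEADER
    $bw.Write([int32]$Width); $bw.Write([int32]$Height)
    $bw.Write([uint16]1); $bw.Write([uint16]$BitCount)                # planes, bit count
    $bw.Write([uint32]0); $bw.Write([uint32]($rowBytes * $Height))    # BI_RGB, image size
    $bw.Write([int32]2835); $bw.Write([int32]2835)                    # 72 DPI in pixels per metre
    $bw.Write([uint32]0); $bw.Write([uint32]0)                        # colours used / important
    $bw.Write((New-Object byte[] ($palette + $rowBytes * $Height)))   # palette + pixels, all zero
    $bw.Flush()
    [System.IO.File]::WriteAllBytes($Path, $ms.ToArray())
}

$good = Join-Path $env:TEMP 'see-startup-ok.bmp'
$bad  = Join-Path $env:TEMP 'see-startup-bad.bmp'
New-ConstructedBmp -Path $good                                        # 640x480, 8-bit: passes
New-ConstructedBmp -Path $bad -Width 1024 -Height 768 -BitCount 16    # too large and 16-bit: fails
foreach ($f in $good, $bad) {
    $issues = Test-SeeStartupImage -Path $f
    if ($issues.Count -eq 0) { "$f : OK" } else { "$f : " + ($issues -join '; ') }
}
```

Point Test-SeeStartupImage at the file you intend to select with the Browse button; since a custom image can only be deployed as an installation setting, catching a rejected or distorted image here is cheaper than rebuilding and redeploying the package.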

Figure 4.16 Installation Settings, Client Monitor

Click Do not enforce a minimum contact period with the SEE Server only when you do not want to enforce regular network contact.

Click Lock computer after to force a computer lockout after a specified number of days without network contact. If you select this option, you can specify the number of days a computer may remain without network contact, from 0 to 365. You can also specify how many days in advance, from 0 to 365, users will be warned to connect to the network and avoid a lockout. Note that the values you type in these two boxes are validated to ensure that users are always warned prior to a lockout. For example, you are prevented from specifying that the computer should be locked after five days without contact and that users should be warned 15 days before being locked out. If this case were allowed, the user could run the risk of being locked out 10 days before the warning is displayed.

Saving the Full Disk Client Installer MSI

Once you have finished making changes to this final panel, the SEE Full Disk Installation Settings Wizard is complete. When you click Finish, a dialog box appears prompting you for a location to save the SEE Full Disk client installer which reflects the settings you have just made. You must save the Full Disk client installer packages in a shared network location, such as the domain controller's SYSVOL folder, if you intend to deploy the SEE client installer packages using a Software Installation GPO.

Figure 4.17 Select Output MSI Package, Full Disk Client

To help manage installation packages, the individual settings chosen for a given installation package are saved in a date- and time-stamped log file (example: HardDiskSettings 3_27_2008-18 25 1.log). The log file is created in the same location that you specified when saving the package. Since the log file does not store the contents of completed password fields, any passwords you specify in an installation package should be securely archived elsewhere.

Navigate to the directory in which you want to save the output MSI package and type the new name for the MSI package, or accept the default name Symantec Endpoint Encryption Full Disk Edition Client.msi, and click Save. Click OK in the Settings Saved dialog that appears.

5. Client Installations

Overview

This section describes how to install a new deployment of the SEE client software. Client installation can be accomplished either from a central location (see Deploying Client Installer Packages on page 60) or from the local computer (see Manual Client Installations on page 64). You can install the SEE client software using any of the following methods:

- Installation using a third-party deployment tool (recommended)
- Installation from Active Directory using a software installation computer policy
- Manual installation using a Windows Installer command line at the Client Computer
- Manual installation by double-clicking the client installer packages at the Client Computer

MSI packages are a target for analysis in that they are unencrypted and can be intercepted in transit. Symantec recommends using a third-party deployment tool with features to protect the MSI packages.

Regardless of the deployment method, the SEE Framework client installer package must be installed before the Full Disk package. Symantec recommends that you defragment all hard disk partitions on the Client Computer prior to installation of SEE Full Disk.

Deploying Client Installer Packages

Third-Party Tool Deployment

Installation of the SEE client packages can be accomplished using any third-party deployment tool that supports the MSI format. To avoid installation errors, make sure that when you create the client installer packages you save them to a local hard disk or other volume which has Full Control permissions set. The client installer packages can then be copied to removable media, a network volume accessible to the client, or the local hard disk of the Client Computer you are upgrading. For large-scale deployments, you can use the command-line method as a basis for scripted upgrades.

1. Click Start, click Run, type cmd, then click OK to open a new command prompt window.

2. Invoke the Windows Installer (msiexec.exe) with any of the command-line parameters from Table 5.1:

   MSIEXEC /i "[path]\Symantec Endpoint Encryption Framework Client.msi" parameter

   where [path] is the actual path on the Client Computer to which the package was copied.

Table 5.1 MSIEXEC Parameters for Framework

   Parameter                 Description                                                      MSIEXEC Version
   /q                        Quiet mode, no user interface                                    2.0 or 3.0
   /qb                       Displays a basic user interface                                  2.0 or 3.0
   /q /norestart             Quiet mode, no user interface; do not restart after the          3.0*
                             installation is complete
   /q REBOOT=ReallySuppress  Quiet mode, no user interface; prevent an automatic or           2.0 or 3.0
                             prompted reboot from occurring

   * Clients that have not upgraded to MSIEXEC 3.0 are limited to using MSIEXEC 2.0 compatible parameters.

Symantec recommends not restarting after the installation of the Framework package, using either the REBOOT=ReallySuppress or the /norestart parameter. This suppresses the display of harmless errors during installation.

3. When the Windows Installer finishes executing, the Framework client will be installed, and a completion dialog will display. Click OK. The next step is to install the Full Disk client.

4. Invoke the Windows Installer (msiexec.exe) with any of the command-line parameters from Table 5.2:

   MSIEXEC /i "[path]\Symantec Endpoint Encryption Full Disk Edition Client.msi" parameter

   where [path] is the actual path on the Client Computer to which the package was copied.

Table 5.2 MSIEXEC Parameters for Full Disk

   Parameter                 Description                                                      MSIEXEC Version
   /q                        Quiet mode, no user interface                                    2.0 or 3.0
   /qb                       Displays a basic user interface                                  2.0 or 3.0
   /q /norestart             Quiet mode, no user interface; do not restart after the          3.0*
                             installation is complete
   /q REBOOT=ReallySuppress  Quiet mode, no user interface; prevent an automatic or           2.0 or 3.0
                             prompted reboot from occurring

   * Clients that have not upgraded to MSIEXEC 3.0 are limited to using MSIEXEC 2.0 compatible parameters.

When the Windows Installer finishes executing, a dialog prompting you to restart the computer will display. Click Yes to restart the computer.

Symantec recommends that you use the security features of the third-party tool of your choice to protect your MSI packages.

Group Policy Deployment

With the SEE client installer packages already generated (Symantec Endpoint Encryption Framework Client.msi and Symantec Endpoint Encryption Full Disk Edition Client.msi), the next series of steps describes how to use Active Directory's software distribution capabilities to push these MSI packages out to the Client Computers for automatic installation. When using Active Directory to deploy the client installer packages, they must be installed as part of a software installation computer policy and not as part of a software installation user policy.

1. Open the SEE Manager Console. In the left-hand navigation pane, click the Group Policy Management container and expand the entire container hierarchy to reveal the Group Policy Objects container.

2. Right-click Group Policy Objects and select New. A New GPO window displays. Type SEE Client Installer Packages in the Group Policy Object box and click OK to save the new policy. Right-click the new policy and choose Edit. The Group Policy Object Editor will display.

3. Expand Computer Configuration, Software Settings, then Software installation.

4. Right-click Software Installation and select New, then Package. Click My Network Places, and navigate to the Microsoft Windows Network\your-org\Cadc-01\SYSVOL location or alternate location where you previously saved the two SEE client packages. If you do not select the install packages by navigating to them using My Network Places, Client Computers receiving the policy will be unable to locate the install packages and the software installation policy will fail to be applied.

5. Select the SEE Framework Client package, and click Open.

6. A confirmation screen will appear. Click OK to accept the default value of Assigned for that package.

7. Right-click Software Installation and select New, then Package. Click My Network Places, and navigate to the Microsoft Windows Network\your-org\Cadc-01\SYSVOL location or alternate location where you previously saved the two SEE client packages.

8. Select the SEE Full Disk Client package, and click Open.

9. A confirmation screen will appear. Click OK to accept the default value of Assigned for that package.

SEE clients are not currently compatible with 64-bit versions of Windows. The following setting prevents SEE client packages from being deployed to computers running 64-bit versions of Windows.

10. Right-click Software Installation and click Properties. Click the Advanced tab.

11. Under 32-bit applications on 64-bit platforms, deselect the Make 32-bit X86 Windows Installer applications available to Win64 machines check box. Click Apply, then OK.

Figure 5.1 Group Policy Object Editor

12. Close the Group Policy Object Editor.

13. In the SEE Manager, select the group policy you just created, then drag it and drop it onto the organizational unit (OU) or other object containing the computers to which you are deploying the client installer packages. To simplify these instructions, the policy shown in Figure 5.1 is linked at the domain level. In practice, applying policies at the OU level allows much greater flexibility.

14. A confirmation dialog appears. Click OK to confirm linking the policy to the specified location.

Figure 5.2 Changing the Scope of the Software Installation Policy

The new Group Policy, SEE Client Installer Packages, is now linked to the domain your-org.com as shown in Figure 5.2. Once the software installation GPO has been linked, it can take between 90 and 120 minutes before it is processed by a Client Computer connected to the domain. In addition to this policy processing delay, the Client Computer must be restarted to begin the installation. Some users simply log off rather than perform a complete shutdown, so computer policies are not fully processed. Best practices can help mitigate this condition; for example, you can implement scripts that restart the Client Computer periodically during off-peak hours or when a user logs off. To accelerate the GPO update process and to initiate a manual restart, refer to the Policy Administrator Guide.

Remotely Initiated Package Installation on the Client

After the software installation computer policy has been applied and the Client Computer has been restarted, the Symantec Endpoint Encryption Framework Client.msi and Symantec Endpoint Encryption Full Disk Edition Client.msi installations will begin. Depending on the MSIEXEC parameters specified, the Client Computer can automatically restart when the client packages have finished installing.

Manual Client Installations

Basics

In cases where only a few clients need to be installed or an infrastructure-based deployment is impractical, the SEE client software can be installed manually on individual Client Computers by installing the Framework and Full Disk client installer packages in sequence using the following steps.

Framework Install

1. Transfer the previously prepared client installer packages (Symantec Endpoint Encryption Framework Client.msi and Symantec Endpoint Encryption Full Disk Edition Client.msi) to removable media such as a CD-ROM disc.

2. Log on to the target computer using an administrator account possessing sufficient rights for installing software, then insert the CD containing the SEE client installer packages into the CD-ROM drive of the computer.

3. Once the CD has mounted, navigate to the file Symantec Endpoint Encryption Framework Client.msi and double-click it. The InstallShield Wizard for SEE Framework Client will launch.

4. Click Next. The Destination Folder page will display.

Figure 5.3 Framework Client Installer Destination Folder

5. Click Next to install the SEE Framework Client to the default location:

   C:\Program Files\Symantec\Symantec Endpoint Encryption Clients\

   To install the SEE Framework Client to a different location, click Change, navigate to a different location on the local hard disk, click OK, then click Next. The Ready to Install the Program page will display.

Figure 5.4 Framework Client Ready to Install

6. The installation can now begin. This is your last chance to change the installation location you established in the previous screens. Use the Back button to review and select a different installation location if necessary. Once you are satisfied and ready to begin the installation, click Install. The Installing SEE Framework Client page will display.

7. The InstallShield Wizard will display status information during the installation process and a success confirmation screen once the installation has completed successfully.

8. Click Finish to exit the InstallShield Wizard.

9. The SEE installer will display an alert dialog prompting you to restart.

Figure 5.5 Framework Client Installer Restart

10. Click No to defer the system restart until after you have completed installation of the SEE Full Disk Client in the following steps.

With the SEE Framework client package now installed, you can install the SEE Full Disk Client package.

Full Disk Install

1. Navigate to the Symantec Endpoint Encryption Full Disk Edition Client.msi file and double-click it. The InstallShield Wizard for Symantec Endpoint Encryption Full Disk Edition Client will launch.

2. Click Next. The InstallShield Wizard will display the Destination Folder page.

Figure 5.6 Full Disk Client Installer Destination Folder

3. The Full Disk Client installer uses the installation location specified during installation of the Framework; the Change button is unavailable. Click Next. The Ready to Install the Program page will display.

Figure 5.7 Full Disk Client Ready to Install

4. Click Install. The Installing SEE Full Disk Client page will display.

5. The InstallShield Wizard will display status information during the installation process and a success confirmation screen once the installation has completed successfully.

6. Click Finish to exit the InstallShield Wizard.

7. The SEE installer will display an alert dialog prompting you to restart.

Figure 5.8 Full Disk Client Installer Restart

8. Click Yes if you are finished installing all software, or click No to defer the system restart until later.

Once the computer has restarted, SEE Full Disk will be fully installed. Note that depending on the values chosen for the authentication method and grace restarts option (available in the Registered Users panel of the Framework Installation Settings wizard), users may be immediately forced to register for an SEE account at the next Windows logon. For information about the grace restarts option, see Registered Users on page 43.

6. Upgrades

Overview

This chapter describes how to upgrade the SEE Management Server, Manager Console, and SEE Client Computers.

SEE Management Server

Basics

This section describes migrating from an existing ADAM-based SEE Server (versions 6.2.0 and earlier) to a new SEE Management Server.

- Install the SEE Management Server. See Chapter 2, SEE Management Server, on page 10.
- Once the SEE Management Server has been installed, it is essential that the existing ADAM-based SEE Server (versions 6.2.0 and earlier) remain operational long enough to allow you to run the key exporter script. Copy the key exporter script from the SEE Management Server to the existing ADAM-based SEE Server.
- Run the key exporter script. The key exporter script captures critical keying data specific to each Client Computer and migrates that data to the SEE database instance. The rest of this section describes how to execute this script.
- Verify that the critical keying data was successfully migrated to the SEE database instance.
- Install the SEE Manager, and create and deploy the client upgrade packages.

Prerequisites

Your default script host must be set to either cscript or wscript. Before running the script, make sure you have the following information:

- The computer name or IP address of the computer hosting the SEE database
- If the default instance name was not used during installation of Microsoft SQL Server, the instance name that was used
- The ADAM Admin credentials of your existing ADAM-based SEE Server
- The Windows or SQL credentials of a user with administrative privileges for the SEE database instance
- The port number of the ADAM instance
- The distinguished name (DN) of the ADAM instance's application partition

Running the Key Exporter Script

The key exporter script must be run from the ADAM-based SEE Server. Do not run the key exporter script multiple times; the script should be run only once.

Procedure

1. Log on to the SEE Management Server and locate the key exporter script, KeyExport.vbs, in the following folder:

   C:\Program Files\Symantec\Symantec Endpoint Encryption Management Server\Services

2. Copy the key exporter script to a location on the network that is also accessible to the existing ADAM-based SEE Server.

3. Log on to the existing ADAM-based SEE Server and copy the key exporter script from the accessible network location to the local computer.

4. Open a command prompt and use the CD command to change to the directory where you copied the key exporter script.

5. At the command prompt, type the following command and press ENTER:

   KeyExport.vbs Database_Host Database_Name Uid=Username;Pwd=Password Port Application_Partition_Name ADAMAdmin_Username DN_of_Domain ADAMAdmin_Password

Script Parameters

Table 6.1 Parameters of the Key Export Script

   Parameter: Database_Host
      Use case: Microsoft SQL Server was installed with the default instance name
      Usage: Server Name or Server IP Address, i.e. SEEDB-01 or 10.0.3.8
      Use case: Microsoft SQL Server was installed with a named instance
      Usage: Server Name\Instance Name or Server IP Address\Instance Name, i.e. SEEDB-01\SQL2005 or 10.0.3.8\SQL2005
      Use case: The SEE database instance is running on SQL Server 2005 Express Edition
      Usage: Server Name\SQLEXPRESS, i.e. SEEDB-01\SQLEXPRESS

   Parameter: Database_Name
      Description: The name of the SEE database
      Usage: SEEMSDb

   Parameter: Username and Password
      Use case: Use SQL credentials to authenticate to the SEE database instance
      Usage: Uid=Username;Pwd=Password, i.e. Uid=Administrator;Pwd=pass@word1
      Use case: Authenticate to the SEE database with the credentials of the currently logged-on Windows user
      Usage: NULL

   Parameter: Port
      Description: The port of the ADAM instance
      Usage: 389 is the default port of the ADAM instance

   Parameter: Application_Partition_Name
      Description: The distinguished name (DN) of the application partition of the ADAM instance
      Usage: DC=EncryptionAnywhere,DC=com is the default DN of the application partition of the ADAM instance

   Parameter: ADAMAdmin_Username
      Description: User name of an account with administrative privileges over the ADAM application partition
      Usage: User Name, i.e. ADAMAdmin

   Parameter: DN_of_Domain
      Description: Distinguished Name (DN) of the domain that the ADAMAdmin account is a member of
      Usage: Distinguished Name, i.e. DC=your-org,DC=com

   Parameter: ADAMAdmin_Password
      Description: Password of the ADAMAdmin account
      Usage: Password, i.e. pass@word1

Examples

   KeyExport.vbs SEEDB-01\SQL2005 SEEMSDb Uid=Administrator;Pwd=pass@word1 389 dc=encryptionanywhere,dc=com ADAMAdmin dc=your-org,dc=com pass@word1

This command line shows the following:

- The SEE database is hosted on a server named SEEDB-01, where SQL Server was installed with a named instance of SQL2005.
- The credentials of a SQL database account will be used to authenticate to the SEE database.
- The credentials and domain of the ADAM Administrator account.

   KeyExport.vbs SEEDB-01\SQLEXPRESS SEEMSDb NULL 389 dc=encryptionanywhere,dc=com ADAMAdmin dc=your-org,dc=com pass@word1

This command line shows the following:

- The SEE database is located on a SQL Server 2005 Express Edition instance.
- The credentials of the currently logged-on Windows account will be used to authenticate to the SEE database.

Success

After the script has completed successfully, the following message is displayed at the command line:

   SUCCESS: Migrated encryption info into SQL Database.

You must now verify that the key info was successfully migrated to the SEE database instance.

Verification

Access the SEE database using Microsoft SQL Server Management Studio (part of an optional install of tools for SQL Server 2005) with administrator-level privileges, and verify that the SEEMSDb database has been populated with a table named dbo.gemsdeploymentkeys. If the dbo.gemsdeploymentkeys table was not created in the SEEMSDb database, do not run the key export script a second time; contact Symantec technical support for instructions on how to proceed.

With the migration of the key info from the ADAM Server to the SEE database complete, you can continue to the installation of the SEE Manager and the creation and deployment of the client upgrade packages. At this time, you should also perform a backup of the SEE database.

If you are prompted for the management password during an install or upgrade of the SEE Manager, the key export operation failed. Contact Symantec technical support for instructions on how to proceed.

SEE Manager

Basics

Review the following important points before upgrading the Manager Computer:

- The latest version of SEE Framework is only compatible with the latest versions of SEE Full Disk and SEE Removable Storage. All three must be upgraded.
- You should always be running the latest version of the SEE Manager on all Manager Computers.
- A default mode installation of the SEE Manager cannot be upgraded to a serverless installation of the SEE Manager.
- Framework must always be upgraded first.

Version Number Determination

1. Open the SEE Manager. In the navigation pane on the left, expand Symantec Endpoint Encryption Software Setup, click Symantec Endpoint Encryption Framework, point to Help, and click About SEE Framework.

2. The About Framework window displays, showing the current version of the Framework component.

3. Expand Symantec Endpoint Encryption Software Setup, right-click Symantec Endpoint Encryption Full Disk, point to Help, and click About SEE Full Disk.

Framework Upgrade

1. Before starting the upgrade, close all instances of the Microsoft Management Console (MMC) currently running on the Manager Computer you are upgrading.

2. Transfer the installer packages comprising the latest release of the SEE Manager (Symantec Endpoint Encryption Framework.msi and Symantec Endpoint Encryption Full Disk Edition.msi, along with any other Manager components you want to install) to removable media or a designated network share.

3. Log on to the Manager Computer using an administrator account possessing sufficient rights for installing software.

4. Locate the SEE Manager installer packages on the removable media or network share (Symantec Endpoint Encryption Framework.msi and Symantec Endpoint Encryption Full Disk Edition.msi) and copy them to the local hard disk.

5. With the SEE Manager installer packages copied to the Client Computer, upgrade SEE Framework first by invoking the Windows Installer with the following command-line parameters:

   MSIEXEC /i "[path]\Symantec Endpoint Encryption Framework.msi" REINSTALL="ALL" REINSTALLMODE="vomus"

   Substitute [path] with the actual path on the Client Computer to which the package was copied.

Full Disk Upgrade

1. Upgrade the SEE Full Disk Manager Console by invoking the Windows Installer with the following command-line parameters:

   MSIEXEC /i "[path]\Symantec Endpoint Encryption Full Disk Edition.msi" REINSTALL="ALL" REINSTALLMODE="vomus"

2. Repeat the above process on each Manager Computer: upgrade Framework, then upgrade Full Disk.

SEE Client Computers

Basics

Using the Framework and Full Disk Installation Settings Wizards, you create a set of client installer packages and apply them to Client Computers. Whenever you are upgrading Client Computers, you must upgrade the Framework module before upgrading other modules. The latest version of SEE Framework is only compatible with the latest versions of SEE Full Disk and SEE Removable Storage. All three must be upgraded.
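A wrapper for the key exporter run and the verification step described under SEE Management Server above, added here as an example; it is not Symantec's KeyExport.vbs and does not replace it. It assumes it is run from the directory on the ADAM-based SEE Server that holds KeyExport.vbs, and its parameter defaults are the guide's sample values (SEEDB-01\SQL2005, SEEMSDb, ADAMAdmin, dc=your-org,dc=com), not real settings.

```powershell
# Added example, not Symantec's script. Guards the one-time rule for
# KeyExport.vbs: refuses to run if dbo.gemsdeploymentkeys already exists,
# runs the script once with the argument order from Table 6.1, then confirms
# the table was created. Defaults are the guide's sample values.
param(
    [string]$DatabaseHost = 'SEEDB-01\SQL2005',
    [string]$DatabaseName = 'SEEMSDb',
    # 'Uid=...;Pwd=...' for SQL authentication, or 'NULL' for the logged-on
    # Windows user, exactly as KeyExport.vbs expects the argument.
    [string]$DbCredential = 'NULL',
    [int]   $AdamPort = 389,
    [string]$AppPartition = 'dc=encryptionanywhere,dc=com',
    [string]$AdamAdmin = 'ADAMAdmin',
    [string]$DomainDn = 'dc=your-org,dc=com',
    # Prompted at the console rather than hard-coded, so it never lands in a
    # saved script file.
    [string]$AdamAdminPassword = (Read-Host 'ADAMAdmin password')
)

function Test-KeysTable {
    # True if the SEE database already contains dbo.gemsdeploymentkeys.
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source']     = $DatabaseHost
    $csb['Initial Catalog'] = $DatabaseName
    if ($DbCredential -eq 'NULL') {
        $csb['Integrated Security'] = $true
    } else {
        # Reuse the same Uid=..;Pwd=.. pair that is passed to the script.
        foreach ($pair in $DbCredential.Split(';')) {
            $key, $value = $pair.Split('=', 2)
            $csb[$key] = $value          # the builder accepts the Uid/Pwd synonyms
        }
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection $csb.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT COUNT(*) FROM sys.tables " +
                           "WHERE schema_id = SCHEMA_ID('dbo') AND name = 'gemsdeploymentkeys'"
        return ([int]$cmd.ExecuteScalar() -gt 0)
    } finally {
        $conn.Dispose()
    }
}

if (Test-KeysTable) {
    throw 'dbo.gemsdeploymentkeys already exists: KeyExport.vbs has already run and must not be run again.'
}

# Same positional order as the guide's command line. The password goes on the
# command line because the script requires it there; run this interactively on
# the ADAM server and do not capture the command in a log.
$scriptArgs = @('//nologo', 'KeyExport.vbs', $DatabaseHost, $DatabaseName, $DbCredential,
                $AdamPort, $AppPartition, $AdamAdmin, $DomainDn, $AdamAdminPassword)
$output = (& cscript.exe @scriptArgs 2>&1) | Out-String
Write-Host $output

if ($output -notmatch 'SUCCESS: Migrated encryption info into SQL Database') {
    throw 'KeyExport.vbs did not report success. Do not run it again; contact Symantec technical support.'
}
if (-not (Test-KeysTable)) {
    throw 'Script reported success but dbo.gemsdeploymentkeys is missing. Do not run it again; contact Symantec technical support.'
}
Write-Host "Verified: dbo.gemsdeploymentkeys is present in $DatabaseName. Back up the SEE database now."
```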
Creating Client Upgrade Packages

Existing installations of the SEE client software can be upgraded by creating a new set of client installer MSI packages and applying them as upgrades to previously deployed client installer MSI packages. The exception is clients created from a default mode installation of the SEE Manager, which cannot be upgraded using client installation packages created from a serverless installation of the SEE Manager.

When upgrading clients created from a serverless installation of the SEE Manager to clients created from a default mode installation of the SEE Manager, ensure that the Full Disk Client Monitor lockout policy is not enforced on those clients before performing the upgrade. If a lockout policy is in effect, the client machines could be locked out immediately after the upgrade.

Upgrading clients to this version of SEE Full Disk will delete any existing Client Administrator accounts, along with their associated Windows domain user accounts. Once you complete the upgrade process, only the newly defined Client Administrator accounts you specified in the Framework upgrade package will exist.

When you upgrade an SEE client, the existing installation settings from the originally deployed client packages are preserved, and the settings chosen in the wizard when you create the new client installer MSI packages are discarded, with the exception of the following settings:

   Full Disk Installation Settings - Startup
      A custom image should be displayed
      Custom image bitmap file

When upgrading SEE to a more recent version, both the Framework and Full Disk client modules must be upgraded with both the Framework and Full Disk components of the SEE Manager.

Upgrading Client Installer Packages

Existing installations of the SEE client software can be upgraded by creating a new set of client installer MSI packages and applying them as upgrades to previously deployed client installer MSI packages.

Client Upgrade Methods

You can upgrade an existing client package using any of the following methods:

- Installation from Active Directory as an upgrade to an existing software installation computer policy
- Installation using a third-party deployment tool
- Manual installation using a Windows Installer command line at the Client Computer

When a client installer MSI package is saved at the completion of the Installation Settings Wizard, the package retains the Windows permissions of the target location it was saved to. These retained permissions may interfere with the upgrade process, causing it to fail. To avoid installation failure, save all client installer MSI packages to a local or network volume on which Full Control permissions are set in the properties sheet.

Deploying and Installing Client Module Upgrades

Client module upgrades may be deployed using any delivery method that supports MSI packages. The following sections detail two delivery methods:

- Upgrading using an existing software installation GPO
- Upgrading manually using the command line

Upgrading Using an Existing Software Installation GPO

The method described here assumes that you deployed the SEE client installer packages as part of a Software Installation GPO using Active Directory, and that the policy is still in place. Do not manually upgrade a GPO deployment of SEE client installer packages, and do not upgrade a manual deployment of SEE client installer packages using a Software Installation GPO.

Windows 2000 computers with SEE software deployed using a GPO cannot be upgraded using the method described here. To upgrade Windows 2000 computers, you must replace the original client package referenced by the GPO with the new upgrade package, making sure that the two file names are identical. To complete the upgrade process, you must edit the GPO, right-click the client package, choose All Tasks, click Redeploy application, then close the GPO editor to apply the policy. Note that the product name and version information shown in the GPO editor will reflect those of the original package and not the upgrade package.

Because the upgrade involves creating a new set of client installer packages, you will need the following credentials to complete the Framework Installation Settings Wizard:

- Credentials of the SEE Management Server Administrator
- Credentials of at least one domain user account

You will create a new set of client installer packages for upgrading the existing client installer packages. As you did with the existing client installer packages, you will save the new set to the SYSVOL folder, where they will be referenced by the software installation GPO. This allows all Client Computers processing the policy to access and apply the client installer upgrades. Always deploy the SEE client installer packages as part of a software installation computer policy and never as a software installation user policy.

1. On the Manager Computer, open the SEE Manager: click Start, point to All Programs, then click Symantec Endpoint Encryption Manager.

2. The SEE Manager opens. In the navigation pane on the left, expand Symantec Endpoint Encryption Software Setup and click Symantec Endpoint Encryption Framework.

3. In the Framework Installation Settings Wizard panel on the right, enter the required information and click Next. Because the majority of settings contained in client installer upgrade packages are discarded when the upgrade packages are applied, you can leave most of the panel settings at their default values. However, two of the Wizard panels, Communication and Client Administrators, require that you enter valid values before you can advance to the next panel. These two panels also contain the settings that are updated when an upgrade package is applied. These settings are listed in Creating Client Upgrade Packages on page 71.

4. When you reach the final panel of the Wizard, click Finish. A success confirmation dialog will display. Click OK. You will be prompted to specify a location in which to save the Symantec Endpoint Encryption Framework Client.msi file. Navigate to the SYSVOL folder. If the SYSVOL folder already contains a file named Symantec Endpoint Encryption Framework Client.msi (the existing Framework client installer package), change the default name of the new client installer package (to, for example, Symantec Endpoint Encryption Framework Client2.msi) and click OK.

5. Repeat steps 3 and 4 to create the Full Disk client installer upgrade package using the Full Disk Installation Settings Wizard. Rename the resulting Full Disk client installer package to Symantec Endpoint Encryption Full Disk Edition Client2.msi and also save the file in the SYSVOL folder.

6. In the navigation pane of the SEE Manager, expand the Group Policy snap-in to reveal the existing GPOs. Locate the GPO you created for deploying the SEE client installer packages, select it, right-click, and choose Edit.

7. The Group Policy Object Editor (GPOE) opens. Expand Computer Configuration, then expand Software Settings.

8. Right-click Software Installation, point to New, then click Package. Click My Network Places, and navigate to the location Microsoft Windows Network\your-org\Cadc-01\SYSVOL where you previously copied the client installer upgrade packages, for example, Symantec Endpoint Encryption Framework Client2.msi and Symantec Endpoint Encryption Full Disk Edition Client2.msi.

9. Click to select the client installer upgrade, Symantec Endpoint Encryption Framework Client Installer2.msi, and click Open.

10. A confirmation screen will appear. Click OK to accept the default value of Assigned for that package. If you do not select the client module upgrade template package by navigating to it using My Network Places, Client Computers receiving the policy will be unable to locate the install package and the software installation policy will fail to be applied.

11. The new package will appear in the pane on the right as Symantec Endpoint Encryption Framework Client (2). Select it, right-click, and choose Properties.

12. The Properties window opens. Click the Upgrade tab, then click Add.

13. In the Package to upgrade box, choose Symantec Endpoint Encryption Framework Client.

14. Choose Package can upgrade over the existing package. Click OK, click Apply, then OK.

15. Repeat steps 8 through 14 to assign the new Full Disk client installer package, Symantec Endpoint Encryption Full Disk Edition Client2.msi, as an upgrade to the existing package.

Figure 6.1 Software Installation GPO, Add Upgrade Package

16. Finally, close the GPOE window to apply the policy. Note that Client Computers targeted by this computer policy must be restarted in order to install the upgrade.

Upgrading Using a Command Line

Existing deployments of the SEE client can be upgraded using client installer packages created with a more recent version of the SEE Manager. To avoid installation errors during the upgrade, make sure that when you create the client installer packages you save them to a local hard disk or other volume on which Full Control permissions are set. The client installer packages can then be copied to removable media, a network volume accessible to the client, or the local hard disk of the Client Computer you are upgrading. For large-scale deployments, you can use the command-line method as a basis for scripted upgrades.

Upgrade the Framework Module

1. Click Start, click Run, type cmd, then click OK to open a new command prompt window.

2. Invoke the Windows Installer with the following command-line parameters:

   MSIEXEC /i "[path]\Symantec Endpoint Encryption Framework Client.msi" REINSTALL="ALL" REINSTALLMODE="vomus"

   where [path] is the actual path on the Client Computer to which the package was copied.

3. When the Windows Installer finishes executing, the upgrade for the Framework client will be installed, and a completion dialog will display. Click OK. The next step is to install the upgrade for the Full Disk client.

Upgrade the Full Disk Module

1. Upgrade SEE Full Disk by invoking the Windows Installer with the following command-line parameters:

   MSIEXEC /i "[path]\Symantec Endpoint Encryption Full Disk Edition Client.msi" REINSTALL="ALL" REINSTALLMODE="vomus"

   where [path] is the actual path on the Client Computer to which the package was copied.

2. When the Windows Installer finishes executing, a dialog prompting you to restart the computer will display. Click Yes to restart the computer.

Repeat the above process on each Client Computer: upgrade the Framework module, then upgrade the Full Disk module.
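A scripted form of the command-line upgrade just described and of the command-line install in Deploying Client Installer Packages (Third-Party Tool Deployment, steps 2 and 4), added here as an example and not taken from Symantec's documentation. It assumes the two client MSIs were copied to a folder of your choosing ($PackageDir) and that you recorded each package's SHA-256 when you created it; the hash values in the script are placeholders.

```powershell
# Added example, not Symantec's script. Installs or upgrades the SEE client
# packages in the required order (Framework first, then Full Disk), quietly
# and with the reboot suppressed, and checks each package's SHA-256 before
# running it, since the MSIs are unencrypted and could be altered in transit.
param(
    [string]$PackageDir = 'C:\SEE\Packages',     # assumed location of the copied MSIs
    [ValidateSet('Install', 'Upgrade')]
    [string]$Mode = 'Install'
)

$Framework = 'Symantec Endpoint Encryption Framework Client.msi'
$FullDisk  = 'Symantec Endpoint Encryption Full Disk Edition Client.msi'

# PLACEHOLDERS: replace with the SHA-256 values recorded when the packages were
# built (the guide gives no hashes). With the placeholders left in, the script
# refuses to run anything.
$ExpectedSha256 = @{
    $Framework = '<SHA256-OF-FRAMEWORK-CLIENT-MSI>'
    $FullDisk  = '<SHA256-OF-FULL-DISK-CLIENT-MSI>'
}

function Get-Sha256Hex([string]$Path) {
    # Uppercase hex digest of the file, via .NET so it works on old PowerShell.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Invoke-SeeMsi([string]$MsiPath, [string]$Mode) {
    # /q and REBOOT=ReallySuppress are the MSIEXEC 2.0-compatible choices from
    # Table 5.1; an upgrade adds the REINSTALL properties from the upgrade steps.
    $msiArgs = @('/i', "`"$MsiPath`"", '/q', 'REBOOT=ReallySuppress')
    if ($Mode -eq 'Upgrade') { $msiArgs += @('REINSTALL=ALL', 'REINSTALLMODE=vomus') }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

foreach ($name in @($Framework, $FullDisk)) {      # order matters: Framework first
    $path = Join-Path $PackageDir $name
    if (-not (Test-Path -LiteralPath $path)) { throw "Package not found: $path" }

    # Integrity check before execution: refuse a package whose hash differs
    # from the one recorded at creation time.
    $actual = Get-Sha256Hex $path
    if ($actual -ne $ExpectedSha256[$name].ToUpperInvariant()) {
        throw "SHA-256 mismatch for '$name' (got $actual); refusing to run it."
    }

    $code = Invoke-SeeMsi -MsiPath $path -Mode $Mode
    switch ($code) {
        0       { Write-Host "$name : $Mode completed" }
        3010    { Write-Host "$name : $Mode completed, restart pending" }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "msiexec exited with $code for '$name'; stopping before the next package." }
    }
}
Write-Host 'Both packages processed. Restart the Client Computer to finish.'
```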

7. Uninstallation

Overview

This section describes how to uninstall the SEE Management Server, the SEE Manager, and the SEE client software.

SEE Management Server

To uninstall an SEE Management Server, log on to the SEE Management Server and uninstall the server using Add or Remove Programs.

1. Log on to the SEE Management Server using the SEE Admin domain user account.

2. Click Start, then click Control Panel. Double-click Add or Remove Programs.

3. In Currently installed programs, select Symantec Endpoint Encryption Management Server. Click Remove.

Figure 7.1 Add or Remove Programs Wizard Warning

4. The Add or Remove Programs Wizard displays a warning dialog. Click Yes. If an existing SEE database is detected, a dialog will display asking if you want to delete it. Clicking No preserves the existing SEE database and allows you to reuse it if you plan to re-install the SEE Management Server. Clicking Yes removes the existing SEE database and all client data records.

SEE Manager

When uninstalling the SEE Manager, always remember to uninstall the SEE Framework package last. To uninstall the SEE Manager software, do the following:

1. Log on to the SEE Manager Computer using an administrator account or other account with sufficient privileges to uninstall software.

2. Click Start, then click Control Panel. Double-click Add or Remove Programs.

3. In Currently installed programs, select Symantec Endpoint Encryption One-Time Password. Click Remove.

   Figure 7.2 Remove SEE One-Time Password Program
4. A confirmation message box displays. Click Yes. A progress box briefly displays.
5. In Currently installed programs, select Symantec Endpoint Encryption Full Disk Edition. Click Remove.
   Figure 7.3 Remove SEE Full Disk
6. A confirmation message box displays. Click Yes. A progress box briefly displays.
7. With Add or Remove Programs still open, select Symantec Endpoint Encryption Framework. Click Remove.

   Figure 7.4 Remove SEE Framework
8. A confirmation message box displays. Click Yes. A progress box briefly displays.
Both the Full Disk and Framework portions of the SEE Manager have now been uninstalled from the computer. Repeat this process for any other installations of the SEE Manager you are uninstalling.

SEE Client Computer

Basics
Before the SEE client software can be uninstalled, all encrypted disk partitions on the client must be decrypted. For information on how to remotely decrypt all client disk partitions using a policy, refer to the Policy Administrator Guide. For information on how a Client Administrator can decrypt individual disk partitions locally, refer to the Client Administrator Guide.

Client Packages Deployed Using a GPO
As is true of any software deployed using a Software Installation GPO, client packages should never be uninstalled manually at the client. Packages deployed using a Software Installation GPO should only be uninstalled by removing the Software Installation GPO or changing its scope. If you attempt to remove GPO-deployed client packages by manually uninstalling them through the Add or Remove Programs control panel on the client while the Software Installation GPO is still in effect, the packages will be reinstalled at the next restart, and further attempts to uninstall them will result in an error. As a Policy Administrator, you should set the appropriate Windows policies to prevent users from manually removing the client packages.

Using a Command Line
When uninstalling client installer packages, Symantec Endpoint Encryption Framework Client.msi must be uninstalled last. Note that to successfully uninstall a client installer MSI package, that MSI package must be present on the computer. If the package was deleted from the computer after installation, you may not be able to fully uninstall it.
To uninstall the SEE client software, invoke the Windows Installer with the following command-line parameters, in this order:
MSIEXEC /x "[path]\Symantec Endpoint Encryption Full Disk Edition Client.msi" REBOOT=ReallySuppress
MSIEXEC /x "[path]\Symantec Endpoint Encryption Framework Client.msi" REBOOT=ReallySuppress

Note that if the client installer packages were deployed using a Software Installation GPO, they can only be uninstalled by removing that GPO.
The SEE client software has now been fully uninstalled.
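The upgrade sequence (Framework first, then Full Disk) and the command-line uninstall sequence (Full Disk first, Framework last) both come down to running MSIEXEC in a fixed order and stopping if a step fails. The script below is an added example, not part of the Symantec guide, that wraps both sequences in one helper. It checks that each MSI is still present before invoking it (the guide notes an uninstall cannot complete if the package was deleted), checks the Windows Installer exit code after every step, and reports when a restart is pending. It assumes a hypothetical staging folder $PackageDir holding the two client MSIs under the file names the guide uses; the /qn (silent) and /L*v (verbose log) switches are additions for unattended use and are not in the guide's commands. It does not check that partitions have been decrypted, which the guide requires before any uninstall.

```powershell
# Added example (not from the Symantec guide): drives the SEE client upgrade
# and uninstall sequences in the order the guide requires and checks msiexec
# exit codes after each step. Run from an elevated PowerShell prompt.
param(
    [string]$PackageDir = 'C:\SEEPackages',   # hypothetical staging folder (assumption)
    [ValidateSet('Upgrade', 'Uninstall')]
    [string]$Mode = 'Upgrade'
)

# Package file names as given in the guide.
$Framework = 'Symantec Endpoint Encryption Framework Client.msi'
$FullDisk  = 'Symantec Endpoint Encryption Full Disk Edition Client.msi'

# Well-known Windows Installer exit codes.
$ERROR_SUCCESS                 = 0
$ERROR_SUCCESS_REBOOT_REQUIRED = 3010

function Invoke-SeeMsi {
    param(
        [Parameter(Mandatory)][string]$Action,    # '/i' (install/upgrade) or '/x' (uninstall)
        [Parameter(Mandatory)][string]$Package,
        [string[]]$Properties = @()
    )
    $msi = Join-Path $PackageDir $Package
    # The guide warns that an MSI can only be uninstalled while the package is
    # still present on the computer, so fail early rather than half-way through.
    if (-not (Test-Path -LiteralPath $msi)) {
        throw "Package not found: $msi"
    }
    $log = Join-Path $env:TEMP ('SEE_' + [IO.Path]::GetFileNameWithoutExtension($Package) + '.log')
    # /qn and /L*v are additions for unattended runs; the guide's commands omit them.
    $msiArgs = @($Action, "`"$msi`"") + $Properties + @('/qn', '/L*v', "`"$log`"")
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($p.ExitCode -notin @($ERROR_SUCCESS, $ERROR_SUCCESS_REBOOT_REQUIRED)) {
        throw "msiexec $Action '$Package' failed with exit code $($p.ExitCode); see $log"
    }
    return $p.ExitCode
}

$rebootNeeded = $false
switch ($Mode) {
    'Upgrade' {
        # Framework first, then Full Disk, as the guide's upgrade procedure specifies.
        foreach ($pkg in $Framework, $FullDisk) {
            $rc = Invoke-SeeMsi -Action '/i' -Package $pkg -Properties 'REINSTALL=ALL', 'REINSTALLMODE=vomus'
            if ($rc -eq $ERROR_SUCCESS_REBOOT_REQUIRED) { $rebootNeeded = $true }
        }
    }
    'Uninstall' {
        # Full Disk first; the Framework package must always be removed last.
        # All encrypted partitions must already be decrypted (see Basics above);
        # this script does not verify that.
        foreach ($pkg in $FullDisk, $Framework) {
            $rc = Invoke-SeeMsi -Action '/x' -Package $pkg -Properties 'REBOOT=ReallySuppress'
            if ($rc -eq $ERROR_SUCCESS_REBOOT_REQUIRED) { $rebootNeeded = $true }
        }
    }
}
if ($rebootNeeded) {
    Write-Warning 'Windows Installer reported that a restart is required to complete the operation.'
}
```

Because REBOOT=ReallySuppress prevents the uninstall from restarting on its own, the 3010 exit code is the only signal that a restart is still pending; the script surfaces it instead of silently discarding it, so a deployment tool running the script can schedule the restart.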

Appendix A. Extending Domain User Rights with DSACLS

Overview
For situations in which corporate security policy restricts you from using a domain administrator account with the SEE Management Server's Active Directory synchronization service, you can instead use a non-administrator account that has been assigned modified permissions to allow read access to the deleted objects container in Active Directory. Although modified permissions can be assigned in a variety of ways, the technique presented here uses the dsacls.exe utility, a separate download and install. The dsacls.exe utility is included with the ADAM administrator tools as part of the ADAM SP1 installer. This technique is discussed in the Microsoft knowledgebase article at the following URL: http://support.microsoft.com/kb/892806

Prerequisites
Before you begin, you'll need to:
- Provision the non-administrator domain user account that will be used by the Active Directory synchronization service.
- Download and extract the ADAM SP1 installer (32-bit version). The ADAM SP1 installer may be downloaded from the Microsoft website at the following URL: http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en
  Make sure that you download the 32-bit version of ADAM SP1 (ADAMSP1_x86_English.exe). A full installation of ADAM is not required. Only the ADAM administration tools must be installed in order to make the dsacls utility available.

Summary of Steps
Using a modified non-administrator account with the Active Directory synchronization service requires the following steps:
1. Launch the ADAM Setup Wizard and install the ADAM administrator tools only.
2. Modify the access permissions for the non-administrator domain user account using the dsacls.exe utility.
3. Install the SEE Management Server, and specify the non-administrator domain user account in the Directory Service Synchronization page of the SEE Management Server InstallShield Wizard.
4. Test the proper functioning of the Active Directory synchronization service running with the modified non-administrator account.

In the following steps of the SEE Management Server install process, you will set the permissions on the domain user account used for synchronizing Active Directory to the SEE Management Server. You will do this by logging on to the domain controller as a domain administrator and executing the dsacls.exe utility twice with two sets of parameters.

Install ADAM Administrator Tools
- Launch the ADAM SP1 installer application (ADAMSP1_x86_English.exe). Click Next.
- The License Agreement page of the ADAM Setup Wizard appears. Select the option I Agree, then click Next.
- Select ADAM administration tools only, and then click Next.
- On the final installation screen, click Finish.

Grant List Children & Read Property Access Permissions
When you execute the dsacls.exe utility, you will grant the designated domain user account the ability to read and list the children of all objects in Active Directory, including the deleted objects container. Applying this permission is necessary for the proper functioning of the Active Directory synchronization service. The permissions string (LCRP) in the following command line represents the list of granted operations. These operations are: List the children of an object, and Read property.
- Log on to the domain controller using the domain administrator account.
- Click Start, click Run, type cmd, then click OK to open a new command prompt window.
1. At the C:\WINDOWS\ADAM> command prompt, type the following command and press ENTER:
   dsacls.exe "CN=Deleted Objects,dc=your-org,dc=com" /takeownership
   Be sure to replace the dc=your-org,dc=com entry with the distinguished name of your own domain.
2. At the C:\WINDOWS\ADAM> command prompt, type the following command and press ENTER:
   dsacls.exe "CN=Deleted Objects,dc=your-org,dc=com" /G "your-org\adsyncuser":lcrp
   Be sure to replace the dc=your-org,dc=com entry with the distinguished name of your own domain, and replace the your-org\adsyncuser entry with the domain name and user name of your own Active Directory synchronization account.
Having modified the non-administrator domain user account, you can now proceed to the SEE Management Server installation and enter this account in the Directory Service Synchronization page of the SEE Management Server InstallShield Wizard.
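The two dsacls commands above are easy to get wrong in the two places that matter: the domain DN and the permission string. The script below is an added example, not from the Symantec guide or the Microsoft article, that runs the same two commands against the current domain and then reads the container's ACL back to confirm that the synchronization account received exactly LCRP. It assumes dsacls.exe is on the PATH (for example in C:\WINDOWS\ADAM after the ADAM tools install), that it is run on the domain controller as a domain administrator, and that $SyncAccount is the placeholder account name from the guide, to be replaced with your own.

```powershell
# Added example (not from the Symantec guide): applies the guide's two dsacls
# commands to the current domain and verifies the resulting ACE.
param(
    [string]$SyncAccount = 'your-org\adsyncuser'   # placeholder from the guide; replace with your account
)

# Derive the domain DN from RootDSE instead of typing it; a typo in dc=...
# would point the grant at the wrong container.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$deletedObjects = "CN=Deleted Objects,$domainDn"

function Invoke-Dsacls {
    param([string[]]$Arguments)
    # dsacls.exe is assumed to be on the PATH (e.g. C:\WINDOWS\ADAM).
    $out = & dsacls.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls $($Arguments -join ' ') failed ($LASTEXITCODE): $($out -join "`n")"
    }
    return $out
}

# Step 1 from the guide: take ownership so the ACL can be edited.
Invoke-Dsacls @($deletedObjects, '/takeownership') | Out-Null

# Step 2 from the guide: grant only List Children and Read Property (lcrp).
# ${SyncAccount} needs the braces because ':' would otherwise be read as a scope qualifier.
Invoke-Dsacls @($deletedObjects, '/G', "${SyncAccount}:lcrp") | Out-Null

# Verification: dsacls with no switches prints the current ACL. The sync
# account should appear with only the rights just granted; an entry showing
# broader access means the wrong permission string was used.
$acl = Invoke-Dsacls @($deletedObjects)
$entries = $acl | Select-String -SimpleMatch $SyncAccount
if (-not $entries) {
    throw "No access control entry for $SyncAccount was found on $deletedObjects"
}
Write-Host "ACL entries for $SyncAccount on $deletedObjects :"
$entries | ForEach-Object { $_.Line }
```

Keeping the verification step in the same script is deliberate: an account used by an unattended service is easy to over-privilege by accident, and printing the ACE it actually holds is the quickest way to confirm the grant is limited to list and read.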
Testing AD Synchronization
To verify the proper functioning of the Active Directory synchronization service, perform the following steps:
1. Create a new computer object in Active Directory.
2. Access the SEE database instance using Microsoft SQL Server Management Studio (part of an optional install of tools for SQL Server 2005) with administrator-level privileges, and verify that the newly created computer object is present in the dbo.adcomputers table of the SEEMSDb database.
3. Delete the new computer you just created.
4. Either wait for synchronization to occur, or force synchronization to take place using the Configuration Editor. See the Policy Administrator Guide for details on this utility.
5. Using Microsoft SQL Server Management Studio, verify that the newly created computer object has been deleted from the dbo.adcomputers table of the SEEMSDb database.
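The five-step test above can be scripted so that it is repeatable after every change to the synchronization account. The script below is an added example, not from the Symantec guide; it creates a throwaway computer object, polls dbo.adcomputers until the object appears, deletes the object, and polls again until it disappears. The deletion half is the part that exercises the Deleted Objects permission granted in the previous section. It assumes the ActiveDirectory PowerShell module (RSAT) and sqlcmd.exe are installed, that $SqlInstance is a hypothetical name for the SEE database instance, and that Windows authentication gives the caller read access to SEEMSDb. The column names of dbo.adcomputers are not given in the guide, so the script selects every column and searches the text output for the computer name rather than filtering on a column it would have to guess.

```powershell
# Added example (not from the Symantec guide): automates the AD synchronization
# test. Requires the ActiveDirectory module and sqlcmd.exe.
param(
    [string]$SqlInstance    = 'SQLHOST\SEEINSTANCE',   # hypothetical SEE database instance
    [string]$TestName       = 'SEE-SYNC-TEST',         # throwaway computer object name
    [int]$TimeoutMinutes    = 30
)

function Test-InSeeDb {
    param([string]$Name)
    # Column names are not documented in the guide, so select everything and
    # search the text for the computer name.
    $rows = & sqlcmd.exe -S $SqlInstance -d SEEMSDb -E -W -Q 'SET NOCOUNT ON; SELECT * FROM dbo.adcomputers' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $($rows -join "`n")" }
    return [bool]($rows | Select-String -SimpleMatch $Name)
}

function Wait-ForSync {
    param([string]$Name, [bool]$Expected)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if ((Test-InSeeDb $Name) -eq $Expected) { return $true }
        # Synchronization runs on a schedule; forcing it from the Configuration
        # Editor (see the Policy Administrator Guide) shortens this wait.
        Start-Sleep -Seconds 60
    }
    return $false
}

Import-Module ActiveDirectory

# Step 1: create the computer object. Step 2: wait for it to be synchronized.
New-ADComputer -Name $TestName -Description 'SEE synchronization test object; safe to delete'
try {
    if (-not (Wait-ForSync $TestName $true)) {
        throw "$TestName did not appear in dbo.adcomputers within $TimeoutMinutes minutes"
    }
    Write-Host "Create synchronized: $TestName is present in dbo.adcomputers"
}
finally {
    # Step 3: always remove the test object, even if the create check failed.
    Remove-ADComputer -Identity $TestName -Confirm:$false
}

# Steps 4 and 5: the delete must also reach the SEE database. This is the
# check that fails if the sync account cannot read the Deleted Objects container.
if (-not (Wait-ForSync $TestName $false)) {
    throw "$TestName is still listed in dbo.adcomputers $TimeoutMinutes minutes after deletion"
}
Write-Host "Delete synchronized: $TestName has been removed from dbo.adcomputers"
```

A create that synchronizes while the delete does not is the signature of a synchronization account that has normal read access to the domain but no rights on CN=Deleted Objects, which is exactly the case the dsacls procedure in this appendix is meant to fix.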

Glossary

Active Directory
Active Directory is the directory service included with Windows 2000 Server and Windows Server 2003. This service stores information about objects on a network and makes that information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network. Active Directory provides network administrators with a hierarchical view of the network and a single point of administration for all network objects.

Active Directory Policies
Active Directory policies are one of two types of policies that can be created and deployed from the SEE Manager. They feature seamless integration with well-known Active Directory toolsets and include user as well as computer policies.

Active Directory Users and Computers Snap-in
The Users and Computers snap-in from Microsoft is used to find and organize the User and Computer objects in an Active Directory structure.

Automatic Authentication
If the Client Computer is set for automatic authentication, SEE Full Disk will not require valid SEE credentials to be provided before allowing Windows to load. This option relies on Windows to authenticate users. In addition, users will be registered automatically unless a registration password is required. Requiring a registration password serves to avoid reaching the maximum registered user limit and to limit the number of users that can gain access to the User Client Console.

Client Administrator
Client Administrators provide local support to SEE users and guarantee that SEE protected computers are always accessible even when all SEE users have been removed from those computers. When creating or updating Client Administrator accounts, the Policy Administrator assigns one of three privilege levels:
- High: unregister registered users, decrypt encrypted partitions, extend the Client Computer's next communication date, and unlock Client Computers.
- Medium: decrypt encrypted partitions, extend the Client Computer's next communication date, and unlock Client Computers.
- Low: extend the Client Computer's next communication date and unlock Client Computers.
Client Administrators cannot change their own passwords or use any password recovery methods.

Containers
The term containers is used to refer to organizational units (OUs) and domains. These are represented by folder icons in the left pane of the Microsoft Management Console. See also Objects.

Domain Name System (DNS)
Domain Name System (DNS) is a distributed database and name resolution system used for translating domain names into IP addresses.

Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) is a system for automatically assigning IP addresses to Client Computers on a network.

Expand, Expanded, to Expand
To reveal the contents of a container. This action is initiated by clicking the plus sign to the left of the container as displayed in the left pane of the Microsoft Management Console.

Group Filtering
Also known as Security Group Filtering or Security Filters. Security Filters applied to a Group Policy Object limit the scope of that Group Policy Object.

Group Policy Management, Group Policy Management Console Snap-in
A snap-in from Microsoft that a SEE Policy Administrator can use to assign Active Directory policies to users and computers. It can also be used to deploy client installation packages to Active Directory computers.

Group Policy Object (GPO)
An object in Active Directory that contains user and/or computer policies, and possibly software deployment policies.

LSDOU
This acronym describes the order in which GPOs are applied: Local (1), Site (2), Domain (3), OU (4), with local policies having the highest precedence.

Management Password, Management Password Snap-in
The Management Password controls access to snap-ins and snap-in functions used to support SEE Full Disk endpoints. It can be changed using the Management Password snap-in from the SEE Manager.

Microsoft Management Console (MMC)
Microsoft Management Console is a container User Interface (UI) that provides no functionality by itself. Each Microsoft Management Console process can host a set of snap-ins displayed in one or more windows. The layout of a Microsoft Management Console can be saved as a file with an .msc extension.

Microsoft Management Console Tree
The folder-like structure of snap-ins in a Microsoft Management Console. Snap-ins can be standalone, i.e., added to the root of the MMC tree, or they can be extensions of other snap-ins.

Microsoft Windows Installer (MSI)
A format for self-contained database files containing the requirements and instructions that the Windows Installer uses when installing applications. MSI packages can be deployed via Group Policy Objects.

Native Policies
Native policies are one of two types of policies that can be created and deployed from the SEE Manager. Native policies do not rely on any existing directory service for managing SEE Client Computers. Unlike SEE Active Directory policies, native policies apply to computers only and cannot be applied to users.

Novell eDirectory
An LDAP-based directory service from Novell. Computers that are members of an eDirectory domain can be managed using SEE native policies. Information from eDirectory can optionally be synchronized to the SEE Management Server, allowing SEE native policies to be applied according to the organizational structure maintained in eDirectory.

Objects
The term objects is used to refer to any Active Directory object. This includes individual Users, Computers, or Policies, as well as Groups of Users or Computers. See also Containers.

One-Time Password (OTP)
The One-Time Password (OTP) Program allows registered users to recover from a forgotten password with help desk assistance. It also allows users to regain access to their computer after it has been locked for a failure to communicate with the SEE Management Server. This assistance provides the user with a one-time password or response key, which allows the registered user to authenticate temporarily. The registered user is then prompted to enter a new password. Two methods are available for assisting registered users: online and offline. The online method is easier and more secure, but will not succeed unless the Client Computer has made contact with the SEE Management Server at least once following the registration of the user requiring assistance. The offline method can be used if the online method fails or if the Client Computer has never checked in with the SEE Management Server. The registered user provides the help desk with an OTP personal identifier, created during registration and updated using the User Client Console, to help confirm their identity. They also provide the help desk with a challenge key; the help desk in turn provides the user with a response key.

OTP Key
A critical value used for the One-Time Password password recovery feature. When the SEE Manager is installed for the first time, it populates the SEE database with the OTP key. For serverless installations of the SEE Manager, a new OTP key can be created or an existing OTP key can be selected. Using the OTP Key Changer Utility, the OTP key can be restored to the SEE Management Server. See also Random String.

Policy Administrator
Policy Administrators perform centralized administration of SEE. Using the Manager Console and the Manager Computer, the Policy Administrator:
- Creates and deploys client installation packages.
- Updates and sets client policies.
- Runs reports.
- Changes the Management Password.
- Runs the One-Time Password Program.
- Creates the computer-specific Recover DAT file necessary for Recover /B.
- Reconfigures the SEE Management Server, as necessary.
Access to SEE snap-ins can be restricted on a per snap-in basis, giving the domain or higher-level administrator flexibility when assigning specific Policy Administrator duties.

Random String
A critical value used to generate OTP keys stored in the SEE database, and required when rebuilding an SEE Management Server instance or migrating from a serverless deployment to a deployment containing a SEE Management Server. The random string backup should be stored in a secure location. See OTP Key.

Recover Program
The Recover Program can be used if a Client Computer encounters a serious error and cannot load Windows. The program attempts to regain access to data on the hard disk by repairing the SEE client database files (Recover /A), performing an emergency decryption of the entire hard disk (Recover /D), or restoring the encryption keys (Recover /B).

SEE Database Instance
An instance of an MS-SQL Server database used to host the SEE database. The SEE database instance can reside on an existing server in the corporate datacenter (recommended), on the SEE Management Server, or on any computer that is a member of the Active Directory forest/domain.

SEE Management Server
The SEE Management Server enables all aspects of SEE policy management and application, stores data reported by Client Computers in the SEE database, and (optionally) synchronizes information from Active Directory and/or eDirectory to the SEE database.

SEE Password
This password is used by registered users and by Client Administrators to authenticate to SEE during pre-boot authentication. Once Windows has loaded, registered users who do not have SSO enabled use this password to authenticate to the User Client Console, and Client Administrators use their password to authenticate to the Administrator Client Console. Registered users who have SSO enabled and log off of their SEE session when closing the User Client Console must also authenticate if they launch the console again during their Windows session. The Client Administrator uses their password to authenticate to Recover /A and Recover /D. A Client Administrator's password must be between 16 and 32 characters and is defined by the Policy Administrator through installation settings and policies. If automatic authentication is in effect, users will not have a SEE password. Otherwise, users will define their SEE password during registration. If SSO is enabled, the user's SEE password will be the same as their Windows password. If SSO is not enabled, the user's SEE password will differ from their Windows password and they will be able to change this password using the User Client Console.

Serverless
An installation mode of the SEE Manager that requires no connection to a SEE database. Framework client packages created from a serverless SEE Manager produce clients that do not communicate with an SEE Management Server.

Silent Client
A SEE client installed from a Framework client package created from a serverless mode installation of the SEE Manager. If the computer has never checked in, the online method of the One-Time Password recovery method and the Recover /B hard disk recovery option are not available.

Single Sign-On (SSO)
A feature that allows SEE registered users to log on to both Windows and SEE with their Windows password. To activate an SSO policy, the Client Computer must reboot, which installs the SEE GINA into the GINA chain, allowing password synchronization to take place.

Snap-in
A Dynamic Link Library (DLL) file user interface module designed to be loaded into a Microsoft Management Console.

Symantec Endpoint Encryption Framework
Symantec Endpoint Encryption Framework provides SEE-wide features, such as authentication methods and settings, as well as registered user and Client Administrator accounts and information.

Symantec Endpoint Encryption Software Setup Snap-in
A snap-in from Symantec that allows SEE Policy Administrators to customize SEE client software before deployment.

User
At least one user is required to register with SEE on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of four screens. The registration process can also be configured to occur without user intervention. Authentication to SEE Full Disk can be configured to occur in one of three ways:
- Single Sign-On enabled: the user will be prompted to authenticate once each time they restart their computer.
- Single Sign-On not enabled: the user must log on twice, once to SEE Full Disk and then separately to Windows.
- Automatic authentication enabled: the user is not prompted to provide credentials to SEE Full Disk; the authentication process is transparent. This option relies on Windows to validate the user's credentials.

Index

A
accounts 41
Active Directory
  definition of 82
  domain 3
  forest 3
administrative templates 36-39
Authenti-Check 48-49
automatic authentication 9, 43, 82, 87

B
boot-time defragmenters 4

C
Client Administrator accounts
  creation of 8, 41
  privilege levels 8, 42, 82
  role definition 82
  single-source passwords 8
  upgrades 71, 73
Client Computer
  client database files and 4
  domain user accounts and 6
  installation of 7, 21, 60-67
  keyboard support 5
  lockouts and 71
  system requirements 4
  uninstallation 78-79
  upgrades 71-75
Client installation packages
  creation 41-59
  GPO deployment 53
  MSIEXEC parameters and 60-61
  protection of 60, 61
  third party tool deployment 60-61
  upgrades and 72
client packages
  deploying by GPO 62
  installing 56
  original settings 72
  uninstalling 78
Communication 51, 73

D
Domain Name System (DNS)
  definition of 82
domain user account
  required by SEE Management Server 10

E
Encryption 55
  Full Disk installation settings 55
encryption method
  selecting 57

F
Framework installation settings
  Authentication Message 47
  Authenti-Check 48
  Client Administrators 41
  Communication 51
  Encryption 52
  One-Time Password 50
  Password Authentication 45
  Registered Users 43
  Single Sign-On 44
Full Disk installation settings
  Client Monitor 57
  Encryption 55
  Installer Customization 57
  Logon History 55
  Startup 54

G
Global Catalog LDAP port/protocol 2
Grace restarts 44
Group Policy Object Editor 62

H
HTTP/HTTPS port/protocol 2

I
installation completion tasks 25, 28
Installation settings
  Encryption, Full Disk 55
  Installer Customization, Full Disk installation settings 57
installing client packages 56

L
LDAP port/protocol 2
Logon History
  Full Disk installation settings 55

M
Management Password
  changing 25, 28
  complexity requirements 25, 28
Manager console
  add forest 31
Monitor 57

O
one-time password 25, 28

P
Password Authentication
  installation settings 45
Policy Administrator 34
  default capabilities 36
Port/Protocol, services 2

R
random string backup
  changing default location 25, 28
Recover Program 85
Registered Users
  installation settings 43
Removable 47
Restarts
  grace 44
restricting access to snap-in extensions 38

S
SEE Management Server (SEEMS)
  service accounts 24
SEE roles 7
segmenting support duties 40
Single Sign-On
  installation settings 44
SMB port/protocol 2
snap-in extensions
  restricting access to 38
Startup
  Full Disk installation settings 54
Symantec Endpoint Encryption Management Server.msi 11

U
uninstalling client packages 78