getting started with Symantec Endpoint Encryption A user guide from Royal Mail Technology For further help, contact the IT Helpdesk on 5415 2555 (01246 282555) March 2010
Contents 1 Introduction to Symantec Endpoint Encryption... 3 2 Storing a file on removable USB drive (e.g. memory stick, external hard drive, etc.)... 4 2.1 Saving to USB Drive for storage or sharing internally... 4 2.2 Saving to USB Drive for Sharing Externally... 5 3 Sending a File securely via email... 8 4 Receiving an Encrypted File via email...10 5 Access an encrypted file on a USB drive, on a RMG computer with SEE installed...11 6 Access an encrypted file on a USB drive on a computer without SEE installed...12 7 Accessing a Self-Extracting file on a Removable USB Drive...13 8 Storing and Accessing files on CD/DVD...15 8.1 Saving to CD/DVD for storage or internal transfer...15 8.2 Saving to CD/DVD for External Transfer...18 9 Accessing Files on a Secure CD/DVD...20 9.1 Accessing on a RMG computer with SEE installed...20 9.2 Accessing on a computer without SEE installed...20 10 Accessing a Self-Extracting file on a CD/DVD Drive...21 Appendix A. Using the SEE User Client Console...23 Appendix B. Exchanging information securely our policies...27
1 Introduction to Symantec Endpoint Encryption Symantec Endpoint Encryption (SEE) software ensures that only authorised users are allowed to access removable devices such as memory sticks or CD/DVDs and that any information written to these devices is secure. When SEE is installed on your PC or laptop, you ll be automatically registered as an authorised user. This will mean that any file you save to a removable device will be automatically encrypted. This process will be seamless and you will be able to open documents on your PC as normal without noticing any difference. However, when sharing files with RMG users without SEE installed or with external users, you will need to create a separate file with a password. For details, go to section 2 - Storing a file on removable USB drive When SEE is installed, you ll also get an application for burning files to a CD/DVD, ensuring they are always encrypted. This application will replace all other CD burning software in RMG. Full details are in section 7. Symantec Endpoint Encryption (SEE) supports the RMG information security policies, further details of which can be found in Appendix B.
2 Storing a file on removable USB drive (e.g. memory stick, external hard drive, etc.) 2.1 Saving to USB Drive for storage or sharing internally Step 1 Whenever you save a file to a USB removable device, that file will now be automatically saved as an encrypted file. This means the file can only be accessed or shared internally within RMG. Step 2 The file icon displayed in Windows Explorer now includes a padlock, indicating the file is encrypted. Step 3 You can now remove the USB drive from your computer. All RMG computers will have Symantec Endpoint Encryption (SEE) installed by the end of July 2010. While the rollout takes place, only computers with SEE installed will be able to access files saved in this manner. The file won t open on RMG PC s without SEE installed or on external computers such as your home computer or one belonging to an external partner. If you need to share the information in the file with external third parties, or anyone in RMG who has not yet had the software installed, you will need to use a password to encrypt the file. See section 2.2 below.
2.2 Saving to USB Drive for Sharing Externally When sharing information on a removable USB drive with external third parties, or anyone in RMG yet to have the software installed, you will need to create a Self Extracting Archive (.exe) file encrypted with a password that you supply. The information will only be accessible to a third party by using that password. Step 1 Insert the removable USB drive into your computer. Step 2 Select the file(s) to be encrypted. Using Windows Explorer, browse to the location of the file(s) that you want to encrypt. A single file or multiple files can be encrypted to a self extracting file. Right-click the selected file(s), point to Symantec, and select Encrypt to self-extracting file.
The SEE Removable Storage Self-Extracting Archive dialogue box appears Step 3 Complete the fields in the Dialog box as follows: In the Archive Name field, type a name for the self-extracting file or use the default archive name that is displayed. The archive name can be different to the names of the files contained within it, however, it makes it easier for the recipient if you name the archive file with the same name as the original file. If you do use a different name ensure you advise the recipient of the names of the individual files so they can find the files when they extract them to their computer. Select the file path for the removable USB drive in the Encrypt to field, or browse to the appropriate folder in the Folders/Drives box. You need to save the archive directly to the removable device. If moved to the device later, the recipient won t be able to view it. To create a new folder or subfolder, select an existing folder then click the New folder button. The Create Folder dialogue appears. In the new folder field, type the name of the new folder and click OK. Your folder is created and you are returned to the SEE Removable Storage Self- Extracting Archive box to complete. If you have already saved a self-extracting file of the same name to this location and want to replace it with this one, tick the Overwrite existing files box.
Tick the Password to allow you to enter a password in the Password and Confirm boxes. Click Encrypt Step 4 When the encryption is complete you ll get this message: Step 5 Click OK to confirm Step 6 Send the removable device to the external third party Step 7 Send the password to the third party separately and securely via email, or over the telephone. You should never send a password with the removable media on which it is encrypted. Ensure the password is at least eight characters long and is a mix of upper and lower case letters, numbers and symbols.
3 Sending a File securely via email (Please be aware that the functionality in this section may not work whilst our systems are prepared for the migration from Lotus Notes to Microsoft Outlook) If you need to send a file to someone outside RMG using email, you ll need to create a Self Extracting Archive file, encrypted with a password that you supply. The information will only be accessible to a third party by using that password. Step 1 Select the file(s) to be encrypted and emailed Using Windows Explorer, browse to the location of the file(s) that you want to encrypt. A single file or multiple files can be encrypted to a self extracting file. Right-click the selected file(s), point to Symantec, and select Encrypt, rename and email The SEE Encrypt, rename and email dialog box appears
Step 2 Complete the fields in the Dialog box as follows: In the Archive Name field, type a name for the self-extracting file or use the default archive name that is displayed. The archive name can be different to the names of the files contained within it. It makes it easier for the recipient if you rename the archive. If you do use a different name ensure you advise the recipient of the names of the individual files. This will enable them to find the files when they extract them to their computer. Tick the Password to allow you to enter a password in the Password and Confirm boxes Click email Step 3 Complete the Message details When the encryption is complete a New Mail is displayed with the encrypted file attached and a message telling the recipient how to access the file is included in the Mail Body Add the Recipient details and Subject and Send the message Step 4 Send the password to the third party separately and securely via a separate email, or over the telephone. You should never send a password with the email containing the encrypted file. Ensure the password is at least eight characters long and is a mix of upper and lower case letters, numbers and symbols.
4 Receiving an Encrypted File via email (Please be aware that the functionality in this section may not work whilst our systems are prepared for the migration from Lotus Notes to Microsoft Outlook) When the recipient receives the encrypted file as an email attachment, they save the attachment to their computer, and rename the attachment so that it has.exe as the file extension, instead of.rse. They then double click on the renamed file to display the SEE Removable Storage Extractor screen. They complete this by choosing the location on their computer in the Extract to field and the password you gave them in the password box. The file is extracted to the specified location and can be accessed by the recipient in the normal way. When looking for the extracted files, keep in mind that they might have different names to the archive file. If you are unsure you will need to contact the sender of the file.
5 Access an encrypted file on a USB drive, on a RMG computer with SEE installed In the screen shot below, a USB Drive containing an encrypted file has been plugged into your computer and is accessible as Drive F: The encrypted files appear in the folder listing in Windows Explorer. The padlock symbol which can be gold or red - indicates that the file is encrypted. A gold padlock means you can copy or open the file without a password. A red padlock means you will need to enter the password to decrypt the file when you try to copy or open it. When sharing encrypted files with other RMG users with SEE installed, this will not occur. If a file is displayed with the extension.exe and a padlock symbol, it has been saved as a self extracting executable archive. For details on accessing the files in the archive, refer to the next section.
6 Access an encrypted file on a USB drive on a computer without SEE installed Files encrypted and copied by SEE in the normal way (as described in section 2.1) cannot be opened automatically on a computer without SEE installed. If anyone tries to access the files using Windows Explorer they will see files with XML added to the end of the file name. If they try to access one of the files by double clicking it, this message will appear If this occurs because the user is waiting for SEE to be installed on their computer, the originator of the file should copy the file as a self extracting file as described in section 2.2 and send them the password separately and securely.
7 Accessing a Self-Extracting file on a Removable USB Drive Files that are to be securely transferred externally will be encrypted and should be saved as a self extracting file (as described in section 2.2) Step 1 To access these files, open Windows Explorer. The files will be displayed with a padlock symbol as shown here. To extract an unencrypted version of the file to your hard disc so you can access the file as normal. Double-click the self-extracting file name to start the process. A dialog box is displayed and you need to fill in the details. Step 2 Extract to: Type the name of folder on your hard disc where you want to save the extracted file to or Press to select the folder Password Enter the password provided by the originator, in the box (this is the password that was used when the self extracting file was originally created). Press Extract Note the number of remaining password attempts. Step 3 If the password is correct you will see this message and a normal unencrypted file will be placed on your hard drive that you can access as normal When looking for the extracted file(s), keep in mind that they may have different names to the archive file. The person who created the self-extracting file will be able to advise the original file names.
If you enter the wrong password, you see this message and will be able to try again to re-enter the password After five wrong passwords, you ll see this message You will not be able to try to decrypt the file again for a period of five minutes (the screen shot above was taken with one minute remaining).
8 Storing and Accessing files on CD/DVD 8.1 Saving to CD/DVD for storage or internal transfer When SEE is installed on your computer, it installs a program to burn files to a CD or DVD. This program will replace all other versions of CD burning Software in RMG. Follow the process below to burn files to a CD or DVD. Step 1 To launch the CD-DVD Burner, click Start - All Programs - Symantec Endpoint Encryption - SEE-RS Edition CD-DVD Burner, as shown below. Alternatively you can right click on the SEE User Client icon in the system tray (bottom right hand corner of your screen) and select Symantec Endpoint Encryption - SEE-RS CD-DVD Burner
Step 2 Complete the following dialogue box. An explanation of the fields and how you complete them follows: The Destination Drive drop-down list displays all of the available CD/DVD drives. Select your CD/DVD Drive. The Policies box is for information and indicates that files burned to disc will be encrypted. The Disc Information box gives you information about the disc currently in the selected drive. The Files and/or Folders to be burned box displays a list of files and folders that you select for burning. As you add files and folders using the buttons at the bottom of the screen they are added to this list. Add Files - This button allows you to select individual files from your computer to be added to the CD/DVD. Add Folders - This button allows you to select folders from your computer to be added to the CD/DVD.
Remove files - If you have added a file or folder to the list and change your mind before burning the CD/DVD you can remove it by selecting it from the list box and clicking this button. If you want to add a label to the CD/DVD before type the name in the Disc Volume Label box. burning, Step 3 Burn when you have selected all the files to be burned, press this button. The files are prepared, encrypted and finally written to the CD/DVD. The progress of each stage can be monitored in the Progress bar and the Activity Details box Step 4 When all files have been written successfully, this message appears. If you need to create a another CD/DVD with the same files, put a new disc in the CD/DVD writer and click Yes If you are finished, click No to end the Burner program.
8.2 Saving to CD/DVD for External Transfer Any files, which will be transferred to a Third party, must be stored on the CD/DVD as self extracting executables, using a password which must be supplied to the third party. The self extracting files will have to be created on your hard drive first, before copying to the CD using the CD/DVD writer. Step 1 The process for creating a self extracting archive on the hard disc is almost identical to the process for creating a self extracting archive on a Removable device as detailed in section 2.2. The only difference is in Step 3, when you are completing the Encrypt To part of dialog box. You need to save the self extracting file to a location on your hard drive. Complete the fields in the Dialog box as follows: In the Archive Name field, type a name for the self-extracting file - or use the default archive name that is displayed. The archive name can be different to the names of the files contained
within it. It makes it easier for the recipient if you name the archive file with the same name as the original file. If you do not use a different name ensure you advise the recipient of the names of the individual files. This will enable them to find the files when they extract them to their computer. Type the file path for the location on your hard drive where you want to save the file, in the Encrypt to field, or browse to the appropriate folder in the Folders/Drives box. You need to save the archive directly to the hard drive for copying to the CD at a later date. To create a new folder or subfolder on your hard disc, select an existing folder then click the New folder button. The Create Folder dialogue appears. In the new folder field, type the name of the new folder and click OK. Your folder is created and you are returned to the SEE Removable Storage Self-Extracting Archive box to complete. If you have already saved a self-extracting file of the same name to this location and want to replace it with this one, tick the Overwrite existing files box. Tick the Password to allow you to enter a password in the Password and Confirm boxes Click Encrypt Step 2 Once you have saved the self extracting file to your hard disc, you use the CD/DVD writer utility to copy that archive to your CD following the instructions in section 8.1 of this guide.
9 Accessing Files on a Secure CD/DVD 9.1 Accessing on a RMG computer with SEE installed If you are accessing a CD/DVD on an authorised workstation in RMG, then the files will appear with the gold padlock icon (described in section 5) and can be accessed as described for files on a removable USB device also detailed in section 5 of this guide. 9.2 Accessing on a computer without SEE installed If you try to access encrypted CD/DVD files from an RMG computer without SEE installed or any external computer, you won t be able to, unless the files have been saved as self extracting files. If not, when you access the CD/DVD files in Windows Explorer, you will not icons and the file names will end in and look at the see the padlock XML. If you try to access one of the files by it, you get this message: double clicking
10 Accessing a Self-Extracting file on a CD/DVD Drive A self extracting archive that has been saved to CD/DVD can be accessed using the same steps detailed for accessing a self extracting archive on a removable USB device. The process is explained in section 7 of this guide.
Appendix - Additional Information
Appendix A. 1. Reviewing SEE account Settings Using the SEE User Client Console The User Client Console can be launched at any time from the Start Menu, to review and modify your SEE settings, if required. The User Client Console displays your user name in the top right corner of screen, as you are the user currently logged on to the workstation. The Left column contains a menu of the options available to you. They include an option to change/review Account Settings You can only make changes to the settings of your own account. If any check boxes are greyed-out, this means you do not have the necessary privileges to change this setting. The majority of settings in the console will be greyed-out. To review or modify your account settings, select the appropriate option under the Account Settings portion in the left column. For example, you can review the One Time Password settings by clicking the One Time Password option, under Account settings. Since RMG are using SEE for Removable Storage only, the option for One Time Password is not used, so selecting that option displays this message
A similar message is displayed if Authenti-Check is selected, as that feature is not used with Removable storage either. Selecting the Password option displays this message, because your registered SEE account uses the same password as your normal Windows User account. Use the Quick Help icon to display the Quick Help pane, then move your mouse over to the option on the left hand pane on which you want help. 2. Reviewing SEE Removable Storage Policies You can review the SEE policies in place on your computer. Removable Storage is enabled on your computer, so to review the policies in relation to Removable devices, click on the Removable Storage option on the left hand side to see a description of those policies on the right hand side. In the example shown below, you are allowed to read and write to removable devices. Any new files you write to the removable device will be encrypted automatically by SEE. 3. Setting or Changing your Default Password
When you want to securely transfer a file to a third party via a removable device(described on page 7 of this guide), you have to supply a password. You will need to share the password with the authorised third party, who can then use the password to decrypt the file and access the information. To simplify the process, you can specify a default password. The default password can be used for every file you are going to share, avoiding the need to type a password for every individual file. You can change that default password from the SEE User Client console. Step 1 Select the Default Password option in the console Step 2 Enter the new password in the Password and Confirm Password boxes Step 3 Click OK to save the new password. Note on Passwords:
The Default Password panel displays the password length that is required by RMG policy, the symbols that are allowed in your password, and any requirements for the number of symbols, uppercase letters, lowercase letters, and/or digits that your password must contain. The RMG password policy requires you to ensure the password is at least eight characters long and is a mix of upper and lower case letters, numbers and symbols.
Appendix B. Exchanging information securely our policies Our policies covering the secure exchange of electronic information are: 1. Information Classification Policy - How to exchange information securely Royal Mail Group information must be classified according to the sensitivity of the content of the data. We have four levels of classification: Level PUBLIC INTERNAL CONFIDENTIAL STRICTLY CONFIDENTIAL Description Information that has been created for external distribution, or released under the Royal Mail Publication Scheme, to meet the requirements of the Freedom of Information Act (2000). Information accessible to all employees, agents and contractors relating to the ongoing business of the Royal Mail Group. Information that has been assessed to be of a sensitive nature and likely to cause damage following unauthorised disclosure. Information meeting the classification standards of government departments, the security services or clients, or assessed to be so sensitive that unauthorised disclosure would cause acute organisational damage. All data that isn t rated Public as described above i.e. Internal, Confidential or Strictly Confidential, must be encrypted when copied from your PC or laptop to a form of removable media, such as CD, DVD, USB drive (memory stick, external hard drive, etc.) or any other removable media. For more information, please see: Information Classification Policy-v1.1.pdf 2. Encryption Policy Exchanging removable media with external third parties When exchanging files with a third party, you must ensure that the information is protected during the exchange. If using mobile media, you need to create a self-decrypting file (see page 7 of this guide). The password for decrypting the file should never be sent with the mobile media on which it is encrypted. Always send the decrypting password separately in an email or over the telephone. For more information, please see Encryption Policy-v1.1.pdf 3. User Access Management Policy
When choosing a password for your third party encrypted file, ensure it s at least eight characters long and contains a mix of numbers, upper and lower case letters, and symbols. To access the file, the third party will need to enter the password you created. They will have five attempts to input the correct password before the file becomes locked. For more information, please see - User Access Management Policy-v1.1.pdf To see our policies and supporting guidelines in full, go to http://iplatform.intranet.point/rmg/centralfunc/tech_purch/info_security/policy