Symantec Endpoint Encryption Full Disk Policy Administrator Guide Version 7.0
Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Symantec Corporation. © 2008 Symantec Corporation. All rights reserved. Authenti-Check is a registered trademark of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners. Printed in the United States of America.
Contents

1. Introduction ... 1
   Overview ... 1
   Symantec Endpoint Encryption ... 1
      Basics ... 1
      Architecture ... 1
      Directory Service Synchronization ... 2
      Endpoint Containers ... 2
      Active Directory and Native Policies ... 3
      Installation and Policy Settings ... 3
   SEE Roles ... 4
      Policy Administrators ... 4
      Client Administrators ... 5
      User ... 5
2. Reporting ... 6
   Overview ... 6
   SEE Users and Computers ... 7
   SEE Server Reports ... 7
      Computer Status Report ... 7
      Computers not Encrypting to RS ... 7
      Computers with Decrypted Drives ... 7
      Computers with Specified Users ... 8
      Computers without Full Disk Installed ... 8
      Computers without Removable Storage Installed ... 8
      Non-Reporting Computers ... 8
   Resultant Set of Policy (RSoP) ... 8
   Windows System Events ... 10
3. Policy Creation ... 12
   Overview ... 12
   Active Directory Policies ... 12
   Native Policies ... 13
   Policy Options ... 13
      Client Administrators ... 13
      Registered Users ... 14
      Password Authentication ... 15
      Authentication Message ... 16
      Communication ... 16
      Single Sign-On ... 16
      Authenti-Check ... 16
      One-Time Password ... 17
      Startup ... 18
      Logon History ... 18
      Autologon ... 18
      Remote Decryption ... 19
      Client Monitor ... 20
      Local Decryption ... 20
4. Policy Deployment ... 21
   Overview ... 21
   Active Directory Policies ... 21
      Basics ... 21
      Order of Precedence ... 21
      Forcing a Policy Update ... 21
   Native Policies ... 22
      Basics ... 22
      SEE Managed Computer Groups ... 22
      Policy Assignment ... 24
      Order of Precedence ... 26
      Forcing a Policy Update ... 26
5. Endpoint Support ... 27
   The Management Password ... 27
      Basics ... 27
      Setting the Management Password ... 27
      Changing the Management Password ... 27
   One-Time Password Program ... 28
      Basics ... 28
      Launch ... 29
      SQL Server Logon Information ... 29
      Management Password ... 30
      Method ... 30
      Error Messages ... 35
   Hard Disk Recovery ... 36
      Basics ... 36
      Recover DAT File Generation ... 36
6. Server Configuration ... 39
   Overview ... 39
   Configuration Editor ... 39
      Basics ... 39
      Database Configuration Tab ... 39
      Directory Sync Services Configuration ... 40
      Web Server Configuration ... 41
      Directory Sync Service Status ... 42
Appendix A ... 43
   Framework System Events List ... 43
   Full Disk System Events List ... 56
Glossary ... 62
Index ... 66

Symantec Endpoint Encryption Full Disk iii
Figures

Figure 1.1 Architectural Overview ... 1
Figure 2.1 Group Policy Results Wizard, User Selection ... 9
Figure 2.2 RSoP Report From an SEE Client ... 10
Figure 3.1 Framework Computer Policy, Client Administrators Options ... 13
Figure 3.2 Framework Computer Policy, Registered Users Options ... 14
Figure 3.3 Framework Computer Policy, Password Authentication Options ... 15
Figure 3.4 Framework Computer/User Policy, Authenti-Check Options ... 16
Figure 3.5 Framework Computer/User Policy, One-Time Password Options ... 17
Figure 3.6 Full Disk Computer Policy, Startup Options ... 18
Figure 3.7 Full Disk Computer Policy, Autologon Options ... 19
Figure 3.8 Full Disk Computer Policy, Client Monitor Options ... 20
Figure 4.1 SEE Managed Computers, Add New Group ... 23
Figure 4.2 Name New Group Dialog ... 23
Figure 4.3 SEE Unassigned, Computer Highlighted ... 24
Figure 4.4 SEE Managed Computers Groups Dialog ... 24
Figure 4.5 SEE Managed Computers Group Selected ... 25
Figure 4.6 Policy Selection Dialog ... 25
Figure 4.7 Native Policy Assignment Confirmation ... 25
Figure 4.8 SEE Managed Computers Policy Assigned ... 26
Figure 5.1 Management Password Snap-in ... 27
Figure 5.2 Management Password Changed, Confirmation Message ... 28
Figure 5.3 One-Time Password, Welcome ... 29
Figure 5.4 SQL Server Logon Prompt ... 29
Figure 5.5 One-Time Password, Management Password ... 30
Figure 5.6 One-Time Password, Method Selection, Online ... 31
Figure 5.7 One-Time Password, Online Method, Identifying Information ... 31
Figure 5.8 One-Time Password, Online Method, Response Key ... 32
Figure 5.9 One-Time Password, Method Selection, Offline ... 33
Figure 5.10 One-Time Password, Offline Challenge Key ... 33
Figure 5.11 One-Time Password, Offline Response Key ... 34
Figure 5.12 One-Time Password, User Record Not Found ... 35
Figure 5.13 One-Time Password, Invalid Code Synchronization ... 35
Figure 5.14 Manager Console, Computer in Need of Recovery Highlighted ... 37
Figure 5.15 Management Password Prompt ... 37
Figure 5.16 Recovery Password Prompt ... 37
Figure 5.17 Recovery Data Export Dialog ... 38
Figure 5.18 Recovery Data Export Success Message ... 38
Figure 6.1 Configuration Editor, Database Configuration Tab ... 39
Figure 6.2 Configuration Editor, Directory Sync Services Configuration Tab ... 40
Figure 6.3 Configuration Editor, Web Server Configuration Tab ... 41
Figure 6.4 Configuration Editor, Directory Sync Service Status Tab ... 42
Tables

Table 1.1 Active Directory and Native Policies Compared ... 3
Table 1.2 Client Administrator Levels of Privilege ... 5
Table 2.1 Data Available About Client Computers That Have Checked In ... 6
Table 6.1 Synchronization Service Status Values ... 42
Table A.1 Framework System Events ... 43
Table A.2 Full Disk System Events ... 56
1. Introduction

Overview

Symantec Endpoint Encryption Full Disk protects data on laptops and PCs from the threat of theft or loss with strong, centrally managed encryption, auditing, and policy controls for hard disks and partitions, ensuring that the loss of a machine and its data does not trigger the disclosure obligations imposed by corporate policy or government regulation. As part of Symantec Endpoint Encryption, SEE Full Disk leverages existing IT infrastructures for seamless deployment, administration, and operation.

Symantec Endpoint Encryption

Basics

SEE consists of SEE Full Disk, SEE Removable Storage, and SEE Framework. SEE Framework includes all the functionality that is extensible across SEE. It allows behavior that is common to both SEE Removable Storage and SEE Full Disk to be defined in one place, thus avoiding potential inconsistencies.

Architecture

The following diagram depicts a sample mixed network and the interrelationships between SEE components.

[Figure 1.1 Architectural Overview: an Active Directory domain controller (your-org.com), a Novell eDirectory server (your_tree), a database server, the SEE Management Server, a Manager Computer, and Client Computers, connected by HTTP(S)/SOAP, group policy, ODBC, and LDAP]

The Active Directory domain controller and SEE Management Server are required.
A database server is recommended, but the SEE database instance can also be configured to reside on the SEE Management Server. The machine hosting the SEE database instance must be a member of the Active Directory forest/domain.

The Manager Console can be installed on multiple Manager Computers. It can also be installed on the SEE Management Server. It must reside on a computer that is a member of the Active Directory forest/domain.

The Novell eDirectory tree and Active Directory group policy communications are optional.

Directory Service Synchronization

Synchronization with Active Directory and/or Novell eDirectory is an optional feature. If enabled, the SEE Management Server obtains the organizational hierarchy of the specified forest, domain, and/or tree and stores this information in the SEE database. It also keeps this information up to date. This improves performance during Client Computer communications with the SEE Management Server, because the SEE Management Server can identify the Client Computer without having to query the Active Directory domain controller and/or the Novell eDirectory server.

When you open the SEE Manager, your Active Directory and/or Novell endpoints are organized just the way they are in the directory service, easing your deployment activities. In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any SEE products installed and/or have never checked in with the SEE Management Server. This allows you to run reports to assess the success of a given deployment and gauge the risk that your organization may face due to unprotected endpoints.

The timing of the synchronization event differs according to the directory service. Whereas Novell informs the SEE Management Server of any changes that occur, the SEE Management Server must contact Active Directory to obtain the latest information.
Synchronization with Active Directory is set to occur once every fifteen minutes.

Endpoint Containers

Basics

The SEE Manager places each endpoint into one or more of the following containers: Active Directory Computers, Novell eDirectory Computers, or SEE Managed Computers.

Active Directory/Novell eDirectory Computers

No computers are placed in the Active Directory Computers or Novell eDirectory Computers containers unless synchronization with the directory service is enabled. If synchronization with Active Directory is enabled, the Active Directory Computers container is populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell eDirectory Computers container holds the computers in the Novell tree. If synchronization with both directory services is enabled and a computer is managed by both, it appears in both containers.

Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with SEE snap-ins.

SEE Managed Computers

Computers located within the Active Directory Computers and/or Novell eDirectory Computers containers are not shown in the SEE Managed Computers container. Only computers that have checked in with the SEE Management Server are shown in the SEE Managed Computers container. Whether a computer is placed in the SEE Managed Computers container following check-in depends on whether synchronization is enabled.
If synchronization is not enabled, all Client Computers that have checked in are placed in the SEE Managed Computers container. If synchronization is enabled, only Client Computers that have checked in but do not reside within the designated Active Directory forest/domain and/or Novell tree are placed in the SEE Managed Computers container.

Computers located within the SEE Managed Computers container should be grouped into the organizational structure that you desire.

Active Directory and Native Policies

Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not.

Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off.

The following table itemizes the differences between Active Directory and native policies.

Table 1.1 Active Directory and Native Policies Compared

Targets
   Active Directory policies: Certain policies are deployed to users and others are deployed to computers.
   Native policies: Policies can only be applied to computers.
Order of precedence
   Active Directory policies: Policies are applied in Local, Site, Domain, OU (LSDOU) order of precedence.
   Native policies: Policies are applied in Computer, Subgroup, Group (CSG) order of precedence.
Creation and deployment
   Active Directory policies: Single pane policy creation/deployment.
   Native policies: Each pane must be visited when creating the policy.
When policies are applied
   Active Directory policies: Policies are obtained from the domain controller and applied at each reboot.
   Native policies: Policies are applied when the client checks in with the SEE Management Server.
Forcing an update
   Active Directory policies: An immediate policy update can be forced using the gpupdate /force or secedit command.
   Native policies: An immediate policy update can be forced by clicking Check in now from the User Client Console.

Installation and Policy Settings

Basics

While the majority of the installation settings can be overridden with policy updates, certain installation settings cannot. Furthermore, three SEE Full Disk settings do not have a corresponding installation setting and can only be defined by pushing out a policy update.

Installation Only Settings

The following SEE Framework installation setting cannot be changed later by policy update:
- Encryption: AES encryption strength.

The following SEE Full Disk installation settings cannot be changed later by policy update:
- Encryption: settings related to initial encryption (the Disk Partitions and Advanced Options sections of this panel);
- Installer Customization: location of the client database files; and
- Startup: custom image bitmap file.
Note that although a custom image bitmap file cannot be changed by a policy setting once the SEE client software has been deployed, a custom image can be effectively hidden at a later time by pushing out a Startup policy that causes the Symantec logo to be displayed instead.

Policy Only Settings

The following SEE Full Disk settings can only be defined using a policy:
- Autologon: the active period and number of restarts that control the Autologon feature;
- Remote Decryption: decryption of all disk partitions; and
- OTP Communication Unlock: the ability of users to use the One-Time Password program to regain access to their computer after it has been locked for a failure to communicate.

SEE Roles

Policy Administrators

As the Policy Administrator, you perform centralized administration of SEE. Your primary tool is the Manager Console, installed on the Manager Computer. The Manager Console contains the following SEE snap-ins:
- Symantec Endpoint Encryption Management Password: allows you to change the Management Password.
- Symantec Endpoint Encryption Software Setup: used to create client installation packages.
- Symantec Endpoint Encryption Native Policy Manager: escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients.
- Symantec Endpoint Encryption Users and Computers: displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups; and provides the ability to export computer-specific Recover DAT files necessary for Recover /B.
- Symantec Endpoint Encryption Server Reports: includes the Computer Status, Computers not Encrypting to RS, Computers with Decrypted Drives, Computers with Specified Users, Computers without Full Disk Installed, Computers without Removable Storage Installed, and Non-Reporting Computers reports. Each report provides the ability to export computer-specific Recover DAT files necessary for Recover /B.
- Symantec Endpoint Encryption One-Time Password Program (optional): enables you to assist users who can't get into Windows because they forgot their credentials or have been locked out for a failure to communicate with the SEE Management Server.

It also contains the following Microsoft snap-ins to help you manage your Active Directory computers:
- Active Directory Users and Computers: allows you to both view and modify your Active Directory organizational hierarchy.
- Group Policy Management: lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find SEE snap-in extensions that allow you to create and modify SEE user and computer policies for Active Directory managed computers.

Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if any, are effected through the privileges associated with your Windows account.

Your Windows account may have been provisioned with rights to access the SEE database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console. Alternatively, you may be required to log on to the SEE database separately using SQL authentication.
Client Administrators

Client Administrators provide local support to SEE users and guarantee that SEE Full Disk protected computers remain accessible even when all SEE users have been removed from those computers. Each Client Computer must have at least one Client Administrator account. As Policy Administrator, you are responsible for creating and maintaining Client Administrator accounts using the SEE Manager. Because Client Administrator accounts are managed entirely by SEE and do not relate to Windows accounts, Client Administrators can support users who are not a part of the domain.

One of three privilege levels is assigned to each Client Administrator account. At least one Client Administrator account with a privilege level of high must exist on each workstation.

Table 1.2 Client Administrator Levels of Privilege

Level | Can Unlock Computer | Can Extend Next Communication Due Date | Can Run Recover Program | Can Decrypt Hard Disk | Can Unregister Users
High | | | | |
Medium | | | | |
Low | | | | |

Client Administrators should be trusted in accordance with their assigned level of privilege. There must be at least one Client Administrator on each workstation to allow hard disk recovery.

Client Administrator passwords are managed by you and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers. If passwords were local to each computer, remembering multiple passwords would become unwieldy.

Client Administrator accounts have the following restrictions:
- Client Administrators do not have either of the authentication assistance methods (Authenti-Check and One-Time Password) available.
- Client Administrators cannot use Single Sign-On.

User

SEE Full Disk protects the data stored on the Client Computer by encrypting it and requiring valid credentials to be provided before allowing Windows to load. Only the credentials of registered users and Client Administrators are accepted by SEE Full Disk.

During the registration process, users set their SEE credentials, allowing them to power the machine on from an off state and gain access to Windows. At least one user is required to register with SEE on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of four screens. The registration process can also be configured to occur without user intervention.

Authentication to SEE Full Disk can be configured to occur in one of three ways:
- Single Sign-On enabled: The user is prompted to authenticate once each time they restart their computer.
- Single Sign-On not enabled: The user must log on twice: once to SEE Full Disk and then separately to Windows.
- Automatic authentication enabled: The user is not prompted to provide credentials to SEE Full Disk; the authentication process is transparent. This option relies on Windows to validate the user's credentials.

To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges.
2. Reporting

Overview

The SEE Manager features several tools to retrieve data stored in the SEE database. These reporting tools allow you to:
- Assess the success of a deployment,
- Gauge the risk that your organization may face due to unsecured endpoints,
- Locate individual computers for the purpose of exporting the computer-specific Recover DAT file necessary for Recover /B,
- Identify computers that have not checked in within a certain number of elapsed days,
- Find out all of the computers that a user has registered on, and
- Determine the SEE policy currently being enforced by protected endpoints.

If Active Directory and/or Novell synchronization is enabled, you can obtain the computer names and directory service location of any computer located in your forest, domain, or tree, even if the computer has never checked in with the SEE Management Server. While only the computer name and directory service location of these computers will be available, the absence of additional data allows you to identify computers that are unprotected or have not checked in.

The following table describes the data that will be available about Client Computers that have succeeded in checking in with the SEE Management Server.
Table 2.1 Data Available About Client Computers That Have Checked In

Column Heading | Data Displayed | Explanation
Computer name | computer name | Computer name
Group name* | group name | Location of the computer within SEE Users and Computers
Last Check-in | time/date stamp | The time and date of the last connection that the Client Computer made with the SEE Management Server
Decrypted | partition letter(s) | The letter(s) of any decrypted partition(s) on this computer
Decrypting | partition letter(s) | The letter(s) of any partition(s) on this computer in the process of decrypting
Encrypted | partition letter(s) | The letter(s) of any encrypted partition(s) on this computer
Encrypting | partition letter(s) | The letter(s) of the partition(s) on this computer in the process of encrypting
FR Version | n.n.n | The three-digit version number of SEE Framework that is currently installed
HD Version | n.n.n | The three-digit version number of SEE Full Disk that is currently installed
HD Installation Date | time/date stamp | The time and date on which SEE Full Disk was installed
Serial Number | serial number, or Not Available | The System Management BIOS (SMBIOS) serial number from the WMI_SystemEnclosure class. If the data does not exist on the client, the value will either be blank or Not Available will be displayed.
Asset Tag | asset tag, or No Asset Tag / No Asset Information | The System Management BIOS (SMBIOS) asset tag from the WMI_SystemEnclosure class. If the data does not exist on the client, the value will either be blank or No Asset Tag/No Asset Information will be displayed.
Part Number | part number | The System Management BIOS (SMBIOS) asset tag from the WMI_SystemEnclosure class. This data may not exist on the client, in which case it will be blank.
RS Encryption Policy | N/A | N/A
RS Encryption Method | N/A | N/A
RS Executables | N/A | N/A
RS Access Utility | N/A | N/A
RS Master Cert | N/A | N/A
RS Password Aging | N/A | N/A
RS Version | N/A | N/A
RS Installation Date | N/A | N/A

* This column is not shown in the SEE Users and Computers snap-in.

SEE Users and Computers

The SEE Users and Computers snap-in allows you to export data about a specific group into a comma-delimited format (CSV). This can be useful for generating reports on a per-group basis. You might also want to consider your reporting needs when you create your groups (see "SEE Managed Computer Groups" on page 22).

SEE Server Reports

Computer Status Report

The Computer Status Report is used to retrieve the records of specific computers when you know their computer name. This can be useful under the following circumstances:
- After deploying client installation packages using your third-party deployment tool of choice, run this report to ensure that the deployment was successful and that each client checks in. You should make sure that each client checks in at least once. During the check-in process, the Client Computer sends data necessary for the online method of the One-Time Password Program and for the /B method of the Recover Program. Once you have identified Client Computers that have not checked in, you can target them using other tools such as Resultant Set of Policy (RSoP) reports and Windows system event logs to determine if there was a problem during installation.
- Should a Client Computer fail to boot, you may need to export computer-specific recovery data necessary for Recover /B.

Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The % character can be used as a wildcard. Once you have entered the computer names whose records you want to retrieve, click Run.
To refresh the data, click Run again.

Computers not Encrypting to RS

The Computers not Encrypting to RS report will retrieve the records of the following computers on your network:

- Did not have SEE Removable Storage installed as of the time of last check-in.
- Was not protected by a SEE Removable Storage Encrypt all or Encrypt new policy as of the time of last check-in.
- Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices.

Computers with Decrypted Drives

The Computers with Decrypted Drives report will retrieve the records of the following computers on your network:

- Had one or more decrypted or decrypting partitions as of the time of last check-in.
- Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have a decrypted or decrypting partition.

Computers with Specified Users

The Computers with Specified Users report allows you to find out all of the computers that one or more users have registered on. Type the user names in the Enter User Names field. If you enter more than one user name, they should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters have been entered, click Run. The records of the computers on which one or more of the specified users has registered will be retrieved and listed in the report results.

Computers without Full Disk Installed

The Computers without Full Disk Installed report will retrieve the records of the following computers on your network:

- Did not have SEE Full Disk installed as of the time of last check-in.
- Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Full Disk installed.

Computers without Removable Storage Installed

The Computers without Removable Storage Installed report will retrieve the records of the following computers on your network:

- Did not have SEE Removable Storage installed as of the time of last check-in.
- Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Removable Storage installed.

Non-Reporting Computers

The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the SEE Management Server within a specified number of elapsed days. This report will help you ensure that the data in the SEE database remains fresh. It is also an essential complement to a lockout policy. Enter the number of elapsed days in the Days Since Last Check-In field and click Run.
The records of the computers on your network that have not checked in with the SEE Management Server within the specified number of days will be retrieved and listed.

Resultant Set of Policy (RSoP)

The Group Policy Management snap-in features a reporting facility which allows you to verify that the Active Directory policies you assigned to Client Computers or users were actually processed as intended. This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report.

The initial SEE installation settings as deployed using the Framework and Full Disk client MSI packages (even if the MSI packages were deployed as GPOs) will not appear in the RSoP report. Only the results of Active Directory policy updates will be shown in the RSoP report.

To generate an RSoP report, perform the following steps:

1. Open the SEE Manager, and in the left pane, expand Group Policy Management, then expand Group Policy Results.
2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard.
3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer.
4. Browse to or type the name of the computer for which you wish to generate a Group Policy Report.
5. Click Next.

Figure 2.1 Group Policy Results Wizard, User Selection

6. To view both user and computer policies, select the user that you want to see the user policies of. If you are only interested in computer policies, select Do not display user policy settings in the results.
7. Click Next.
8. Click Next at the summary screen, then click Finish.
9. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report, and displays the information in several tabs of the content pane on the right.
10. Click on the Settings tab of the Group Policy Results window in the pane on the right.
11. This window shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration.
12. Within the section named Computer Configuration, locate the subsection named Administrative Templates. SEE uses registry-based policies, and any SEE computer policies you create and apply will show up within the subsections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Full Disk. For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window.
13. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework section by clicking on the Show link on the right. That subsection will expand to reveal all Framework policies currently in effect.
Figure 2.2 RSoP Report From an SEE Client

Figure 2.2 shows that a Client Administrator policy has been applied. The Client Administrator mbrown authenticates using a password and has a high level of privilege. The Client Administrator mwilliams authenticates using a password and has a high level of privilege.

Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, SEE/Framework), choosing Save Report, and selecting a target location in which to save the HTML report.

Some SEE Active Directory policies create other settings in the client registry that are shown in the RSoP as Extra Registry Settings. These represent internal registry values used by the particular SEE policy and can be ignored.

Windows System Events

All security-related system events are logged on the SEE Client Computer, where they may be viewed remotely by an administrator using the Windows Event Viewer. To view SEE Full Disk-specific system events logged on a specific computer, perform the following steps:

1. Open a Run dialog from the Windows Start menu.
2. Type eventvwr.msc and click OK.
3. An Event Viewer console window opens showing the events on your local computer.
4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose Connect to another computer.
5. In the Select Computer dialog, make sure that the Another computer option is selected, then click Browse.
6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK.
7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another computer.
8. Choose View and click Filter to open the Application Properties window.
9. From the Event Source drop-down list box, choose Symantec and click Apply.
10. This filters the event log for that computer to show SEE Framework and SEE Full Disk events. Drag the Application Properties window away from the Event Viewer window, but leave it open.
11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event Properties window for that event. The Description field contains information about that particular SEE Full Disk event. To inspect other events in the log, use the up and down arrow buttons in the upper right of the Event Properties window.

To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified.

SEE Full Disk System Events generated in Windows log the user account information associated with that event in the User field of the Event Properties window, while SEE Full Disk Events generated in the Pre-Windows environment log the user account information in the Description field of the Event Properties window.

For a complete list of all SEE specific system events, their event code numbers, and descriptions of the events, refer to Framework System Events List on page 43 and Full Disk System Events List on page 56.
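The Event Viewer procedure above, as a scripted equivalent that is an added example and not part of the Symantec guide: it reads a Client Computer's Application log, keeps only events whose source is Symantec (the Event Source chosen in step 9), and optionally narrows to particular event IDs as in the Event ID filter. It assumes the event source name is exactly "Symantec", that the computer name is a placeholder, and that the caller can read the remote Application log.

```powershell
# Added example (not from the Symantec guide). Scripted version of the Event
# Viewer steps: remote Application log, source "Symantec", optional event IDs.
# Assumptions: provider/source name is exactly "Symantec"; computer name is a
# placeholder; caller has rights to read the remote Application log.
function Get-SeeClientEvents {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int[]] $EventId,            # optional: codes from the Framework / Full Disk System Events lists
        [int]   $MaxEvents = 50
    )

    # Same filter the GUI applies: Application log, Event Source = Symantec,
    # plus the Event ID restriction when one or more IDs are supplied.
    $filter = @{ LogName = 'Application'; ProviderName = 'Symantec' }
    if ($EventId) { $filter['Id'] = $EventId }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $evt = $_
            # Events raised from Windows carry the account in the User field;
            # Pre-Windows events carry it in the Description instead, so keep both.
            $user = '(see Description)'
            if ($evt.UserId) {
                try   { $user = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $user = $evt.UserId.Value }
            }
            [pscustomobject]@{
                Time        = $evt.TimeCreated
                EventId     = $evt.Id
                User        = $user
                Description = $evt.Message
            }
        }
}

# Placeholder computer name; replace with the Client Computer to inspect.
Get-SeeClientEvents -ComputerName 'CLIENT-PC-01' | Format-Table -AutoSize -Wrap
```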
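The SEE Users and Computers CSV export and the Non-Reporting Computers, Computers with Decrypted Drives and Computers without Full Disk Installed reports described earlier in this chapter, combined in one added example that is not part of the Symantec guide: it runs the same three checks over an exported CSV so they can be scheduled alongside a Client Monitor lockout policy. It assumes the exported column headings follow Table 2.1 (the actual heading names are not documented here and may differ), that Last Check-in is in yyyy-MM-dd HH:mm form, and uses constructed sample rows.

```powershell
# Added example (not from the Symantec guide). Re-creates three SEE Server
# reports over a CSV exported from the SEE Users and Computers snap-in.
# Assumptions: column headings follow Table 2.1 (real export headings may
# differ); "Last Check-in" is yyyy-MM-dd HH:mm; sample rows are constructed.
$SampleExport = @'
"Computer name","Last Check-in","Decrypted","Decrypting","Encrypted","Encrypting","FR Version","HD Version","HD Installation Date"
"FIN-LT-001","2008-03-10 09:14","","","C:","","7.0.0","7.0.0","2008-01-15 11:02"
"FIN-LT-002","2008-02-01 17:40","","D:","C:","","7.0.0","7.0.0","2008-01-16 08:30"
"HR-DT-003","2008-03-11 08:05","C:","","","","7.0.0","7.0.0","2008-03-11 08:00"
"HR-DT-004","2008-03-09 12:00","","","","","7.0.0","",""
'@

$Invariant = [System.Globalization.CultureInfo]::InvariantCulture

function Import-SeeExport {
    param([Parameter(Mandatory)] [string] $CsvText)
    $CsvText | ConvertFrom-Csv
}

# Non-Reporting Computers: last check-in older than $Days as of $AsOf.
# An export only holds computers that checked in at least once; the server
# report additionally lists synchronized computers that never checked in.
function Get-NonReportingComputers {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [int]      $Days,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($row in $Rows) {
        $last    = [datetime]::ParseExact($row.'Last Check-in', 'yyyy-MM-dd HH:mm', $Invariant)
        $elapsed = [int][math]::Floor(($AsOf - $last).TotalDays)
        if ($elapsed -gt $Days) {
            [pscustomobject]@{
                Computer         = $row.'Computer name'
                LastCheckIn      = $last
                DaysSinceCheckIn = $elapsed
            }
        }
    }
}

# Computers with Decrypted Drives: any decrypted or decrypting partition.
function Get-DecryptedDriveComputers {
    param([Parameter(Mandatory)] [object[]] $Rows)
    $Rows | Where-Object { $_.Decrypted -or $_.Decrypting } |
        Select-Object @{ n = 'Computer';   e = { $_.'Computer name' } },
                      @{ n = 'Decrypted';  e = { $_.Decrypted } },
                      @{ n = 'Decrypting'; e = { $_.Decrypting } }
}

# Computers without Full Disk Installed: no HD Version reported at check-in.
function Get-ComputersWithoutFullDisk {
    param([Parameter(Mandatory)] [object[]] $Rows)
    ($Rows | Where-Object { -not $_.'HD Version' }).'Computer name'
}

$rows = Import-SeeExport $SampleExport
# Fixed "as of" date so the constructed sample gives repeatable results.
$asOf = [datetime]::ParseExact('2008-03-12 00:00', 'yyyy-MM-dd HH:mm', $Invariant)

# Days Since Last Check-In = 7; match this to the Client Monitor warning period.
Get-NonReportingComputers -Rows $rows -Days 7 -AsOf $asOf | Format-Table -AutoSize
Get-DecryptedDriveComputers -Rows $rows | Format-Table -AutoSize
Get-ComputersWithoutFullDisk -Rows $rows
```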
3. Policy Creation

Overview

Before creating a policy, you will need to know whether the recipient computers are managed by Active Directory or not. While the individual policy options are the same regardless of the deployment mechanism, the process of creating the policies is quite different. This chapter discusses the following:

- How to create Active Directory policies using SEE snap-in extensions in the Group Policy Object Editor (GPOE);
- Creation of native policies using the SEE Native Policy Manager; and
- The individual policy options themselves.

Active Directory Policies

To create an Active Directory policy, expand the Group Policy Management snap-in, expand your forest, expand Domains, expand the domain, and expand Group Policy Objects. To edit an existing GPO, right-click the GPO and select Edit. To create a new GPO, right-click Group Policy Objects and select New. The Group Policy Object Editor (GPOE) will launch.

To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Symantec Endpoint Encryption Framework and/or Symantec Endpoint Encryption Full Disk Edition, according to your needs.

To edit or create a user policy, expand User Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Symantec Endpoint Encryption Framework and/or Symantec Endpoint Encryption Full Disk Edition, according to your needs.

Each Active Directory policy panel features three radio buttons at the top:

- Do not change these settings: this option is the default option. It specifies that no changes to existing policies or installation settings will be made.
- Change these settings: click this option if you want to specify a policy update. When this option is selected, the fields below it will become available. These fields will not be defaulted to the policies currently in effect; they will just display generic defaults.
- Restore the installation settings: click this option to apply a policy that instructs the client to disregard any existing policies and return to the settings that were specified in its installation package.

When the Change these settings option is selected, your entries are validated when you click away from the panel. Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary corrections before closing the GPOE window.

For a detailed discussion of the options that will become available when the Change these settings option is selected, refer to Policy Options on page 13.
Native Policies

To create a native policy, right-click the SEE Native Policy Manager and select Create New Policy. When naming a policy, observe the following:

- Each name must be unique and cannot have been assigned to any other native policy.
- Names are case-insensitive.
- Leading and trailing spaces will be deleted.

To edit a native policy, expand the SEE Native Policy Manager. Locate the policy that you want to edit and highlight it.

For a detailed discussion of the options available for modification within the SEE Native Policy Manager, continue to the next section.

Policy Options

Client Administrators

When creating a Client Administrator policy, it must contain all Client Administrator accounts that are authorized to access the workstation. Any Client Administrator accounts not listed in this policy will not be able to authenticate to the Client Computer.

Figure 3.1 Framework Computer Policy, Client Administrators Options

At least one Client Administrator account must be specified. You can import a list of Client Administrators from a previously created installation settings package. Click Load from installation settings, select the previously created SEE Framework client installer package, then click Open. The GPO panel will populate with the Client Administrator account information specified when the installation settings package was created.

When you specify each Client Administrator account, you must type and confirm the password for that account.
Registered Users

Basics

The Registered Users pane can be used to change the way that users authenticate to, register with, or get unregistered from SEE.

Figure 3.2 Framework Computer Policy, Registered Users Options

Authentication Method

In Authentication Method, select the authentication method you want SEE to effect. Click Require registered users to authenticate with a password.

Select Do not require registered users to authenticate to SEE to enable automatic authentication. This option is designed for kiosk environments. If it is selected, users will not need to provide valid credentials to SEE Full Disk before Windows loads, and your organization will rely on Windows for user authentication. It will reduce the security of the Client Computer but increase the transparency of the user experience. The registration process will be silent and automatic as well, unless a registration password is specified. Coupling automatic authentication with a registration password serves to avoid reaching the maximum registered user limit and to limit the number of users that can gain access to the User Client Console.

Registration

To allow any Windows user the ability to register, click the option Any Windows user can register for a SEE account. To allow only those users who know a special registration password to be able to register, click Users must know this password to register, and type the password in the adjacent field and again to confirm. Each user will be required to know the administrator-defined registration password before they can register for an SEE account.

Specify the maximum number of SEE registered user accounts which can be created on each computer. New users will not be permitted to register after the maximum number of accounts has been reached.
Specify a custom message users will see when they are forced to register after grace restarts expire. The custom message can be from 0 to 900 characters in length, or you can use the default message. Note that the custom registration message field ignores any carriage returns you type or paste in.

Specify the number of grace restarts, i.e., the number of times, from 0 to 99, that the computer can restart before the first user who logs on will be forced to register for an SEE account and see the custom registration message. This setting can effectively allow users to defer registration. To force the first user to register immediately, set this value to zero.

Unregistration

Unregistration selects whether to allow users to only be unregistered manually by Client Administrators, or whether to also automatically unregister users who do not log on after a specified period, from 1 to 365 days. This setting is useful in a kiosk environment where many infrequent users can fill up the maximum number of available SEE accounts on a given computer. Use caution with this setting so that users do not have their accounts deleted unexpectedly.

Password Authentication

Use the Password Authentication panel to set or change the logon delay and/or to set the criteria that new passwords must meet, if Single Sign-On is not enabled.

Figure 3.3 Framework Computer Policy, Password Authentication Options

Under Password Attempts, select the Limit password and Authenti-Check attempts check box to set the number of incorrect passwords or Authenti-Check answers a user can type in succession before the system will introduce a one-minute delay between further logon attempts. You can also specify the time in minutes that must elapse after the last incorrect attempt occurred, after which the one-minute delay behavior is lifted.
Password Complexity

These include the minimum number of characters users' SEE passwords must contain, the set of non-alphanumeric characters users may have in their passwords, as well as the minimum number of non-alphanumeric characters, uppercase letters, lowercase letters, and digits users must have in their passwords.

Maximum Password Age

Leave this option at the default to not set an expiration date on user passwords. If you select the option to set an expiration date on user passwords, type the number of days after which users' passwords will expire, and type the number of days in advance users will be prompted to change their expiring passwords.

Password History

Leave this option at the default to allow users to use any previously-used SEE password, or select the other option and type the number of different passwords users must use before reverting to old passwords.

Minimum Password Age

Leave this option at the default to allow users to change their SEE passwords as frequently as they wish, or select the other option and type the minimum number of days that must pass before users can change their passwords. Note that leaving this option at the default will effectively override the password history feature, since a user could quickly cycle through the required number of new passwords in order to keep an old, favorite password.

Authentication Message

To change the message shown to users who are having trouble authenticating, edit the text within the Instructions for users who are having trouble with authentication field. For example, the phone number of your help desk may have been provided in the message and you may need to update it.

Communication

Use the Communication panel to modify the interval at which the recipient computers will attempt to make contact with the SEE Management Server.

Single Sign-On

Select or deselect the Enable Single Sign-On check box for the desired effect. Consider what type of policy this is when modifying these settings.
If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

Authenti-Check

Use the Authenti-Check panel to enable or disable Authenti-Check and/or to change the question-answer pair requirements.

Figure 3.4 Framework Computer/User Policy, Authenti-Check Options
Select or deselect the Enable Authenti-Check check box according to the policy that you wish to effect. You can also adjust the other settings to your needs. Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

Authenti-Check is a self-help password recovery method for SEE Full Disk passwords. It does not recover SEE Removable Storage passwords.

One-Time Password

Use the One-Time Password panel to modify the availability of One-Time Password assistance, change the default message, update the personal identifier explanatory text, or adjust the availability of the OTP Communication Unlock feature.

Figure 3.5 Framework Computer/User Policy, One-Time Password Options

Select the Enable One-Time Password check box to make this Pre-Windows authentication assistance method available to SEE Full Disk users. Within the Default method area, select the default method that the Client Computers will begin with when initiating a One-Time Password recovery attempt. Select Online if the clients are configured to connect to the SEE Management Server. Select Offline if the clients are silent. Type the instructions to be displayed to users when prompted to enter their One-Time Password personal identifier. Select the OTP Communication Unlock check box to allow users who have been locked out of their computers for a failure to communicate to regain access using the One-Time Password Program.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

One-Time Password is a help-desk-assisted means for SEE Full Disk users to regain access to Windows. It is not relevant to SEE Removable Storage.
Startup

Use the Startup panel to revert to the Symantec startup image, change the logon instructions, or change the legal notice shown on the Startup screen. This panel cannot be used to change a custom image. To change a custom image, push out a new installation package.

Figure 3.6 Full Disk Computer Policy, Startup Options

Select The SEE logo to replace a custom image with the default image from SEE. You can also use the Logon instructions and Legal notice fields to customize the text displayed on the Startup screen.

Logon History

Use the Logon History panel to change whether the SEE logon is prefilled with the user name and/or domain of the last successfully authenticated user. Selecting the User name check box allows users to see the name and domain of the last user who logged on at the SEE Pre-Windows logon screen. This will reduce the security of your Client Computers, so Symantec recommends deselecting both the User name and Domain check boxes.

If this policy will be effected on a computer operated by a visually impaired user who will be using audio cues in Pre-Windows, ensure that the User name check box is deselected and that the Domain box is selected. This will allow the user to log on using the audio cues.

Autologon

Autologon is used by Policy Administrators for remotely deploying software to computers protected by SEE Full Disk. Many software installation packages require one or more restarts of the target computer, and Autologon will automatically authenticate without user or administrator intervention. The Policy Administrator defines a window of time during which Autologon remains active, along with the total number of restarts that may occur within the defined period. When either the total number of restarts has been reached, the defined time window has elapsed, or the computer shuts down for more than ten minutes, the Autologon feature terminates. The Autologon policy will take effect approximately five minutes after receipt.
Because this policy temporarily bypasses the normal logon process for SEE Full Disk, computers receiving this policy will be in a state of heightened vulnerability while Autologon remains active. To minimize the associated risks, make certain that you carefully review the number of reboots allowed and the inclusive dates and times that Autologon will remain active before deploying this policy.
Figure 3.7 Full Disk Computer Policy, Autologon Options

When the default option Boot only after user authentication to SEE is selected, the Autologon feature is deactivated, and Client Computers receiving the policy will only boot after user authentication.

To activate the Autologon feature, select the Boot up to option button and type the maximum number of Autologon restarts you wish to occur, from 1 to 999, in the text box. Autologon will deactivate itself if either the specified number of restarts has been reached or the specified active period has elapsed. Autologon will also automatically deactivate itself five minutes after the computer has been shut down, thus limiting exposure should the computer be stolen while an Autologon policy is in effect.

When the Autologon feature is activated, use the eight controls provided to define the inclusive starting and ending period during which the Autologon feature will be active. The start and end dates and times must be within a valid range in order for the Autologon feature to function as intended.

If a Client Computer has a pending lockout condition due to a failure to communicate within the period of time specified in either the Full Disk Installation Settings Client Monitor or Full Disk Computer Policy Client Monitor panels, an Autologon policy applied will pre-empt the lockout condition for as long as the Autologon policy is in effect. This is to ensure that a communication lockout condition does not disrupt the completion of the Autologon process.

Indefinite Autologon

Autologon can also be used to suppress SEE Full Disk authentication indefinitely. To turn on this indefinite Autologon mode, choose an ending year of --- in the drop-down list box.
As computers will be in a heightened state of vulnerability for the duration of the Autologon, it is recommended that good security practices to secure the computer be followed, such as setting a Windows administrator password and requiring token-based Windows authentication. Remove this policy to restore the secure authentication provided by SEE Full Disk. Note that the five-minute self-deactivation behavior is suppressed when indefinite Autologon mode is used.

When multiple Active Directory policies are in effect, their precedence on a Client Computer is defined according to the following order, from highest to lowest:

1. Indefinite Autologon GPO (highest precedence)
2. Autologon GPO
3. Grace restarts (lowest precedence)

Remote Decryption

Create a remote decryption policy to decrypt all encrypted disk partitions on one or more computers protected by SEE Full Disk. Client Computers receiving this policy will commence decryption once the policy has been processed. Processing of the policy takes approximately five minutes.
Client Monitor

Use the Client Monitor panel to modify the enforcement of client communication with the SEE Management Server.

Figure 3.8 Full Disk Computer Policy, Client Monitor Options

Click Do not enforce a minimum contact period with the SEE Server if you do not want to enforce regular contact with the SEE Management Server.

Click Lock computer after to force a computer lockout after a specified number of days without network contact. If you select this option, you can specify the number of days a computer may remain without network contact, from 0 to 365. You can also specify how many days in advance, from 0 to 365, that users will be warned to connect to the network and avoid a lockout.

Note that the values you type in these two boxes are validated to ensure that users will always be warned prior to a lockout. For example, you will be prevented from specifying that the computer should be locked after five days without contact, and that the users should be warned 15 days before being locked out. If this case were allowed, the user could run the risk of being locked out 10 days before the warning is displayed.

Local Decryption

Select the Registered users can decrypt disk check box if you want to permit registered users to use the User Client Console to decrypt encrypted partitions.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).
4. Policy Deployment

Overview

Policy deployment differs according to the type of policy that you are deploying. Deployment of Active Directory policies is discussed in the next section. Deployment of native policies is discussed in Native Policies on page 22.

Active Directory Policies

Basics

Active Directory policies are deployed using the Group Policy Management Console (GPMC) snap-in of the SEE Manager.

Order of Precedence

When a single computer or user object has two or more policies assigned to it, the Local, Site, Domain, OU (LSDOU) order of precedence and link order will be considered. Policies specific to a single computer or user object are considered local and have the highest order of precedence in the LSDOU chain. If the policies are at the same LSDOU level, they will then be applied according to their link order. Those lowest in the link order will have the highest order of precedence.

Forcing a Policy Update

Basics

Active Directory policy changes take approximately 90 minutes and no more than 120 minutes to push out to Client Computers. To accelerate this, you can force an immediate policy update.

Windows XP Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.
2. Type the following command at the command prompt: gpupdate /force and press ENTER.
3. A message will appear in the command prompt window after a few seconds indicating that the update has taken place. The message will prompt you to confirm a restart. Type Y and press ENTER to restart the Client Computer.

Windows 2000 Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.
2. Type the following command at the command prompt: secedit /refreshpolicy machine_policy /enforce and press ENTER.
3. The secedit command will not prompt you to restart.
If the policy you are updating includes any computer policies, you will have to restart the computer manually to complete the update.
Native Policies

Basics

Native policies are applied at the computer level: they cannot be assigned on a per-user basis. Each policy will be comprehensive and contain all of the possible configurable settings. Only one policy can be applied to a computer at a time. If no policy is assigned to a computer, it will revert to the settings specified in its original installation package.

Native policies are applied at the time that the Client Computer checks in with the SEE Management Server.

If synchronization with Novell is enabled, the Novell computers will already be organized within the Novell eDirectory Computers container, just as they are organized within the Novell eDirectory tree. Native policies can be assigned to Novell computers, even if they have not checked in.

Clients in the SEE Managed Computers container cannot be assigned policies until:

- They have checked in with the SEE Management Server.
- They have been placed in a group other than SEE Unassigned.

The following section discusses the process of creating groups and placing Client Computers inside of them.

SEE Managed Computer Groups

Basics

Before you can assign policies to your SEE-managed computers, they need to be organized into groups. This can be done from any Manager Computer. The structure will be saved in the SEE database and available to all other Manager Computers.

The SEE Managed Computers container contains only two groups by default: SEE Unassigned and Deleted Computers. Clients located within the SEE Unassigned group do not have any policies assigned to them. Clients will be placed in the SEE Unassigned group if:

- Synchronization with its directory service is not enabled.
- The computer does not reside within the Active Directory forest/domain or Novell tree that you are synchronizing with.

In general, the Client Computer will appear in SEE Unassigned at the time that it checks in.
However, if the Client Computer is manually deleted from the Active Directory domain or Novell tree, it will not appear in SEE Unassigned until the next synchronization. Client Computers within the SEE Unassigned group have no policies assigned to them and continue to enforce the settings specified within their original installation package.
Group Creation

The first step in organizing your SEE-managed computers is to create the groups that they will reside in. To add a group, right-click Symantec Endpoint Encryption Managed Computers.

Figure 4.1 SEE Managed Computers, Add New Group

Select Add New Group.

Figure 4.2 Name New Group Dialog

Enter the name of the new group. The name must be unique among the groups that share the same parent. For example, the Finance group can have two subgroups named Laptops and Desktops, and the Human Resources group can also have two subgroups named Laptops and Desktops, but there cannot be two top-level groups named Human Resources directly below SEE Managed Computers. Each name must be at least one character; leading and trailing spaces are removed. Enter the desired name of the group and click OK. Continue to add groups and subgroups until you have the desired structure.

Move Computers

Client Computers can be moved from any SEE Managed Computers group to another SEE Managed Computers group. This section discusses the process of moving a Client Computer out of the SEE Unassigned group and into one of the manually created groups.
Highlight SEE Unassigned. Locate the computer that you want to move and highlight it.

Figure 4.3 SEE Unassigned, Computer Highlighted

Click Move.

Figure 4.4 SEE Managed Computers Groups Dialog

Navigate to the desired destination group of the Client Computer. Highlight it and click OK. Each Client Computer can reside in only one group at a time.

Policy Assignment

Native policies can be assigned to individual computers, subgroups, or groups located within either the SEE Managed Computers container or the Novell eDirectory Computers container. This section describes how to assign a policy to a group within the SEE Managed Computers container; the same steps apply to an individual computer or subgroup, and to the Novell eDirectory Computers container.
Begin by locating the recipient computer, subgroup, or group of the policy. Highlight the name of the recipient.

Figure 4.5 SEE Managed Computers Group Selected

Click Policy.

Figure 4.6 Policy Selection Dialog

Locate the native policy to be assigned to this group within the dialog and highlight it. Click OK.

Figure 4.7 Native Policy Assignment Confirmation

A confirmation message is displayed. Click OK.
Figure 4.8 SEE Managed Computers Policy Assigned

Following the successful assignment of the policy, the Manager Console displays the name of the policy now assigned to the group. The next time the Client Computers in this group check in with the SEE Management Server, they download this policy and apply it.

Order of Precedence

Each computer can have only one policy in effect at any given time, but policies can be assigned to individual computers, subgroups, or entire groups. The order of precedence is: (1) Computer, (2) Subgroup, (3) Group. A policy assigned directly to a computer has the highest precedence. For example, if one policy is assigned to computer D9HCPD3 and another to the Laptops subgroup in which it resides, the policy assigned to the computer takes precedence over the policy assigned to the Laptops subgroup.

Forcing a Policy Update

Registered users can force an immediate policy update by launching the User Client Console, opening the Check-In panel, and clicking Check in Now.
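The precedence rule and the two container rules of this chapter (a computer resides in exactly one group, and a computer still in SEE Unassigned cannot take a policy) are small enough to model directly. The following Python is an added example, not Manager Console code: it builds the Finance, Human Resources, Laptops and Desktops groups from the group creation section, assigns policies at group, subgroup and computer level, and resolves the policy each computer will download at its next check-in. The policy names and every computer name other than D9HCPD3 are invented for the example.

```python
"""Resolve the native policy in effect for an SEE-managed computer.

Added example, not Manager Console code. It models the precedence rule
(computer, then subgroup, then group) and the two container rules: a
computer resides in exactly one group, and a computer still in SEE
Unassigned cannot be given a policy. Group names follow the group creation
section; policy names and computers other than D9HCPD3 are invented.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Union

INSTALL_PACKAGE = "settings from original installation package"


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    policy: Optional[str] = None


@dataclass
class Computer:
    name: str
    group: Group
    policy: Optional[str] = None


# The SEE Managed Computers container and its two default groups.
ROOT = Group("SEE Managed Computers")
UNASSIGNED = Group("SEE Unassigned", parent=ROOT)
DELETED = Group("Deleted Computers", parent=ROOT)


def assign_policy(target: Union[Computer, Group], policy: str) -> None:
    """Assign a native policy to a computer or to a group you created."""
    if isinstance(target, Computer) and target.group is UNASSIGNED:
        raise ValueError(f"{target.name} is in SEE Unassigned; move it to a group first")
    if isinstance(target, Group) and target in (ROOT, UNASSIGNED, DELETED):
        raise ValueError(f"policies are not assigned to {target.name}")
    target.policy = policy


def move_computer(computer: Computer, destination: Group) -> None:
    """Move a computer between groups; it can be in only one group at a time."""
    computer.group = destination


def effective_policy(computer: Computer) -> str:
    """Walk from the computer up through subgroup and group; the first policy
    found wins. With nothing assigned on the whole path, the computer keeps
    the settings from its original installation package."""
    if computer.policy:
        return computer.policy
    group: Optional[Group] = computer.group
    while group is not None:
        if group.policy:
            return group.policy
        group = group.parent
    return INSTALL_PACKAGE


def build_example() -> Dict[str, Computer]:
    """Group tree from the group creation section, with sample assignments."""
    finance = Group("Finance", parent=ROOT)
    laptops = Group("Laptops", parent=finance)
    desktops = Group("Desktops", parent=finance)
    human_resources = Group("Human Resources", parent=ROOT)

    computers = [
        Computer("D9HCPD3", laptops),            # the guide's example computer
        Computer("FIN-LT-02", laptops),          # invented
        Computer("FIN-DT-01", desktops),         # invented
        Computer("HR-LT-01", human_resources),   # invented
        Computer("NEWBOX", UNASSIGNED),          # invented: checked in, not yet moved
    ]
    assign_policy(finance, "Finance baseline")
    assign_policy(laptops, "Finance laptops")
    assign_policy(computers[0], "D9HCPD3 exception")
    return {c.name: c for c in computers}


if __name__ == "__main__":
    for name, computer in build_example().items():
        print(f"{name:10} -> {effective_policy(computer)}")
```

D9HCPD3 resolves to its own policy even though Laptops has one; FIN-LT-02 inherits the Laptops policy; FIN-DT-01 falls through Desktops, which has none, to the Finance policy; HR-LT-01 and NEWBOX keep their installation package settings, and NEWBOX cannot be given a policy until it is moved out of SEE Unassigned.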
5. Endpoint Support

The Management Password

Basics

The Management Password is used by SEE to control administrator access to two help desk functions: Recover /B and the One-Time Password Program. SEE Policy Administrators or other support personnel who have access to the Management Password snap-in must type the Management Password before they can export computer-specific hard disk recovery files (see Recover DAT File Generation on page 36) or run the One-Time Password Program. The Management Password snap-in is not applicable if your SEE Manager was installed in serverless mode.

Because the Management Password is shared among support personnel, establish a protocol for all Management Password changes. This avoids the situation of one administrator changing the Management Password and preventing other administrators from performing the help desk functions that require it. Back up the Management Password and store it in a safe location: there is no mechanism for recovering a lost Management Password. Because the Management Password gates the export of hard disk recovery files, limit the number of people who know it and change it when one of them leaves that role.

Setting the Management Password

The Management Password is set during the initial installation of the SEE Manager. During subsequent installations of the SEE Manager, the installer detects that the Management Password has already been set, and it is not necessary to set it again.

Changing the Management Password

To change the Management Password, perform the following steps:
1. Open the SEE Manager.
2. In the navigation pane on the left, click Symantec Endpoint Encryption Management Password.

Figure 5.1 Management Password Snap-in
3. In the pane on the right, type the existing Management Password, type a new Management Password between 16 and 32 characters in length, and type the new Management Password again to confirm.
4. Click OK. A confirmation message is displayed.

Figure 5.2 Management Password Changed, Confirmation Message

5. Click OK.

One-Time Password Program

Basics

The One-Time Password (OTP) Program allows users to recover from a forgotten password with help desk assistance. It also allows users to regain access to their computer after it has been locked for a failure to communicate with the SEE Management Server. The help desk provides the user with a one-time password, called a response key, which allows the user to authenticate temporarily. The user is then prompted to enter a new password.

To run the help desk side of the utility, you must:
- Use a Manager Computer that has the OTP snap-in installed.
- Log on to that computer using a Windows account that has been provisioned with read access to the SEE database, or have SQL database credentials that allow you to read the SEE database.
- Know the Management Password.
- Be certain of a user's identity before assisting the user with OTP. If the user requesting help is contacting you from their desk, a simple way to help establish their identity is to call them back at the phone number listed in the organization's phone directory. Treat the callback as one check rather than proof: it confirms that the caller can answer that extension, not who they are.
Launch

When a user calls for One-Time Password recovery, open the SEE Manager and click the One-Time Password snap-in.

Figure 5.3 One-Time Password, Welcome

Click Next to begin.

SQL Server Logon Information

If you are currently logged on to Windows as a user that does not have sufficient privileges to read the SEE database, you are prompted to provide SQL Server database credentials.

Figure 5.4 SQL Server Logon Prompt

Enter SQL database credentials that allow you read access to the SEE database. Click Connect.
Management Password

Following successful authentication to the SEE database, the One-Time Password Program requests the Management Password.

Figure 5.5 One-Time Password, Management Password

Enter the Management Password and click Next.

Method

Basics

Two methods are available for assisting users: online and offline. The online method is easier and more secure, but it will not succeed unless the Client Computer has made contact with the SEE Management Server at least once after the registration of the user requiring assistance. Ask the user which method is displayed on their screen. If it is online, continue to the next section. If it is offline, skip to Offline on page 33.
Online

After entering the Management Password, you are prompted to select the method.

Figure 5.6 One-Time Password, Method Selection, Online

Select the Online option. Click Next.

Figure 5.7 One-Time Password, Online Method, Identifying Information

Ask the user to tell you their user name, domain, computer name, and the code that appears on their screen. Enter this data in the corresponding fields, then click Next.
The One-Time Password Program confirms that the information you entered corresponds to that stored in the SEE database.

Figure 5.8 One-Time Password, Online Method, Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user's screen. Under each box is a checksum. Once the user has typed in the entire response key, ask the user to read the checksums back to you. If the user's checksums agree with yours, the user has entered the data correctly. If a checksum disagrees, the user entered one or more response key digits incorrectly: read the response key to the user again and determine the incorrect portion.

Once the user has entered the response key and the checksums agree, ask the user to click Next. If the response key was entered correctly, the user gains access to Windows. Remain in contact with the user to make sure they change their password; they should be prompted to do so either before or after Windows loads. If they are not prompted and SSO is enabled, they are not connecting to the domain and this is a Windows issue. If they are not prompted and SSO is not enabled, have them open the User Client Console and change their password.

If the user gains access to Windows, click Yes. If the user fails to gain access to Windows, click No; the wizard then initiates the offline method if you have not already tried it. Skip to Offline on page 33.
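The checksum read-back is the same mechanism in both directions of the phone exchange: the response key here, and the challenge key and response key of the offline method. The following Python is an added example, not part of the product, of how such per-field check digits let the two parties find a mistyped field without reading the whole key back. The guide does not document the product's checksum algorithm; the example uses an ISBN-10-style weighted sum modulo 11, chosen because within one field it catches every single wrong digit and every swap of two adjacent digits. The field width of four digits and the sample keys are assumptions.

```python
"""Check digits for reading a One-Time Password key over the phone.

Added example, not product code. A key is read out field by field; a
checksum under each field lets the receiver confirm the field was heard
and typed correctly. The checksum scheme (weighted sum mod 11) and the
field width are assumptions, as is the sample key.
"""
from typing import List, Optional

FIELD_WIDTH = 4  # assumed number of digits per data-entry field


def split_fields(key: str, width: int = FIELD_WIDTH) -> List[str]:
    """Keep the digits of a key (spaces and dashes allowed) and cut into fields."""
    digits = "".join(ch for ch in key if ch.isdigit())
    if not digits or len(digits) % width:
        raise ValueError(f"key must be a non-empty multiple of {width} digits")
    return [digits[i:i + width] for i in range(0, len(digits), width)]


def field_checksum(field: str) -> int:
    """Weighted digit sum mod 11 with position weights 1..width.

    Illustrative scheme: 11 is prime and every weight and every digit
    difference is below 11, so one wrong digit always changes the result,
    and swapping two adjacent digits a,b changes it by b-a, also nonzero."""
    return sum((i + 1) * int(d) for i, d in enumerate(field)) % 11


def checksums(key: str, width: int = FIELD_WIDTH) -> List[int]:
    """One checksum per field, in left-to-right order."""
    return [field_checksum(f) for f in split_fields(key, width)]


def first_mismatch(mine: List[int], theirs: List[int]) -> Optional[int]:
    """Index of the first field whose checksums disagree, or None if all agree.
    The first mismatching field is where re-reading should start."""
    if len(mine) != len(theirs):
        raise ValueError("both sides must report one checksum per field")
    for i, (a, b) in enumerate(zip(mine, theirs)):
        if a != b:
            return i
    return None


def verify_readback(key_as_sent: str, key_as_typed: str) -> Optional[int]:
    """Simulate the exchange: the sender computes checksums over the key they
    read out, the receiver computes them over what they typed and reads them
    back. Returns the first bad field index, or None when every field agrees."""
    return first_mismatch(checksums(key_as_sent), checksums(key_as_typed))


if __name__ == "__main__":
    sent = "2957 1048 6371 1928"  # constructed response key
    for typed in (sent, "2957 1084 6371 1928", "2957 1048 6372 1928"):
        print(typed, "->", checksums(typed), "bad field:", verify_readback(sent, typed))
```

With the sample key the sender's checksums are 8, 1, 4, 2. Typing 1084 instead of 1048 (a swap) changes the second checksum to 8, and typing 6372 instead of 6371 changes the third to 8, so the receiver's read-back points at exactly the field to re-read.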
Offline

The offline method can be used if the online method fails or if the Client Computer has never checked in with the SEE Management Server.

Figure 5.9 One-Time Password, Method Selection, Offline

Select the Offline option. Click Next.

Figure 5.10 One-Time Password, Offline Challenge Key
Ask the user to provide their OTP personal identifier, which should be displayed on their screen. Ensure that the personal identifier provided corresponds to the person requesting the One-Time Password. If the identifiers do not match, the person may not be authorized to access the workstation; Symantec recommends that you halt the process and send a Client Administrator out to help the user in person.

Once you have verified the personal identifier, ask the user to provide you with the challenge key displayed on their screen. Type the digits into the fields on your screen from left to right. Under each field is a checksum, which is generated internally and represents in shorter form the digits entered in that field. As you enter the challenge key, checksums appear under their fields. Once you have typed in the entire challenge key, ask the user to read their checksums back to you. If the user's checksums agree with yours, you have entered the data correctly. If a checksum disagrees, you entered one or more challenge key digits incorrectly: ask the user to read the challenge key again and check it against what you have typed. Most likely, the first mismatching checksum is below the incorrect portion of the challenge key.

Once you have verified and entered the correct challenge key, click Next.

Figure 5.11 One-Time Password, Offline Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user's screen. Under each box is a checksum.
Once the user has typed in the entire response key, ask the user to read the checksums back to you. If the user's checksums agree with yours, the user has entered the data correctly. If a checksum disagrees, the user entered one or more response key digits incorrectly: read the response key to the user again and determine the incorrect portion.
Once the user has entered the response key and the checksums agree, ask the user to click Next. If they entered the response key correctly, they gain access to Windows. Stay on the phone with the user to make sure they change their password; they should be prompted to do so either before or after Windows loads. If they are not prompted and SSO is enabled, they are not connecting to the domain and this is a Windows issue. If they are not prompted and SSO is not enabled, have them open the User Client Console and change their password. If the user gained access to Windows, accept the default option button selection of Yes and click Next. If the user fails to gain access to Windows, select the No option button and click Next.

Error Messages

User Record Not Found

This error applies to the online method only. After entering the user's identifying information and clicking Next (Figure 5.7 on page 31), if the computer record is found on the SEE Management Server but the user record is not, the following message is displayed.

Figure 5.12 One-Time Password, User Record Not Found

This error indicates that the Client Computer in question has succeeded in making contact with the SEE Management Server at least once, but that the user in question was not registered as of the last point of contact. Proceed with caution: although human or computer error could have caused this condition, it is also possible that the person you are speaking to is exploiting these possibilities to gain access to a computer that they are not authorized to use. Use the SEE Server Reports to help you determine the root cause. Ask the user whether and when they registered, and cross-check their claims against the data stored in the SEE database. If you are sure that the user is authorized, try the offline method. If not, send a Client Administrator to help the user in person.

Invalid Code Synchronization

This error applies to the online method only.
If the user record exists, but the code stored in the SEE database does not agree with the code that the user read to you, an error dialog box similar to the following appears:

Figure 5.13 One-Time Password, Invalid Code Synchronization
The code on the Client Computer has digits that are incremented each time the One-Time Password Program runs to completion on the Client Computer. When the Client Computer checks in with the SEE Management Server, these codes are synchronized. Possible causes of this error include:
- The user has completed the One-Time Password process multiple times without reconnecting to the SEE Management Server.
- An unauthorized party is attempting to guess the response key by triggering the One-Time Password Program over and over.

You can proceed with the recovery assistance process even when the codes are out of sync between the Client Computer and the SEE Management Server, but consider taking extra precautions to identify the user. If you decide to proceed, click OK in the error message box, and then click Next on the Client Computer information screen; otherwise, click Cancel.

Hard Disk Recovery

Basics

The Recover Program tries to regain access to the hard disk and runs with three options:
- The /A option attempts to repair damaged client database files.
- The /D option attempts to repair damaged client database files and then to decrypt the hard disk.
- The /B option is used only if the other options have failed and requires the assistance of Symantec Technical Support. This option reads from a computer-specific recovery file that contains an important cryptographic key. You create this data file for a particular Client Computer, usually when requested to do so by a Client Administrator. This option is not available for silent clients that have never checked in with the SEE Management Server.

Recover DAT File Generation

Should the Recover /A and /D options fail, you may be called upon to locate and export recovery data sent by a specific Client Computer and stored in the SEE database.
Immediately after SEE Full Disk is installed on a Client Computer, Client Computers that are not silent try to contact the SEE Management Server to store the Client Computer-specific files necessary for hard disk recovery. If this contact does not occur, the only recovery options available will be Recover /A and /D, which do not require computer-specific recovery information stored on the SEE Management Server. For this reason, it is critical to make sure that each Client Computer succeeds in checking in at least once.

1. Open the Manager Console.
2. Expand the Symantec Endpoint Encryption Server Reports snap-in.
3. Highlight the Computer Status Report.
4. Type the name
Figure 5.14 Manager Console, Computer in Need of Recovery Highlighted

5. Click Recover.
6. You are prompted to enter the Management Password.

Figure 5.15 Management Password Prompt

7. Enter the Management Password and click OK.
8. You are prompted to enter a password to protect the Recover DAT file.

Figure 5.16 Recovery Password Prompt

9. Enter a Recovery Password of at least 16 and no more than 32 characters. The Client Administrator must enter this password before they can run Recover /B on that computer. Symantec recommends a high-entropy password containing mixed case, numbers, and special characters, not a word found in a dictionary.
10. Enter the same password again in the Confirm password field. Then click OK.
11. You are presented with a browse dialog.
Figure 5.17 Recovery Data Export Dialog

12. Navigate to the desired destination of the Recover DAT file. Because the Client Administrator will need this file while running the Recover Program from a Windows PE CD/DVD, save the file either to a network location that will be accessible from the Client Computer or to removable media other than CD.
13. Assign an informative name to the file. Because the file is computer-specific, consider using the name of the computer in need of recovery. Because the recovery data changes following a successful recovery, consider including the current date and time.
14. Click OK.

Figure 5.18 Recovery Data Export Success Message

15. Click OK on the confirmation message.
16. Provide the media containing the file or the network location of the file to the Client Administrator. Also inform the Client Administrator of the Recovery Password. Because the Recover DAT file and its Recovery Password together unlock that computer's disk, send the password over a secure channel separate from the one carrying the file, and remove the file from the network location or media once the recovery is complete.
6. Server Configuration

Overview

This chapter describes how to change the configuration of the SEE Management Server.

Configuration Editor

Basics

Settings specified during the installation of the SEE Management Server can later be modified using the Configuration Editor. Use the Configuration Editor with great caution: errors made in this utility can result in significant damage to your deployment.

The Configuration Editor is placed on the SEE Management Server during installation and can be found at:

C:\Program Files\Symantec\Symantec Endpoint Encryption Management Server\Services\Symantec.Endpoint.Encryption.ConfigManager.exe

This executable can be run only on the SEE Management Server. Launch the executable to begin.

Database Configuration Tab

The Configuration Editor launches with its first tab open. This tab allows you to modify the SEE database instance parameters.

Figure 6.1 Configuration Editor, Database Configuration Tab
The computer name of the machine currently hosting the SEE database instance is displayed in the Database Server Name field. If the SEE database instance has been moved to a different machine, or if the machine hosting it has been renamed, edit the contents of this field.

The name of the SEE database is fixed and cannot be modified. It is displayed in the Schema Name field.

The user name of the SQL account that the SEE Management Server uses to communicate with the SEE database is displayed in the User Name field. This account was created during the installation of the SEE Management Server with privileges restricted to reading and writing only (the datareader and datawriter roles). Keep it restricted to those roles; it does not need schema or server-level rights. Asterisks representing the password of this SQL account are displayed in the Password and Confirm Password fields.

Directory Sync Services Configuration

Click the Directory Sync Services Configuration tab to view or modify your current synchronization settings.

Figure 6.2 Configuration Editor, Directory Sync Services Configuration Tab

This tab shows whether synchronization is enabled and, if so, with which directory service(s). If synchronization is currently enabled, the check box of the directory service in question is selected. You can turn synchronization off either by clearing the check box or by clearing the Active Directory Forest Name or Novell Tree Name field, as appropriate. Because both actions stop synchronization and delete the directory service information from the SEE database, you are prompted to confirm after clicking OK. To enable synchronization services, select the appropriate check box and enter the necessary information into the fields below; all fields are mandatory. Click OK to apply the changes made in this tab.
Web Server Configuration

Click the Web Server Configuration tab to view or modify the protocol and port used for communications between the Client Computers and the SEE Management Server.

Figure 6.3 Configuration Editor, Web Server Configuration Tab

Before you can modify the information in the Protocol area, you must provide the credentials of a user with administrative rights to IIS on the SEE Management Server. Enter the user name in the IIS Administrator Name field, enter the password in the Password and Confirm Password fields, and type the domain of this account or the local computer name. You can also optionally provide the friendly server name of the SEE Management Server; this value is saved in the SEE database for future use.

Once you have entered the administrative credentials, change the protocol by selecting the relevant option button. If HTTPS is selected, an SSL Port field is displayed; an SSL port is required for HTTPS communications. To change or set the TCP port used for client communications with the SEE Management Server, enter the appropriate number in the TCP Port field. With HTTP selected, everything the clients exchange with the server over this port, including check-ins, policy downloads, and the computer-specific recovery data that clients upload after installation, travels unencrypted; choose HTTPS unless the network path between the clients and the server is otherwise protected.
Directory Sync Service Status

Click the Directory Sync Service Status tab to view the status of your synchronization services and adjust their operation.

Figure 6.4 Configuration Editor, Directory Sync Service Status Tab

The tab is divided into two main areas containing the options and status information for each directory service. The first field in each area displays the current status of synchronization with that directory service.

Table 6.1 Synchronization Service Status Values

Value | Explanation
Running | The service is running.
Stopped | The service has been stopped.
Start Pending | A command to start the service has been issued and is in process.
Continue Pending | A command to restart the service has been issued and is in process.
Pause Pending | A command to stop the service has been issued and is in process.
Not Installed | The service has been manually removed. This is an error condition, as the service should only be removed during an uninstallation procedure.

Below the status value, a sentence states either that synchronization with the directory service has never occurred or the date and time of the last synchronization. The status information for both areas is refreshed by clicking Refresh Status. The buttons displayed vary according to the current status of the directory service synchronization. Click Stop to stop the synchronization service. Click Restart to restart the service. The Resync Now button is also available to force an immediate synchronization.
Appendix A  Framework System Events List

The following table lists the Windows system events that the SEE Framework generates and logs on the Client Computer. The columns give the Event ID, the severity of the event (Error, Info, or Warning), a description of the event indicating the type, source, or policy that generated it (Internal, Program Action, Initial Setting, Settings Change, or Utility), and an explanation. Items in square brackets, such as [user name], are filled in by the event.

Table A.1 Framework System Events

ID | Severity | Description | Explanation
0 | Error | Internal: Cannot map event ID to string. Framework | The Framework event ID cannot be mapped to the string in the Framework.
1 | Info | Internal: Audit functions started. Framework | The Framework audit functions have started.
2 | Info | Internal: Audit functions ended. Framework | The Framework audit functions have ended.
3 | Info | Program Action: Successful client logon/authentication attempted with password. Framework [user name] | An attempt to log on at Pre-Windows with a password has succeeded.
4 | Warning | Program Action: Unsuccessful client logon/authentication attempted with password. Framework [user name] | An attempt to log on at Pre-Windows with a password has failed.
7 | Info | Program Action: Successful logon/authentication attempted with One-Time Password. Framework | The One-Time Password process has succeeded in authenticating the user.
8 | Warning | Program Action: Unsuccessful logon/authentication attempted with One-Time Password. Framework | The One-Time Password process has failed to authenticate the user.
9 | Info | Program Action: Successful logon/authentication attempted with Authenti-Check. Framework | The Authenti-Check process has succeeded in authenticating the user.
10 | Warning | Program Action: Unsuccessful logon/authentication attempted with Authenti-Check. Framework | The Authenti-Check process has failed to authenticate the user.
11 | Warning | Program Action: Number of client logon attempts exceeded the maximum allowed. Framework | The number of Pre-Windows logon attempts allowed before a delay has been exceeded.
12 | Info | Program Action: User password changed successfully. Framework [user name] | The user has successfully changed their SEE password.
13 | Info | Program Action: User password changed unsuccessfully. Framework | The user attempted to change their SEE password, but failed. This could be because it did not meet the password requirements.
14 | Warning | Program Action: User program uninstallation attempted. Framework | An attempt to uninstall SEE Framework has been made.
15 | Info | Program Action: User changed Authenti-Check questions and answers successfully. Framework | The user has succeeded in changing their Authenti-Check question(s) and/or answer(s).
16 | Info | Program Action: User has been unregistered. Framework | The user has successfully been unregistered.
17 | Info | Program Action: User password resynchronized with Windows password. Framework | The user's SEE password has been resynchronized with their Windows password to enable the Single Sign-On feature.
18 | Warning | Program Action: Computer locked due to failure to communicate with SEE server. Framework | The Client Computer has failed to communicate with the SEE Management Server within the mandatory interval and, as a result, has been locked.
19 | Warning | Program Action: User password expired. Framework | The user's SEE password has expired.
20 | Info | Program Action: User registration completed. Framework [user name] | The user has successfully completed the registration process.
Table A.1 Framework System Events (Continued)

ID | Severity | Description | Explanation
21 | Warning | Program Action: Final grace logon reached. Framework | The number of grace restarts is now zero and the next user to log on to Windows will be forced to register.
22 | Info | Program Action: User logged on after Hibernation or/and Stand by. Framework [user name] | A hibernation or standby process was initiated and ended when the user logged on to Windows.
23 | Info | Program Action: Client program installation attempted. Framework | An attempt to install SEE Framework was made.
24 | Info | Program Action: Client program upgrade attempted. Framework | An attempt to upgrade SEE Framework was made.
25 | Info | Program Action: Grace logon attempted. Framework | An attempt to exercise a grace restart was made.
26 | Info | Program Action: Authenti-Check questions and answers created. Framework | The user has set their Authenti-Check questions and answers as a part of the registration process.
27 | Info | Program Action: User password created. Framework [user name] | The user has set their SEE password as a part of the registration process.
29 | Info | Initial Setting: One-Time Password [default server] method enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The One-Time Password recovery method has been enabled as an installation setting. The default method will be [default server], as indicated in the audit event.
30 | Error | Initial Setting: One-Time Password [default server] method enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the One-Time Password recovery method should be enabled, but this setting failed to be applied.
31 | Info | Initial Setting: One-Time Password not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The One-Time Password recovery method is not enabled for this workstation, as per the installation setting.
32 | Error | Initial Setting: One-Time Password not enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the One-Time Password recovery method should not be enabled, but this setting failed to be applied.
33 | Info | Initial Setting: Authenti-Check enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The Authenti-Check recovery method has been enabled as an installation setting.
34 | Error | Initial Setting: Authenti-Check enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the Authenti-Check recovery method should be enabled, but this setting failed to be applied.
35 | Info | Initial Setting: Authenti-Check not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The Authenti-Check recovery method is not enabled for this workstation, as per the installation setting.
36 | Error | Initial Setting: Authenti-Check not enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the Authenti-Check recovery method should not be enabled, but this setting failed to be applied.
37 | Info | Initial Setting: Authentication Assistance message; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The authentication assistance message specified in the installation package was set successfully.
38 | Error | Initial Setting: Authentication Assistance message; policy failed. Framework Installation Settings - Authentication Assistance. | The authentication assistance message specified in the installation package failed to be set.
39 | Info | Initial Setting: Client Administrator [account name] account created with [low medium high] privileges; policy applied successfully. Framework Installation Settings - Client Administrators. | The Client Administrator account specified in the installation package and described in the audit log description was created successfully.
40 | Error | Initial Setting: Client Administrator [account name] account created with [low medium high] privileges; policy failed. Framework Installation Settings - Client Administrators. | The Client Administrator account specified in the installation package and described in the audit log description failed to be created.
Event ID | Severity | Description | Explanation
41 | Info | Initial Setting: the SEE Management Server communication interval was set successfully. Framework Installation Settings - Communication. | The SEE Management Server communication interval specified in the installation package was set successfully.
42 | Error | Initial Setting: the SEE Management Server communication interval failed to be set. Framework Installation Settings - Communication. | The SEE Management Server communication interval specified in the installation package failed to be set.
43 | Info | Initial Setting: the user name of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication. | The user name of the SEE Management Server client IIS account specified in the installation package was set successfully.
44 | Error | Initial Setting: the user name of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication. | The user name of the SEE Management Server client IIS account specified in the installation package failed to be set.
45 | Info | Initial Setting: the SEE Management Server client account password was set successfully. Framework Installation Settings - Communication. | The SEE Management Server client IIS account password specified in the installation package was set successfully.
46 | Error | Initial Setting: the SEE Management Server client account password failed to be set. Framework Installation Settings - Communication. | The SEE Management Server client IIS account password specified in the installation package failed to be set.
47 | Info | Initial Setting: Limit password attempts enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The limitation on the number of password authentication attempts specified in the installation package has been set successfully.
48 | Error | Initial Setting: Limit password attempts enabled; policy failed. Framework Installation Settings - Password Authentication. | The limitation on the number of password authentication attempts specified in the installation package failed to be set.
49 | Info | Initial Setting: Limit password attempts not enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | No limitation to the number of password authentication attempts, as specified in the installation package, has been set successfully.
50 | Error | Initial Setting: Limit password attempts not enabled; policy failed. Framework Installation Settings - Password Authentication. | No limitation to the number of password authentication attempts, as specified in the installation package, failed to be set.
55 | Info | Initial Setting: Maximum password age enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The user's passwords will expire at the interval designated in the installation package; this was set successfully.
56 | Error | Initial Setting: Maximum password age enabled; policy failed. Framework Installation Settings - Password Authentication. | The user's passwords will not expire at the interval designated in the installation package; this failed to be set.
57 | Info | Initial Setting: Maximum password age not enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The user's passwords will not expire. This was set successfully, as specified in the installation package.
58 | Error | Initial Setting: Maximum password age not enabled; policy failed. Framework Installation Settings - Password Authentication. | Although the installation package specified that the user's passwords would not expire, this failed to be set.
59 | Info | Initial Setting: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The user will be able to reuse previous passwords; this installation setting was applied successfully.
60 | Error | Initial Setting: Password history (any previous password can be reused) enabled; policy failed. Framework Installation Settings - Password Authentication. | The installation package specified that the user should be able to reuse previous passwords, but this setting failed to be applied.
61 | Info | Initial Setting: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The user will not be able to use previous passwords; the limitations specified in the installation package were applied successfully.
Event ID | Severity | Description | Explanation
62 | Error | Initial Setting: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Installation Settings - Password Authentication. | Even though the installation package specified certain limitations on the ability of users to use previous passwords, these settings failed to be applied.
63 | Info | Initial Setting: Password complexity requirements for minimum password length met; policy applied successfully. Framework Installation Settings - Password Authentication. | The installation package specified that users must set their passwords to be of a minimum length. This was set successfully.
64 | Error | Initial Setting: Password complexity requirements for minimum password length met; policy failed. Framework Installation Settings - Password Authentication. | The installation package specified that users must set their passwords to be of a minimum length. This setting failed to be applied.
65 | Info | Initial Setting: Non-alphanumeric characters allowed in password setting; policy applied successfully. Framework Installation Settings - Password Authentication. | The installation package specified that users will be able to use non-alphanumeric characters in their passwords. This was set successfully.
66 | Error | Initial Setting: Non-alphanumeric characters allowed in password setting; policy failed. Framework Installation Settings - Password Authentication. | The installation package specified that users should be able to use non-alphanumeric characters in their passwords. This setting failed to be applied.
67 | Info | Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters met; policy applied successfully. Framework Installation Settings - Password Authentication. | The installation package specified that a minimum number of non-alphanumeric characters must be present in the user's passwords. This was set successfully.
68 | Error | Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters not met; policy failed. Framework Installation Settings - Password Authentication. | The installation package specified that a minimum number of non-alphanumeric characters must be present in the user's passwords. This setting failed to be applied.
69 | Info | Initial Setting: Password complexity requirements for minimum number of uppercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication. | The installation package specified that a minimum number of uppercase characters must be present in the user's passwords. This was set successfully.
70 | Error | Initial Setting: Password complexity requirements for minimum number of uppercase characters not met; policy failed. Framework Installation Settings - Password Authentication. | The installation package specified that a minimum number of uppercase characters must be present in the user's passwords. This setting failed to be applied.
71 | Info | Initial Setting: Password complexity requirements for minimum number of lowercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication. | The installation package specified that a minimum number of lowercase characters must be present in the user's passwords. This was set successfully.
72 | Error | Initial Setting: Password complexity requirements for minimum number of lowercase characters not met; policy failed. Framework Installation Settings - Password Authentication. | The installation package specified that a minimum number of lowercase characters must be present in the user's passwords. This setting failed to be applied.
73 | Info | Initial Setting: Password complexity requirements for minimum number of digits met; policy applied successfully. Framework Installation Settings - Password Authentication. | The installation package specified that a minimum number of digits must be present in the user's passwords. This was set successfully.
74 | Error | Initial Setting: Password complexity requirements for minimum number of digits not met; policy failed. Framework Installation Settings - Password Authentication. | The installation package specified that a minimum number of digits must be present in the user's passwords. This setting failed to be applied.
75 | Info | Initial Setting: Require registration password enabled; policy applied successfully. Framework Installation Settings - Registered Users. | The installation package specified that the user must provide the registration password to be able to register. This was set successfully.
Event ID | Severity | Description | Explanation
76 | Error | Initial Setting: Require registration password enabled; policy failed. Framework Installation Settings - Registered Users. | The installation package specified that the user must provide the registration password to be able to register. This setting failed to be applied.
77 | Info | Initial Setting: Require registration password not enabled; policy applied successfully. Framework Installation Settings - Registered Users. | The installation package specified that no registration password is required to allow a user to register. This was set successfully.
78 | Error | Initial Setting: Require registration password not enabled; policy failed. Framework Installation Settings - Registered Users. | The installation package specified that no registration password is required to allow a user to register. This setting failed to be applied.
79 | Info | Initial Setting: Number of allowed user accounts setting; policy applied successfully. Framework Installation Settings - Registered Users. | The installation package specified the maximum number of user accounts allowed on the Client Computer. This was set successfully.
80 | Error | Initial Setting: Number of allowed user accounts setting; policy failed. Framework Installation Settings - Registered Users. | The installation package specified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.
81 | Info | Initial Setting: User authentication with password setting enabled; policy applied successfully. Framework Installation Settings - Registered Users. | The installation package specified that users will authenticate using passwords. This was set successfully.
82 | Error | Initial Setting: User authentication with password setting enabled; policy failed. Framework Installation Settings - Registered Users. | The installation package specified that users will authenticate using passwords. This setting failed to be applied.
87 | Info | Initial Setting: Registration Wizard custom message; policy applied successfully. Framework Installation Settings - Registered Users. | The installation package specified that users will see a custom message during registration. This was set successfully.
88 | Error | Initial Setting: Registration Wizard custom message; policy failed. Framework Installation Settings - Registered Users. | The installation package specified that users will see a custom message during registration. This setting failed to be applied.
89 | Info | Initial Setting: Grace restarts before registration setting; policy applied successfully. Framework Installation Settings - Registered Users. | The installation package specified the number of grace restarts that users will have before being forced to register. This was set successfully.
90 | Error | Initial Setting: Grace restarts before registration setting; policy failed. Framework Installation Settings - Registered Users. | The installation package specified the number of grace restarts that users will have before being forced to register. This setting failed to be applied.
91 | Info | Initial Setting: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework Installation Settings - Token Authentication. | The installation package specified that users with expired certificates will be allowed to authenticate. This was set successfully.
92 | Error | Initial Setting: User can authenticate with expired certificates setting enabled; policy failed. Framework Installation Settings - Token Authentication. | The installation package specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied.
93 | Info | Initial Setting: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework Installation Settings - Token Authentication. | The installation package specified that users with expired certificates will not be allowed to authenticate. This was set successfully.
94 | Error | Initial Setting: User can authenticate with expired certificates setting not enabled; policy failed. Framework Installation Settings - Token Authentication. | The installation package specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied.
95 | Info | Initial Setting: Single Sign-On enabled; policy applied successfully. Framework Installation Settings - Single Sign-On. | The installation package specified that users will authenticate using Single Sign-On. This was set successfully.
96 | Error | Initial Setting: Single Sign-On enabled; policy failed. Framework Installation Settings - Single Sign-On. | The installation package specified that users will authenticate using Single Sign-On. This setting failed to be applied.
Event ID | Severity | Description | Explanation
97 | Info | Initial Setting: Single Sign-On not enabled; policy applied successfully. Framework Installation Settings - Single Sign-On. | The installation package specified that users will not authenticate using Single Sign-On. This was set successfully.
98 | Error | Initial Setting: Single Sign-On not enabled; policy failed. Framework Installation Settings - Single Sign-On. | The installation package specified that users will not authenticate using Single Sign-On. This setting failed to be applied.
99 | Info | Initial Setting: Encryption strength setting; policy applied successfully. Framework Installation Settings - Encryption. | The installation package specified the encryption strength. This was set successfully.
100 | Error | Initial Setting: Encryption strength setting; policy failed. Framework Installation Settings - Encryption. | The installation package specified the encryption strength. This setting failed to be applied.
101 | Info | Initial Setting: Default log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization. | The installation package specified that the client database files will be stored in the default location. This was set successfully.
102 | Error | Initial Setting: Default log file location enabled; policy failed. Framework Installation Settings - Installer Customization. | The installation package specified that the client database files will be stored in the default location. This setting failed to be applied.
103 | Info | Initial Setting: Custom log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization. | The installation package specified that the client database files will be stored in a custom location. This was set successfully.
104 | Error | Initial Setting: Custom log file location enabled; policy failed. Framework Installation Settings - Installer Customization. | The installation package specified that the client database files will be stored in a custom location. This setting failed to be applied.
105 | Info | Settings Change: Authentication Assistance message modified; policy applied successfully. Framework Computer Policy - Authentication Assistance. | A policy specified that users will see a modified message when requesting authentication assistance. This was set successfully.
106 | Error | Settings Change: Authentication Assistance message modified; policy failed. Framework Computer Policy - Authentication Assistance. | A policy specified that users will see a modified message when requesting authentication assistance. This setting failed to be applied.
107 | Info | Settings Change: One-Time Password [default server] method enabled; policy applied successfully. Framework User Policy - Authentication Assistance. | A policy specified the One-Time Password method that users see when requesting authentication assistance: either default (offline method) or server (online method). This was set successfully.
108 | Error | Settings Change: One-Time Password [default server] method enabled; policy failed. Framework User Policy - Authentication Assistance. | A policy specified the One-Time Password method that users see when requesting authentication assistance: either default (offline method) or server (online method). This setting failed to be applied.
109 | Info | Settings Change: One-Time Password not enabled; policy applied successfully. Framework User Policy - Authentication Assistance. | A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This was set successfully.
110 | Error | Settings Change: One-Time Password not enabled; policy failed. Framework User Policy - Authentication Assistance. | A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This setting failed to be applied.
111 | Info | Settings Change: Authenti-Check enabled; policy applied successfully. Framework User Policy - Authentication Assistance. | A policy specified that Authenti-Check will be available to users requesting authentication assistance. This was set successfully.
112 | Error | Settings Change: Authenti-Check enabled; policy failed. Framework User Policy - Authentication Assistance. | A policy specified that Authenti-Check will be available to users requesting authentication assistance. This setting failed to be applied.
113 | Info | Settings Change: Authenti-Check not enabled; policy applied successfully. Framework User Policy - Authentication Assistance. | A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This was set successfully.
Event ID | Severity | Description | Explanation
114 | Error | Settings Change: Authenti-Check not enabled; policy failed. Framework User Policy - Authentication Assistance. | A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This setting failed to be applied.
115 | Info | Settings Change: Authenti-Check settings modified; policy applied successfully. Framework User Policy - Authentication Assistance. | A policy specified that the Authenti-Check settings were modified. This was set successfully.
116 | Error | Settings Change: Authenti-Check settings modified; policy failed. Framework User Policy - Authentication Assistance. | A policy specified that the Authenti-Check settings were modified. This setting failed to be applied.
117 | Info | Settings Change: Client Administrator [account name] account modified, privileges changed from [low medium high] to [low medium high]; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy specified that the privileges of Client Administrator account [account name] were changed from [low medium high] to [low medium high]. This was set successfully.
118 | Error | Settings Change: Client Administrator [account name] account modified, privileges changed from [low medium high] to [low medium high]; policy failed. Framework Computer Policy - Client Administrators. | A policy specified that the privileges of Client Administrator account [account name] were changed from [low medium high] to [low medium high]. This setting failed to be applied.
119 | Info | Settings Change: the SEE Management Server communication interval was modified successfully. Framework Computer Policy - Communication. | A settings change specified a change in how often the Client Computer reports its status to the SEE Management Server. This was set successfully.
120 | Error | Settings Change: a policy modifying the SEE Management Server communication interval failed to be applied. Framework Computer Policy - Communication. | A policy specified a change in how often the Client Computer reports its status to the SEE Management Server. This setting failed to be applied.
121 | Info | Settings Change: the SEE Management Server client account was modified successfully. Framework Computer Policy - Communication. | A policy specified a change to the credentials of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This was set successfully.
122 | Error | Settings Change: a policy modifying the SEE Management Server client account failed to be applied. Framework Computer Policy - Communication. | A policy specified a change to the credentials of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This setting failed to be applied.
123 | Info | Settings Change: the SEE Management Server client account password was modified successfully. Framework Computer Policy - Communication. | A policy specified a change to the password of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This was set successfully.
124 | Error | Settings Change: a policy modifying the SEE Management Server client account password failed. Framework Computer Policy - Communication. | A policy specified a change to the password of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This setting failed to be applied.
125 | Info | Settings Change: Limit password attempts enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.
126 | Error | Settings Change: Limit password attempts enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.
127 | Info | Settings Change: Limit password attempts not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.
128 | Error | Settings Change: Limit password attempts not enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.
Event ID | Severity | Description | Explanation
129 | Info | Settings Change: Limit password attempts settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This was set successfully.
130 | Error | Settings Change: Limit password attempts settings modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This setting failed to be applied.
135 | Info | Settings Change: Maximum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that forces the user's passwords to expire at the designated interval. This was set successfully.
136 | Error | Settings Change: Maximum password age enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that forces the user's passwords to expire at the designated interval. This setting failed to be applied.
137 | Info | Settings Change: Maximum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that does not force the user's passwords to expire. This was set successfully.
138 | Error | Settings Change: Maximum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that does not force the user's passwords to expire. This setting failed to be applied.
139 | Info | Settings Change: Maximum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified the settings controlling how often a user's passwords will expire. This was set successfully.
140 | Error | Settings Change: Maximum password age settings modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified the settings controlling how often a user's passwords will expire. This setting failed to be applied.
141 | Info | Settings Change: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that allows the user to reuse previous passwords. This was set successfully.
142 | Error | Settings Change: Password history (any previous password can be reused) enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that allows the user to reuse previous passwords. This setting failed to be applied.
143 | Info | Settings Change: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that prevents the user from using previous passwords. This was set successfully.
144 | Error | Settings Change: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that prevents the user from using previous passwords. This setting failed to be applied.
145 | Info | Settings Change: Password history (limit password reuse and days between changes) settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This was set successfully.
146 | Error | Settings Change: Password history (limit password reuse and days between changes) settings modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This setting failed to be applied.
147 | Info | Settings Change: Minimum password length setting modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified the minimum length for user passwords. This was set successfully.
148 | Error | Settings Change: Minimum password length setting modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified the minimum length necessary for user passwords. This setting failed to be applied.
Event ID | Severity | Description | Explanation
149 | Info | Settings Change: Non-alphanumeric characters allowed in password setting modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This was set successfully.
150 | Error | Settings Change: Non-alphanumeric characters allowed in password setting modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This setting failed to be applied.
151 | Info | Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user's passwords. This was set successfully.
152 | Error | Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user's passwords. This setting failed to be applied.
153 | Info | Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of uppercase characters that must be present in the user's passwords. This was set successfully.
154 | Error | Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of uppercase characters that must be present in the user's passwords. This setting failed to be applied.
155 | Info | Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of lowercase characters that must be present in the user's passwords. This was set successfully.
156 | Error | Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of lowercase characters that must be present in the user's passwords. This setting failed to be applied.
157 | Info | Settings Change: Change password complexity requirements for minimum number of digits; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of digits that must be present in the user's passwords. This was set successfully.
158 | Error | Settings Change: Change password complexity requirements for minimum number of digits; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of digits that must be present in the user's passwords. This setting failed to be applied.
159 | Info | Settings Change: Require registration password enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that the user must provide the registration password to be able to register. This was set successfully.
160 | Error | Settings Change: Require registration password enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that the user must provide the registration password to be able to register. This setting failed to be applied.
161 | Info | Settings Change: Require registration password not enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that no registration password is required to allow a user to register. This was set successfully.
162 | Error | Settings Change: Require registration password not enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that no registration password is required to allow a user to register. This setting failed to be applied.
163 | Info | Settings Change: Registration password modified; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that modified the registration password users must know to be able to register. This was set successfully.
Table A.1 Framework System Events (Continued)

Event ID | Severity | Description | Explanation
164 | Error | Settings Change: Registration password modified; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that modified the registration password users must know to be able to register. This setting failed to be applied.
165 | Info | Settings Change: Number of allowed user accounts setting modified; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This was set successfully.
166 | Error | Settings Change: Number of allowed user accounts setting modified; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.
167 | Info | Settings Change: User authentication with password only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate using passwords. This was set successfully.
168 | Error | Settings Change: User authentication with password only setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate using passwords. This setting failed to be applied.
173 | Info | Settings Change: Registration Wizard custom message modified; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that modified the custom message users will see during registration. This was set successfully.
174 | Error | Settings Change: Registration Wizard custom message modified; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that modified the custom message users will see during registration. This setting failed to be applied.
175 | Info | Settings Change: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will be allowed to authenticate. This was set successfully.
176 | Error | Settings Change: User can authenticate with expired certificates setting enabled; policy failed. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied.
177 | Info | Settings Change: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will not be allowed to authenticate. This was set successfully.
178 | Error | Settings Change: User can authenticate with expired certificates setting not enabled; policy failed. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied.
179 | Info | Settings Change: Single Sign-On enabled; policy applied successfully. Framework User Policy - Single Sign-On. | A policy was specified that users will authenticate using Single Sign-On. This was set successfully.
180 | Error | Settings Change: Single Sign-On enabled; policy failed. Framework User Policy - Single Sign-On. | A policy was specified that users will authenticate using Single Sign-On. This setting failed to be applied.
181 | Info | Settings Change: Single Sign-On not enabled; policy applied successfully. Framework User Policy - Single Sign-On. | A policy was specified that users will not authenticate using Single Sign-On. This was set successfully.
182 | Error | Settings Change: Single Sign-On not enabled; policy failed. Framework User Policy - Single Sign-On. | A policy was specified that users will not authenticate using Single Sign-On. This setting failed to be applied.
183 | Info | Program Action: The user was provided access to Windows using cached credentials and was not required to change their Windows password following successful completion of the password recovery process because there was no connectivity to a domain controller. | After a user successfully completes the password recovery process in Pre-Windows, they will be forced to select a new password when they log on to Windows. If the Client Computer was offline and cached credentials were used, this password synchronization is deferred until after the Client Computer regains network connectivity.
184 | Info | Program Action: Client Administrator [account name] unregistered user [user name]. | The Client Administrator [account name] has unregistered the user [user name] on the Client Computer.
Table A.1 Framework System Events (Continued)

Event ID | Severity | Description | Explanation
185 | Info | Settings Change: Client Administrator [account name] was added with [low medium high] privileges; policy applied successfully. | A policy was specified that added [account name] as a Client Administrator having [low medium high] privileges. This was set successfully.
186 | Info | Initial Setting: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | The installation package specified that users must wait the designated interval before changing their passwords. This was set successfully.
187 | Error | Initial Setting: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. | The installation package specified that users must wait the designated interval before changing their passwords. This setting failed to be applied.
188 | Info | Initial Setting: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | The installation package specified that users will not be forced to wait before changing their passwords. This was set successfully.
189 | Error | Initial Setting: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. | The installation package specified that users will not be forced to wait before changing their passwords. This setting failed to be applied.
190 | Info | Settings Change: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This was set successfully.
191 | Error | Settings Change: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This setting failed to be applied.
192 | Info | Settings Change: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that users will not be forced to wait before changing their passwords. This was set successfully.
193 | Error | Settings Change: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that users will not be forced to wait before changing their passwords. This setting failed to be applied.
194 | Info | Settings Change: Minimum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This was set successfully.
195 | Error | Settings Change: Minimum password age settings modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This setting failed to be applied.
196 | Info | Settings Change: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that automatically authenticates SEE users. If SEE Full Disk has been installed, the Pre-Windows authentication will be bypassed. This was set successfully.
197 | Error | Settings Change: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that automatically authenticates SEE users. If SEE Full Disk has been installed, the Pre-Windows authentication will be bypassed. This setting failed to be applied.
198 | Info | Settings Change: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the Pre-Windows authentication will not be bypassed. This was set successfully.
199 | Error | Settings Change: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the Pre-Windows authentication will not be bypassed. This setting failed to be applied.
Table A.1 Framework System Events (Continued)

Event ID | Severity | Description | Explanation
200 | Info | Settings Change: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully.
201 | Error | Settings Change: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied.
202 | Info | Settings Change: Users who do not log on for [number] days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that inactive user accounts will be automatically unregistered after [number] days. This was set successfully.
203 | Error | Settings Change: Users who do not log on for [number] days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that inactive user accounts will be automatically unregistered after [number] days. This setting failed to be applied.
204 | Info | Initial Setting: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that SEE users will be automatically authenticated. If SEE Full Disk has been installed, the Pre-Windows authentication will be bypassed. This was set successfully.
205 | Error | Initial Setting: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that SEE users will be automatically authenticated. If SEE Full Disk has been installed, the Pre-Windows authentication will be bypassed. This setting failed to be applied.
206 | Info | Initial Setting: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the Pre-Windows authentication will not be bypassed. This was set successfully.
207 | Error | Initial Setting: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the Pre-Windows authentication will not be bypassed. This setting failed to be applied.
208 | Info | Initial Setting: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully.
209 | Error | Initial Setting: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied.
210 | Info | Initial Setting: Users who do not log on for [number] days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that inactive user accounts will be automatically unregistered after [number] days. This was set successfully.
211 | Error | Initial Setting: Users who do not log on for [number] days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that inactive user accounts will be automatically unregistered after [number] days. This setting failed to be applied.
212 | Info | Initial Setting: Silent client. The client will not communicate with the SEE Management Server; policy applied successfully. Framework Installation Setting. | The installation package specified that the Client Computer will not communicate with the SEE Management Server. This was set successfully.
Table A.1 Framework System Events (Continued)

Event ID | Severity | Description | Explanation
213 | Error | Initial Setting: Silent client. The installation setting dictated that the client would not attempt to communicate with the SEE Management Server and was a silent client, but this failed to be applied. Framework Installation Setting. | The installation package specified that the Client Computer will not communicate with the SEE Management Server. This setting failed to be applied.
214 | Info | Settings Change: This client will no longer attempt to communicate with the SEE Management Server and is now a silent client; policy applied successfully. Framework Computer Policy. | A policy was specified that a Client Computer previously able to contact a SEE Management Server will now have all SEE Management Server communications suppressed. This was set successfully.
215 | Error | Settings Change: A policy dictating that this client would no longer communicate with the SEE Management Server and would become a silent client failed to be applied. Framework Computer Policy. | A policy was specified that a Client Computer previously able to contact a SEE Management Server will now have all SEE Management Server communications suppressed. This setting failed to be applied.
216 | Info | Program Action: User [user name] successfully modified their One-Time Password personal identifier. Framework [user name] | A user has successfully modified their One-Time Password personal identifier. This was set successfully.
217 | Error | Program Action: User [user name] failed to modify their One-Time Password personal identifier. Framework [user name] | A user has successfully modified their One-Time Password personal identifier. This setting failed to be applied.
218 | Info | Settings Change: Client Administrator [account name] password modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was specified that modified the SEE password of one or more Client Administrator accounts. This was set successfully.
219 | Error | Settings Change: Client Administrator [account name] password modified; policy failed. Framework Computer Policy - Client Administrators. | A policy was specified that modified the SEE password of one or more Client Administrator accounts. This setting failed to be applied.
222 | Info | Settings Change: Client Administrator [account name] has unregistered. Framework Computer Policy. | 
223 | Info | Initial Setting: The address of the SEE Management Server was set successfully. Framework Installation Settings - Communication. | The address of the SEE Management Server was successfully set during installation.
224 | Error | Initial Setting: The address of the SEE Management Server failed to be set. Framework Installation Settings - Communication. | The address of the SEE Management Server was not set during installation.
225 | Info | Initial Setting: The domain of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication. | The domain of the SEE Management Server client account was successfully set during installation.
226 | Error | Initial Setting: The domain of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication. | The domain of the SEE Management Server client account was not set during installation.
227 | Info | Initial Setting: The certificate to be used for HTTPS communications with the SEE Management Server was set successfully. Framework Installation Settings - Communication. | The certificate for HTTPS communication with the SEE Management Server was successfully set.
228 | Error | Initial Setting: The certificate to be used for HTTPS communications with the SEE Management Server failed to be set. Framework Installation Settings - Communication. | The certificate for HTTPS communication with the SEE Management Server was not set during installation.
Full Disk System Events List

The following table lists the individual SEE Full Disk-generated Windows system events logged on the Client Computer. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a description of the event indicating the type, source, or policy that generated the event (Internal, Program Action, Initial Setting, Settings Change, or Utility).

Table A.2 Full Disk System Events

Event ID | Severity | Description | Explanation
1000 | Error | Internal: Cannot map event ID to string. Full Disk | The Full Disk event ID cannot be mapped to the string in the hard disk.
1001 | Info | Internal: Audit functions started. Full Disk | The Full Disk audit functions have started.
1002 | Info | Internal: Audit functions ended. Full Disk | The Full Disk audit functions have ended.
1003 | Info | Program Action: Successful pre-windows logon/authentication attempted with password. Full Disk [user name] | An attempt to logon at pre-windows with a password has succeeded.
1004 | Warning | Program Action: Unsuccessful pre-windows logon/authentication attempted with password. Full Disk [user name] | An attempt to logon at pre-windows with a password has failed.
1011 | Info | Program Action: Successful logon/authentication attempted with One-Time Password. Full Disk | The One-Time Password process has succeeded in authenticating the user.
1012 | Warning | Program Action: Unsuccessful pre-windows logon/authentication attempted with One-Time Password. Full Disk | The One-Time Password process has failed to authenticate the user.
1013 | Info | Program Action: Successful logon/authentication attempted with Authenti-Check. Full Disk | The Authenti-Check process has succeeded in authenticating the user.
1014 | Warning | Program Action: Unsuccessful pre-windows logon/authentication attempted with Authenti-Check. Full Disk | The Authenti-Check process has failed to authenticate the user at pre-windows.
1015 | Warning | Program Action: Number of pre-windows logon attempts exceeded the maximum allowed. Full Disk | The number of pre-windows logon attempts allowed before a delay has been exceeded.
1017 | Info | Program Action: User password changed successfully. Full Disk | The user has successfully changed their SEE password.
1018 | Info | Program Action: User password changed unsuccessfully. Full Disk | The user attempted to change their SEE password, but failed. This could be because the password did not meet the password requirements.
1019 | Warning | Program Action: User program uninstallation attempted. Full Disk | An attempt to uninstall SEE Full Disk has been made.
1020 | Info | Program Action: User changed Authenti-Check questions and answers successfully. Full Disk | The user has succeeded in changing their Authenti-Check question(s) and/or answer(s).
1021 | Info | Program Action: Client Administrator has unregistered user. Full Disk | The Client Administrator has successfully unregistered a user.
1022 | Info | Program Action: User password resynchronized with Windows password. Full Disk | The user's SEE password has been resynchronized with their Windows password to enable the Single Sign-On feature.
1023 | Warning | Program Action: Computer locked due to failure to communicate with SEE Management Server. Full Disk | The Client Computer has failed to communicate with the SEE Management Server within the mandatory interval and, as a result, has been locked.
1024 | Warning | Program Action: User password expired. Full Disk | The user's SEE password has expired.
1025 | Info | Program Action: User registration completed. Full Disk [user name] | The user has successfully completed the registration process.
1026 | Warning | Program Action: Final grace logon reached. Full Disk | The number of grace restarts is now zero and the next user to log on to Windows will be forced to register.
Table A.2 Full Disk System Events (Continued)

Event ID | Severity | Description | Explanation
1027 | Warning | Program Action: Partition decryption initiated. Full Disk | The user has initiated decryption of one or more partitions on the hard disk.
1028 | Warning | Program Action: Partition decryption completed. Full Disk | Decryption of one or more partitions on the hard disk has been completed.
1029 | Info | Program Action: Partition encryption initiated. Full Disk | The user has initiated encryption of one or more partitions on the hard disk.
1030 | Info | Program Action: Partition encryption completed. Full Disk | Encryption of one or more partitions on the hard disk has been completed.
1031 | Info | Program Action: User logged on after Hibernation and/or Standby. Full Disk | A hibernation or standby process was initiated and ended when the user logged on to Windows.
1032 | Info | Program Action: Client program installation attempted. Full Disk | An attempt to install SEE Full Disk was made.
1033 | Info | Program Action: Client program upgrade attempted. Full Disk | An attempt to upgrade SEE Full Disk was made.
1034 | Info | Program Action: Grace logon attempted. Full Disk | An attempt to exercise a grace restart was made.
1035 | Info | Program Action: Authenti-Check questions and answers created. Full Disk | The user has set their Authenti-Check questions and answers as a part of the registration process.
1036 | Info | Program Action: User password created. Full Disk | The user has set their SEE password as a part of the registration process.
1038 | Info | Initial Setting: A minimum contact period with the SEE Management Server will not be enforced; policy applied successfully. Full Disk Installation Settings - Client Monitor. | An attempt to apply an installation setting not to enforce a minimum contact period with the SEE Management Server has succeeded.
1039 | Error | Initial Setting: An installation setting dictating that a minimum contact period with the SEE Management Server would not be enforced failed to be applied. Full Disk Installation Settings - Client Monitor. | An attempt to apply an installation setting not to enforce a minimum contact period with the SEE Management Server has failed.
1040 | Info | Initial Setting: A minimum contact period with the SEE Management Server will be enforced; policy applied successfully. Full Disk Installation Settings - Client Monitor. | An attempt to apply an installation setting enforcing a minimum contact period with the SEE Management Server has succeeded.
1041 | Error | Initial Setting: An installation setting dictating that a minimum contact period with the SEE Management Server should be enforced failed to be applied. Full Disk Installation Settings - Client Monitor. | An attempt to apply an installation setting enforcing a minimum contact period with the SEE Management Server has failed.
1042 | Info | Initial Setting: Encrypt all partitions upon installation enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that all partitions be encrypted upon installation has succeeded.
1043 | Error | Initial Setting: Encrypt all partitions upon installation enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that all partitions be encrypted upon installation has failed.
1044 | Info | Initial Setting: Encrypt specified partitions enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that only specified partitions be encrypted upon installation has succeeded.
1045 | Error | Initial Setting: Encrypt specified partitions enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that only specified partitions be encrypted upon installation has failed.
1046 | Info | Initial Setting: Let users choose partitions and start the encryption enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that users be allowed to choose partitions to be encrypted and start the encryption process has succeeded.
Table A.2 Full Disk System Events (Continued)

Event ID | Severity | Description | Explanation
1047 | Error | Initial Setting: Let users choose partitions and start the encryption enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that users be allowed to choose partitions to be encrypted and start the encryption process has failed.
1048 | Info | Initial Setting: Custom Encryption Method enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting enabling a Custom Encryption Method has succeeded.
1049 | Error | Initial Setting: Custom Encryption Method enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting enabling a Custom Encryption Method has failed.
1050 | Info | Initial Setting: Fastest Encryption Method enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting enabling a Fastest Encryption Method has succeeded.
1051 | Error | Initial Setting: Fastest Encryption Method enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting enabling a Fastest Encryption Method has failed.
1052 | Info | Initial Setting: Allow data recovery in case of power failure enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting allowing data recovery in case of power failure has succeeded.
1053 | Error | Initial Setting: Allow data recovery in case of power failure enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting allowing data recovery in case of power failure has failed.
1054 | Info | Initial Setting: Allow data recovery in case of power failure not enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting disallowing data recovery in case of power failure has succeeded.
1055 | Error | Initial Setting: Allow data recovery in case of power failure not enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting disallowing data recovery in case of power failure has failed.
1056 | Info | Initial Setting: Include unused disk space when encrypting enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting including unused disk space when encrypting partitions has succeeded.
1057 | Error | Initial Setting: Include unused disk space when encrypting enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting including unused disk space when encrypting partitions has failed.
1058 | Info | Initial Setting: Include unused disk space when encrypting not enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting excluding unused disk space when encrypting partitions has succeeded.
1059 | Error | Initial Setting: Include unused disk space when encrypting not enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting excluding unused disk space when encrypting partitions has failed.
1064 | Info | Initial Setting: Registered users can decrypt disk enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting permitting registered users to decrypt the hard disk has succeeded.
1065 | Error | Initial Setting: Registered users can decrypt disk enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting permitting registered users to decrypt the hard disk has failed.
1066 | Info | Initial Setting: Registered users can decrypt disk not enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting not permitting registered users to decrypt the hard disk has succeeded.
1067 | Error | Initial Setting: Registered users can decrypt disk not enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting not permitting registered users to decrypt the hard disk has failed.
Appendix A Table A.2 Full Disk System Events (Continued)

Event ID | Severity | Description | Explanation
1068 | Info | Initial Setting: Default client database file location enabled; policy applied successfully. Full Disk Installation Settings - Installer Customization. | An attempt to apply an installation setting locating the client database files in the default location has succeeded.
1069 | Error | Initial Setting: Default client database file location enabled; policy failed. Full Disk Installation Settings - Installer Customization. | An attempt to apply an installation setting locating the client database files in the default location has failed.
1070 | Info | Initial Setting: Custom client database file location enabled; policy applied successfully. Full Disk Installation Settings - Installer Customization. | An attempt to apply an installation setting locating the client database files in a custom location has succeeded.
1071 | Error | Initial Setting: Custom client database file location enabled; policy failed. Full Disk Installation Settings - Installer Customization. | An attempt to apply an installation setting locating the client database files in a custom location has failed.
1072 | Info | Initial Setting: Prefill the logon form with the most recent user name and domain enabled; policy applied successfully. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting that prefills the logon form with the most recent user name and domain has succeeded.
1073 | Error | Initial Setting: Prefill the logon form with the most recent user name and domain enabled; policy failed. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting that prefills the logon form with the most recent user name and domain has failed.
1074 | Info | Initial Setting: Prefill the logon form with the most recent user name and domain not enabled; policy applied successfully. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting that does not prefill the logon form with the most recent user name and domain has succeeded.
1075 | Error | Initial Setting: Prefill the logon form with the most recent user name and domain not enabled; policy failed. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting that does not prefill the logon form with the most recent user name and domain has failed.
1076 | Info | Initial Setting: Custom logon image selected; policy applied successfully. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting to display a custom image when the computer starts up has succeeded.
1077 | Error | Initial Setting: Custom logon image selected; policy failed. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting to display a custom image when the computer starts up has failed.
1078 | Info | Initial Setting: Custom logon image not selected; policy applied successfully. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting not to display a custom image when the computer starts up has succeeded.
1079 | Error | Initial Setting: Custom logon image not selected; policy failed. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting not to display a custom image when the computer starts up has failed.
1080 | Info | Settings Change: no minimum contact period with the SEE Management Server will be enforced; policy applied successfully. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change not to enforce a minimum contact period with the SEE Management Server has succeeded.
1081 | Error | Settings Change: a policy dictating that no minimum contact period with the SEE Management Server would be enforced failed to be applied. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change not to enforce a minimum contact period with the SEE Management Server has failed.
1082 | Info | Settings Change: a minimum contact period with the SEE Management Server will be enforced; policy applied successfully. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change to enforce a minimum contact period with the SEE Management Server has succeeded.
1083 | Error | Settings Change: a policy dictating that a minimum contact period with the SEE Management Server should be enforced failed to be applied. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change to enforce a minimum contact period with the SEE Management Server has failed.
1084 | Info | Settings Change: the minimum SEE Management Server contact period and/or the number of days before lockout that a warning will be displayed was modified; policy applied successfully. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change that modifies contact settings with the SEE Management Server has succeeded.
1085 | Error | Settings Change: a policy changing the minimum SEE Management Server contact period and/or the number of days before lockout that a warning will be displayed failed to be applied. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change that modifies contact settings with the SEE Management Server has failed.
1090 | Info | Settings Change: Registered users can decrypt disk enabled; policy applied successfully. Full Disk User Policy - Local Decryption. | An attempt to apply a settings change enabling registered users to decrypt the hard disk has succeeded.
1091 | Error | Settings Change: Registered users can decrypt disk enabled; policy failed. Full Disk User Policy - Local Decryption. | An attempt to apply a settings change enabling registered users to decrypt the hard disk has failed.
1092 | Info | Settings Change: Registered users can decrypt disk not enabled; policy applied successfully. Full Disk User Policy - Local Decryption. | An attempt to apply a settings change not enabling registered users to decrypt the hard disk has succeeded.
1093 | Error | Settings Change: Registered users can decrypt disk not enabled; policy failed. Full Disk User Policy - Local Decryption. | An attempt to apply a settings change not enabling registered users to decrypt the hard disk has failed.
1094 | Info | Settings Change: Prefill the logon form with the most recent user name and domain enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An attempt to apply a settings change to prefill the logon form with the most recent user name and domain has succeeded.
1095 | Error | Settings Change: Prefill the logon form with the most recent user name and domain enabled; policy failed. Full Disk Computer Policy - Logon. | An attempt to apply a settings change to prefill the logon form with the most recent user name and domain has failed.
1096 | Info | Settings Change: Prefill the logon form with the most recent user name and domain not enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An attempt to apply a settings change not to prefill the logon form with the most recent user name and domain has succeeded.
1097 | Error | Settings Change: Prefill the logon form with the most recent user name and domain not enabled; policy failed. Full Disk Computer Policy - Logon. | An attempt to apply a settings change not to prefill the logon form with the most recent user name and domain has failed.
1098 | Info | Special Policy: Autologon (bypass user authentication to SEE) enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An attempt to apply an Autologon special policy to bypass user authentication to SEE Full Disk has succeeded.
1099 | Error | Special Policy: Autologon (bypass user authentication to SEE) enabled; policy failed. Full Disk Computer Policy - Logon. | An attempt to apply an Autologon special policy to bypass user authentication to SEE Full Disk has failed.
1100 | Info | Special Policy: Autologon (boot as specified) enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An attempt to apply an Autologon special policy to bypass user authentication to SEE Full Disk as specified has succeeded.
1101 | Error | Special Policy: Autologon (boot as specified) enabled; policy failed. Full Disk Computer Policy - Logon. | An attempt to apply an Autologon special policy to bypass user authentication to SEE Full Disk as specified has failed.
1102 | Info | Special Policy: Autologon terminated. | Autologon has terminated.
1103 | Info | Special Policy: Pre-Windows Autologon success. | Pre-Windows Autologon has succeeded.
1104 | Error | Special Policy: Pre-Windows Autologon failure. | Pre-Windows Autologon has failed.
1105 | Info | Special Policy: Remote decryption of all disk partitions enabled; policy applied successfully. Full Disk Computer Policy - Remote Decryption. | An attempt to apply a special policy enabling remote decryption of all hard disk partitions has succeeded.
1106 | Error | Special Policy: Remote decryption of all disk partitions enabled; policy failed. Full Disk Computer Policy - Remote Decryption. | An attempt to apply a special policy enabling remote decryption of all hard disk partitions has failed.
1107 | Warning | Utility: Access.exe initiated. | Access.exe has been initiated.
1108 | Warning | Utility: Recover /a attempted. | Recover /a has been attempted.
1109 | Warning | Utility: Recover /b attempted. | Recover /b has been attempted.
1110 | Warning | Utility: Windows recovery process attempted. | A Windows recovery process has been attempted.
1111 | Warning | Utility: Recover /d attempted. | Recover /d has been attempted.
1112 | Warning | Utility: Recover /a successfully completed. | Recover /a has been successfully completed.
1113 | Error | Utility: Recover /a failed. | Recover /a has failed.
1114 | Warning | Utility: Recover attempted. | Recover has been attempted.
1115 | Info | Program Action: Logon delay of sixty seconds instituted. | A logon delay of sixty seconds has been instituted.
1116 | Info | Program Action: Logon delay of sixty seconds lifted. | A logon delay of sixty seconds has been lifted.
1117 | Info | Program Action: Normal operations resumed: logon delays will be instituted after [number] attempts, as per policy. | Normal operations have resumed: logon delays will be instituted after [number] unsuccessful logon attempts, as set by policy.
1118 | Info | Program Action: Client Administrator successfully extended the check-in due date. | A Client Administrator has successfully extended the check-in due date.
1121 | Info | Settings Change: Prefill the logon form with the most recent domain enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An attempt to apply a settings change to prefill the logon form with the most recent domain has succeeded.
1122 | Error | Settings Change: Prefill the logon form with the most recent domain enabled; policy failed. Full Disk Computer Policy - Logon. | An attempt to apply a settings change to prefill the logon form with the most recent domain has failed.
1123 | Error | Settings Change: Unsuccessful unlock on locked computer attempted with One-Time Password. Full Disk. | A user attempted to unlock a locked computer using the One-Time Password method, but the attempt did not succeed.
1124 | Info | Settings Change: Successful unlock on locked computer attempted with One-Time Password. Full Disk. | A user succeeded in using the One-Time Password method to unlock a locked computer.
1125 | Info | Settings Change: Client Administrator [account name] has unregistered. Full Disk Computer Policy. |
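The rows in Table A.2 only earn their keep if something watches for them. The script below is an added example, not part of the Symantec guide: it runs a small triage over log records, flags the events that weaken a client's encryption posture once the policy has actually applied (the Info "applied successfully" rows, not their Error twins, which mean the policy was not applied), surfaces recovery-tool usage (Access.exe, Recover /a, /b, /d), and counts consecutive failed One-Time Password unlocks per host. The event IDs and their meanings are those of the table; the tab-separated record layout, the host names and the sample lines are assumptions constructed for this example and do not reflect the real SEE Management Server or Windows event-log export format.

```python
"""Triage of SEE Full Disk system events from Table A.2.

Added example, not part of the Symantec guide. The event IDs and their
meanings are taken from Table A.2; the record layout used here
(tab-separated: timestamp, host, event ID, severity, description), the
host names and the sample lines are constructed for this example and
are an assumption about how the events might be exported, not the real
SEE Management Server or Windows event-log format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Table A.2 events that weaken the encryption posture of a client once the
# policy has actually been applied. Only the Info "applied successfully"
# rows change endpoint state; their Error twins (1091, 1099, 1101, 1106)
# mean the policy was NOT applied and are deliberately not listed.
POSTURE_WEAKENING = {
    1090: "Registered users can decrypt disk (local decryption) enabled",
    1098: "Autologon enabled: user authentication to SEE bypassed",
    1100: "Autologon (boot as specified) enabled",
    1103: "Pre-Windows Autologon succeeded",
    1105: "Remote decryption of all disk partitions enabled",
}

# Table A.2 Warning rows showing recovery / emergency tooling run on a client.
RECOVERY_TOOLING = {
    1107: "Access.exe initiated",
    1108: "Recover /a attempted",
    1109: "Recover /b attempted",
    1110: "Windows recovery process attempted",
    1111: "Recover /d attempted (emergency decryption of the entire disk)",
    1114: "Recover attempted",
}

OTP_UNLOCK_FAILED = 1123   # Table A.2: unsuccessful One-Time Password unlock
OTP_UNLOCK_OK = 1124       # Table A.2: successful One-Time Password unlock
OTP_FAIL_THRESHOLD = 3     # assumption: alert on the third consecutive failure per host


@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    event_id: int
    severity: str
    description: str


def parse_line(line):
    """Parse one constructed tab-separated record; None for blank or malformed input."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None
    timestamp, host, event_id, severity, description = fields
    try:
        return Event(timestamp, host, int(event_id), severity, description)
    except ValueError:
        return None


def triage(lines):
    """Return (host, category, message) findings in the order they are raised.

    Failed OTP unlocks are counted per host and reset by a successful unlock,
    so a single typo never fires but a run of failures does.
    """
    findings = []
    otp_failures = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.event_id in POSTURE_WEAKENING:
            findings.append((ev.host, "posture", POSTURE_WEAKENING[ev.event_id]))
        elif ev.event_id in RECOVERY_TOOLING:
            findings.append((ev.host, "recovery-tool", RECOVERY_TOOLING[ev.event_id]))
        elif ev.event_id == OTP_UNLOCK_FAILED:
            otp_failures[ev.host] += 1
            if otp_failures[ev.host] == OTP_FAIL_THRESHOLD:
                findings.append((ev.host, "otp-bruteforce",
                                 f"{OTP_FAIL_THRESHOLD} consecutive failed One-Time Password unlock attempts"))
        elif ev.event_id == OTP_UNLOCK_OK:
            otp_failures[ev.host] = 0
    return findings


# Constructed sample export (assumed layout); descriptions are Table A.2 text.
SAMPLE_LOG = [
    "2008-06-02T09:14:05\tLAPTOP-017\t1082\tInfo\tSettings Change: a minimum contact period with the SEE Management Server will be enforced; policy applied successfully.",
    "2008-06-02T09:14:06\tLAPTOP-017\t1098\tInfo\tSpecial Policy: Autologon (bypass user authentication to SEE) enabled; policy applied successfully.",
    "2008-06-02T09:20:11\tLAPTOP-017\t1107\tWarning\tUtility: Access.exe initiated.",
    "2008-06-02T09:21:40\tLAPTOP-017\t1111\tWarning\tUtility: Recover /d attempted.",
    "2008-06-02T10:02:00\tLAPTOP-023\t1123\tError\tSettings Change: Unsuccessful unlock on locked computer attempted with One-Time Password.",
    "2008-06-02T10:02:30\tLAPTOP-023\t1123\tError\tSettings Change: Unsuccessful unlock on locked computer attempted with One-Time Password.",
    "2008-06-02T10:03:10\tLAPTOP-023\t1123\tError\tSettings Change: Unsuccessful unlock on locked computer attempted with One-Time Password.",
    "2008-06-02T10:05:00\tLAPTOP-023\t1124\tInfo\tSettings Change: Successful unlock on locked computer attempted with One-Time Password.",
    "2008-06-02T10:06:00\tLAPTOP-031\t1099\tError\tSpecial Policy: Autologon (bypass user authentication to SEE) enabled; policy failed.",
    "not a record",
]

if __name__ == "__main__":
    for host, category, message in triage(SAMPLE_LOG):
        print(f"{host:<12} {category:<15} {message}")
```

Run against the constructed sample, the triage raises four findings: the Autologon policy that applied on LAPTOP-017 (event 1098), the two recovery tools run on the same host shortly afterwards (1107, 1111), and three failed OTP unlocks on LAPTOP-023; the failed Autologon policy on LAPTOP-031 (1099) is correctly ignored because nothing changed on that endpoint. In practice, 1105 (remote decryption enabled) and 1111 (Recover /d) deserve a ticket on every occurrence, since both end with a decrypted disk.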
Glossary

Active Directory
Active Directory is the directory service included with Windows 2000 Server and Windows Server 2003. This service stores information about objects on a network and makes that information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network. Active Directory provides network administrators with a hierarchical view of the network and a single point of administration for all network objects.

Active Directory Policies
Active Directory policies are one of two types of policies that can be created and deployed from the SEE Manager. They feature seamless integration with well-known Active Directory toolsets and include user as well as computer policies.

Active Directory Users and Computers Snap-in
The Users and Computers snap-in from Microsoft is used to find and organize the User and Computer objects in an Active Directory structure.

Automatic Authentication
If the Client Computer is set for automatic authentication, SEE Full Disk will not require valid SEE credentials to be provided before allowing Windows to load. This option relies on Windows to authenticate users. In addition, users will be registered automatically unless a registration password is required. Requiring a registration password helps avoid reaching the maximum registered user limit and limits the number of users who can gain access to the User Client Console.

Client Administrator
Client Administrators provide local support to SEE users and guarantee that SEE-protected computers remain accessible even when all SEE users have been removed from those computers. When creating or updating Client Administrator accounts, the Policy Administrator assigns one of three privilege levels:
High: unregister registered users, decrypt encrypted partitions, extend the Client Computer's next communication date, and unlock Client Computers.
Medium: decrypt encrypted partitions, extend the Client Computer's next communication date, and unlock Client Computers.
Low: extend the Client Computer's next communication date and unlock Client Computers.
Client Administrators cannot change their own passwords or use any password-recovery methods.

Expand, Expanded, to Expand
To reveal the contents of a container. This action is initiated by clicking the plus sign to the left of the container as displayed in the left pane of the Microsoft Management Console.

Group Filtering
Also known as Security Group Filtering or Security Filters. Security Filters applied to a Group Policy Object limit the scope of that Group Policy Object.

Group Policy Management, Group Policy Management Console Snap-in
A snap-in from Microsoft that an SEE Policy Administrator can use to assign SEE client MSI packages and policies to users and computers.

Group Policy Object (GPO)
An object in Active Directory that contains user and/or computer policies, and possibly software deployment policies.

LSDOU
This acronym describes the order in which GPOs are applied: Local (1), Site (2), Domain (3), OU (4). A GPO applied later overrides conflicting settings from one applied earlier, so OU-linked policies have the highest precedence and local policy the lowest (the Enforced and Block Inheritance options on a GPO link or container alter this).

Management Password, Management Password Snap-in
The Management Password controls access to snap-ins and snap-in functions used to support SEE Full Disk endpoints. It can be changed using the Management Password snap-in from the SEE Manager.

Microsoft Management Console (MMC)
Microsoft Management Console is a container User Interface (UI) that provides no functionality by itself. Each Microsoft Management Console process can host a set of snap-ins displayed in one or more windows. The layout of a Microsoft Management Console can be saved as a file with an .msc extension.

Microsoft Management Console Tree
The folder-like structure of snap-ins in a Microsoft Management Console. Snap-ins can be standalone, i.e., added to the root of the MMC tree, or they can be extensions of other snap-ins.

Microsoft Windows Installer (MSI)
A format for self-contained database files containing the requirements and instructions that the Windows Installer uses when installing applications. MSI packages can be deployed via Group Policy Objects.

Native Policies
Native policies are one of two types of policies that can be created and deployed from the SEE Manager. Native policies do not rely on any existing directory service for managing SEE Client Computers. Unlike SEE Active Directory policies, native policies apply to computers only and cannot be applied to users.

Novell eDirectory
An LDAP-based directory service from Novell. Computers that are members of an eDirectory domain can be managed using SEE native policies. Information from eDirectory can optionally be synchronized to the SEE Management Server, allowing SEE native policies to be applied according to the organizational structure maintained in eDirectory.

Objects
The term objects is used to refer to any Active Directory object. This includes individual Users, Computers, or Policies, as well as Groups of Users or Computers. See also Containers.

One-Time Password (OTP)
The One-Time Password (OTP) Program allows registered users to recover from a forgotten password with help desk assistance. It also allows users to regain access to their computer after it has been locked for a failure to communicate with the SEE Management Server. This assistance provides the user with a one-time password or response key, which allows the registered user to authenticate temporarily. The user is then prompted to enter a new password. Two methods are available for assisting registered users: online and offline. The online method is easier and more secure, but will not succeed unless the Client Computer has made contact with the SEE Management Server at least once following the registration of the user requiring assistance. The offline method can be used if the online method fails or if the Client Computer has never checked in with the SEE Management Server. The registered user provides the help desk with an OTP personal identifier, created during registration and updated using the User Client Console, to help confirm their identity. They also provide the help desk with a challenge key; the help desk in turn provides the user with a response key.

Policy Administrator
Policy Administrators perform centralized administration of SEE. Using the Manager Console and the Manager Computer, the Policy Administrator:
- Creates and deploys client installation packages.
- Updates and sets client policies.
- Runs reports.
- Changes the Management Password.
- Runs the One-Time Password Program.
- Creates the computer-specific Recover DAT file necessary for Recover /B.
- Reconfigures the SEE Management Server, as necessary.
Access to SEE snap-ins can be restricted on a per-snap-in basis, giving the domain or higher-level administrator flexibility when assigning specific Policy Administrator duties.

Recover Program
The Recover Program can be used if a Client Computer encounters a serious error and cannot load Windows. The program attempts to regain access to data on the hard disk by repairing the SEE client database files (Recover /A), performing an emergency decryption of the entire hard disk (Recover /D), or restoring the encryption keys (Recover /B).

SEE Framework
SEE Framework provides SEE-wide features, such as authentication methods and settings, as well as registered user and Client Administrator accounts and information.

Single Sign-On (SSO)
A feature that allows SEE users to log on to both Windows and SEE with their Windows password. To activate an SSO policy, the Client Computer must reboot. SSO is not relevant to automatically authenticated users.

Snap-in
A Dynamic Link Library (DLL) file user interface module designed to be loaded into a Microsoft Management Console.

Symantec Endpoint Encryption Software Setup Snap-in
A snap-in from Symantec that allows SEE Policy Administrators to customize SEE client installation settings before deployment.

User
At least one user is required to register with SEE on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of four screens. The registration process can also be configured to occur without user intervention. Authentication to SEE Full Disk can be configured to occur in one of three ways:
Single Sign-On enabled: The user is prompted to authenticate once each time they restart their computer.
Single Sign-On not enabled: The user must log on twice: once to SEE Full Disk and then separately to Windows.
Automatic authentication enabled: The user is not prompted to provide credentials to SEE Full Disk; the authentication process is transparent. This option relies on Windows to validate the user's credentials.
Index

A
Active Directory policies 3, 8, 10, 12, 16, 17, 19, 20, 21, 62, 63
architecture
  Symantec Endpoint Encryption 1
Authenti-Check 16
autologon
  indefinite 19
  policy only setting 4
  policy options 18
automatic authentication 5, 14, 62

C
Client Administrator
  policy 13
  privilege levels 5
  single-source passwords 5
Client Computers
  communication with 16, 20
  lockouts and 20
custom startup image 3, 18

F
forcing an immediate policy update 21

G
gpupdate /force 21
grace restarts 15
Group Policy Object Editor (GPOE) 12

I
installation only settings 3

L
Local, Site, Domain, OU (LSDOU) 63

M
Management Password
  changing 27, 64
  definition of 63
  setting 27
  snap-in 4
  use of 27, 28, 30, 37
Manager Console
  endpoint containers 2
  location of 2
  SEE Managed Computers 3, 22

N
native policies 3, 13, 22, 24
  names of 13
Native Policy Manager 4, 12, 13

O
One-Time Password
  offline method 17, 30, 32, 33, 34, 35, 48, 64
  online method 7, 17, 30, 31, 32, 33, 35, 48, 64
  overview 28, 64
  policy options 17
  snap-in 4
  using 29
OTP communication unlock policy 4, 17

P
policy only settings 4
policy update
  forcing an immediate update 3, 21

R
Recover Program 7, 36, 64
  /A option 36, 61, 64
  /B option 4, 6, 7, 27, 37, 61, 64
    Recover DAT file 4, 6, 36, 37, 38, 64
    Recovery Password 37
  /D option 36, 61, 64
remote decryption policy 4, 19
Resultant Set of Policy (RSoP) 8, 10

S
SEE administrator roles 4
SEE database instance
  location of 2
SEE Framework
  about 1
synchronization
  about 2, 3, 6, 22
  timing of 2
  with both Active Directory and Novell 2

U
users
  automatic unregistration of 15
  forcing re-registration of 14
  local administrative rights and 5
  local decryption rights 20
  registration password and 14

W
Windows system events 43