EMBASSY Remote Administration Server (ERAS) Administrator Manual
Part I: Introduction, Main Management Principles and Components
ERAS Version 2.8
Document Version 1.0.0.23
http://www.wave.com
ERAS v 2.8 Wave Systems Corp. 2011
Contents
Contents ... 4
1. Introduction ... 5
   Technical Support ... 6
2. ERAS Overview ... 7
3. ERAS Management Console ... 9
3.1 Role Management ... 11
   Adding a user to a role ... 11
   Role Definitions included in ERAS ... 14
   Managing Role Definitions ... 14
   Task Definitions included in ERAS ... 15
   Managing Task Definitions ... 16
3.2 ERAS Search and Logging ... 17
   Finding Computer by TPM, TD, BIOS and BitLocker management status criteria ... 18
   Server Log Filter ... 18
   Searching Event Log by Trusted Drive, Serial Number or Model Number ... 19
   Client Audit Log Consolidation ... 21
3.3 Multi-domain support ... 21
   Adding a Different Domain User to a Trusted Drive ... 23
   Deleting the User Account from Active Directory ... 24
   Moving Client Machine from Domain ... 24
3.4 Manage Wizard ... 24
3.5 Server Settings UI ... 25
3.6 Pending Operations ... 27
3.6 General Tab Overview ... 28
4. Managing and Applying Policies ... 29
4.2 TDM settings using Group Policy Management Console ... 29
   ADMX Policy Deployment ... 29
4.4 ERASConnector.msi Deployment ... 30
   ERASConnector.msi installation on domain clients ... 30
   ERASConnector Call from Client ... 31
4.5 Installing ERASProvider versus ERASConnector ... 31
   Command-line options for ERASProvider ... 31
4.6 Failure using command line parameters when installing ERASConnector or ERASProvider ... 32
5. Non-Domain or Un-Trusted Domain Management Support ... 33
   Command-line options for ERAS Connector ... 33
   Adding Local Users ... 33
   Workgroup or Non-Trusted Domain Client Management with ERAS ... 33
   GPO propagation to Workgroup or Non-Trusted Domain Clients ... 34
   Workgroup or Non-Trusted Domain ERASCMD Syntax Rules ... 34
   Auto-Enrollment ... 34
   Manual Enrollment for Workgroup or Non-Trusted Domain Computers ... 35
   User Report for Foreign User ... 35
6. ERAS External Client Tree Naming Convention Adding Users ... 36
   Workgroup Computer Name Change ... 36
6.1 ERAS communication outside a firewall ... 38
7. Command line operations ... 39
   Command line format ... 39
   ERAS Sample Command Scripts ... 47
   Command Prompt UpdateMBR Instructions ... 48
8. ERAS Reports, Event Logging and License Management ... 51
8.1 Reports ... 51
   Trusted Drive Management Report ... 53
   BitLocker Drive Management Report ... 54
   Export Reports ... 57
   Trusted Drive Authentication Log Report ... 57
   Other Report Samples ... 58
8.2 Event Logging ... 59
8.3 License Management ... 60
   Activate License ... 60
   Renew (Add) License ... 60
   Maximum number of items displayed per folder ... 61
   Update Seats Button ... 61
   Clear TPM License ... 61
9. High Availability and Disaster Recovery ... 62
   Changing ERASService Password using IIS6 ... 64
   Changing ERASService Password using IIS7 ... 64
   Database Backup and Recovery ... 65
   Update Master Password for Database ... 66
   Master Key Back Up ... 67
   ERAS Database Restore and Resetting Database Connection ... 67
   ERAS Database Restore on Different Database or Machine ... 68
   Master Key Restore ... 68
   Server Recovery on the New Platform ... 69
   Clustered Environment ... 70
   Additional setup instructions for ERAS ... 70
Appendix I ... 71
   ERAS Icon Reference ... 71
Appendix II ... 72
   Additional Sources ... 72
   Terms and definitions ... 72
Appendix III ... 74
   Wave Software Terminology ... 74
   Task Definitions ... 74
   Tasks by Role ... 76
   Select Dell ControlVault Platforms ... 76
   Default Server Settings ... 77
Appendix IV ... 80
   Configuring TDM Password Filter ... 80
   MMC.EXE.CONFIG Table ... 80
   EnableFumc and StandbySleepMode in Server Settings UI ... 80
   StandbySleepMode ... 80
Appendix V ... 81
   WaveSystemsCorp Policies ... 81

Contents of Part II: Remote Administration of Self-Encrypting Drives and Smart Card Support
Contents of Part III: BitLocker, Trusted Platform Module, SafeNet ProtectDrive and Dell BIOS & CV Management
1. Introduction

Welcome
Welcome and thank you for choosing Wave's EMBASSY Remote Administration Server (ERAS) software. This manual contains the information needed to configure, use and perform management tasks with the EMBASSY Remote Administration Server (ERAS) software.

Intended Audience
This document is intended for system administrators and other information technology personnel responsible for installing, deploying and administering the EMBASSY Remote Administration Server (ERAS) software.

Documentation
The ERAS Administrator Manual provides an overview of ERAS from Wave Systems and more in-depth detail about the product, its components and its functionality:
Part I: Introduction, Main Management Principles and Components
Part II: Remote Administration of Self-Encrypting Drives and Smart Card Support
Part III: BitLocker, Trusted Platform Module, SafeNet ProtectDrive and Dell BIOS & CV Management

All three parts are consolidated in the ERAS Admin Manual PDF that opens when F1 is pressed from within ERAS. It is also accessible from the root directory. The document version is reflected in the shipped readme.txt file. Additional documents included in the root directory of the ERAS CD are:
ERAS Installation Guide
ERAS HelpDesk Guide
ERAS Quick Start Installation Guide v2.1
ERAS Best Practice Guide_v2.1
ERAS Installation Flowchart 1.1
ERAS Troubleshooting Guide
ERAS BitLocker Deployment Guide

What do these mean?
These items denote: Important actions or tasks that need to be taken by the Admin or User; Preparations, Needed Files or Settings required for a particular action
These items denote: Important Information and/or Additional Requirements
These items denote: Warning
Technical Support
Additional information, technical support and contact information for ERAS can be found online:
Refer to the Wave Systems website http://support.wavesys.com
or E-mail your questions or issues to: support@wavesys.com
Toll free: (800) WAVE-NET
Tel: (413) 243-1600
Fax: (413) 243-0045
2. ERAS Overview

EMBASSY Remote Administration Server (ERAS) provides remote management for a new generation of hardware security that is embedded within PC platforms. Security hardware embedded into PCs enables stronger data protection and authentication. ERAS provides the server infrastructure that enables enterprises to manage and leverage both TPM security chips and self-encrypting hard drives in the individual PCs deployed across the organization. ERAS is also integrated with Active Directory and GPO so that central IT can take ownership, providing directory-based management for the embedded security now shipping in enterprise PCs.

Direct management of client machines uses Microsoft 128-bit encrypted Windows Management Instrumentation (WMI). ERAS also uses Windows AES 256-bit encrypted Windows Communication Foundation (WCF) for asynchronous device management through ERASConnector, over the HTTP protocol on any assigned port. ERASConnector allows the client to initiate device management based on operations placed in a queue, also referred to as pending operations.

ERAS Overview Diagram
ERAS includes the following auxiliary components:
ERAS Server and Tools: a setup program that installs the server components, creates the ERAS SQL database and configures the necessary settings. The server component includes ERAS Core, the ERAS SQL Server database, the Management Console and the command-line interface.
ERAS Remote Management Console: an independent remote management console to perform ERAS management operations from any machine in the domain.
ERAS Helpdesk: a web service for helpdesk personnel.
ADM or ADMX (Windows 2008 Server or above): the group policy deployment component.
ERAS client configuration: two sets of .msi files (32-bit and 64-bit) for each deployable type, which can be pushed to the client.
ERASCMD: a command-line utility that allows execution of ERAS management functions from the command-line window using scripts.
ERAS Script: gives the administrator a portable command-line utility. The tool allows the administrator to run SED deployment commands from any machine on the network against ERAS, which then initiates the task on the target machine.
3. ERAS Management Console

The ERAS management console is a snap-in that can be run from any qualified domain computer. The primary functions of the ERAS console are:
Manage clients
Initialize the TPM or Trusted Drive
Manage BIOS and CV (Dell platforms only)
Enroll users
Configure client settings
Reset passwords
Perform advanced functions
Search for clients
Examine attributes of a client
Define and assign delegated administration rights

ERAS Console

ERAS allows an administrator to navigate from both panes of the console. For the purposes of this section, management is performed on one computer at a time, but the ability exists to manage multiple units at once. More specifically, ERAS facilitates management of multiple TPMs and multiple Trusted Drives at the same time.

In the ERAS Management Console shown above, double-click on EMBASSY Remote Administration Server in the scope pane to perform ERAS management operations. OUs listed under the domain nodes in the scope pane can be clicked to view the platform list in the result pane.
The details pane, located on the right-hand side, has six columns by default, from left to right:
Name: domain name or computer name.
TPM Status: Unmanaged; Enabled: Active; Not detected; Deactivated: Disabled. Both the Enabled and Deactivated statuses can also show Detection Failed, which results when the TPM cannot be accessed.
Trusted Drive(s) Status: Unmanaged; Not detected; or the number of trusted drives installed on the client machine, each shown as Initialized or Uninitialized and Unlocked or Locked.
BIOS Status: displays the BIOS management information. Unmanaged, or Managed (states the managed items: Admin, System and HDD BIOS passwords).
ControlVault Status (select Dell platforms): Unmanaged or Managed.
Location: directory path of the computer.
Access Time.

The columns on the console can be configured (reordered, enabled or disabled) using the View menu, Add/Remove Columns option. This allows the column display to be configured as shown in the next two screenshots.
3.1 Role Management

The ERAS console can be used to manage role definitions, task definitions and role assignments.

Adding a user to a role
1. From the ERAS Console, right-click on Authorization Manager and select Open Authorization Store.

Change ERAS Console from Author Mode
1. Open the ERAS console.
2. On the File menu, select Options.
3. In the Options window, as below, change Console mode to "User mode - limited access, single window".
4. If "Allow the user to customize views" is checked, uncheck this checkbox.
5. Save the console.

2. In the Open Authorization Store screen, use the Browse button to select the correct store name. By default, if ERAS detects the presence of Microsoft SQL 2008 or better during installation, the authorization store uses the database. If the database is Microsoft SQL 2005, the user can choose to work with either Active Directory or the XML file.
On Microsoft SQL 2008 and above, where AzMan does not pre-populate the database location, use the following template string:
mssql://driver={sql Server};Server={HOST\INSTANCE};/ERASAzMan/ERAS Role Management
For example, if your SQL box is wk200820\sqlexpress, the string would be:
mssql://driver={sql Server};Server={wk200820\SQLExpress};/ERASAzMan/ERAS Role Management

Detailed remote administration of the Trusted Drive and the TPM is covered in Part II and Part III of this manual, respectively.

When the domain functional level is not raised to 2003, one must select the XML policy file (ERASPolicy.xml) from the system32 folder. The XML version can also be used if one does not wish to use the AD version. On a 64-bit OS this XML file is located in SysWOW64.

Role Management Considerations:
It is highly recommended that role management is done from the main server console. In cases where Windows Server 2003 is functioning at a 2000 level, the ERASPolicy.xml file is used rather than Active Directory. If one wishes to manage roles from the remote console, equivalent copies of the XML file must be maintained on all remote consoles and on the main computer after modifying the role assignments.

3. Authorization Manager can now be expanded in the ERAS Console. Navigate to Authorization Manager\ERAS Role Management\EMBASSY Remote Administration Server.
4. Expand Role Assignments and right-click on System Administrator. Select Assign Windows Users and Groups. (The same procedure can be used for the roles of Security Officer, Enrollment Agent and Help Desk.)
5. The Select Users, Computers or Groups screen pops up. To add a user to the System Administrator role, enter the username in the names field and click OK.
6. Repeat steps 4 and 5 (with the relevant selection of role assignment) to add users to any of the roles Enrollment Agent, Help Desk, Security Officer or System Administrator.

Here one would start by selecting System Administrator, which has a defined role in ERAS and also comes with a profile of defined tasks. These tasks can be expanded or reduced for the role, or new roles can be created and customized to fit the organization's needs.

Now look at the role definitions provided by ERAS. From the ERAS console, navigate to and expand the left pane again as done previously, and under Definitions highlight Role Definitions as seen below.

Role Definitions included in ERAS:
Enrollment Agent
Help Desk
Security Officer
System Administrator
(Definitions of roles already supplied by ERAS)

The management of Role Definitions allows your organization to implement requirements that best fit your company profile. For example, there may be a need to expand some of the functions of the Security Officer role, since some organizations do not assign the non-IT administrative role, Help Desk. In that case the Security Officer role can be redefined to include the Task Definitions of the Help Desk role.

Managing Role Definitions
1. If starting a new session, follow steps 1-3 above to open the authorization store and navigate to EMBASSY Remote Administration Server.
2. Click + on Definitions to expand it; this turns it into a minus sign.
3. Select Role Definitions. Select the role to be managed, System Administrator for example.
4. The Definition Properties screen pops up. Select the Definition tab.
5. To add tasks to the role, select the Tasks tab. Click on the tasks to add to the role. Select OK.
6. Or, to remove tasks from the role, select the tasks in the Definition Properties screen. Click on Remove.
The same sequence can be used to set the definitions for Help Desk, Security Officer and Enrollment Agent with the appropriate selections.
Task Definitions included in ERAS:
(An example of modifying Tasks for the System Administrator role)
TDM User Management
TPM User Management
TDM Password Management
TPM Password Management
CV Password Management
Manipulate TDM
View BIOS Passwords
Retrieve TDM Recovery Password
Unlock TPM
General TPM Ownership Management
Manipulate TPM
BIOS Password Management
CV User Management
Reset TPM Task
ERAS Administration
Erase TD Task
View Reports
View CV Passwords
Here is a view from the ERAS Console Task Definitions. Similar to how one accessed role definitions, one can access the task definitions. The next diagram shows how one can add or remove task definitions to limit or enhance a task definition.

Managing Task Definitions
1. If starting a new session, follow steps 1-3 above to open the authorization store and navigate to EMBASSY Remote Administration Server.
2. Click + on Definitions to expand it; this turns it into a minus sign.
3. Select Task Definitions; the tasks appear in the right pane. Select the task to be managed. The Definition Properties screen pops up. Select the Definitions tab for a list of the operations that define the task.
4. As with Role Definitions, select Add to add operations to a task; to remove operations from a task, select the operation(s) and click Remove.

Role management changes may not take immediate effect and may require an IIS restart.
3.2 ERAS Search and Logging

This tool allows for a search of client machines within a domain. Right-click on Computers under the domain to be searched and select Search. Below is the Search for Computers filter, which allows searches based on various criteria of the TPM and Trusted Drive, as seen on the next page. This built-in search is only supported on the installed domain.
Finding Computer by TPM, TD, BIOS and BitLocker management status criteria
When searching for a computer by computer name, additional functionality allows the query to be narrowed by TPM, TD, BIOS, CV and BitLocker status. When no TPM, TD, BIOS, CV or BitLocker status is selected, all computers with names starting with the specified input string are retrieved. When at least one TPM, TD, BIOS, CV or BitLocker status is selected, only the computers matching both the input string and the specified condition(s) in TPM, TD, BIOS, CV and BitLocker status are retrieved.

In ERAS, the computer search is a wildcard search by default. That is, when the specified input string is abc, the search returns the computers whose names start with abc. No wildcard character is needed for a wildcard search. One selects the filters to apply by highlighting them on the left and clicking the Add-> button to move them to Selected Filters on the right.

Server Log Filter
The ERAS transactions that change the state of the trusted drive are recorded in the ERAS database. The information can be retrieved using the filter shown below. One can access the Server Log Filter from ERAS: select the computer(s) in the right panel, then right-click and select View Server Log to see the logs associated with the computer(s). Logs can also be filtered by OU: find the OU in the console, right-click on it and select View Server Logs.
Searching Event Log by Trusted Drive, Serial Number or Model Number
Besides searching the Event Log by target computer name, additional functionality is included to filter the event log by Trusted Drive Serial Number or Model Number. Right-click the node under the domain node to view the log filter as below.

The search for Unlocked drives generates a list of PC(s) that have a Trusted Drive that is either initialized or uninitialized. Functionality has been introduced to query the event log when a Trusted Drive is relocated. Right-clicking the node EMBASSY Remote Administration Server, which is above the domain node, brings up the following dialog to query the event log by Trusted Drive Serial Number or Model Number:
The ERAS transactions that change the state of the trusted drive are now recorded in the ERAS database. This information can be retrieved using the provided filter. All Trusted Drive Operations is listed by default. The operations include several groups and individual operations. Some operation groups are:
1. (group) User Management
2. (group) Trusted Drive Management
3. (group) Bios Management
4. (group) Control Vault Management
5. (group) BitLocker Management

Below is a view of the log record for a new computer's activity pertaining to Trusted Drive Initialization, Reset User Password and Add User. One would select and double-click to view the event within the log as seen below.

Server Logs
It is also possible to add further detail to the log once it has been generated, by selecting View from the menu and then Add/Remove Columns.
Event for Trusted Drive initialization

Client Audit Log Consolidation
Authentication logs from self-encrypting drives (SED) can be uploaded to ERAS so that administrators can view an audit trail on any SED managed by ERAS. Installation of ERASConnector.msi on the client machine is needed for communication and upload of these logs. This allows ERAS to maintain a record of these events, and reports can then be generated on ERAS from these logs for further analysis.

3.3 Multi-domain support

There is now support to load multiple domain root nodes from the Console UI, where the domain is accessible to the ERAS console machine. The admin can manage any computer in a domain where there is a trust relationship between the domain to be managed and the current user's domain. The computer administrator and user can be any user in any of the accessible domains that can be browsed. A domain node can be removed from the UI by right-clicking the node and then clicking Remove. The default domain cannot be removed from the console.

ERAS has the capability to manage client machines on other domains if the appropriate trusts are established between the domains. To locate another domain on the network through ERAS, do the following: in the left frame, right-click on EMBASSY Remote Administration Server (ERAS Machine Name) and select Connect to Domain. A small window appears where the domain name can be typed into the empty field; click OK and the domain tree for that domain appears in the left frame, where it can be expanded by clicking on the + sign.
Right-clicking on EMBASSY Remote Administration Server (Machine_Name) on the left of the ERAS console provides the menu shown here on the right.

ERAS does not allow installation of a second instance of ERAS Server in another domain. Only remote management of platforms is supported across domains in a forest with established trust relationships.

After one adds a user from another
It may be impossible to remove a user from a role if the user is not part of the same domain.
Additional view of ERAS with expanded tree nodes and managing two domains

Adding a Different Domain User to a Trusted Drive
As referenced in Part II of the ERAS Administration Manual under TDM management, a user is added within the same domain by default. To add a user from another domain, click the Location button at that point and select the domain in which the user resides. In this example the user Wave User01 resides in the domain wavematrix.local and is being added to a machine located in wavematrix02.local. Once the appropriate location is selected, one can search for Wave User01. The two steps are reviewed below and on the next page.

Step 1: Click on the Location button and select the appropriate domain. This may differ depending on the established trust configuration.
Step 2: The appropriate domain now appears in the "From this location" field, and the user from that domain can be selected. These steps are discussed in Part II of the ERAS Administration Manual under TDM management.

Deleting the User Account from Active Directory
Before deleting a user account from Active Directory, remove the corresponding user account from the Trusted Drive users list on all PCs with any Trusted Drive that grants access to that user. This can be done from the ERAS console, from the command line or from scripts. If the computer is no longer available on the network, the user account can be removed locally using the command-line utility and the administrator password.

Moving Client Machine from Domain
When a client machine is moved from one domain to another, the user or admin needs to uninstall ERASProvider.msi or ERASConnector.msi, then install it again. This establishes the appropriate privileges on the client so that it is tied to the appropriate domain; otherwise refresh will fail.

3.4 Manage Wizard

To access the management wizard in ERAS 2.8, right-click on a computer displayed in the right pane of the snap-in; or, to make a selection of all the computers in the Computers folder or in an organizational unit, right-click that item in the left pane. When one right-clicks and selects Manage Devices, a second menu is displayed to the right with the following possible wizard selections:
Trusted Drive
BitLocker Volumes
TPM
System BIOS (specific to Dell platforms)
ControlVault (select Dell platforms)

ERAS can also be configured to manage only the desired items through a Configuration Settings user interface, which is discussed in the next section.
3.5 Server Settings UI

ERAS now has a server settings window to customize the ERAS view to your organization's needs. It is accessed from the right-click menu on EMBASSY Remote Administration Server (Machine_Name) in the ERAS snap-in by selecting Change Server Settings. For instance, if one does not wish to have the CV management tab or System BIOS tab available on the client management tab, change the Value field from True to False using the dropdown menu in those fields as shown below.

Changes made in the Server Settings UI may require a restart of IIS in order to be applied. Note that, as a general rule, restarting IIS can be used to apply changes to the ERAS configuration.

An overview of the settings and screenshots are presented on the next page. For default settings and descriptions, please review the end of Appendix III.
Client Reconnect Interval - default value 1440
Client Retry Communication Interval - default value 10
The ERAS Client Connector is required for the use of Postpone Operations.
Note: The description for 'Initialize First Drive Only' should indicate that it applies to the Manage Wizard only.
Server Settings Parameters
Allow these special characters in auto-generated passwords
Auto-enroll foreign client to ERAS
Automatically lock Trusted Drives after first Smart Card user is enrolled
Bypass ICMP when validating network access to remote computer
Client Reconnect Interval (minutes)
Client Retry Communication Interval (minutes)
Default to checked state for Allow temporary passwords checkbox on SED initialization user interface
Default to checked state for Smart card authentication factor checkbox on SED initialization user interface
Enable BitLocker management
Enable ControlVault management
Enable foreign client management
Enable FUMC settings by default
Enable password filtering for Trusted Drives
Enable pending operation
Enable ProtectDrive management
Enable standby and sleep mode settings by default
Enable Systems BIOS management
Enable TPM management
ERAS console wait time
ERAS database query timeout in seconds
Exclude these characters in auto-generated passwords
Foreign client container name
Foreign client maximum reconnect interval (minutes)
Foreign client minimum reconnect interval (minutes)
Initialize first Trusted Drive only (Manage Wizard)
Maximum base 10 digits allowed in auto-generated passwords
Maximum instances of any character allowed in auto-generated passwords
Maximum length allowed in auto-generated BIOS passwords
Maximum length allowed in auto-generated Trusted Drive and ControlVault passwords
Maximum non-alphanumeric characters allowed in auto-generated passwords
Maximum number of records to return in search for computers
Maximum upper-case characters allowed in auto-generated passwords
Minimum base 10 digits allowed in auto-generated passwords
Minimum length allowed in auto-generated BIOS passwords
Minimum length allowed in auto-generated Trusted Drive and ControlVault passwords
Minimum non-alphanumeric characters allowed in auto-generated passwords
Minimum upper-case characters allowed in auto-generated passwords
Number of allowed logins to Trusted Drives before enrollment (1-5)
Password recovery method
Recovery key length
Remote management preference
Show failed pending operations
Use extended user account mode
Validate user access to computer objects
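The auto-generated password settings listed above together define a policy: length bounds, minimum and maximum counts of digits, upper-case and non-alphanumeric characters, a cap on how often any one character may appear, and allowed and excluded character sets. The following Python script is an added example and is not ERAS code or Wave's implementation; it models such a policy, reports every constraint a candidate password violates, and generates compliant passwords from a CSPRNG. The class name, field names and default values are this example's own assumptions, not ERAS configuration keys.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Constraints modelled on the ERAS auto-generated password settings.

    Field names and defaults are this example's own (hypothetical); they
    are not ERAS configuration keys and the values are constructed.
    """
    min_length: int = 8            # Minimum length (Trusted Drive / ControlVault)
    max_length: int = 16           # Maximum length
    min_digits: int = 1            # Minimum base 10 digits
    max_digits: int = 4            # Maximum base 10 digits
    min_upper: int = 1             # Minimum upper-case characters
    max_upper: int = 4             # Maximum upper-case characters
    min_special: int = 1           # Minimum non-alphanumeric characters
    max_special: int = 2           # Maximum non-alphanumeric characters
    max_repeat: int = 2            # Maximum instances of any one character
    allowed_special: str = "!@#$%^&*"  # Allow these special characters
    excluded_chars: str = "0O1lI"      # Exclude these characters (look-alikes)


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return every policy violation found in `password`; an empty list means compliant."""
    problems = []
    n = len(password)
    if not policy.min_length <= n <= policy.max_length:
        problems.append(f"length {n} not in {policy.min_length}-{policy.max_length}")

    digits = sum(1 for c in password if c.isdigit())
    upper = sum(1 for c in password if c.isupper())
    special = sum(1 for c in password if not c.isalnum())
    for label, count, lo, hi in (
        ("digits", digits, policy.min_digits, policy.max_digits),
        ("upper-case", upper, policy.min_upper, policy.max_upper),
        ("non-alphanumeric", special, policy.min_special, policy.max_special),
    ):
        if not lo <= count <= hi:
            problems.append(f"{label} count {count} not in {lo}-{hi}")

    # Non-alphanumeric characters must come from the allowed set only.
    bad_special = sorted({c for c in password
                          if not c.isalnum() and c not in policy.allowed_special})
    if bad_special:
        problems.append(f"special characters not allowed: {''.join(bad_special)}")

    excluded = sorted({c for c in password if c in policy.excluded_chars})
    if excluded:
        problems.append(f"excluded characters present: {''.join(excluded)}")

    repeated = sorted({c for c in password if password.count(c) > policy.max_repeat})
    if repeated:
        problems.append(f"characters exceeding {policy.max_repeat} instances: {''.join(repeated)}")
    return problems


def generate_password(policy: PasswordPolicy, max_attempts: int = 10000) -> str:
    """Generate a policy-compliant password by rejection sampling over a CSPRNG,
    so that enforcing the limits does not bias any particular position."""
    pool = [c for c in string.ascii_letters + string.digits + policy.allowed_special
            if c not in policy.excluded_chars]
    for _ in range(max_attempts):
        length = policy.min_length + secrets.randbelow(policy.max_length - policy.min_length + 1)
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if not check_password(candidate, policy):
            return candidate
    raise ValueError("policy could not be satisfied; check for contradictory limits")


if __name__ == "__main__":
    policy = PasswordPolicy()
    generated = generate_password(policy)
    print(generated, check_password(generated, policy))
    print(check_password("password", policy))
```

check_password lists every violated constraint rather than stopping at the first one, which is what an administrator needs when reconciling a rejected password against the server settings; the generator raises instead of looping forever if the configured limits contradict each other (for example a minimum digit count larger than the maximum length).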
3.6 Pending Operations

Once postpone operations is enabled in the server settings, management tasks can be placed into a queue. Pending operations are queued task(s) for computers intermittently connected to the network and for management of non-domain machine(s), provided that the client computer can connect to the ERAS proxy server. This is done with the assistance of the ERASConnector, which broadcasts a directed message based on its location.

When a management operation cannot reach the destination computer, it is postponed. When the client is connected back to the network, which can be an intranet or internet-qualified connection to the ERAS server, it receives a message from the ERASConnector. ERAS determines whether to execute the postponed operation directly or to return the postponed operation to the ERASConnector in the reply.

HTTP communication between ERAS and the Connector is protected by the Microsoft WCF message encryption protocol: initial TLS negotiation via WS-Trust, with SOAP messages encrypted (AES-256 algorithm) and signed.

If a client computer is offline and a couple of management operations are performed, they go into pending. ERASConnector.msi must be installed on the client machine; then reconnect the computer to the network. This triggers the operations to be performed on the client machine.

To view the Pending Operations, right-click on EMBASSY Remote Administration Server and select View Pending Operations. Once operations are in pending status, one can choose to pause, cancel or resume the selected operation. The administrator can search for specific operations and assign the order of the management actions.
Pending Operations Window

3.6 General Tab Overview

The General tab displays computer information and reports the IP address of the client. The View Installed Programs button displays the installed Wave software components on the client machine. The lower half of the General tab is reserved for Pending Operations. The Current View displays the current operations on the client, and the Expected View shows the operations that will occur, or are expected to be seen, once Pending Operations has completed its queued tasks. This is accessible from the console for any client machine once it has been refreshed.
4. Managing and Applying Policies

Background Information
At installation time, ADM or ADMX (Windows 2008 Server or above) files can be installed on the domain and administered to organizational units. The most used ERAS policies relate to the use of SEDs. The ERAS ADM file contains group policy objects associated with TDM that are administered using the GPO manager. The ERAS ADMX policies include additional policies that support smartcard/CAC functionality, and are only supported in Domain Controller environments of Windows 2008 or above. The location for these policy files is:
<Program Files>\WaveSystems\Embassy Remote Administration Server\Support

4.2 TDM settings using Group Policy Management Console

ADM or ADMX (Windows 2008 Server and above) files allow the software settings to be customized by group policies. The ADM and ADMX folders are located in:
<Program Files>\WaveSystems\Embassy Remote Administration Server\Support\Group Policy
The ADMX file contains a number of Wave Systems Corp policies and is available for Windows 2008 Servers and above. For the Windows 2003 domain functional level, policies use the ADM files provided in the same directory mentioned in this section. For more information on all policies contained in WaveSystemsCorp.admx, please refer to the appendix.

The ADM and ADMX policies deploy the general TDM-related settings:
Enable Windows Password Synchronization (WPS) - ensures that the user's Trusted Drive password and the user's Windows password are identical.
Enable Single Sign On (SSO) - combines trusted drive pre-boot authentication and the Windows OS post-boot authentication into a single authentication step.
Remember last user - a policy option; if enabled, the last user logged in at pre-boot is cached.
Customize pre-boot screen - only supported with ESC 2.3.1 or higher.
After installing ERAS and the ADM or ADMX, this group policy is deployed.
For a complete list of Wave policies please refer to Appendix V ADMX Policy Deployment The ADMX files installation is discussed in the ERAS Installation Guide in section 3.6, ADMX GPO Installation. These policies reside in the same location as the ADM files \program files\wave Systems\EMBASSY Remote Administration Server\Support\Group Policy. The ADM files are primarily provided for support of Windows 2003 server environments. 29 Managing and Applying Policies Wave Systems Corp. 2011
4.4 ERASConnector.msi Deployment

The ERASConnector is deployed for use in smart card enrollment for SEDs, for queued or postponed operations, and for drive authentication log reports, where it actively communicates the information from the client machine to the server. It is also required for the single use password recovery method that allows the combined SSO method on selected client applications. (See Trusted Drive Authentication Log Report.)

Client prerequisite: .NET Framework 3.5 SP1 must be installed on client machines prior to installation.

ERASConnector.msi installation on domain clients

When ERASConnector.msi installs on the client it chooses the first instance of ERAS it finds and enters an entry for the SVC Host in the registry. If a specific instance of ERAS needs to be set on the client, this can be done in one of two ways. The first is to deploy ERASConnector.msi and then edit the registry key on the client under HKEY_LOCAL_MACHINE\Software\Wave Systems Corp\WSCEAA to reflect the correct FQDN of the installed ERAS. The second is to run the installation with the command line parameters on the client machine, as is done for foreign clients. The installation command can also be used to point to a load balancer. Command-line options for ERASConnector can be found under section 5, Non-Domain or Un-Trusted Domain Management Support.

A functional ERAS server should be treated as a prerequisite for the deployment of ERASConnector.msi or ERASProvider.msi to the client. Also, if ERASConnector or ERASProvider was previously installed while the machine was a member of a different domain, uninstall and re-install the component while on the new domain. This prevents issues with resolving the ERAS Service Account name.

When installing ERASConnector.msi on Vista/Windows 7 client machines, right-click setup.exe and select "Run as administrator" to avoid permission denied errors caused by privilege restrictions on the logged-in user during installation.
ERASConnector Call from Client

Once ERASConnector is installed, a call from ERASConnector can be forced from its system tray icon by clicking the icon (shown in the manual's screenshot). This action prompts a notification indicating that a status update is taking place.

Note that setting the Wave policy Configure ERASConnector settings before installing the connector on the domain prevents installer errors when writing the location of the server host. Leaving it unset does not prevent the installation of ERASConnector; the setting can be configured afterwards through the policy.

4.5 Installing ERASProvider versus ERASConnector

ERASProvider only allows direct management of clients through WMI. For this reason it is highly recommended to install and use ERASConnector in all network environments. However, ERASProvider can be used if none of the following functionality is needed:

- Pending Operations (this can be disabled from the Server Settings UI since it will not be used)
- Asynchronous management of the client
- Collection of client authentication logs to generate reports
- SED enrollment and authentication by smart card
- SED/computer migration: moving a drive from one computer to another and moving a computer in/out of a domain

Command-line options for ERASProvider

USAGE (ERASProvider):

    msiexec /i <Full path of MSI> [ERASACCOUNT=<NetBios Domain Name>\<ERAS Service Account Name> OR <ERASServiceUserName>@<DomainName> (UPN format)]
Example:

    msiexec /i c:\temp\erasprovider_x32.msi /q ERASACCOUNT=WAVX\ErasService

4.6 Failure using command line parameters when installing ERASConnector or ERASProvider

If the client is a domain client that has been connected to the domain and the GPO for setting the ERAS service account has already been applied, expect the following behavior when a command line installation conflicts with the GPO setting: the ERASConnector or ERASProvider installation fails gracefully with "The provided ERAS domain service account could not be mapped". The reason is that during ERASConnector or ERASProvider installation, the ERAS service account parameter passed could not be mapped to a valid security ID (SID), which means the WMI namespace permissions cannot be set correctly. The GPO that sets the ERAS service account on the client takes precedence over any command line parameters. So even if erasaccount=system is used in the command line for a foreign client, expect this error message if there is already a registry entry for the ERAS service account. The same problem occurs if a host computer goes offline to install ERASConnector after the registry entry for the ERAS service account has been populated.
5. Non-Domain or Un-Trusted Domain Management Support

Any non-domain client, that is, a client that is part of a workgroup or of an un-trusted domain, uses client initiated management (CIM). These clients are also referred to as foreign clients. The client component for this communication is contained in ERASConnector.

To enable foreign client management on the client computer for a particular trusted device, ERASConnector.msi must be installed from a command prompt running with Administrator privilege, using the command-line formats below. This defines for the client the location of the ERAS it communicates with. Navigate on the command line to the location of the files, then use the following command strings for the installation on the client machine.

Command-line options for ERAS Connector

Command-line options are case-insensitive.

    msiexec /i <Full path of MSI> [/q] [/L <Full Path of Log File including File Name>] ERASACCOUNT=<NetBios Domain Name>\<ERAS Service Account Name> OR <ERASServiceUserName>@<DomainName> (UPN format) PORT=<Port Number> HOST=<ERAS Server name or IP Address>

Example:

    msiexec /i c:\temp\erasconnector_x32.msi /q ERASACCOUNT=WAVX\ErasService PORT=80 HOST=192.168.23.21

Information on options:

- /q: Silent installation.
- ERASACCOUNT: Domain user account name allocated for the ERAS Service. If the provided account does not have a valid SID, the installation succeeds without setting permissions on DCOM and WMI. To enable installation on a client not connected to the domain, use "ERASACCOUNT=SYSTEM".
- PORT: TCP/IP port number.
- HOST: ERAS Server name or IP address.

Adding Local Users

- The ERAS administrator needs to type in MachineName\UserName instead of browsing/selecting from the foreign user list in order to add users who can authenticate to the SED.
- Set the Server setting for Foreign Client Auto enrollment from False to True.
- Make sure the system clocks of Server and Client are within 5 minutes of each other.

Workgroup or Non-Trusted Domain Client Management with ERAS

1. Deployment environment creation steps:
   - Acquire a client machine with CV, BIOS, TPM, and SED.
   - Install Wave ETS 3.5.2 or ESC 2.5.1 or better.
   - The client machine may belong to any domain not trusted by ERAS, or be a Workgroup computer.
   - Install ERASConnector.msi using the command line instructions described above.
2. Management operations:
   - Upon rebooting the client machine prepared in step 1, ERASConnector connects to the ERAS Server using the data provided during installation; after this, the client machine shows up in the ERAS Management Console under one of the ERAS external client OUs. Note that this is done either by auto-enrollment or by manual enrollment.
   - Manage the CV, BIOS, TPM and TD residing on this foreign client from the ERAS Management Console as before.

GPO propagation to Workgroup or Non-Trusted Domain Clients

Currently the only supported policies for Foreign Clients are the Common and Trusted Drive Manager policies. The server port setting for ERASConnector can also be set through the Configure ERASConnector settings policy, which designates the port and the ERAS server used for communication.

Configure ERASConnector settings

Workgroup or Non-Trusted Domain ERASCMD Syntax Rules

For erascmd, the W (workgroup) client user name should omit the prefix added by ERAS, such as 'W1C1-'. However, the COMPUTER name should include this prefix. An example of adding a TD user to a W (workgroup) client:

    erascmd set w1c1-rothw7jd.qa3-english.wavesys.com deviceid=physicaldrive0 user=add userid=rothw7jd\dd3 password=wave123 pmc=enabled

where ROTHW7JD is the client's computer name.

Auto-Enrollment

For auto-enrollment, make sure to change the 'Auto-enrollment' setting from FALSE to TRUE in the 'Change Server Settings UI' window. After that, there are 2 options:

1. Give ErasService full permission to create child and descendant objects for the entire domain.
2. As domain admin, create the 'ERAS External Clients' OU in the domain, then give ErasService full permission to create child and descendant objects in this OU.

If neither of the above options is viable, manual enrollment is the only way.

Manual Enrollment for Workgroup or Non-Trusted Domain Computers

If auto-enrollment for foreign clients is not desirable, follow the steps below to enroll a foreign client in ERAS:

1. Prerequisite: Wave Client Software and the ERASConnector x32 or x64 MSI file.
2. On the client machine, install ERASConnector.
3. Open a command window and change directory to the location where ERASConnector is installed [\Program Files\Wave Systems Corp\RemoteManagement].
4. Execute 'gethostinfo.exe'. This produces an XML file.
5. Deliver the XML file out of band to the ERAS server.
6. Log on to the ERAS Server box and copy the XML file generated by gethostinfo.exe to the folder where the ERAS command-line utility is installed.
7. On the ERAS Server box, run the ERAS Command Line Utility from the Program menu.
8. Execute 'erascmd enrollclient <filename>', where filename is the name of the file with the information collected from the client machine.
9. Run the ERAS Management Console, right-click on the host domain node and do a refresh.
10. Navigate to the ERAS External Clients OU and below it to find the newly enrolled client.

If the host server is not resolved by DNS, an entry of the form "x.z.c.v IP and ERAS Server FQDN" must be added to the \drivers\etc\hosts file.

Foreign Clients that are already enrolled continue to be managed by ERAS even if one attempts to disable the functionality in the Server Settings UI.

Provisioning Model for Computers Not Reachable

For all computers not reachable on the network the following is true:

- Workgroup or non-trusted domain computers are always unreachable and all management operations are postponed.
- Computers not connected to the domain are not reachable and will have operations postponed.

For more clarification, read the section on Pending Operations.

User Report for Foreign User

The ERAS admin needs to type in machinename\username instead of browsing/selecting from the foreign user list.
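As an added example (not from the Wave manual), the following PowerShell script runs the foreign-client prerequisite checks stated in this section and in section 4.4 (.NET Framework 3.5 SP1, name resolution of the ERAS host, TCP reachability on the configured port, clock skew within 5 minutes) and then performs the silent ERASConnector install with the section 5 parameters. The MSI path and ERAS host are placeholders; the clock check assumes the ERAS host answers NTP queries from w32tm, which may not hold in every deployment.

```powershell
# Added example, not from the Wave manual: pre-flight checks for a foreign
# (workgroup / un-trusted domain) client, then the silent ERASConnector install
# from section 5. Run from an elevated PowerShell prompt on the client.
# Placeholders to adjust: $MsiPath and $ErasHost.
param(
    [string]$MsiPath = 'C:\temp\erasconnector_x32.msi',   # placeholder
    [string]$ErasHost = 'eras01.corp.example',            # placeholder: ERAS FQDN or IP
    [int]$Port = 80,
    [string]$LogPath = "$env:TEMP\erasconnector-install.log"
)

$problems = @()

# Section 4.4 prerequisite: .NET Framework 3.5 SP1 (Install=1 and SP>=1 under NDP\v3.5).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Install -ne 1 -or $ndp.SP -lt 1) {
    $problems += '.NET Framework 3.5 SP1 is not installed'
}

# Section 5: if DNS cannot resolve the ERAS server, the administrator must add
# "<ip> <ERAS FQDN>" to \drivers\etc\hosts. The script reports it and never guesses an IP.
$addresses = @()
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($ErasHost)
} catch {
    $problems += "Cannot resolve '$ErasHost'; add it to $env:SystemRoot\System32\drivers\etc\hosts"
}

# Section 6.1: the connector talks to the server over TCP (port 80 by default).
if ($addresses.Count -gt 0) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($ErasHost, $Port) }
    catch { $problems += "TCP port $Port on '$ErasHost' is not reachable" }
    finally { $tcp.Close() }
}

# Section 5: client and server clocks must be within 5 minutes. The offset is
# measured with w32tm, which only works if the ERAS host answers NTP (assumption);
# if it does not, the offset has to be verified by hand.
$offsetLine = w32tm /stripchart "/computer:$ErasHost" /samples:1 /dataonly 2>$null | Select-Object -Last 1
if ($offsetLine -match ',\s*([+-]?\d+\.\d+)s') {
    $offsetSeconds = [math]::Abs([double]$Matches[1])
    if ($offsetSeconds -gt 300) { $problems += "Clock offset is $offsetSeconds s (limit is 300 s)" }
} else {
    Write-Warning "Could not measure the clock offset against $ErasHost; check it manually"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1
}

# Section 5 install. A client outside the ERAS domain cannot map the service account
# to a SID, so ERASACCOUNT=SYSTEM is used; /L*v is msiexec's verbose log switch.
$msiArgs = @('/i', "`"$MsiPath`"", '/q', '/L*v', "`"$LogPath`"",
             'ERASACCOUNT=SYSTEM', "PORT=$Port", "HOST=$ErasHost")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin @(0, 3010)) {      # 3010 = installed, reboot required
    Write-Error "msiexec exited with $($proc.ExitCode); see $LogPath"
    exit $proc.ExitCode
}

# Section 4.4: the installer records the server location under this key.
# List its values so the administrator can confirm the ERAS FQDN written there.
$wsceaa = Get-ItemProperty 'HKLM:\SOFTWARE\Wave Systems Corp\WSCEAA' -ErrorAction SilentlyContinue
if ($wsceaa) { $wsceaa | Format-List } else { Write-Warning 'WSCEAA registry key not found after install' }
```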
6. ERAS External Client Tree Naming Convention Adding Users

ERAS-FCM maintains foreign computer and user accounts in the dedicated Active Directory (AD) organizational unit (OU) ERAS External Clients (note: the OU name is customizable). If the ERASService account was not given sufficient privileges to create containers in AD, these OUs can be created manually and the ERASService account assigned the appropriate privileges.

ERAS-FCM tree panel

The first non-trusted (foreign) domain OU is named D1. Each further foreign domain OU obtains the next consecutive number: D2, D3, etc. The first workgroup OU follows a similar convention, W1, followed by W2, W3 and so forth. The users contained in each of these groups are only the profiles contained on that particular computer, C1, C2, C3 etc., giving D1C1-ComputerName or W1C1-ComputerName and so forth. So when adding a user to a Trusted Drive or TPM etc., the only users in the AD list are the profiled users contained on that computer.

Foreign client computer and user accounts are grouped under the ERAS External Clients OU, which contains the following sub-OUs:

- Domain Clients OU: for the computer and user accounts from un-trusted domains.
- Workgroup Client OU: for the computer and user accounts from machines that are members of Windows Workgroups.
- D#: an OU with Computers and Users sub-OUs dedicated to the computer and user accounts from the un-trusted domains.
- W#: an OU with Computers and Users sub-OUs dedicated to the computer and user accounts from various Workgroups.
- C#: references a computer added to the above mentioned non-trusted domain or workgroup.

For example, the first workgroup machine enrolled on this ERAS: W1C1-MYHOMEPC

ERAS allows the OU to be named prior to enrollment of workgroup or non-trusted domain computers. Once a computer is enrolled, it is no longer possible to change the OU name. The setting for assigning the OU name can be found in the Server Settings UI.
Workgroup Computer Name Change

For workgroup computers, ERAS and TDM maintain user names in the format ComputerName\UserName. If the computer name changes, existing SED users remain listed under the old computer name; newly added users get the new computer name prefix.

Note that for foreign clients, when adding a user to a Trusted Drive or TPM etc., the only users in the AD list are the profiled users contained on that computer.
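The prefix rule from the section 5 ERASCMD syntax rules and the D#C#/W#C# naming convention above are easy to get wrong by hand, so here is an added PowerShell helper (not part of the Wave manual) that builds an 'erascmd set ... user=add' command for a foreign client: the COMPUTER argument keeps the ERAS prefix while the userid is built as ComputerName\UserName without it. It assumes ERAS lists the client as <prefix>-<ComputerName>.<ERAS domain suffix>, as in the manual's example; the sample password is a constructed value.

```powershell
# Added example, not from the Wave manual. Builds the erascmd command line for
# adding a local user to the SED of a foreign (workgroup / un-trusted domain)
# client, applying the section 5 syntax rules and the section 6 naming convention.
function New-ForeignClientUserCommand {
    param(
        [Parameter(Mandatory)][string]$ErasComputerFqdn,  # as shown in the console, e.g. w1c1-rothw7jd.qa3-english.wavesys.com
        [Parameter(Mandatory)][string]$LocalUser,         # local account on the client, e.g. dd3
        [Parameter(Mandatory)][string]$Password,
        [string]$DeviceId = 'physicaldrive0',
        [switch]$PasswordMustChange
    )

    # D#C# = computer from an un-trusted domain, W#C# = workgroup computer (section 6).
    # -match is case-insensitive, so 'W1C1-HOST' and 'w1c1-host' are both accepted.
    if ($ErasComputerFqdn -notmatch '^(?<prefix>[DW]\d+C\d+)-(?<host>[^.]+)(\..+)?$') {
        throw "'$ErasComputerFqdn' does not carry an ERAS external-client prefix (D#C#- or W#C#-)"
    }
    $computerName = $Matches['host'].ToLower()

    # Section 6: local users are always named ComputerName\UserName. The userid must
    # not carry the ERAS prefix; strip it in case the caller copied it from the console.
    $LocalUser = $LocalUser -replace '^[DW]\d+C\d+-', ''
    if ($LocalUser -notmatch '\\') { $userId = "$computerName\$LocalUser" }
    else { $userId = $LocalUser }

    # The COMPUTER argument keeps the full prefixed name (section 5 syntax rule).
    $parts = @('erascmd', 'set', $ErasComputerFqdn.ToLower(),
               "deviceid=$DeviceId", 'user=add', "userid=$userId", "password=$Password")
    if ($PasswordMustChange) { $parts += 'pmc=enabled' }
    return ($parts -join ' ')
}

# Reproduces the manual's example; 'wave123' is the constructed sample password from the text.
New-ForeignClientUserCommand -ErasComputerFqdn 'W1C1-ROTHW7JD.qa3-english.wavesys.com' `
    -LocalUser 'dd3' -Password 'wave123' -PasswordMustChange
```

The generated command carries the user's password in clear text on the erascmd command line, so run it from an interactive session on the ERAS server rather than storing it in a script or log.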
6.1 ERAS communication outside a firewall

The ERAS Client Connector is designed to communicate across port 80. A number of products are available for arranging a secure proxy into an organization's internal network. The manual illustrates this with a simple diagram of a firewall performing NAT from the public address of ERAS to the private, protected network address. Many products on the market have proxy/firewall capabilities; any number of proxy server products can be used, such as the open source Squid or a more robust solution such as Microsoft ISA Server.
7. Command line operations

Command line format

Usage: erascmd [command] [hostname] [properties]

    hostname    Specifies a client platform computer name.

ERAS Command Line Utility Commands:

    version                  Display the version of erascmd.
    help                     Display this help message.
    show [hostname]          Display platform profiles currently stored in the database, BIOS password in clear text.
    enrollclient [filename]  Enroll client to ERAS.
    list                     List platforms currently stored in the database.
    create hostname          Create or refresh a platform record in the database.
    set hostname {deviceid} {ownership|user|enable|export|erase|unlock}
                             Manage TPM or Trusted Drive on a platform.
    update hostname          Update Trusted Drive on a platform.

Properties:

    deviceid={<trusted_drive_unique_id>} or Bios or CV
    ownership={take|change|clear|reset} [ouserid=<original_owner_user_name>] [opassword=<original_owner_password>] [userid=<owner_user_name>] [password=<owner_password>] [s3=yes|no]
    user={add|remove|reset} [usertype=admin|user|recovery] [userid=<user_name>] [password=<user_password>] [pmc=enabled]
    enable={true|false}
    export={rpassword}
    erase=[true]
    unlock=[true]

Property descriptions:

    devicetype    Specify the type of device to operate on.
    deviceid      Trusted Drive unique identifier. Set this to Bios to perform command line BIOS operations. If missing or empty, the target device is assumed to be TPM.
    ownership     TPM or Trusted Drive ownership mode. Must be either 'take', 'change', 'clear', or 'reset'.
    usertype      Type of trusted drive user to manage. By default the type is 'user'.
    user          User management operation. Must be either 'add', 'remove', 'reset', 'removeall' (CV), 'archive' (CV), or 'restore' (CV).
    userid        TPM or Trusted Drive owner or user account name.
    password      TPM or Trusted Drive owner password or user password.
    pmc           Enable the password must change policy.
    ouserid       Original (old) TPM or Trusted Drive owner user name.
    opassword     Original (old) TPM or Trusted Drive owner or BIOS password.
    enable        Enable flag. Must be either 'true' or 'false'.
    export        Export recovery password of a trusted drive. 'rpassword' - recovery password.
    erase         Erase all information from a trusted drive.
    mbr           UNC path for the preboot image file of the Trusted Drive's master boot record.
    unlock        Reset TPM lock-out or unlock a secondary trusted drive.
    s3            Standby and Sleep mode support flag. Must be either 'yes' or 'no'. The default value is 'no'.
    passwordtype  Type of password. For BIOS, it can be set to 'system', 'admin' or 'hdd'; for CV, 'admin' or 'bios'.
    adminpwd      CV administrator password.
    biospwd       CV BIOS firmware password.

IMPORTANT:

1. The server assumes that ownership must be taken/changed by/to the domain user account allocated for the ERAS Service if the 'userid' property is not specified or empty while performing the ownership management operation. Also, the server generates a random password for the owner if the 'password' property is not specified or empty.
2. The domain name for the user account may be omitted.

TPM management operations:

* Take ownership of COMPUTER by the domain user account allocated for the ERAS Service. Standby and Sleep support will be enabled.
    erascmd set COMPUTER ownership=take
* Take ownership of COMPUTER by user 'DomainName\bob'. Standby and Sleep support will be disabled.
    erascmd set COMPUTER ownership=take userid=domainname\bob password=12345678
* Change ownership of COMPUTER to user 'DomainName\mike'.
    erascmd set COMPUTER ownership=change opassword=12345678 userid=domainname\mike password=12345678
* Change ownership of COMPUTER to the domain user account allocated for the ERAS Service.
    erascmd set COMPUTER ownership=change opassword=12345678
* Delegate full owner rights to user 'DomainName\alice' on platform COMPUTER.
    erascmd set COMPUTER user=add userid=domainname\alice password=mypassw0rd
* Remove delegation for user 'DomainName\alice' on platform COMPUTER.
    erascmd set COMPUTER user=remove userid=domainname\alice
* Enable TPM on COMPUTER.
    erascmd set COMPUTER enable=true
* Disable TPM on COMPUTER.
    erascmd set COMPUTER enable=false
* Reset TPM auth lock-out on COMPUTER.
    erascmd set COMPUTER unlock=true
* Reset TPM auth lock-out on COMPUTER with the specified owner password.
    erascmd set COMPUTER unlock=true password=12345678

Examples:

* Show the platform record for COMPUTER.
    erascmd show COMPUTER
* List all platforms currently stored in the database.
    erascmd list
* Create or refresh the platform record.
    erascmd create COMPUTER
* Enroll client to ERAS.
    erascmd enrollclient CLIENTINFO.xml

Trusted Drive management operations:

* Show the recovery password of the trusted drive with the specified serial number and model number (optional).
    erascmd show SN=SERIALNUMBER output=rpwd
    erascmd show SN=SERIALNUMBER Model=MODELNUMBER output=rpwd
* Retrieve CRRPII recovery password with hostname.
    erascmd show COMPUTER passwordtype=crrpii deviceid=physicaldrive0 userid=domainname\bob challenge=[13/26 characters]
* Retrieve CRRPII recovery password with drive model and serial number only, without hostname (when the drive is detached).
    erascmd tdrecover SN=SERIALNUMBER Model=MODELNUMBER passwordtype=crrpii userid=domainname\bob challenge=[13/26 characters]
* Retrieve CRRPI recovery password.
    erascmd show COMPUTER passwordtype=crrpi deviceid=physicaldrive0 userid=domainname\bob challenge=[13/26 characters]
    erascmd show SN=SERIALNUMBER Model=MODELNUMBER passwordtype=crrpi userid=domainname\bob challenge=[13/26 characters]
* Initialize 'PhysicalDrive0' drive on COMPUTER by the ERAS service account.
    erascmd set COMPUTER deviceid=physicaldrive0 ownership=take [smartcard=true] [temppass=true]
* Initialize 'PhysicalDrive0' drive on COMPUTER by user 'DomainName\bob'.
    erascmd set COMPUTER deviceid=physicaldrive0 ownership=take userid=domainname\bob password=123 [smartcard=true] [temppass=true]
* Uninitialize 'PhysicalDrive0' drive on COMPUTER.
    erascmd set COMPUTER deviceid=physicaldrive0 ownership=clear
* Register the drive's administrator to user 'DomainName\mike' (old user is 'DomainName\bob').
    erascmd set COMPUTER deviceid=physicaldrive0 ownership=change ouserid=domainname\bob opassword=123 userid=domainname\mike password=321
* Change ownership of 'PhysicalDrive0' to the ERAS service account (old user is 'DomainName\bob').
    erascmd set COMPUTER deviceid=physicaldrive0 ownership=change ouserid=domainname\bob opassword=123
* Add user 'DomainName\alice' to 'PhysicalDrive0' on COMPUTER.
    erascmd set COMPUTER deviceid=physicaldrive0 user=add userid=domainname\alice password=mypassw0rd
* Add user 'DomainName\alice' to 'PhysicalDrive0' on COMPUTER with password must change enabled.
    erascmd set COMPUTER deviceid=physicaldrive0 user=add userid=domainname\alice password=mypassw0rd pmc=enabled
* Remove user 'DomainName\alice' from 'PhysicalDrive0' on platform COMPUTER.
    erascmd set COMPUTER deviceid=physicaldrive0 user=remove userid=domainname\alice
* Reset user 'DomainName\alice' password on 'PhysicalDrive0'.
    erascmd set COMPUTER deviceid=physicaldrive0 user=reset userid=domainname\alice password=mypassw0rd2
* Reset user 'DomainName\alice' password on 'PhysicalDrive0' with password must change enabled.
    erascmd set COMPUTER deviceid=physicaldrive0 user=reset userid=domainname\alice password=mypassw0rd2 pmc=enabled
* Reset the admin's password on 'PhysicalDrive0' in case the admin is 'DomainName\bob'.
    erascmd set COMPUTER deviceid=physicaldrive0 ownership=reset userid=domainname\bob password=mypassw0rd
* Reset recovery password on 'PhysicalDrive0'.
    erascmd set COMPUTER deviceid=physicaldrive0 user=reset usertype=recovery
* Enable pre-boot authentication for 'PhysicalDrive0' on COMPUTER if the drive has a user defined.
    erascmd set COMPUTER deviceid=physicaldrive0 enable=true
* Disable pre-boot authentication for 'PhysicalDrive0' on COMPUTER.
    erascmd set COMPUTER deviceid=physicaldrive0 enable=false
* Export recovery password of trusted drive 'PhysicalDrive0' on COMPUTER.
    erascmd set COMPUTER deviceid=physicaldrive0 export=rpassword
* Erase all information from trusted drive 'PhysicalDrive0' on COMPUTER.
    erascmd set COMPUTER deviceid=physicaldrive0 erase=true
* Update a trusted drive on COMPUTER to use the new preboot MBR image.
    erascmd update COMPUTER mbr=\\networkdrive\share\pbsignon.img

Protect Drive management operations:

* Initialize 'PhysicalDrive0' drive on COMPUTER by the ERAS service account.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 ownership=take [smartcard=true]
* Initialize 'PhysicalDrive0' drive on COMPUTER by user 'DomainName\bob'.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 ownership=take userid=domainname\bob password=123 [smartcard=true]
* Export recovery files of protect drive 'PhysicalDrive0' on COMPUTER.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 backup=recovery
* Enable protect drive 'PhysicalDrive0' partition C: on COMPUTER.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 partition=c: enable=true [/force]
* Disable protect drive 'PhysicalDrive0' partition C: on COMPUTER.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 partition=c: enable=false [/force]
* Uninitialize 'PhysicalDrive0' drive on COMPUTER.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 ownership=clear
* Register the drive's administrator to user 'DomainName\mike' (old user is 'DomainName\bob').
    erascmd set COMPUTER deviceid=pd:physicaldrive0 ownership=change ouserid=domainname\bob opassword=123 userid=domainname\mike password=321
* Change ownership of 'PhysicalDrive0' to the ERAS service account (old user is 'DomainName\bob').
    erascmd set COMPUTER deviceid=pd:physicaldrive0 ownership=change ouserid=domainname\bob opassword=123
* Add user 'DomainName\alice' to 'PhysicalDrive0' on COMPUTER.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 user=add userid=domainname\alice password=mypassw0rd
* Remove user 'DomainName\alice' from 'PhysicalDrive0' on platform COMPUTER.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 user=remove userid=domainname\alice
* Reset user 'DomainName\alice' password on 'PhysicalDrive0'.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 user=reset userid=domainname\alice password=mypassw0rd2
* Reset the admin's password on 'PhysicalDrive0' in case the admin is 'DomainName\bob'.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 ownership=reset userid=domainname\bob password=mypassw0rd
* Reset recovery password on 'PhysicalDrive0'.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 user=reset usertype=recovery
* Enable pre-boot authentication for 'PhysicalDrive0' on COMPUTER if the drive has a user defined.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 enable=true
* Disable pre-boot authentication for 'PhysicalDrive0' on COMPUTER.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 enable=false
* Export recovery password of trusted drive 'PhysicalDrive0' on COMPUTER.
    erascmd set COMPUTER deviceid=pd:physicaldrive0 export=rpassword

BIOS management operations:

** If password is omitted, it will be auto-generated by ERAS.
** If opassword is omitted, the current password from the database will be used.
BIOS passwordtypes: system, admin, hdd

* Set BIOS password
    ** By User - erascmd set COMPUTER deviceid=bios passwordtype=system password=temp123
    ** By ERAS - erascmd set COMPUTER deviceid=bios passwordtype=hdd
* Change BIOS password
    ** By User - erascmd update COMPUTER deviceid=bios passwordtype=admin opassword=temp123 password=temp1234
    ** By ERAS - erascmd update COMPUTER deviceid=bios passwordtype=admin opassword=temp123
* Show BIOS password
    erascmd show COMPUTER deviceid=bios passwordtype=hdd
* Clear BIOS password
    erascmd set COMPUTER deviceid=bios passwordtype=admin opassword=123 password=
* Retrieve password history for BIOS passwords
  ** This shows the passwords that were set in the past, in reverse order: newest first, oldest last.
    erascmd list COMPUTER deviceid=bios passwordtype=system
* Retrieve super password
    erascmd show COMPUTER passwordtype=super deviceid=physicaldrive0 challenge=[13 characters] userid=domainname\bob

CV management operations:

** If password is omitted, it will be auto-generated by ERAS.
--- CV password types: admin, firmwareupgrade
--- CV ownership types: take, clear
--- CV user operations: add, remove, archive, restore
--- CV user must be specified as <username>@<domain-prefix>, for example alice@mydomain
--- CV administrator password: adminpassword
--- CV BIOS firmware password: firmwareupgradepassword

* Show CV Admin Password
    erascmd show COMPUTER deviceid=cv passwordtype=admin
* Show CV Firmware Upgrade Password
    erascmd show COMPUTER deviceid=cv passwordtype=firmwareupgrade
* Set CV Admin Password
    ** By User - erascmd set COMPUTER deviceid=cv passwordtype=admin adminpassword=temp123
    ** By ERAS - erascmd set COMPUTER deviceid=cv passwordtype=admin
* Set CV Firmware Upgrade Password
    ** By User - erascmd set COMPUTER deviceid=cv passwordtype=firmwareupgrade firmwareupgradepassword=temp123
    ** By ERAS - erascmd set COMPUTER deviceid=cv passwordtype=firmwareupgrade
* ListCVUsers - implemented in 'show'
* Initialize CV
    ** By User - erascmd set COMPUTER deviceid=cv ownership=take adminpassword=temp123 firmwareupgradepassword=temp456
    ** By Mixed - erascmd set COMPUTER deviceid=cv ownership=take adminpassword=temp123
    ** By Mixed - erascmd set COMPUTER deviceid=cv ownership=take firmwareupgradepassword=temp456
    ** By ERAS - erascmd set COMPUTER deviceid=cv ownership=take
* Uninitialize CV
  ** This operation may require the client machine to be rebooted.
  ** If the 'forcerebootclient' parameter is omitted, it defaults to false.
    ** Auto-reboot client - erascmd set COMPUTER deviceid=cv ownership=clear forcerebootclient=true
    ** Manually reboot client - erascmd set COMPUTER deviceid=cv ownership=clear forcerebootclient=false
* Archive CV User
    erascmd set COMPUTER deviceid=cv user=archive userid=alice@domainprefix
* Restore CV User
    erascmd set COMPUTER deviceid=cv user=restore userid=alice@domainprefix
* Add CV User
    erascmd set COMPUTER deviceid=cv user=add userid=alice@domainprefix
* Delete CV User
  -- Delete CV User uses the System BIOS password.
    erascmd set COMPUTER deviceid=cv user=remove userid=alice@domainprefix

BitLocker management operations:

* Initialize BitLocker volume
    ** With TPM - erascmd set COMPUTER deviceid=bl volume=c:os ownership=take
    ** With TPM/PIN - erascmd set COMPUTER deviceid=bl volume=c:os ownership=take pin=1234
    ** With TPM/PIN & Startup Key - erascmd set COMPUTER deviceid=bl volume=c:os ownership=take pin=1234 op=key
    ** With TPM & Startup Key - erascmd set COMPUTER deviceid=bl volume=c:os ownership=take op=key/tpm
    ** With Startup Key - erascmd set COMPUTER deviceid=bl volume=e: ownership=take op=key
    ** With Password - erascmd set COMPUTER deviceid=bl volume=d: ownership=take password=secretpass
* Uninitialize BitLocker volume
    erascmd set COMPUTER deviceid=bl volume=d: ownership=clear [tpm=clear]
* Reset BitLocker recovery key
    erascmd set COMPUTER deviceid=bl volume=d: ownership=reset op=key
* Reset BitLocker recovery password
    erascmd set COMPUTER deviceid=bl volume=e: ownership=reset op=rpassword
* Change BitLocker PIN
    erascmd update COMPUTER deviceid=bl volume=d: passwordtype=pin pin=12345
* Change BitLocker password
    erascmd update COMPUTER deviceid=bl volume=d: passwordtype=password password=secretpass
* Lock BitLocker volume
    erascmd set COMPUTER deviceid=bl volume=d: enable=true
* Unlock BitLocker volume
    erascmd set COMPUTER deviceid=bl volume=d: enable=false
* Enable/Disable BitLocker Autounlock
    erascmd set COMPUTER deviceid=bl volume=e: autounlock=true/false
* Show BitLocker recovery password
    erascmd show COMPUTER deviceid=bl volume=d: passwordtype=rpassword
ERAS Sample Command Scripts

Note: since ERAS supports multi-domain environments, it is important that the complete Fully Qualified Domain Name is used in all commands and scripts. For example: MyComputer.MyDomain.com

Refresh: Refresh the status of computers.

    Refresh /C:Computer Name [/L:Log File Path]
    Refresh /F:Computer List File Path [/L:Log File Path]

    /C  Specifies the full name of the computer to refresh.
    /F  Specifies the name of the file that contains a list of computers to refresh.
    /L  Specifies where to save the log file. If not specified, Refresh.Log will be created in the current directory.

For example:

    Refresh /C:MyComputer.MyDomain.com

Reset Recovery Password: Reset the recovery password of computers.

    ResetRecoveryPwd /F:Computer List File Path [/L:Log File Path]

    /F  Specifies the name of the file that contains a list of computers to be reset.
    /L  Specifies where to save the log file. If not specified, ResetRecoveryPwd.Log will be created in the current directory.

For example:

    ResetRecoveryPwd /F:MyComputerList.txt /L:ResetRecoveryPwd.Log

Take ownership of TPM: Take ownership of computers.

    TakeOwnership /C:Computer Name [/U:User /P:Password] [/L:Log File Path]
    TakeOwnership /F:Computer List File Path [/U:User /P:Password] [/L:Log File Path]

    /C  Specifies the full name of the computer to take ownership of.
    /F  Specifies the name of the file that contains a list of computers to take ownership of.
    /U  Specifies which user takes ownership of the computer(s).
    /P  Specifies the password of the user.
    /L  Specifies where to save the log file. If not specified, TakeOwnership.Log will be created in the current directory.

For example:

    TakeOwnership /C:MyComputer.MyDomain.com
    TakeOwnership /F:MyComputerList.txt /L:TakeOwnership.Log
    TakeOwnership /F:MyComputerList.txt /U:DOMAIN\USER /P:MYPASSWORD /L:TakeOwnership.Log

Initialize Trusted Drive: Initialize the trusted drive of computers.

    TDInitialize /C:Computer Name [/U:User /P:Password] [/L:Log File Path]
    TDInitialize /F:Computer List File Path [/U:User /P:Password] [/L:Log File Path]

    /C  Specifies the full name of the computer.
    /F  Specifies the name of the file that contains a list of computers.
    /U  Specifies the pre-2000 user logon name.
    /P  Specifies the password of the user.
    /L  Specifies where to save the log file. If not specified, TDInitialize.Log will be created in the current directory.

For example:

    TDInitialize /C:MyComputer.MyDomain.com
    TDInitialize /F:MyComputerList.txt /L:TDInitialize.Log
    TDInitialize /F:MyComputerList.txt /U:DOMAIN\USER /P:MYPASSWORD /L:TDInitialize.Log

Enable Trusted Drive Preboot: Enable or disable Trusted Drive pre-boot authentication.

    PrebootTDM /F:Computer List File Path /E:Enable [/L:Log File Path]

    /F  Specifies the name of the file that contains a list of computers.
    /E  Enable or disable preboot.
    /L  Specifies where to save the log file. If not specified, EnableTDPreboot.Log will be created in the current directory.

For example:

    PrebootTDM /F:MyComputerList.txt /E:disable
    PrebootTDM /F:MyComputerList.txt /E:enable /L:EnableTDPreboot.Log

Command Prompt UpdateMBR Instructions

There are three ways to use this utility. It can update one computer, a list of computers from a text file, or computers found by searching Active Directory. Make sure the MBR image is shared on the network and the client computer(s) can access that file.
UpdateMBR MBR UNC Path /A [/L:Log File Path] UpdateMBR MBR UNC Path /C:Computer Name [/L:Log File Path] UpdateMBR MBR UNC Path /F:Computer List File Path [/L:Log File Path] UpdateMBR MBR UNC Path /Q[R]:"OU path" [/L:Log File Path] 48 Command line operations Wave Systems Corp. 2011
[MBR UNC Path] Specifies local or network path to the MBR image. /A Update All computers managed by ERAS. /C Specifies full name of the computer. /F Get list of computers to be updated from a file. /L Specifies where to save the log file. If not specified, UpdateMBR.Log will be created in current directory. /Q Get list of computers from organizational units in Active Directory. R Search for all computers in nested Organization Units. OU path must be in quotes and in the form of: "ou=<ou1>,ou=<ou2>,dc=<dc1>,dc=<dc2>" For example: UpdateMBR \\MyServer\Shared\MBR.img /A UpdateMBR \\MyServer\Shared\MBR.img /C:MyComputer.MyDomain.com /L:UpdateMBR.Log UpdateMBR \\MyServer\Shared\MBR.img /F:MyComputerList.txt /L:UpdateMBR.Log UpdateMBR \\MyServer\Shared\MBR.img /Q:"ou=Accounting,dc=MyCompany,dc=com" UpdateMBR \\MyServer\Shared\MBR.img /QR:"ou=Accounting,dc=MyCompany,dc=com" The LDAP query must be in quotes ("). The prefix "LDAP:\\" and current domain controller "dc=..." can be omitted for convenience. Example: "LDAP:\\ou=MyOU,dc=MyDomain,dc=Wave,dc=com" or "ou=myou,dc=mydomain,dc=wave,dc=com" or "ou=myou" Following is the detailed example of how to use the utility. The following assumptions will be used in the following examples: 1. MBR image located at: \\MyServer\Shared\PRSIGNON.img 2. ERAS manages at least one computer with TDM: MyClient 3. There is an OU called MyOU under root of Active Directory.Directory. It contains some computers managed by ERAS. 4. There is an OU called MySubOU under MyOU. It also contains some computers managed by ERAS. There is no assumption of the name and location of the log file. Examples will specify the log file in different ways to show what the possibilities are. I. Update one computer (MyClient): UpdateMBR \\MyServer\Shared\PRSIGNON.img /C:MyClient The default UpdateMBR.Log will be created. II. 
Update a list of computers in file "host.ls" at current directory: UpdateMBR \\MyServer\Shared\PRSIGNON.img /F:host.ls /L:c:\Log\UpdateMBR.Log 49 Command line operations Wave Systems Corp. 2011
III. IV. Update a list of computers in file "MyList.txt" at "C:\": UpdateMBR \\MyServer\Shared\PRSIGNON.img /F:C:\MyList.txt Update computers under MyOU, including computers under MySubOU: UpdateMBR \\MyServer\Shared\PRSIGNON.img /QR:"ou=MyOU" /L:UpdateMBR.txt V. Update computers only under MyOU, do not include any computers in sub-ou such as MySubOU: UpdateMBR \\MyServer\Shared\PRSIGNON.img /Q:"ou=MyOU" /L:\\MyServer\Shared\Log\UpdateMBR.Log VI. Update computers under MySubOU: UpdateMBR \\MyServer\Shared\PRSIGNON.img /Q:"ou=MySubOU,ou=MyOU" Notice MySubOU is placed in front of MyOU. This is the regular syntax of LDAP. Note: For performing this operation, IT administrators can modify the scripts UpdateMBR.bat and process_platforms.vbs to fulfill their specific requirements as they see fit. 50 Command line operations Wave Systems Corp. 2011
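As an added example (not part of the ERAS manual or of Wave's UpdateMBR.bat and process_platforms.vbs scripts), the following Python helper pre-checks the inputs these scripts take before anything is run: it rejects computer-list entries that are not fully qualified, as the note in the Refresh section requires, and builds the quoted OU argument for /Q and /QR with the innermost OU first, as example VI shows. The sample list, the function names and the rendered command line are constructed for this illustration; nothing here contacts ERAS or executes a command.

```python
"""Pre-flight checks for ERAS batch script inputs (Refresh, TakeOwnership, UpdateMBR).

Added example, not part of the ERAS manual or Wave's scripts. It validates the
computer list file that /F: takes (every entry must be an FQDN, per the note
in the Refresh section) and builds the quoted OU path that UpdateMBR /Q and
/QR expect, with the innermost OU first as LDAP requires.
"""
import re
from typing import List, Tuple

# Hostname labels per RFC 1123: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def is_fqdn(name: str) -> bool:
    """True only for a fully qualified name such as MyComputer.MyDomain.com."""
    return len(name) <= 253 and bool(_FQDN_RE.match(name))


def check_computer_list(text: str) -> Tuple[List[str], List[str]]:
    """Split a computer list file into (accepted FQDNs, rejected entries).

    Blank lines and lines starting with '#' are ignored; duplicates are dropped
    so a computer is not refreshed or re-owned twice in one run.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    seen = set()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        key = entry.lower()
        if key in seen:
            continue
        seen.add(key)
        (accepted if is_fqdn(entry) else rejected).append(entry)
    return accepted, rejected


def ou_path(ou_chain: List[str], domain: str = "") -> str:
    """Build the quoted OU argument for UpdateMBR /Q or /QR.

    ou_chain is given outermost first (["MyOU", "MySubOU"]); LDAP wants the
    innermost OU first, so the chain is reversed. The dc= components are
    optional, since the manual says they can be omitted for the current domain.
    """
    parts = [f"ou={ou}" for ou in reversed(ou_chain)]
    if domain:
        parts += [f"dc={label}" for label in domain.split(".")]
    return '"' + ",".join(parts) + '"'


def update_mbr_command(image_unc: str, ou_chain: List[str], recursive: bool,
                       log_path: str = "") -> str:
    """Render one UpdateMBR command line for review (nothing is executed here)."""
    flag = "/QR:" if recursive else "/Q:"
    cmd = f"UpdateMBR {image_unc} {flag}{ou_path(ou_chain)}"
    return cmd + (f" /L:{log_path}" if log_path else "")


# Constructed sample input: a computer list with a duplicate and two bad entries.
SAMPLE_LIST = """# hosts to refresh
MyComputer.MyDomain.com
laptop17.MyDomain.com
MyComputer.MyDomain.com
shorthost
bad_name.MyDomain.com
"""

if __name__ == "__main__":
    ok, bad = check_computer_list(SAMPLE_LIST)
    print("accepted:", ok)
    print("rejected (fix before running /F:):", bad)
    print(update_mbr_command(r"\\MyServer\Shared\PRSIGNON.img", ["MyOU", "MySubOU"], False))
```

Run the checker over the list file before handing it to Refresh /F: or TakeOwnership /F:; a short host name such as "shorthost" would otherwise be resolved against whichever domain the script happens to run in.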
8. ERAS Reports, Event Logging and License Management

8.1 Reports

To run ERAS reports, right-click on the EMBASSY Remote Access Server icon in the left pane of the ERAS console and select View Reports. A dialog containing the ERAS Report Selection Form appears, with the Summary Report highlighted by default. The ERAS Report Selection Form contains two buttons located on the lower right: Show Report, which displays the chosen report, and Close, which exits. With the Summary Report item highlighted, click Show Report to display the Summary Report. This report displays statistical information about the secure devices managed by ERAS.
The Summary (Statistics) report displays a summary of:

Number of Computers

Trusted Platform Module Statistics
* TPM Enabled
* TPM Activated
* TPM owned

Trusted Drive Statistics
* Computers with managed trusted TD (drives that are initialized and security enabled)
* Number of trusted drives
* Managed Hardware FDE: Initialized, Locked
* Managed Software FDE: Initialized, Locked

BitLocker Drive Statistics
* Computers with BitLocker capable drives
* Number of BitLocker Drives: Initialized, Locked

BIOS Statistics
* Computers with managed BIOS
* System password set
* Admin password set
* Hard drive password set

ControlVault Statistics
* Computers with managed ControlVault
Trusted Drive Management Report

Trusted Drive Management reports are accessed through the + sign. To display any of these reports, click the desired report to highlight it, then click Show Report. The Trusted Drive Management Report section consists of the following reports:

* Managed but not Locked Report: displays Trusted Drives with security locking disabled.
* Managed and Locked Report: displays Trusted Drives with security locking enabled.
* Deployed but not yet Managed Report: displays Trusted Drives that can be managed by ERAS.
* Remove from Computer Report: displays Trusted Drives that have been removed from their enrolled host computer.
* Migrate to Another Computer Report: displays Trusted Drives that have been migrated from their enrolled host computer to other computers. When a computer's name is changed, the Trusted Drive report shows the TD as having migrated to another computer. When a computer name of Unknown is created, this indicates that the Authentication Log uploaded to ERAS does not report the computer name.
* Refresh Status Report: displays Trusted Drives that have a specified refresh status.
* Erased Report: displays Trusted Drives that have previously been cryptographically erased.
BitLocker Drive Management Report

The BitLocker Drive Management Report allows reports to be filtered by BitLocker drive properties and authentication method. Select these parameters by clicking the associated boxes for the desired query, then click the Show Report button to display the queried information.

The two final reports located at the bottom of the ERAS Report Selection Form are:

* Trusted Drive Device Report: displays status and historical information about a Trusted Drive managed by ERAS.
* Trusted Drive User Report: displays a summary and history for any user who may have access to any Trusted Drive managed by ERAS.
Trusted Drive Device Report

To obtain a Trusted Drive Device Report, select one of the displayed devices. The ERAS Report Selection Form also allows searching by serial number. From the displayed Trusted Drives, click the appropriate device, then click Show Report.
Trusted Drive User Report

The Trusted Drive User Report requires navigating Active Directory to select the user first, using the Browse button. The Show Report button works as for the previous reports. User reports are limited to trusted domain users. Once the user is selected, click Show Report.
Export Reports

The ERAS Report Selection Form allows reports to be exported and saved. Once the report is generated, go to File and select the appropriate export format. These are web page reports limited to the following export formats: .mht, .htm, .html and .txt.

Trusted Drive Authentication Log Report

In the Trusted Drive Authentication Log, under the Drive ID column, "Boot Drive" indicates pre-boot authentication and "PHYSICALDRIVE" indicates authentication from a running operating system. The latter ("PHYSICALDRIVE") occurs when a second drive is attached to the client machine and is unlocked from Windows XP, Vista or Windows 7.
Other Report Samples (screenshots in the original): Managed but not Locked; Refresh Status
8.2 Event Logging

The event log provides a record of events. Below are some examples of typical events recorded in the event log:

* Initialized Trusted Drive
* Recovery Password Set
* Drive Locking Enabled
* User Added

For a complete list of current events in ERAS, review the table at the back of the latest ERAS TROUBLESHOOTING GUIDE.
8.3 License Management

To view your license details, right-click on the EMBASSY Remote Access Server icon in the left pane of the ERAS console and select Properties; a dialog like the ones below will appear. Your license details appear in the Server License Details section. On a trial license, similar details are displayed, stating the end of the trial period.

Note: There are unlimited licenses during the trial period.

Activate License

When you are ready to activate ERAS, right-click on the EMBASSY Remote Access Server icon in the left pane of the ERAS console, select Properties, then find and click the Acquire License button. You will be presented with a dialog box in which to enter the activation code. After entering the code, click the Enter button to activate the license. If the server on which ERAS is installed does not have Internet access, contact customer support for assistance with a manual activation.

Renew (Add) License

If the number of remaining licenses in the Server License Details section is zero and additional users need to be added, click the Renew License button to add an updated license to support the additional users. This allows for the renewal of a license when an enterprise needs to purchase additional client seats for ERAS. The Update Seats button (described below) fulfills the requirement to release licenses for drives that have been uninitialized or cryptographically erased from ERAS.

(Screenshots in the original: Activate license button enabled; Renew license button enabled)

Contact information for new licenses:
800 #: 866.286.5413
Direct #: 413.243.7093
Email: EnterpriseUpgrade@wavesys.com
Maximum number of items displayed per folder

This field manually sets the maximum number of objects to be displayed in the console window per folder. If the organizational unit has more objects, a message pops up explaining that the limit has been reached.

Decommissioning of the platform

There are two ways to release the license of a self-encrypting drive from ERAS: uninitialize the drive from ERAS, or use the instant Erase button located in the Security Control window referenced in section 5.3, which automatically uninitializes the drive. Also see section 1.4 of Part II of the ERAS Admin Manual, Decommissioning/Removing ERAS from your Network.

Update Seats Button

This button allows for license maintenance in ERAS and frees up licenses for self-encrypting drives that have been uninitialized or cryptographically erased from ERAS. If a drive has been initialized and/or locked and then removed from a unit, it remains part of the ERAS database as a consumed license.

Clear TPM License

Steps:
1. Clear the TPM from the BIOS.
2. Refresh the client machine from ERAS; this releases the license consumed for that PC (assuming there is no Trusted Drive on that PC).

If the TPM is not cleared when re-provisioned, ERAS lets the administrator view the best known information available in the database about the TPM on a platform. This manifests as an "unable to detect TPM" status, while TPM information can still be displayed in the Properties tab.
9. High Availability and Disaster Recovery

Server high availability:
a. IIS clustering: ERAS supports installation as a clustered IIS instance, providing active/passive failover.
b. Load balancing: using either Windows load balancing or a hardware load balancer to provide active/active or active/passive failover and load balancing for ERAS. Load balancing should be configured for persistent connections (client IP to a specific server, also known as sticky connections). This configuration supports a theoretically unlimited number of ERAS servers, providing a scale-out solution.

Database redundancy:
a. SQL Server clustering on Windows cluster server/services: ERAS can be installed against a clustered SQL Server instance, providing failover.
b. ERAS can be installed and connected to a SQL database that can then be clustered. Each SQL server holding a clustered DB provides failover and optional (if configured) transparent load balancing. Because the ERAS DB is encrypted, all clusters must have a copy of the encryption key.
c. ERAS to SQL connectivity: multiple copies of ERAS can be connected to the same ERAS database, sharing configuration and inventory. This provides failover for ERAS, as well as for the DB connection if the DB resides on a clustered SQL server.
ERAS must be installed on Windows Server 2008 in order to use 2008 Server failover clusters. http://support.microsoft.com/kb/970759

It is important to plan for the recovery of ERAS by backing up the ERAS database along with the database master key and service key. This section also refers to SQL Server Management Studio, a tool included with Microsoft SQL Server 2005 and later versions for configuring, managing and administering all components of Microsoft SQL Server. It is not one of the required server prerequisites, but it is a useful tool for managing backup and restore of the ERAS database. The tool includes both script editors and graphical tools that work with the objects and features of the server.

Changing ERASService Password using IIS6
1. Reset the ERASService account password from AD, or change it by logging in as ERASService on the ERAS machine.
2. Log in using the ERASService account with the new password, then log off.
3. Launch IIS and expand Application Pools. Right-click "ERAS" and select Properties.
4. Go to the Identity tab, enter the new ERASService password and apply. Re-entering the password is required to confirm it. Restart IIS.

Changing ERASService Password using IIS7
1. Reset the ERASService account as stated in IIS6 steps 1 and 2.
2. Launch IIS7 and expand Application Pools (using Server Manager) as seen in the screenshot below, then re-enter the password for the ERASService account.

If the ERASService account password contains a double quote (") when it is added to the application pool, the first launch of the ERAS management console will hang. Since a password containing a double quote is not a supported format, specify the username/password correctly and start the application pool to resolve the issue. ERAS will then launch properly.
Database Backup and Recovery
A. Open SQL Server Management Studio.
B. Expand Databases, highlight ERAS, right-click and select Tasks, then select Back Up.
C. From the Back Up Database window, perform the backup to the desired path.
D. A restore can be done by selecting Restore from the menu and selecting the database to restore.
SQL QUERY: If ERAS is not selected before opening a query, the query could be addressed to another database. An alternative is to begin all queries with:

    USE ERAS;

Website reference for Transact-SQL commands: http://msdn.microsoft.com/en-us/library/ms189826.aspx

[Parameter values shown in red in the original are sample data.]

It is also recommended to back up the database master key to a file so that it can be restored and activated in case the master key gets corrupted. The database master key is created during ERAS installation by running the following query:

    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe'

where '23987hxJ#KL95234nl0zBe' is the password submitted as the input parameter SetMasterKey_Password.

(Screenshot in the original: Back Up Database window in SQL Server Management Studio)

Update Master Password for Database
E. Open SQL Server Management Studio.
F. Expand Databases.
G. Highlight ERAS, right-click and select New Query from the menu.
H. Copy the following code into the Query window:

    ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = '[PASSWORD]'

Execute this code against the ERAS database by pressing F5. This specifies a new password with which to encrypt or decrypt the database master key.
The REGENERATE option re-creates the database master key and all the keys it protects. The keys are first decrypted with the old master key and then encrypted with the new master key. This resource-intensive operation should be scheduled during a period of low demand, unless the master key has been compromised.

[Parameter values shown in red in the original are sample data.]

Master Key Back Up
A. Open SQL Server Management Studio.
B. Expand Databases.
C. Highlight ERAS, right-click and select New Query from the menu.
D. Copy the following code into the Query window (the exported file is protected with MasterKeyBackup_Password):

    OPEN MASTER KEY DECRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe' --SetMasterKey_Password
    BACKUP MASTER KEY TO FILE = 'd:\temp\keybackup.bak' -- complete path including the file name where the master key will be exported
        ENCRYPTION BY PASSWORD = 'sd092735kjn$&adsg' --MasterKeyBackup_Password
    GO

Execute the query against the ERAS database by pressing F5.

ERAS Database Restore and Resetting Database Connection

The database can be restored either on the same or on a different SQL Server instance.

1. After restoring the database, or reinstalling the ERAS application while preserving the existing database, validate the database connection. Make sure that the database connection string in the web.config file located in \Wave Systems\EMBASSY Remote Administration Server\Server\ and in \Wave Systems\EMBASSY Remote Administration Server\WCFService on the server where the ERAS application is installed points to the SQL Server instance where the database was restored. Change the SQL Server instance name in the connection string if necessary.

    <connectionStrings>
      <add name="ERAS" connectionString="Database=ERAS;Server=SQL_SERVER_INSTANCE_NAME;Integrated Security=SSPI;" providerName="System.Data.SqlClient"/>
    </connectionStrings>

2. Restart the IIS service on the server where ERAS was installed by entering the iisreset /restart command at a command prompt.
3. Activate the database master key.
   A. Open SQL Server Management Studio.
   B. Expand Databases.
   C. Highlight ERAS, right-click and select New Query from the menu.
   D. Copy the following code into the Query window and run it against the restored ERAS database by pressing F5:

    OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password' -- The original database master key encryption password
    ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY

4. Close and reopen the ERAS management console.
5. Successfully expanding the Domain - Computers node in the ERAS management console indicates that restoring the database and/or pointing ERAS to the correct database location completed successfully.

ERAS Database Restore on a Different Database or Machine

If the database is restored on a different machine (or a different SQL instance on the same machine), extra steps are needed:
1. Restore the database on another SQL Server instance; this can be, for example, SQLEXPRESS on the same Server 1 or any other SQL Server instance on Server 2.
2. Change the database connection string in the web.config file located in \Wave Systems\EMBASSY Remote Administration Server\Server\ and in \Wave Systems\EMBASSY Remote Administration Server\WCFService on Server 1 to point to the SQL Server instance where the database was restored.
3. Restart the IIS service on Server 1, where ERAS was installed, by entering the iisreset /restart command at a command prompt.

If you need to restore the master key, follow the steps in the next section.

Master Key Restore

To restore the master key, copy the KeyBackup.bak file to the local PC where the database is stored.
Copy the following query into a query window of SQL Server Management Studio and run it against the database where the key is being restored:

    RESTORE MASTER KEY FROM FILE = 'C:\MSSQL9\BACKUPS\Keys\KeyBackup.bak' --Master Key backup file location
        DECRYPTION BY PASSWORD = 'sd092735kjn$&adsg' --MasterKeyBackup_Password
        ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe' --SetMasterKey_Password
    GO
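The connection-string step in ERAS Database Restore and Resetting Database Connection above has to be applied to both web.config copies, and both must name the same instance. As an added example, not part of the ERAS product, this Python helper parses a web.config fragment shaped like the one in the manual, reports which SQL Server instance it points to, repoints it while leaving every other keyword untouched, and refuses strings that carry a SQL login and password in place of Integrated Security=SSPI. The sample config and the helper names are constructed for this illustration; run it against a copy of the file before editing the live one.

```python
"""Check and repoint the ERAS database connection string in web.config.

Added example, not part of the ERAS product. It assumes the <connectionStrings>
layout shown in the manual (an <add name="ERAS" .../> entry using
Integrated Security=SSPI) and that both copies, under the Server and
WCFService folders named there, must agree after a restore.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample web.config fragment, shaped like the manual's example.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ERAS"
         connectionString="Database=ERAS;Server=OLDSERVER\\SQLEXPRESS;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient"/>
  </connectionStrings>
</configuration>
"""


def parse_connection_string(value: str) -> Dict[str, str]:
    """Split 'Key=Value;...' into a dict keyed by lower-cased keyword."""
    pairs: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs


def _eras_entry(root: ET.Element) -> ET.Element:
    """Locate <add name="ERAS"> under <connectionStrings>; .NET config element names are case-sensitive."""
    node = root.find("./connectionStrings/add[@name='ERAS']")
    if node is None:
        raise ValueError('no <add name="ERAS"> under <connectionStrings>')
    return node


def current_server(config_xml: str) -> str:
    """Return the Server= value ERAS would connect to, or '' if absent."""
    node = _eras_entry(ET.fromstring(config_xml))
    return parse_connection_string(node.get("connectionString", "")).get("server", "")


def uses_integrated_security(config_xml: str) -> bool:
    """True when the string authenticates as the app-pool identity (SSPI) rather than with a stored password."""
    node = _eras_entry(ET.fromstring(config_xml))
    pairs = parse_connection_string(node.get("connectionString", ""))
    return pairs.get("integrated security", "").upper() == "SSPI" and "password" not in pairs


def repoint(config_xml: str, new_instance: str) -> str:
    """Return the config text with Server= replaced and every other keyword kept as-is.

    Refuses configs that do not use Integrated Security=SSPI, so a restore never
    silently carries a stored SQL password into the new deployment.
    """
    if not uses_integrated_security(config_xml):
        raise ValueError("expected Integrated Security=SSPI in the ERAS connection string")
    root = ET.fromstring(config_xml)
    node = _eras_entry(root)
    rebuilt: List[str] = []
    for part in node.get("connectionString", "").split(";"):
        if not part.strip():
            continue
        key = part.partition("=")[0].strip().lower()
        rebuilt.append(f"Server={new_instance}" if key == "server" else part.strip())
    node.set("connectionString", ";".join(rebuilt) + ";")
    return ET.tostring(root, encoding="unicode")


def copies_agree(server_cfg: str, wcf_cfg: str) -> bool:
    """Both web.config copies must name the same instance (compared case-insensitively)."""
    return current_server(server_cfg).lower() == current_server(wcf_cfg).lower()


if __name__ == "__main__":
    print("before:", current_server(SAMPLE_WEB_CONFIG))
    updated = repoint(SAMPLE_WEB_CONFIG, r"NEWSERVER\SQLEXPRESS")
    print("after: ", current_server(updated))
    print("copies agree:", copies_agree(updated, updated))
```

After writing the updated text back to both files, the iisreset /restart from step 2 is still required for the application pool to pick up the change.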
Server Recovery on a New Platform
1. Prepare a server computer as described in the ERAS Installation Guide.
2. Restore the ERAS database if it was located on the obsolete (lost) platform (see ERAS Database Restore and Resetting Database Connection).
3. Start the ERAS installation on the new server platform.
4. Point to the ERAS database server when asked for the database server.
5. Complete the setup.

Authorization Store Migration

Note: ERAS installs the role management into Microsoft SQL as part of the ERAS database when Microsoft SQL 2008 or later is detected, on new installations only. The role management then becomes part of the database.

An authorization store deployed in the XML file does not have any ERAS Server host binding. An authorization store deployed in Active Directory can certainly be used by other instances of ERAS Servers installed in the domain. The ERASPolicy.xml file with customer roles and Active Directory group assignments can be migrated to (effectively, used by) another ERAS Server in the domain.
Clustered Environment

Additional setup instructions for ERAS: After ERAS is set up in a cluster and before any ERASConnector.msi installation, first rename one of the computers under the ERAS folder to the cluster name and delete the other computers that are part of the cluster, using ADSIEDIT.MSC. ERASConnector will then always connect to ERAS using the cluster name rather than an ERAS server name, because in a failover any one of the ERAS servers may be down.

For example: in the window below, there are two ERAS installations on machines joe2008_64b_vm1 and joe2008_64b_vm2. These two machines are in a cluster named DeanzaCluster. In order for ERASConnector to connect to ERAS correctly, rename either joe2008_64b_vm1 or joe2008_64b_vm2 to DeanzaCluster and then delete the other one.
Appendix I ERAS Icon Reference (icon table shown as an image in the original)
Appendix II Additional Sources

TCG TPM Specification Version 1.2
https://www.trustedcomputinggroup.org/specs/tpm/
TCG Software Stack Specification Version 1.2
https://www.trustedcomputinggroup.org/specs/tss/
Desktop Deployment for Midsize Businesses
http://www.microsoft.com/technet/desktopdeployment/midsize/default.mspx
Microsoft Solution Accelerator for Business Desktop Deployment
http://www.microsoft.com/technet/desktopdeployment/bdd/enterprise/default.mspx
Security Guidelines: ASP.NET 2.0
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/pagguidelines0001.asp
Windows BitLocker Drive Encryption Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc766295(ws.10).aspx
AES-CBC + Elephant diffuser
http://www.microsoft.com/downloads/details.aspx?familyid=131dae03-39ae-48be-a8d6-8b0034c92555&displaylang=en

Terms and definitions

AD: Active Directory
ADUC: Active Directory Users and Computers
BIOS: Basic input/output system
BitLocker Drive Encryption: A Microsoft full disk encryption feature included with the Ultimate and Enterprise editions of the Windows 7 desktop operating system, as well as the Windows Server 2008 R2 server platforms.
CAC: Common Access Card
CV: Dell ControlVault, a unique hardware-based security solution that provides a hardened and secure bank for storing and processing user credentials.
ECC: ERAS Client Connector (ERASConnector.msi)
ELEPHANT DIFFUSER: Microsoft diffuser layer designed to work along with the AES-CBC cipher
ERAS: EMBASSY Remote Management Server
ESC: EMBASSY Security Center
ETS: EMBASSY Trust Suite
ERASCMD: ERAS command line utility
FDE: Full Disk Encryption
FUMC: First Use Must Change
FQDN: Fully Qualified Domain Name
GPMC: Group Policy Management Console
GPO: Group Policy Object
IT: Information Technology
MBR: Master Boot Record
MMC: Microsoft Management Console
OS: Operating System
Platform: TPM enabled computing platform
Self-encrypting drives: Hard drives with an on-board security controller and embedded capabilities for media-speed full disk encryption and pre-boot authentication.
SSO: Single Sign-on
TDM: Trusted Drive Manager
TPM: Trusted Platform Module
UI: User Interface
WCF: Windows Communication Foundation
WMI: Windows Management Instrumentation
WPS: Windows Password Synchronization
Appendix III Wave Software Terminology

Initialized: A self-encrypting hard drive or software FDE hard drive that is now controlled remotely by ERAS or locally by ETS. The term Initialize refers to making initial communication with the Trusted Drive in order to control the device. This process also includes adding the Trusted Drive Admin account.

Trusted Drive Locking: Refers to the self-encrypting hard drive locking mechanism that can be enabled or disabled. When enabled, the drives require credentials in order to be accessed. In the case of software FDE such as ProtectDrive, enabling Trusted Drive Locking from ERAS initiates software encryption and requires credentials for drive access from the beginning, throughout the encryption process, and after encryption is completed.

Task Definitions

ERAS Administration - This task comprises all operations that can change how ERAS is used.
  Change Server Settings Operation: Change Server Settings.

TDM User Management - Manage TDM users
  Edit TDM User Operation: Add or remove TDM user
  Reset TDM User Password Operation: Reset TDM user password

TPM User Management - Manage TPM users
  Edit TPM User Operation: Add or remove TPM user

TDM Password Management - Reset TDM user or owner password
  Reset TDM Administrator Password Operation: Reset TDM administrator password
  Reset TDM User Password Operation: Reset TDM user password

TPM Password Management - Reset TPM user or owner password
  Reset TPM Owner Password Operation: Reset TPM owner password
  Reset TPM User Password Operation: Reset TPM user password

Reset TPM Task - Task to reset TPM
  Clear TPM Ownership Operation: Clear TPM

Erase TD Task - Task to erase TD
  Erase TD Operation: Erase Trusted Drive

Retrieve TDM Recovery Password - View TDM recovery password
  View TDM Recovery Password Operation: View TDM recovery password

Unlock TPM - Reset TPM lock
  Reset TPM Auth Lock Out Operation: Reset TPM authentication lock out

General - Generic tasks like refresh and search
  Refresh Platform Operation: Refresh specified platform
  Search Platform Operation: Search a platform by path, machine name, or TD serial number

TPM Ownership Management - Take or change TPM ownership
  Change TPM Ownership Operation: Change TPM ownership
  Take TPM Ownership Operation: Take TPM ownership

Manipulate TPM - Operate TPM
  Enable or Disable TPM Operation: Enable or disable TPM
  Run TPM Self Test Operation: Run TPM self test
  TPM Physical Presence Operation: Perform TPM physical presence authorized operations

CV Password Management - Manage ControlVault Admin/BIOS Firmware HDD Password
  Manage BIOS Firmware Password Operation: Change BIOS Firmware Password
  Manage CV Administrator Password Operation: Change CV Administrator Password

CV User Management - Initialize/Uninitialize ControlVault and Add/Remove users
  Add user to CV Operation: Add user to ControlVault
  Archive CV user Operation: Archive ControlVault user
  Initialize CV Operation: Initialize ControlVault
  Remove user from CV Operation: Remove user from ControlVault
  Restore CV user Operation: Restore ControlVault user
  Uninitialize CV Operation: Uninitialize ControlVault

Manipulate TDM - Operate Trusted Drives
  Change TD Administrator Operation: Change TD administrator
  Enable or Disable TD Operation: Enable or disable Trusted Drive
  Regenerate TD Recovery Password Operation: Regenerate TD recovery password
  TD Initialization Operation: Initialize or uninitialize TD
  Updated TDM MBR Operation: Update Master Boot Record

View BIOS Passwords - View BIOS System/Admin/Internal HDD Password
  Retrieve BIOS Administrator Password Operation: View BIOS Administrator Password
  Retrieve BIOS System Password Operation: View BIOS System Password
  Retrieve Internal HDD Password Operation: View BIOS Internal Hard Drive Password

View CV Passwords - View ControlVault Admin/BIOS Firmware HDD Password
  Retrieve BIOS Firmware Password Operation: View BIOS Firmware Password
  Retrieve CV Administrator Password Operation: View CV Administrator Password

View Report - Get statistics reports
  View Statistics Report Operation: Get and display statistics reports

BIOS Password Management
  Manage BIOS Administrator Password Operation: Define and change BIOS Administrator Password
  Manage BIOS System Password Operation: Define and change BIOS System Password
  Manage Internal HDD Password Operation: Define and change Internal HDD Password
  Retrieve BIOS Administrator Password Operation: View BIOS Administrator Password
  Retrieve BIOS System Password Operation: View BIOS System Password
  Retrieve Internal HDD Password Operation: View Internal HDD Password
Tasks by Role

Help Desk: General; Regenerate TD Recovery Password Task; Retrieve TDM Recovery Password; TDM User Management; Unlock TPM; View BIOS Passwords
Security Officer: CV Password Management; CV User Management; Erase TD Task; General; Reset TPM Task; TPM Password Management; TDM Password Management; View CV Passwords
Enrollment Agent: CV Password Management; CV User Management; General; TPM User Management; TDM User Management; View CV Passwords
System Administrator: All task functions

Select Dell ControlVault Platforms

E6400, E6400 ATG, E6400 XFR, E6500, E4300, M4500, Z600, E4200, XT2 XFR, E4310, M4400, E6510, E6410, E6410 ATG, M6400, M6500, M2400
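The role model above is two-level: a Role Definition is a set of Task Definitions, and a Task Definition is a set of Operations, so what a user can actually do is only visible after resolving both layers. The following Python script is an added example, not code from the manual or from Wave Systems; it transcribes the two tables above and resolves each role to its effective operations, then reports which roles reach a password-retrieval operation (for instance, Help Desk can read BIOS passwords through View BIOS Passwords without holding BIOS Password Management). Tasks that the Tasks by Role table names but whose operation lists fall outside this excerpt (General, Unlock TPM, Erase TD Task, Reset TPM Task, the TPM/TDM Password and User Management tasks, Retrieve TDM Recovery Password) are left empty and reported as unresolved rather than guessed. The function names are mine.

```python
"""Resolve ERAS role -> task -> operation grants and audit what each role reaches.

Added example, not ERAS code. Tables transcribed from Appendix III above.
"""
from __future__ import annotations

# Task Definition -> operations it bundles (Appendix III task/operation table).
TASK_OPERATIONS: dict[str, frozenset[str]] = {
    "TPM Ownership Management": frozenset({
        "Change TPM Ownership", "Take TPM Ownership"}),
    "Manipulate TPM": frozenset({
        "Enable or Disable TPM", "Run TPM Self Test",
        "TPM Physical Presence Operation"}),
    "CV Password Management": frozenset({
        "Manage BIOS Firmware Password", "Manage CV Administrator Password"}),
    "CV User Management": frozenset({
        "Add user to CV", "Archive CV user", "Initialize CV",
        "Remove user from CV", "Restore CV user", "Uninitialize CV"}),
    "Manipulate TDM": frozenset({
        "Change TD Administrator", "Enable or Disable TD",
        "Regenerate TD Recovery Password", "TD Initialization",
        "Updated TDM MBR"}),
    "View BIOS Passwords": frozenset({
        "Retrieve BIOS Administrator Password",
        "Retrieve BIOS System Password", "Retrieve Internal HDD Password"}),
    "View CV Passwords": frozenset({
        "Retrieve BIOS Firmware Password", "Retrieve CV Administrator Password"}),
    "View Report": frozenset({"View Statistics Report"}),
    "BIOS Password Management": frozenset({
        "Manage BIOS Administrator Password", "Manage BIOS System Password",
        "Manage Internal HDD Password", "Retrieve BIOS Administrator Password",
        "Retrieve BIOS System Password", "Retrieve Internal HDD Password"}),
}

# Role Definition -> Task Definitions (Appendix III "Tasks by Role").
# None stands for "All task functions" (System Administrator).
ROLE_TASKS: dict[str, frozenset[str] | None] = {
    "Help Desk": frozenset({
        "General", "Regenerate TD Recovery Password Task",
        "Retrieve TDM Recovery Password", "TDM User Management",
        "Unlock TPM", "View BIOS Passwords"}),
    "Security Officer": frozenset({
        "CV Password Management", "CV User Management", "Erase TD Task",
        "General", "Reset TPM Task", "TPM Password Management",
        "TDM Password Management", "View CV Passwords"}),
    "Enrollment Agent": frozenset({
        "CV Password Management", "CV User Management", "General",
        "TPM User Management", "TDM User Management", "View CV Passwords"}),
    "System Administrator": None,
}


def tasks_for_role(role: str) -> frozenset[str]:
    """Expand 'All task functions' to every task defined in this excerpt."""
    tasks = ROLE_TASKS[role]
    return frozenset(TASK_OPERATIONS) if tasks is None else tasks


def resolve_role(role: str) -> tuple[frozenset[str], frozenset[str]]:
    """Return (effective operations, tasks whose definition is not in this excerpt)."""
    ops: set[str] = set()
    unresolved: set[str] = set()
    for task in tasks_for_role(role):
        if task in TASK_OPERATIONS:
            ops |= TASK_OPERATIONS[task]
        else:
            unresolved.add(task)
    return frozenset(ops), frozenset(unresolved)


def can_perform(role: str, operation: str) -> bool:
    return operation in resolve_role(role)[0]


def roles_that_can(operation: str) -> list[str]:
    """Reverse lookup: every role that reaches the operation through any task."""
    return sorted(r for r in ROLE_TASKS if can_perform(r, operation))


def password_readers() -> dict[str, list[str]]:
    """Roles that can retrieve a stored BIOS/CV password, and which ones."""
    report: dict[str, list[str]] = {}
    for role in ROLE_TASKS:
        ops, _ = resolve_role(role)
        reads = sorted(op for op in ops if op.startswith("Retrieve"))
        if reads:
            report[role] = reads
    return report


if __name__ == "__main__":
    for role in ROLE_TASKS:
        ops, unresolved = resolve_role(role)
        print(f"{role}: {len(ops)} operations, unresolved tasks: {sorted(unresolved)}")
    for role, reads in password_readers().items():
        print(f"{role} can read: {', '.join(reads)}")
```

Run it before extending a role: `roles_that_can("Retrieve CV Administrator Password")` answers "who can read that secret" directly, which is the question an auditor asks, while the per-role unresolved list tells you which grants you still have to check against the pages not reproduced here.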
Default Server Settings

Allow these special characters in auto-generated passwords
    Default: (none)
    Define special characters to be allowed when setting passwords for Trusted Drives, System BIOS, and ControlVault.

Auto-enroll foreign client to ERAS
    Default: False
    Set to True to allow ERAS to auto-enroll foreign clients to Active Directory.

Automatically lock Trusted Drives after first Smart Card user is enrolled
    Default: True
    Set to True to enable automatic locking of the Trusted Drive after the first Smart Card user is enrolled.

Bypass ICMP when validating network access to remote computer
    Default: False
    Set to True to bypass the ICMP ping and attempt a TCP/IP connection directly.

Client Reconnect Interval (minutes)
    Default: 1440
    Specify the interval in minutes for the client to reconnect to ERAS.

Client Retry Communication Interval (minutes)
    Default: 10
    Specify the interval in minutes for the client to try to reconnect to ERAS after a failure.

Default to checked state for Allow temporary passwords checkbox on SED initialization user interface
    Default: True
    Set the checked state as the default for the Allow temporary passwords checkbox on the SED initialization user interface.

Default to checked state for Smart card authentication factor checkbox on SED initialization user interface
    Default: False
    Set the checked state as the default for the Smart card authentication factor checkbox on the SED initialization user interface.

Enable BitLocker management
    Default: True
    Set to True to enable BitLocker management.

Enable ControlVault management
    Default: True
    Set to True to enable ControlVault remote management.

Enable foreign client management
    Default: True
    Set to True to enable management of workgroup and/or non-trusted domain clients.

Enable FUMC settings by default
    Default: True
    Set to True to enable the 'First Use Must Change (FUMC)' password policy setting by default.

Enable password filtering for Trusted Drives
    Default: True
    Set to True to filter unallowable characters when setting passwords on Trusted Drives.

Enable pending operation
    Default: True
    Set to True to enable pending operations. All management operations are postponed when the client is not online.

Enable ProtectDrive management
    Default: True
    Set to True to enable ProtectDrive remote management.

Enable standby and sleep mode settings by default
    Default: False
    Set to True to enable Standby Mode settings by default.

Enable Systems BIOS management
    Default: True
    Set to True to enable BIOS remote management.

Enable TPM management
    Default: True
    Set to True to enable TPM remote management.

ERAS console wait time
    Default: 15
    Set the operation timeout.

ERAS database query timeout in seconds
    Default: 120
    Set the database timeout in seconds.

Exclude these characters in auto-generated passwords
    Default: 10Oo lii
    Define characters to be excluded when generating passwords for Trusted Drives, System BIOS, and ControlVault. Note: a space at the beginning or end of the pattern is not visible.

Foreign client container name
    Default: ERAS External Client
    Specify a container (OU) name to use for foreign clients.

Foreign client maximum reconnect interval (minutes)
    Default: 1440
    Specify the maximum interval in minutes for foreign clients to reconnect to ERAS.

Foreign client minimum reconnect interval (minutes)
    Default: 0.25
    Specify the minimum interval in minutes for foreign clients to reconnect to ERAS.

Initialize first Trusted Drive only (Manage Wizard)
    Default: False
    Set to True to initialize only the first drive if there are multiple drives in the computer.

Maximum base 10 digits allowed in auto-generated passwords
    Default: 3
    Set the maximum number of base 10 digits allowed when generating passwords for Trusted Drives, System BIOS, and ControlVault.

Maximum instances of any character allowed in auto-generated passwords
    Default: 4
    Set the maximum number of times any one character may appear when generating passwords for Trusted Drives, System BIOS, and ControlVault.

Maximum length allowed in auto-generated BIOS passwords
    Default: 12
    Set the maximum length allowed when generating BIOS passwords.

Maximum length allowed in auto-generated Trusted Drive and ControlVault passwords
    Default: 20
    Set the maximum length allowed when generating passwords for Trusted Drives and ControlVault.

Maximum non-alpha-numeric characters allowed in auto-generated passwords
    Default: 1
    Set the maximum number of non-alphanumeric characters allowed when generating passwords for Trusted Drives, System BIOS, and ControlVault.

Maximum number of records to return in search for computers
    Default: 5000
    Specify the maximum number of records to return in a search for computers.

Maximum upper-case characters allowed in auto-generated passwords
    Default: 8
    Set the maximum number of upper-case characters allowed when generating passwords for Trusted Drives, System BIOS, and ControlVault.

Minimum base 10 digits allowed in auto-generated passwords
    Default: 1
    Set the minimum number of base 10 digits required when generating passwords for Trusted Drives, System BIOS, and ControlVault.

Minimum length allowed in auto-generated BIOS passwords
    Default: 8
    Set the minimum length allowed when generating BIOS passwords.

Minimum length allowed in auto-generated Trusted Drive and ControlVault passwords
    Default: 20
    Set the minimum length allowed when generating passwords for Trusted Drives and ControlVault.

Minimum non-alpha-numeric characters allowed in auto-generated passwords
    Default: 0
    Set the minimum number of non-alphanumeric characters required when generating passwords for Trusted Drives, System BIOS, and ControlVault.

Minimum upper-case characters allowed in auto-generated passwords
    Default: 2
    Set the minimum number of upper-case characters required when generating passwords for Trusted Drives, System BIOS, and ControlVault.

Number of allowed logins to Trusted Drives before enrollment (1-5)
    Default: 2
    Specify the number of logins allowed before enrollment for Trusted Drives. Applicable only to TDM releases prior to 4.0.

Password recovery method
    Default: CRRP-II
    Specify the drive password recovery method to use. This applies only to Trusted Drive Manager version 4.0 and older; starting with TDM version 4.1, the drive recovery method must be set and enforced by domain group policy. The Recovery Password is a static password of at most 20 characters. The Challenge Response Recovery Password (CRRP-II) is a one-time recovery password using either a 128-bit or a 256-bit key; the key size determines the number of characters the user has to type to unlock the drive, 31 and 61 characters respectively.

Recovery key length
    Default: 128
    Set the length in bits of the recovery key used for drive recovery; applies to the CRRP-II recovery method only. ERAS uses this setting to manage drives running Trusted Drive Manager version 4.0 and older. Starting with TDM version 4.1, the recovery key length is coupled with the recovery method and must be set and enforced by domain group policy.

Remote management preference
    Default: Remote WMI with 128 bit packet encryption
    Specify one of three preferences for remote management: Remote Windows Management Instrumentation (WMI) with 128 bit packet encryption; 256 bit AES data encryption; or Client initiated management, which also provides 256 bit AES data encryption and can be used where WMI is disabled.

Show failed pending operations
    Default: False
    By default, pending operations that have not executed successfully are not shown. Set to True to show failed pending operations.

Use extended user account mode
    Default: False
    Set to True to enable the maximum number of user accounts on Trusted Drives, up to 256 users. This setting applies only to SED drives provisioned with the password pre-boot authentication factor.

Validate user access to computer objects
    Default: True
    When set to True, users must have write access to the computer object in order to manage it. When set to False, the write-access check is skipped and users do not need write access to manage the computer object.
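The auto-generated password settings above only make sense as a whole: the length limits differ per target (8 to 12 characters for BIOS, exactly 20 for Trusted Drive and ControlVault), the digit, upper-case and non-alphanumeric counts are bounded on both sides, no character may repeat more than 4 times, and with no allowed special characters configured the default output is alphanumeric only. The following Python module is an added example, not code from the manual or from Wave Systems; it expresses those defaults as a policy object, validates a candidate password against every rule (the last two checks correspond to what 'Enable password filtering for Trusted Drives' does: rejecting characters outside the allowed set) and generates a compliant password from the operating system CSPRNG. Assumption: the excluded-character pattern, printed above as "10Oo lii", is read as the look-alike set 1, 0, O, o, l, I, i; the PasswordPolicy dataclass and function names are mine.

```python
"""Validate and generate passwords against the ERAS auto-generated password settings.

Added example, not ERAS code. Numeric defaults come from the Default Server
Settings table above. ASSUMPTION: the excluded pattern "10Oo lii" is taken
to be the look-alike characters 1 0 O o l I i.
"""
from __future__ import annotations

import secrets
import string
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int
    min_digits: int = 1        # Minimum base 10 digits
    max_digits: int = 3        # Maximum base 10 digits
    min_upper: int = 2         # Minimum upper-case characters
    max_upper: int = 8         # Maximum upper-case characters
    min_special: int = 0       # Minimum non-alpha-numeric characters
    max_special: int = 1       # Maximum non-alpha-numeric characters
    max_repeats: int = 4       # Maximum instances of any character
    allowed_special: str = ""  # "Allow these special characters" (default: none)
    excluded: str = "10OolIi"  # "Exclude these characters" (ASSUMED reading)


# Length limits differ per target; every other default is shared.
BIOS_POLICY = PasswordPolicy(min_length=8, max_length=12)
TD_CV_POLICY = PasswordPolicy(min_length=20, max_length=20)

_rng = secrets.SystemRandom()  # OS CSPRNG, never random.Random


def violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    out: list[str] = []
    n = len(password)
    if not policy.min_length <= n <= policy.max_length:
        out.append(f"length {n} outside {policy.min_length}-{policy.max_length}")
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    special = sum(not c.isalnum() for c in password)
    if not policy.min_digits <= digits <= policy.max_digits:
        out.append(f"digits {digits} outside {policy.min_digits}-{policy.max_digits}")
    if not policy.min_upper <= upper <= policy.max_upper:
        out.append(f"upper-case {upper} outside {policy.min_upper}-{policy.max_upper}")
    if not policy.min_special <= special <= policy.max_special:
        out.append(f"non-alphanumeric {special} outside {policy.min_special}-{policy.max_special}")
    # Character filtering: excluded look-alikes and specials not on the allow list.
    excluded = sorted({c for c in password if c in policy.excluded})
    if excluded:
        out.append("excluded characters present: " + "".join(excluded))
    disallowed = sorted({c for c in password if not c.isalnum() and c not in policy.allowed_special})
    if disallowed:
        out.append("special characters not in allow list: " + "".join(disallowed))
    for char, count in Counter(password).most_common(1):
        if count > policy.max_repeats:
            out.append(f"character {char!r} appears {count} times (max {policy.max_repeats})")
    return out


def generate(policy: PasswordPolicy, attempts: int = 1000) -> str:
    """Draw per-class counts inside the policy bounds, fill, shuffle, then re-validate."""
    pools = {
        "lower": [c for c in string.ascii_lowercase if c not in policy.excluded],
        "upper": [c for c in string.ascii_uppercase if c not in policy.excluded],
        "digit": [c for c in string.digits if c not in policy.excluded],
        "special": [c for c in policy.allowed_special if c not in policy.excluded],
    }
    if policy.min_special > 0 and not pools["special"]:
        raise ValueError("policy requires special characters but allows none")
    for _ in range(attempts):
        length = _rng.randint(policy.min_length, policy.max_length)
        counts = {
            "digit": _rng.randint(policy.min_digits, policy.max_digits),
            "upper": _rng.randint(policy.min_upper, policy.max_upper),
            "special": _rng.randint(policy.min_special, policy.max_special) if pools["special"] else 0,
        }
        counts["lower"] = length - sum(counts.values())
        if counts["lower"] < 0:
            continue  # this combination of counts does not fit the drawn length
        chars = [_rng.choice(pools[kind]) for kind, k in counts.items() for _ in range(k)]
        _rng.shuffle(chars)
        candidate = "".join(chars)
        if not violations(candidate, policy):  # rejects max_repeats breaches
            return candidate
    raise ValueError("could not satisfy policy")


if __name__ == "__main__":
    print("BIOS:", generate(BIOS_POLICY))
    print("TD/CV:", generate(TD_CV_POLICY))
    print(violations("Abcdefg2!", BIOS_POLICY))
```

Note what the defaults imply when you tune them: the only way to get a special character into an auto-generated password is to populate 'Allow these special characters' and raise the minimum above 0, and the 'Maximum length allowed in auto-generated BIOS passwords' of 12 caps BIOS secrets well below the 20 used for drives and ControlVault.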
Appendix IV Configuring TDM Password Filter

The following instructions allow testing of the TDM password filter ON/OFF from the Server Settings UI. The TDM password filter is on by default.

1. Change the Enable Password Filtering for Trusted Drives value from True to False in the Server Settings UI.
3. Restart IIS.

MMC.EXE.CONFIG Table

Operating System             MMC.EXE.CONFIG location
Windows Server 2003 32-bit   C:\Program Files\Wave Systems\EMBASSY Remote Administration server\tools\snapin
Windows Server 2003 64-bit   C:\Program Files (x86)\Wave Systems\EMBASSY Remote Administration server\tools\snapin
Windows Server 2008 32-bit   C:\Windows\System32
Windows Server 2008 64-bit   C:\Windows\System32
Vista 32-bit                 C:\Windows\System32
Vista 64-bit                 C:\Windows\System32
XP 32-bit                    C:\Program Files\Wave Systems\EMBASSY Remote Administration server\tools\snapin
XP 64-bit                    C:\Program Files (x86)\Wave Systems\EMBASSY Remote Administration server\tools\snapin

EnableFumc and StandbySleepMode in Server Settings UI

EnableFumc
EnableFumc is the flag configured in the Server Settings UI. When the UI is brought up, it sets the FUMC checkbox according to the value in the Server Settings UI: True = checked, False = unchecked. The default value is True after installation.

StandbySleepMode
StandbySleepMode is the property configured in the Server Settings UI to set the default value for S3 support. The initial value is False.
Appendix V WaveSystemsCorp Policies

Authentication Manager

Enable Intel GINA chaining
    If this policy is enabled, Wave GINA and Intel Wireless GINA are enabled and chained. This means single sign-on (SSO) is turned ON.

Enable Wave secure logon
    If this policy is enabled or not configured and TDM SSO is turned ON, Wave GINA and the Credential Provider are enabled automatically.

Windows authentication factor
    If enabled, the selected authentication factor will be enforced. The choices are: Password; Biometric; PKI; Password or biometric; Password and biometric; Password or PKI; PKI and biometric; Biometric or PKI.

Common

Disable local Control Vault management
    If enabled, local ControlVault management is disabled.

Disable local Trusted Drive management
    If enabled, local Trusted Drive management is disabled.

Disable local Trusted Platform Module management
    If enabled, local Trusted Platform Module management is disabled.

Enable single sign-on
    If enabled, single sign-on allows access to both the primary SED drive and the operating system.

Embassy Remote Administration Server

Configure ERASConnector settings
    Specify the server name (FQDN) and TCP port for ERASConnector to use when establishing a connection to ERAS. The default TCP port is 80. There is no default value for the server name.

Configure ERAS setup parameters
    A service account is required by ERAS to connect to the ERAS database and to remotely manage client computers using WMI (Windows Management Instrumentation). Specify a user account in the domain where ERAS is installed.

Configure Wave secure key set
    If enabled, the service key set is used to protect the integrity of the data transported between client and server.

Embassy Security Setup

Enable universal enrollment wizard (UEW)
    If enabled and set to 'Disabled', the UEW wizard will not run, either automatically or manually. If set to 'Manual', the wizard can be started manually. If set to 'Automatic', the wizard runs automatically at startup.

Enable first time wizard
    If enabled and set to 'Disabled', the first time wizard will not run, either automatically or manually. If set to 'Manual', the first time wizard can be started manually. If set to 'Automatic', the first time wizard runs automatically when the user first logs on to Windows.

Trusted Drive Manager

Configure additional authentication factors to unlock SED drives
    This policy setting allows administrators to specify whether the user must present additional credentials to unlock a SED. If enabled, the user must provide the additional credential(s) specified here in order to unlock a SED. If disabled or not configured, the user is required to provide the credential(s) enforced by other policy settings.
    If "Configure USB token" is checked:
    a) The USB token shall be formatted and mapped to one user account only.
    b) The USB token must be removed after successful authentication during pre-boot. The pre-boot screen prompts the user to remove the token and then boots to Windows.
    c) The software shall prevent copying of the token enrollment data by storing the USB drive serial number both in WSS and in the token enrollment data, comparing the two values, and using the token for authentication only if they match.
    d) Only one drive can be unlocked by a USB token.
    Note: This policy enforcement is instantiated during SED drive initialization. To disable this policy enforcement, the policy must be set to disabled and the SED drive must be re-initialized.
    Note: This policy travels with the provisioned SED drive if enabled.
    Note: This policy is currently in development.

Configure additional authentication factors to unlock SED drives during recovery
    This policy setting allows administrators to specify whether the user must present additional credentials (insert a USB drive with a token) when attempting to unlock a SED drive during recovery. If enabled, the user must provide the recovery password and insert a USB drive with the key in order to unlock a SED. If disabled or not configured, the user is required to provide only the recovery password.
    If "Configure USB token" is checked:
    a) The USB token shall be formatted and mapped to one user account only.
    b) The USB token must be removed after successful authentication during pre-boot. The pre-boot screen prompts the user to remove the token and then boots to Windows.
    c) The software shall prevent copying of the token enrollment data by storing the USB drive serial number both in WSS and in the token enrollment data, comparing the two values, and using the token for authentication only if they match.
    d) Only one drive can be unlocked by a USB token.
    Note: This policy enforcement is instantiated during SED drive initialization. To disable this policy enforcement, the policy must be set to disabled and the SED drive must be re-initialized.
    Note: This policy travels with the provisioned SED drive if enabled.
    Note: This policy is currently in development.

Configure anti-theft protection for SED drives
    This policy setting allows administrators to configure anti-theft protection for SED drives. If enabled, anti-theft protection is turned on: users are locked out of the SED drive at the next power cycle if an anti-theft action is triggered. If disabled or not configured, anti-theft protection is turned off.
    Note: This policy is currently in development.

Disable automatic removal of invalid smart card credentials
    By default, invalid smart card credentials are removed automatically. To change this behavior, enable this setting, which disables the automatic removal of invalid smart card credentials.

Automatic smart card user provisioning to SED drives
    Default state: Disabled. When enabled, any user logging on to the Windows client with a smart card logon certificate validated and accepted by Active Directory is automatically added during smart card enrollment as an authorized user for pre-boot SED drive unlock, without the need to explicitly add the user as a valid drive user from ERAS. When disabled, only users added to the drive from ERAS can be enrolled on the client and unlock the drive at pre-boot.

Configure use of biometrics to unlock SED drives
    This policy setting allows administrators to specify whether users can unlock the SED drive by using biometrics. By default, users cannot use biometrics to unlock the SED. If enabled, users can unlock the SED drive by using biometrics. If disabled or not configured, users will not be able to unlock the SED drive by using biometrics.
    Note: This policy enforcement is instantiated during SED drive initialization. To disable this policy enforcement, the policy must be set to disabled and the SED drive must be re-initialized.
    Note: This policy travels with the SED drive if enabled and the SED drive is provisioned.
    Note: This policy is currently in development.

Remember last user
    If enabled, the last user logged in at pre-boot is cached.

Disable S3 support for SED drives
    This policy setting allows administrators to disable S3 support for SED drives. If enabled, the feature is supported. If disabled or not configured, this feature is not available.

Disable SED user password reset during recovery
    If enabled, the user cannot reset his/her SED password during recovery; the user can only unlock the drive with the recovery password. If disabled or not configured, the user can define a new SED password during recovery.
    Note: The Windows Password Synchronization (WPS) policy overrides this policy setting. If WPS is enabled, the user can reset his/her SED password regardless of this policy setting.
    Note: This policy travels with the SED if enabled.

Display all users
    If enabled, domain and user names are pre-populated with the SED users at TDM pre-boot.

Enable SED drive multi-factor enrollment wizard
    If enabled and set to 'Disabled', the TDM smart card enrollment wizard will not run, either automatically or manually. If set to 'Manual', the wizard can be started manually. If set to 'Automatic', the wizard runs automatically for every new Windows smart card user if auto-provisioning is enabled.

Automatic smart card certificate enrollment for SED
    If enabled, a user logging on to Windows on a computer containing a SED drive initialized with the smart card authentication factor is automatically enrolled to the SED.

Enable single sign-on
    If enabled, single sign-on allows access to both the primary SED drive and the operating system.

Enable Windows password synchronization
    If enabled, the SED drive password is synchronized with the Windows password.

Define Protect Drive configuration template
    If enabled, use this to specify the file location of the Protect Drive configuration template.

Allow user to unlock SED drive by using password only
    This policy setting allows administrators to specify whether users can unlock the SED drive by using a password only. If enabled, users can unlock the SED drive by using a password only. If disabled or not configured, users can only unlock the SED drive by providing the credentials enforced by other policy settings.
    Note: This policy enforcement is instantiated during SED drive initialization. To disable this policy enforcement, the policy must be set to disabled and the SED drive must be re-initialized.
    Note: This policy travels with the SED drive if enabled and the SED drive is provisioned.

Customize pre-boot screen
    If enabled, custom messages can be defined for display on the pre-boot screen and on the recovery screen.

Configure SED drive recovery methods
    Settings in this policy define the recovery methods for SED drive Service Access Recovery. SED drive Recovery Method refers to a recovery based on the SED drive with no associated user; this allows recovery by way of the "Service Access" account. SED drive User Recovery Method refers to a recovery by an associated user account. Selecting "Disabled" removes access to that particular recovery method at pre-boot. The remaining choices define the encryption level setting to use for that particular recovery method.

Enable warm boot after SED drive unlock
    If this policy is enabled and set to Compatibility, the computer performs a warm restart after the drive unlocks to allow the BIOS to rescan the drive and attached devices. This is required for some BIOSes to correctly detect the available partitions and attached devices. If set to Auto-detect, the computer performs a restart after the drive unlocks only if it detects USB mass storage devices attached; if no USB mass storage devices are attached, the computer continues with the normal boot. If this policy is not configured, or is enabled and set to Fast, the computer continues with the normal boot after the SED unlocks.

Configure SED drive keyboard layouts
    Select the language keyboard layout type.

Enable single sign-on password recovery
    When enabled, allows SSO into Windows when using user-based recovery.

Temporary password usage limit
    If enabled and set to 0, the drive user password can be used an unlimited number of times. If set to any number other than 0, Trusted Drive Manager decrements the usage counter each time the password is used; when the counter reaches 0, further use of the password is no longer allowed.

Enable user SED password recovery
    Enabling this policy allows a user to reset and synchronize their pre-Windows SED password, Windows password, and Active Directory (AD) password during recovery, as follows:
    a. Users who employ CRRP II for recovery see a new screen after successful response validation, allowing them to type a new password and retype it for validation. (Currently the password complexity setting is not validated, but it is recommended to adhere to the password complexity rules if known.)
    b. If WPS and/or SSO are enabled, the new password and the previous password are passed to the Wave components present in the OS.
    c. If SSO is enabled, the user is silently logged in.
    d. After the user logs in to Windows, a dialog box is displayed with the old and new password pre-populated and hidden. The user is notified that a change to their AD password is required. The user must verify that they are connected to the domain to continue.
    e. Upon user confirmation, ESC attempts to sync the AD password to the new drive password using the old password. The user is notified upon successful password change.
    Note: If the new password set at pre-boot for the drive user is rejected by the DC due to complexity rules, the user is prompted to change their password again.
    Note: A connection to the Domain Controller is required for this recovery process.