SafeGuard Easy Administrator help - Sophos

Product version: 6
Document date: February 2012


Page 2: SafeGuard Easy Administrator help - Sophos

Contents

1 About Sophos SafeGuard (SafeGuard Easy) (page 4)
2 Getting started (page 9)
3 Installation (page 16)
4 Log on to SafeGuard Policy Editor (page 38)
5 Licenses (page 39)
6 Working with policies (page 41)
7 Working with configuration packages (page 45)
8 Exporting the company and security officer certificates (page 47)
9 Company Certificate Change Orders (page 48)
10 Check the database integrity (page 50)
11 Administrative access to endpoint computers (page 51)
12 Default policies (page 60)
13 Policy Settings (page 65)
14 Power-on Authentication (POA) (page 92)
15 Full disk encryption (page 100)
16 SafeGuard Data Exchange (page 104)
17 Cloud Storage (page 109)
18 Sophos SafeGuard and self-encrypting, Opal-compliant hard drives (page 115)
19 Secure Wake on LAN (WOL) (page 117)
20 Tokens and smartcards (page 119)
21 Recovery options (page 124)
22 Recovery with Local Self Help (page 125)
23 Recovery with Challenge/Response (page 130)
24 System Recovery (page 143)
25 Restore a Sophos SafeGuard Database (page 146)
26 Restore a corrupt SafeGuard Policy Editor installation (page 147)
27 About upgrading (page 148)
28 About migrating (page 151)
29 About uninstallation (page 160)
30 Technical support (page 163)
31 Legal notices (page 164)


1 About Sophos SafeGuard (SafeGuard Easy)

Sophos SafeGuard (SafeGuard Easy) uses a policy-based encryption strategy to protect information on endpoints.

Administration is carried out with the SafeGuard Policy Editor, which is used to create and manage security policies and to provide recovery functions. Policies are deployed to endpoints in configuration packages. On the user side, the main security functions are data encryption and protection against unauthorized access. Sophos SafeGuard can be seamlessly integrated into the user's normal environment and is easy and intuitive to use. The Sophos SafeGuard authentication system, Power-on Authentication (POA), provides powerful access protection and offers user-friendly support when recovering credentials.

Sophos SafeGuard components

Sophos SafeGuard consists of the following components:

Component: SafeGuard Policy Editor
Description: Sophos SafeGuard management tool used to create encryption and authentication policies. SafeGuard Policy Editor creates a default policy during first-time configuration. SafeGuard Policy Editor also provides recovery functions to allow users to regain access to their computers, if they have forgotten their password, for example.

Component: Sophos SafeGuard Database
Description: Sophos SafeGuard Database holds all policy settings for the endpoints.

Component: Sophos SafeGuard software on endpoints
Description: Encryption software on endpoints.

Product names

The following product names are used in this help:

Product name: Sophos SafeGuard Easy (SGE)
Description: Sophos SafeGuard standalone encryption software. From versions 5.x, SafeGuard Policy Editor is used for policy configuration and helpdesk tasks.

Product name: Sophos SafeGuard Disk Encryption (SDE) up to 5.60
Description: Sophos SafeGuard standalone encryption software available with the Endpoint Security and Data Protection (ESDP) bundle up to version 10.

Product name: Sophos Disk Encryption 5.61
Description: Managed full disk encryption through Sophos Enterprise Console 5.1 and above.

Product name: SafeGuard Enterprise
Description: Comprehensive, modular SafeGuard encryption suite with central, role-based management that protects data on endpoints from being read or changed by unauthorized persons.

Product name: Sophos Enterprise Console
Description: Sophos console that manages and updates Sophos security software. With version 5.1 it also manages encryption on endpoints (Sophos Disk Encryption 5.61).

1.1 SafeGuard Policy Editor

SafeGuard Policy Editor is the management console for Sophos SafeGuard protected endpoints.

SafeGuard Policy Editor is installed on the computer that you want to use to carry out administrative tasks. As a security officer, you use SafeGuard Policy Editor to manage Sophos SafeGuard policies and to create configuration settings for endpoints. You publish policies and settings into configuration packages to deploy them on endpoints. Several configuration packages can be created and distributed using third-party mechanisms. You distribute the packages when you install the Sophos SafeGuard encryption software. You can deploy further packages to change the settings on endpoints later.

SafeGuard Policy Editor also provides recovery functions to regain access to endpoints, if users have, for example, forgotten their password.


Features

SafeGuard Policy Editor offers the following:

■ Default configuration: During first-time configuration, SafeGuard Policy Editor automatically creates a default policy with preconfigured, recommended policies for endpoints. You can customize the default policy to your requirements.

■ Administrative access options: The administrative access options service accounts and POA users provide special access for post-installation and administrative tasks on endpoints.

■ Encryption keys: An automatically generated machine key is used for SafeGuard Device Encryption (volume-based encryption). Keys generated locally on the endpoint will be used for SafeGuard Data Exchange (file-based encryption).

■ Local Self Help: For recovery of forgotten passwords, Sophos SafeGuard offers the convenient recovery option Local Self Help. Local Self Help enables users to recover their password even without the assistance of a help desk.

■ Challenge/Response with help desk assistance:

Challenge/Response with help desk assistance can be requested by a user if a password has been forgotten or typed in incorrectly too often. It can also be used to recover data if the POA is corrupted. Challenge/Response is based on specific key recovery files that are automatically generated when Sophos SafeGuard is installed on the endpoint.

Database

The Sophos SafeGuard policies are stored in an SQL database on the administrator's computer. You are prompted to install Microsoft SQL Server 2005 Express during the SafeGuard Policy Editor installation if an existing SQL server instance is unavailable. For this purpose, Microsoft SQL 2005 Express is included in your product delivery.


Migration

You can easily migrate to the SafeGuard Enterprise suite with central management to make use of the full functionality of SafeGuard Enterprise.

Logging

Events for Sophos SafeGuard protected computers are logged in the Windows Event Viewer.

How does SafeGuard Policy Editor differ from SafeGuard Management Center?

SafeGuard Management Center has a central management server and offers enhanced management functionalities, including:

■ Active Directory import with user and domain management.

■ Central logging.

■ Definable administrative roles.

SafeGuard Management Center is available with SafeGuard Enterprise.

Note:

In SafeGuard Management Center, you can also define settings and create configuration packages for Sophos SafeGuard computers that do not have any connection to a SafeGuard Enterprise Server.

1.2 Sophos SafeGuard on endpoint computers

Data encryption and protection against unauthorized access are the main security functions of Sophos SafeGuard. Sophos SafeGuard can be seamlessly integrated into the user's normal environment and is easy and intuitive to use. The Sophos SafeGuard authentication system, Power-on Authentication (POA), provides the necessary access protection and offers user-friendly support when recovering credentials.

Supported features

Note: Availability of features depends on the respective license.

■ Full disk encryption

Ensures that all data on the specified volumes (including boot volume, hard drive, partitions) is transparently encrypted (boot files, swapfiles, idle files/hibernation files, temporary files and directory information etc.) without the user having to change normal operating procedures or to consider security.

■ Power-on Authentication

User logon is performed immediately after switching on the computer. After successful Power-on Authentication, users are automatically logged on to the operating system.

■ SafeGuard Data Exchange


SafeGuard Data Exchange allows users to encrypt data stored on removable media that are connected to their computers, and exchange it with other users. All encryption and decryption processes are run transparently and involve minimum user interaction.

■ SafeGuard Cloud Storage

SafeGuard Cloud Storage offers file-based encryption of data stored in the cloud. It does not change the way users work with data stored in the cloud. Local copies of cloud data are encrypted transparently and remain encrypted when stored in the cloud.


2 Getting started

This section explains how to prepare for your Sophos SafeGuard installation successfully.

2.1 Deployment strategy

Before you deploy Sophos SafeGuard on endpoint computers, we recommend that you define a deployment strategy.

The following options should be considered.

Policies

Sophos SafeGuard offers the following options:

■ Default policy

Sophos SafeGuard offers a default policy with pre-defined encryption and authentication settings for quick and easy policy deployment. During first-time configuration in SafeGuard Policy Editor, the default policy is automatically created.

For details on the default policy and the settings defined, see Default policies (page 60).

■ Defining your own policies

If the default policy does not cover all your specific requirements, you can edit it or define your own policies in SafeGuard Policy Editor.

For details on creating policies, see Working with policies (page 41). For details on deploying policies to endpoint computers, see Working with configuration packages (page 45).

For a detailed description of all available policies and settings, see Policy Settings (page 65).

Administrative access options

Sophos SafeGuard uses two types of accounts to enable users to log on to endpoint computers and carry out administrative tasks after Sophos SafeGuard has been installed.

■ Service accounts for Windows logon

With service accounts, users (for example rollout operators, members of the IT team) can log on to Windows on endpoint computers after the installation of Sophos SafeGuard without activating the Power-on Authentication and without being added as POA users to the computers.

Service account lists are assigned to endpoint computers in policies. They should be assigned in the first Sophos SafeGuard configuration package you create for the configuration of the endpoint computers. Service account lists can be updated by creating a new configuration package and deploying it to the endpoint computers before activation of the POA.

For further information, see Service account lists for Windows logon (page 51).

■ POA users for POA logon


POA users are predefined local accounts that enable users (for example members of the IT team) to log on to endpoint computers to perform administrative tasks after the POA has been activated. POA users enable POA logon only; there is no automatic logon to Windows.

You can create POA users in the SafeGuard Policy Editor, group them in POA groups, and assign groups to endpoints using Sophos SafeGuard configuration packages.

For further information, see POA users for POA logon (page 55).

Recovery options

For situations requiring recovery (for example, forgotten passwords), Sophos SafeGuard offers two recovery options:

■ Logon recovery using Local Self Help

Local Self Help enables users who have forgotten their password to log on to their computers without the assistance of a help desk. To regain access to their computer, they simply answer a predefined number of questions in the Power-on Authentication.

In the default policy, Local Self Help is enabled and configured by default. If you do not use the default configuration, you have to enable Local Self Help in a policy and define the questions to be answered by the end user.

For further information, see Recovery with Local Self Help (page 125).

■ Recovery using Challenge/Response

The Challenge/Response recovery mechanism is a secure and efficient logon recovery system that helps users who cannot log on to their computers or access encrypted data. For Challenge/Response, the assistance of a help desk is required.

In the default policy, Challenge/Response is enabled by default. If you do not use the default configuration, you have to enable Challenge/Response in a policy. For data recovery using Challenge/Response, you need to create specific files called Virtual Clients in the SafeGuard Policy Editor beforehand.

For further information, see Recovery with Challenge/Response (page 130) and Create a Virtual Client (page 135).

2.2 Download installers

1. Using the web address and download credentials provided by your system administrator, go to the Sophos website and download the installers and documentation.

2. Store them in a location where you can access them for installation.

2.3 Language settings

The language settings for SafeGuard Policy Editor and Sophos SafeGuard encryption software on the endpoint computers are as follows:


SafeGuard Policy Editor

You can set the language of the SafeGuard Policy Editor as follows:

■ In SafeGuard Policy Editor, click menu Tools > Options > General. Select Use user defined language and select an available language. English, German, French and Japanese are provided.

■ Restart SafeGuard Policy Editor. It is displayed in the selected language.

Sophos SafeGuard on endpoint computers

You set the language of Sophos SafeGuard on endpoint computers in a policy of the type General in the SafeGuard Policy Editor, setting Customization > Language used on client:

■ If the language of the operating system is selected, Sophos SafeGuard uses the language setting of the operating system. If the operating system language is not available in Sophos SafeGuard, the Sophos SafeGuard language defaults to English.

■ If one of the available languages is selected, Sophos SafeGuard functions are displayed in the selected language on the endpoint computer.

2.4 Displaying SafeGuard Policy Editor help system

The SafeGuard Policy Editor help system is displayed in your browser. It provides comprehensive features such as context-specific help as well as a full-text search. For full functionality of the help system content pages, JavaScript must be enabled in your browser.

With Microsoft Internet Explorer, the behavior is as follows:

■ Windows XP/Windows Vista/Windows 7 - Internet Explorer 6 and above - Default security:

You do not see a Security Bar informing you that Internet Explorer has blocked scripting from running.

JavaScript is running.

■ Windows 2003 Server Enterprise Edition - Internet Explorer 6 - Enhanced Security Configuration (default installation configuration):

An information box is displayed informing you that the Enhanced Security Configuration is enabled and the page is running scripting. You can disable this message.

JavaScript is running.

Note:

Even with JavaScript disabled, you can still display and navigate the SafeGuard Policy Editor help system. However, certain functionality such as the Search cannot be displayed.


2.5 Compatibility with other SafeGuard products

This section describes the compatibility of Sophos SafeGuard 6 with other SafeGuard products.

Compatibility with SafeGuard LAN Crypt

Note the following:

■ SafeGuard LAN Crypt 3.7x and Sophos SafeGuard 6 can coexist on the same computer and are fully compatible.

Note:

If Sophos SafeGuard 6 is installed on top of SafeGuard LAN Crypt, the installation program will display a message that the SGLC Profile Loader is already in use. This message is caused by the fact that SafeGuard LAN Crypt and Sophos SafeGuard share common components and therefore can be ignored. The affected components will be updated upon restart.

■ SafeGuard LAN Crypt with versions below 3.7x and Sophos SafeGuard 6 cannot coexist on the same computer.

If you try to install Sophos SafeGuard 6 on a computer where SafeGuard LAN Crypt version 3.6x or below is already installed, the installation is cancelled and an error message is displayed.

Compatibility with SafeGuard PrivateCrypto and SafeGuard PrivateDisk

Sophos SafeGuard 6 and the standalone products SafeGuard PrivateCrypto (version 2.30 and above) and SafeGuard PrivateDisk (version 2.30 and above) can coexist on the same computer.

Compatibility with SafeGuard RemovableMedia

The SafeGuard Data Exchange component and SafeGuard RemovableMedia cannot coexist on the same computer. Before you install the SafeGuard Data Exchange component on an endpoint, check if SafeGuard RemovableMedia is already installed. In this case you have to uninstall SafeGuard RemovableMedia before you install SafeGuard Data Exchange.

Local keys created with SafeGuard RemovableMedia below version 1.20 can be used by SafeGuard Data Exchange on the Sophos SafeGuard protected endpoint. But they are not transferred to the Sophos SafeGuard Database automatically.

Compatibility with SafeGuard Easy 4.x

When SafeGuard Easy 4.x and the SafeGuard Data Exchange component are installed on one computer, the SafeGuard Easy GINA mechanisms (especially Windows Secure Autologon - SAL) no longer work. As a workaround, SafeGuard Easy 4.x must be installed first and both products should only be uninstalled together (without a restart) to avoid GINA conflicts.


2.6 Security best practices

Sophos SafeGuard provides powerful data protection through encryption and additional logon authentication.

By following the simple steps described here, you can mitigate risks and keep your company's data secure and protected at all times.

Avoid sleep mode

On Sophos SafeGuard protected computers, encryption keys might be accessible to attackers in certain sleep modes where the computer's operating system is not shut down properly and background processes are not terminated. Protection is enhanced when the operating system is always shut down or hibernated properly.

Train users accordingly or consider centrally disabling sleep mode on endpoint computers that are unattended or not in use:

■ Avoid sleep (stand-by/suspend) mode as well as hybrid sleep mode on Windows 7/Windows Vista. Hybrid sleep mode combines hibernation and sleep. Setting an additional password prompt after resume does not provide full protection.

■ Avoid locking desktops and switching off monitors or closing laptop lids as modes of protection when not followed by a proper shut down or hibernation. Setting an additional password prompt after resume does not provide sufficient protection.

■ Instead, shut down or hibernate computers. Power-on Authentication is always activated when the computer is used the next time, thus providing full protection.

Note: It is important that the hibernation file resides on an encrypted volume. Typically it resides on C:\.

You can configure the appropriate power management settings centrally using Group Policy Objects or locally through the Power Options Properties dialog on the computer's System Control. Set the Sleep button action to Hibernate or Shut down.
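The same power settings can be applied and checked locally with powercfg. The following is an added example, not part of the Sophos help: it enables hibernation, switches hybrid sleep off, maps the sleep button, power button and lid close to Hibernate on the active scheme, and reads the values back. It assumes an elevated PowerShell 3.0 or later prompt on Windows 7 with English powercfg output; the alias names and index values are the standard powercfg ones.

```powershell
# Added example (not Sophos code): enforce "hibernate instead of sleep" locally with powercfg.
# Run from an elevated PowerShell prompt. For a whole fleet the same values belong in a GPO.

# powercfg index values for button and lid actions: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down
$Hibernate = 2

function Set-HibernateInsteadOfSleep {
    # Hibernation must be enabled, otherwise the Hibernate action is not offered at all.
    powercfg /hibernate on | Out-Null

    # Hybrid sleep combines hibernation and sleep; the help says to avoid it, so switch it off
    # for both AC (mains) and DC (battery) operation.
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0

    # Sleep button, power button and lid close all map to Hibernate.
    foreach ($setting in 'SBUTTONACTION', 'PBUTTONACTION', 'LIDACTION') {
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $Hibernate
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $Hibernate
    }

    # Apply the modified scheme.
    powercfg /setactive SCHEME_CURRENT
}

function Get-PowerSettingIndex {
    # Reads the current AC and DC index of one setting back from the powercfg /query output
    # (assumes English output: "Current AC Power Setting Index: 0x00000002").
    param([string]$SubGroup, [string]$Setting)
    $text = powercfg /query SCHEME_CURRENT $SubGroup $Setting | Out-String
    $ac = [regex]::Match($text, 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)').Groups[1].Value
    $dc = [regex]::Match($text, 'Current DC Power Setting Index:\s*0x([0-9A-Fa-f]+)').Groups[1].Value
    [pscustomobject]@{
        Setting = "$SubGroup/$Setting"
        AC      = [Convert]::ToInt32($ac, 16)
        DC      = [Convert]::ToInt32($dc, 16)
    }
}

function Test-SleepHardening {
    # One row per setting with a Compliant flag. Button and lid actions count as compliant
    # when they are Hibernate (2) or Shut down (3); hybrid sleep must be off (0).
    $rows = @()
    foreach ($setting in 'SBUTTONACTION', 'PBUTTONACTION', 'LIDACTION') {
        $r = Get-PowerSettingIndex -SubGroup SUB_BUTTONS -Setting $setting
        $rows += $r | Add-Member -NotePropertyName Compliant -NotePropertyValue ($r.AC -ge 2 -and $r.DC -ge 2) -PassThru
    }
    $h = Get-PowerSettingIndex -SubGroup SUB_SLEEP -Setting HYBRIDSLEEP
    $rows += $h | Add-Member -NotePropertyName Compliant -NotePropertyValue ($h.AC -eq 0 -and $h.DC -eq 0) -PassThru

    # The help requires the hibernation file on an encrypted volume, typically C:\. This only
    # confirms that the file sits on the system drive; whether that volume is encrypted is a
    # SafeGuard policy question and is not checked here. File.Exists also sees hidden/system files.
    $hiberfile = Join-Path $env:SystemDrive 'hiberfil.sys'
    $rows += [pscustomobject]@{
        Setting   = "hibernation file on $env:SystemDrive"
        AC        = $null
        DC        = $null
        Compliant = [System.IO.File]::Exists($hiberfile)
    }
    $rows
}

Set-HibernateInsteadOfSleep
Test-SleepHardening | Format-Table -AutoSize
```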

Implement a strong password policy

Implement a strong password policy and force password changes at regular intervals, particularly for computer logon.

Passwords should not be shared with anyone nor written down.

Train users to choose strong passwords. A strong password follows these rules:

■ It is long enough to be secure: Minimum 10 characters.

■ It contains a mixture of letters (upper and lower case), numbers and special characters/symbols.

■ It does not contain a commonly used word or name.

■ It is hard to guess but easy to remember and type accurately.


Do not disable Power-on Authentication

Power-on Authentication provides additional logon protection on the endpoint computer. With SafeGuard full disk encryption, it is installed and enabled by default. For full protection, do not disable it.

Protect against code injection

Code injection, for example DLL pre-loading attacks, might be possible when an attacker is able to place malicious code, for example executables, in directories that may be searched for legitimate code by the Sophos SafeGuard encryption software. To mitigate this threat:

■ Install middleware loaded by the encryption software, for example token middleware, in directories that are inaccessible to external attackers. These are typically all sub-folders of the Windows and Programs directories.

■ The PATH environment variable should not contain components that point to folders accessible to external attackers (see above).

■ Regular users should not have administration rights. Avoid Power Users group rights for regular users under Windows XP.
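A practical way to check the second point is to walk the machine PATH and report every directory whose ACL grants write-type rights to ordinary users. The following is an added example, not Sophos code: it reads the machine-wide PATH, inspects each directory's ACL and flags entries that regular users (including the Power Users group) could write to, as well as entries that do not exist. It assumes PowerShell 3.0 or later, run as administrator so that every ACL can be read; the list of low-privilege principals is an assumption you may need to extend for local groups of your own.

```powershell
# Added example (not Sophos code): audit the machine PATH for directories a regular user could
# write to, i.e. the places where a DLL pre-loading attack would need write access.
# Requires PowerShell 3.0 or later; run as administrator so every ACL is readable.

# Principals that stand for ordinary, non-administrative users (assumed list; extend as needed).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'BUILTIN\Power Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Specific rights that let a principal plant, replace or remove a file in a directory.
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Fsr::CreateFiles -bor $Fsr::CreateDirectories -bor $Fsr::Delete -bor
                   $Fsr::DeleteSubdirectoriesAndFiles -bor $Fsr::WriteAttributes)
# Some ACEs carry generic rights instead of specific ones: GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$GenericWriteMask = 0x40000000 -bor 0x10000000

function Get-MachinePathEntry {
    # The machine-wide PATH is what services and the encryption software inherit at logon.
    $raw = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($part in $raw -split ';') {
        $p = $part.Trim()
        if ($p -ne '') { [Environment]::ExpandEnvironmentVariables($p) }
    }
}

function Get-LowPrivWriteAccess {
    # Returns the Allow ACEs on $Directory that grant write-type rights to a low-privilege principal.
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -ne 0 -or ($rights -band $GenericWriteMask) -ne 0) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Invoke-PathAudit {
    foreach ($dir in Get-MachinePathEntry) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is still searched; check whether regular users
            # could create it under its parent before treating it as harmless.
            [pscustomobject]@{ Directory = $dir; Finding = 'MISSING'; Detail = 'directory does not exist' }
            continue
        }
        $writers = @(Get-LowPrivWriteAccess -Directory $dir)
        if ($writers.Count -gt 0) {
            $detail = ($writers | ForEach-Object { "$($_.Principal): $($_.Rights)" }) -join '; '
            [pscustomobject]@{ Directory = $dir; Finding = 'WRITABLE'; Detail = $detail }
        } else {
            [pscustomobject]@{ Directory = $dir; Finding = 'OK'; Detail = '' }
        }
    }
}

Invoke-PathAudit | Format-Table -AutoSize -Wrap
```

Any WRITABLE or MISSING row is a PATH component to remove or to lock down with an ACL that grants ordinary users read and execute only.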

Encryption best practices

■ Ensure that all drives have a drive letter assigned.

Only drives that have a drive letter assigned are considered for disk encryption/decryption. Consequently, drives without a drive letter assigned may be abused to leak confidential data in plain text.

To mitigate this threat: Do not allow users to change drive letter assignments. Set their user rights accordingly. Regular Windows users do not have this right by default.

■ Apply Fast Initial Encryption cautiously.

Sophos SafeGuard offers Fast Initial Encryption to reduce the time for initial encryption of volumes by only accessing the space that is actually in use. This mode leads to a less secure state if a volume has been in use before it was encrypted with Sophos SafeGuard. Due to their architecture, Solid State Disks (SSD) are affected even more strongly than regular hard disks. This mode is disabled by default.

■ Only use algorithm AES-256 for data encryption.

■ Prevent uninstallation.

To provide extra protection for endpoint computers you can prevent local uninstallation of Sophos SafeGuard in a Machine specific settings policy. Set Uninstallation allowed to No and deploy the policy on the endpoint computers. Uninstallation attempts are cancelled and the unauthorized attempts are logged.

If you use a demo version, you should not activate this policy setting or in any case deactivate it before the demo version expires.


Apply Sophos Tamper Protection to endpoint computers using Sophos Endpoint Security and Control version 9.5 or higher, see Sophos Tamper Protection (page 162).


3 Installation

Setting up Sophos SafeGuard involves the following tasks (installation package/tool in brackets):

1. Install SafeGuard Policy Editor on the administrator computer. (SGNPolicyEditor.msi)

2. Carry out first-time configuration in SafeGuard Policy Editor, automatically creating a default policy. (SafeGuard Policy Editor Configuration Wizard)

3. Customize a copy of the default policy or create further new policies. (SafeGuard Policy Editor Policies navigation area)

4. Publish the policies into configuration package(s). (SafeGuard Policy Editor Configuration Package Tool)

5. On the endpoints, install the pre-installation package that provides necessary requirements for successful installation of the current encryption software. (SGxClientPreinstall.msi)

6. To use SafeGuard Device Encryption (volume-based encryption) on the endpoints, install SGNClient.msi, or SGNClient_x64.msi for Windows 7/Windows Vista 64-bit operating systems.

Note: In addition, Sophos SafeGuard Data Exchange (file-based encryption) can be manually enabled in this package.

To only use SafeGuard Data Exchange (file-based encryption, no POA) on the endpoints, install SGNClient_withoutDE.msi or SGNClient_withoutDE_x64.msi instead.

7. Install the configuration package(s) on the endpoints. (Generated <configpackage>.msi)


3.1 Prepare for installation

Before you deploy Sophos SafeGuard, we recommend that you prepare as follows.

■ Make sure that you have Windows administrator rights.

■ .NET Framework 4 must be installed. It is provided in the Sophos SafeGuard product delivery.

■ If you want to install Microsoft SQL Server 2008 R2 Express automatically during SafeGuard Policy Editor installation, you need to make sure that Microsoft Windows Installer 4.5 and additionally .NET Framework 3.5 with at least Service Pack 1 is installed.

■ For hardware and software requirements, service packs and disk space required during installation as well as for effective operation, see the system requirements section of the current release notes version.

3.2 Install SafeGuard Policy Editor

Before you start:

■ You must have prepared for installation.

■ If you want to use an existing Microsoft SQL database server, you need the necessary SQL access rights and account data.

■ If you want to install Microsoft SQL Server 2008 R2 Express automatically during SafeGuard Policy Editor installation, you need to make sure that Microsoft Windows Installer 4.5 and additionally .NET Framework 3.5 with at least Service Pack 1 is installed.

To deploy the encryption software on the endpoints, first install SafeGuard Policy Editor on an administrator's computer. You can also do the first time installation on a Windows server. Later, you can install it on multiple administrator computers, all connecting to the central Sophos SafeGuard database on the server. The same account is used to access each instance of SafeGuard Policy Editor.

1. Log on to the computer as an administrator.

2. From the product's install folder, double-click SGNPolicyEditor.msi. A wizard guides you through installation. Accept the default options.

You may be prompted to install Microsoft SQL Server 2008 R2 Express during SafeGuard Policy Editor installation, if no SQL database instance is available. It is included in your product delivery. Your Windows credentials are then used for the SQL user account. An SQL database instance is necessary to store Sophos SafeGuard policy settings.

SafeGuard Policy Editor is installed. You now carry out first-time configuration within SafeGuard Policy Editor.

Note: SafeGuard Policy Editor cannot be operated in a terminal server environment.


3.3 Carry out first-time configuration in SafeGuard Policy Editor

Make sure that you have Windows administrator rights.

SafeGuard Policy Editor first-time configuration provides comfortable assistance for quick and easy Sophos SafeGuard implementation:

■ A default policy with pre-defined encryption and authentication settings is automatically created to implement a company-wide security policy on endpoint computers.

■ All necessary requirements for the IT help desk to carry out recovery tasks are provided.

■ The necessary certificates and the connection to the database to store Sophos SafeGuard data are created.

To start first-time configuration:

1. After installation, start SafeGuard Policy Editor from the Start menu. The Configuration Wizard is launched and guides you through the necessary steps.

2. On the Welcome page, click Next.

3.3.1 Create the database connection

A database is used to store all Sophos SafeGuard encryption policies and settings.

1. On the Database page, do one of the following:

■ For a first time installation, under Database, select Create a new database.

■ For an additional installation or to reuse a previously created database, select the respective database from the Database list. All databases available on the currently connected database server are displayed. The corresponding settings are displayed under Database settings. To change them click Change, see Configure the database connection settings (page 18).

Note:

An existing database can be used when you want to install additional instances of SafeGuard Policy Editor, for example to enable help desk staff to carry out Challenge/Response.

2. Click Next.

The connection to the database server is established.

3.3.1.1 Configure the database connection settings

1. In Database Connection under Database Server, select the respective SQL database server from the list. All database servers available on your computer or network are displayed. (The list is updated every 12 minutes.)

2. Under Database on Server, select the respective database to be used.


3. Select Use SSL to secure the connection to this database server with SSL. However, SSL encryption requires a working SSL environment on the computer on which the selected SQL database resides, which you have to set up in advance. For further information, see: http://www.sophos.com/support/knowledgebase/article/108339.html

4. Under Authentication, select the type of authentication to be used to access the database:

■ Select Use Windows NT Authentication to use your Windows credentials.

Note:

Use this type when your computer is part of a domain. However, additional mandatory configuration is required as the user needs to be authorized to connect to the database. For further information, see http://www.sophos.com/sophos/docs/eng/manuals/sgn_bpg_eng_installation_best_practice.pdf.

■ Select Use SQL Server Authentication to access the database with your SQL credentials. You are prompted to enter and confirm them. Where necessary, you can obtain this information from your SQL administrator.

Note:

Use this type of authentication when your computer is not part of a domain. With SQL authentication an upgrade to SafeGuard Management Center can be easily achieved later. Make sure that you select Use SSL to secure the connection to and from the database server when you choose this type of authentication.

5. Click Check connection. If the authentication to the SQL database has been successful, a corresponding success message is displayed.

6. Click OK.
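The wizard's Check connection button only reports that authentication succeeded; it does not show whether the link is actually encrypted. The following PowerShell script is an added example, not part of the Sophos documentation or product: it opens a connection with the same options the wizard uses (Windows NT or SQL Server authentication, encryption requested, server certificate validated) and then asks SQL Server whether the current session is encrypted. The server, database and login names are placeholders.

```powershell
# Added example (not Sophos code): verify the SQL Server connection the Policy
# Editor will use, and confirm the session is really encrypted. The instance
# and database names below are assumptions; replace them with your own.
param(
    [string]$Server   = 'SQLSRV01\SQLEXPRESS',   # assumption: your SQL Server instance
    [string]$Database = 'SafeGuard',             # assumption: database created by the wizard
    [System.Management.Automation.PSCredential]$SqlCredential   # omit for Windows NT authentication
)

$b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$b['Data Source']     = $Server
$b['Initial Catalog'] = $Database
$b['Encrypt']         = $true        # equivalent of "Use SSL" in the wizard
# Keep TrustServerCertificate off: with it on, any certificate is accepted and
# the encrypted link no longer proves you are talking to the real server.
$b['TrustServerCertificate'] = $false
if ($SqlCredential) {
    $b['User ID']  = $SqlCredential.UserName                                # SQL Server authentication
    $b['Password'] = $SqlCredential.GetNetworkCredential().Password
} else {
    $b['Integrated Security'] = $true                                       # Windows NT authentication
}

$conn = New-Object System.Data.SqlClient.SqlConnection($b.ConnectionString)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # sys.dm_exec_connections reports the state of the current session.
    # Reading it needs VIEW SERVER STATE; run as the SQL administrator if no row comes back.
    $cmd.CommandText = 'SELECT encrypt_option, auth_scheme, net_transport ' +
                       'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $r = $cmd.ExecuteReader()
    if ($r.Read()) {
        Write-Host ('Connected to {0}\{1}: transport={2}, auth={3}, encrypted={4}' -f
            $Server, $Database, $r['net_transport'], $r['auth_scheme'], $r['encrypt_option'])
        if ($r['encrypt_option'] -ne 'TRUE') {
            Write-Warning 'Session is NOT encrypted: set up the server certificate and Force Encryption on the SQL Server (Sophos knowledgebase article 108339) before storing policies.'
        }
    } else {
        Write-Warning 'Connected, but sys.dm_exec_connections returned no row (missing VIEW SERVER STATE?).'
    }
    $r.Close()
} catch {
    # Usual causes: the Windows account is not authorised on the database (see the
    # installation best-practice guide), wrong SQL credentials, or encryption was
    # requested from a server that has no certificate to offer.
    Write-Error ('Connection failed: {0}' -f $_.Exception.Message)
} finally {
    $conn.Dispose()
}
```

Run it as the Windows user who will operate SafeGuard Policy Editor, or pass `-SqlCredential (Get-Credential)` to exercise the SQL Server login you intend to store in the wizard. A connection that opens but reports `encrypted=FALSE` means the SQL Server side of the SSL environment is not finished and the Use SSL checkbox would be silently ignored.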

3.3.2 Create the security officer certificate (new database)

Carry out this step when you have created a new database. In a first time installation and when you use a new database, a security officer certificate is created for authentication purposes. Only one account is created per installation. As security officer, you access SafeGuard Policy Editor to create Sophos SafeGuard policies and configure the encryption software for the end users.

To create the security officer certificate:

1. On the Security Officer page, the security officer name (the current user name) is already displayed.

2. Enter and confirm a password that you need to access SafeGuard Policy Editor.

Keep this password in a safe place. If you lose it, you are not able to access SafeGuard Policy Editor. Access to the account is needed to enable the IT help desk to carry out recovery tasks.

3. Click Next.


The security officer certificate is created and stored in the certificate store. Next create the company certificate.

3.3.3 Import the security officer certificate (existing database)

Carry out this step when you use an existing database. When you use an existing database, the security officer certificate needs to be imported. Only certificates generated by SafeGuard Policy Editor may be imported. Certificates created by a PKI (for example Verisign) are not allowed to be imported.

To import the security officer certificate:

1. On the Security Officer page, click Import.

2. Browse for the required certificate and confirm with Open.

3. Enter the password for the selected key file that you have used to authenticate at SafeGuard Policy Editor.

4. Click Yes.

5. Enter and confirm a password for authenticating at SafeGuard Policy Editor.

6. Click Next and then Finish.

First-time configuration when using an existing database is completed. The remaining configuration steps are only needed when you use a new database.

3.3.4 Create the company certificate

The company certificate is used to secure policy settings in the database and on Sophos SafeGuard protected computers. It is needed to recover a broken database configuration, see Restore a database configuration by reinstalling SafeGuard Policy Editor (page 146).

1. On the Company page, enter a Company name. The name is limited to 64 characters. Make sure that Automatically create certificate is selected.

For a first time installation and when you have created a new database, Automatically create certificate is already selected.

2. Click Next.

The newly created company certificate is stored in the database. Next back up the certificates.

3.3.5 Back up certificates

To restore a corrupt database or SafeGuard Policy Editor installation the security officer and company certificates are needed.


To back up the certificates:

1. On the Security officer and company certificate backup page, specify a safe storage location for the certificate backups. If you save them to the default storage location now, make sure that you export them to a safe location that can be accessed in cases of recovery, for example a USB flash drive, right after first-time configuration.

2. Click Next.

The certificates are backed up to the specified location. Next create the recovery key store.

3.3.6 Create a recovery key store

To enable recovery for endpoint computers, specific key recovery files are used which need to be accessed by IT help desk staff in cases of recovery. A network share to collect these files, with sufficient access permissions, is created in this step. The key recovery files are encrypted with the company certificate, so storing them on a network share or even on an external medium is safe.

Note:

The network share must be located on a drive that has been formatted with NTFS. NTFS allows for setting the access permissions as required.

1. On the Recovery Keys page, click Next to confirm the defaults.

The following is created:

■ A network share where the recovery keys are saved automatically.

■ A default directory on the local computer where the recovery keys are saved automatically.

■ Default permissions for IT help desk staff to the network share: all members of the local administrators group are added to the new Windows group SafeGuardRecoveryKeyAccess.

In a domain environment, this also includes the domain administrators group. Within SafeGuard Policy Editor it is possible to create multiple configuration packages, for example one package for computers within a domain environment and an additional package for standalone computers.

2. To change the defaults:

■ Click [...] next to Local path to change the local storage directory as required.

■ If you clear Create network share, the end user is prompted for a location in which to save the recovery key files once encryption has been completed.

■ To display or change the group members that have access to the network share, click Permissions. For further information, see Change permissions for the network share (page 22).

The recovery key store with the relevant permissions is created.

Note:

The Sophos SafeGuard software attempts to connect to the network share for about 4 minutes and if unsuccessful, retries to connect to it after each Windows logon until the connection is established or until the recovery key files are backed up manually.

3.3.6.1 Change permissions for the network share

1. In Network Share Permissions, do either of the following:

■ Click Add local members to add local members with administrative rights for recovery actions.

■ Click Add global members to add global members with administrative rights for recovery actions.

2. Click OK.

A group SafeGuardRecoveryKeyAccess is created on the computer which contains all the members displayed in Network Share Permissions.

The following NTFS permissions are automatically set on the specified local directory:

■ Everyone: Create files - The Sophos SafeGuard computer running in the context of the logged in user is allowed to add files, but cannot browse the directory, delete or read files.

Note:

The "Create Files" permission is available in the Advanced Security Settings of a directory.

■ SafeGuardRecoveryKeyAccess: Modify - All users displayed in the Permissions dialog are allowed to read, delete and add files.

■ Administrators: Full Control

Sophos SafeGuard also removes permission inheritance on the directory to ensure that the above permissions are not accidentally overwritten.

The network share SafeGuardRecoveryKeys$ is created with this permission:

■ Everyone: Full Control

Note:

The resulting permissions are the intersection between NTFS permissions and share permissions. As the NTFS permissions are more restrictive, they apply.

If you want to set up a network share manually, we suggest that you use the same permission settings as described above. In this case, make sure that you disable permission inheritance on the directory manually.
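The following PowerShell script is an added example, not Sophos code, of setting up the recovery key store by hand with exactly the permissions listed above: inheritance removed, Everyone limited to Create files on the folder itself, the SafeGuardRecoveryKeyAccess group given Modify, Administrators given Full Control, and a hidden share with Everyone: Full Control on top. The local path and the help desk accounts are placeholders; the group and share names are those the wizard creates.

```powershell
# Added example (not Sophos code): recreate the recovery key store manually.
# Run from an elevated prompt on the computer that will host the share.
$Path     = 'D:\SafeGuardRecoveryKeys'                  # assumption: local directory on an NTFS volume
$Share    = 'SafeGuardRecoveryKeys$'                    # hidden share name created by the wizard
$Group    = 'SafeGuardRecoveryKeyAccess'                # group name created by the wizard
$HelpDesk = @('CORP\helpdesk1', 'CORP\Domain Admins')   # assumption: accounts allowed to read recovery keys

# 1. NTFS only. Share permissions cannot express "add a file but never list or
#    read", so on a FAT volume every user could read every endpoint's key file.
$vol = Get-WmiObject Win32_Volume -Filter "DriveLetter='$($Path.Substring(0,2))'"
if ($vol.FileSystem -ne 'NTFS') { throw "$Path is on a $($vol.FileSystem) volume; NTFS is required" }
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# 2. Local group that holds the help desk staff (net.exe exists on XP through Windows 7).
net localgroup $Group 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) { net localgroup $Group /add | Out-Null }
foreach ($m in $HelpDesk) { net localgroup $Group "$m" /add | Out-Null }

# 3. NTFS ACL as listed in the documentation. /inheritance:r drops the inherited
#    ACEs so a permissive parent cannot widen access later.
icacls $Path /inheritance:r                    | Out-Null
icacls $Path /grant 'Everyone:(WD)'            | Out-Null   # Create files / write data, this folder only: add, no list/read/delete
icacls $Path /grant "${Group}:(OI)(CI)M"       | Out-Null   # Modify, inherited by files and subfolders
icacls $Path /grant 'Administrators:(OI)(CI)F' | Out-Null   # Full control

# 4. Share with Everyone: Full Control. Effective access is the intersection of
#    share and NTFS rights, so the NTFS ACL above is what actually limits each user.
net share "$Share=$Path" /GRANT:Everyone,FULL | Out-Null

# 5. Print the result so it can be compared with what the wizard produces.
icacls $Path
net share $Share
```

To confirm the "add but not read" property, copy a file into `\\<server>\SafeGuardRecoveryKeys$` as an ordinary domain user and then try `dir` on the same path: the copy succeeds and the listing is denied. Endpoints only ever need the first operation; only members of SafeGuardRecoveryKeyAccess need the second.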

3.3.7 Import licenses (new database)

A valid license file is needed to run Sophos SafeGuard in a productive environment. If there are no valid licences available, you cannot create configuration packages for deployment on endpoint computers. You obtain the licenses from your sales partner. They must be imported into the Sophos SafeGuard Database.

You can carry out this step if you have created a new database. When you use an existing database, import the licences after first-time configuration is finished.

1. On the License page, do one of the following:

■ To import the licenses now, click [...] to browse for the valid license file. Select the file and click Open. Click Next. The license file is imported into the Sophos SafeGuard database after first-time configuration is completed. You can use the full version and create configuration packages.

■ To import the licenses later, click Next. You can use SafeGuard Policy Editor, but you cannot create configuration packages. To use the full version, import the license file after first-time configuration is completed, see Import licenses (page 39).

3.3.8 Complete first-time configuration

1. Click Finish.

First-time configuration is completed. You have created the following:

■ A default policy to implement a company-wide security policy on the endpoint computers:

Power-on Authentication is enabled.

Volume-based encryption for all internal hard disks is enabled.

The user can recover a forgotten password with Local Self Help by answering predefined questions.

The help desk can recover passwords/access to data using Challenge/Response.

File-based encryption is enabled.

■ All necessary requirements for the IT help desk to carry out recovery tasks.

Note:

A file containing the configuration settings (Networkshare.xml) and events (ConfigurationOutput.xml) is stored in the Temp folder.

SafeGuard Policy Editor starts once the Configuration Wizard has closed. If you have not imported a valid license file during first-time configuration, import it now for full functionality of all Sophos SafeGuard components, see Import licenses (page 39).


3.4 Configure additional instances of SafeGuard Policy Editor

SafeGuard Policy Editor must have been installed on the respective computer.

1. Start SafeGuard Policy Editor on the computer where you want to use it. The Configuration Wizard is launched and guides you through the necessary steps.

2. On the Welcome page, click Next.

3. On the Database page, under Database, all databases available on the currently connected database server are displayed. Select the respective database from the list. The corresponding settings are displayed under Database settings. To change them, click Change, see Configure the database connection settings (page 18).

4. Click Next.

5. On the Security Officer page, select Import to import the security officer certificate associated with the selected database. Browse for the required certificate and click Open.

Only certificates generated by SafeGuard Policy Editor may be imported. Certificates created by a PKI (for example VeriSign) are not allowed.

6. Enter the password for the certificate store.

7. Click Next and then Finish to complete the SafeGuard Policy Editor Configuration Wizard.

3.5 Setting up Sophos SafeGuard on endpoints

Sophos SafeGuard encryption software can be seamlessly integrated into the user's normal environment and is easy and intuitive to use. According to your deployment strategy, the endpoints can be equipped with different Sophos SafeGuard modules and configured to your requirements.

Security officers may carry out installation and configuration locally on the endpoints or as part of a centralized software distribution. A central install ensures a standardized installation on multiple computers.

3.5.1 Sophos SafeGuard packages and features

The following table shows the installation packages and features of the Sophos SafeGuard encryption software on endpoint computers. You find the installation packages in the Installers folder of your product delivery.

Note: When the operating system of the endpoint computer is Windows 7 64 bit or Windows Vista 64 bit, you may install the 64 bit variant of the installation packages (<packagename>_x64.msi).

Even if it is possible to only install a subset of features in a first-time installation, we recommend that you install the complete SafeGuard full disk encryption package from the start.


■ Pre-installation package (SGxClientPreinstall.msi): The package must be installed before installing any encryption installation package. Provides endpoint computers with the necessary requirements for successful installation of the current encryption software.

■ SafeGuard full disk encryption package (SGNClient.msi, SGNClient_x64.msi):

BaseEncryption, SectorBasedEncryption: Full disk encryption for internal and external hard disks. Includes Power-on Authentication. Select an installation of type Complete, Typical or Custom.

SecureDataExchange: SafeGuard Data Exchange: file-based encryption of data on removable media on all platforms without re-encryption. Select an installation of type Complete or Custom.

CloudStorage: File-based encryption of data stored in the cloud. Local copies of data stored in the cloud are always encrypted transparently. To send data to or receive data from the cloud, vendor-specific software must be used. Select an installation of type Complete or Custom.

■ SafeGuard file-based encryption package (SGNClient_withoutDE.msi, SGNClient_withoutDE_x64.msi): No Power-on Authentication provided.

SecureDataExchange: File-based encryption of data on removable media on all platforms without re-encryption. Select an installation of type Complete, Typical or Custom.

CloudStorage: File-based encryption of data stored in the cloud. Local copies of data stored in the cloud are always encrypted transparently. To send data to or receive data from the cloud, vendor-specific software must be used. Select an installation of type Complete or Custom.

■ SafeGuard Runtime package (SGNClientRuntime.msi, SGNClientRuntime_x64.msi): Enables starting the computer from a secondary boot volume when multiple operating systems are installed and accessing these volumes when they are encrypted by a Sophos SafeGuard installation on the primary volume.

3.5.2 Restrictions

Note the restrictions for Sophos SafeGuard on endpoint computers described in the following sections.

■ Sophos SafeGuard for Windows does not support Apple hardware and cannot be installed in a Boot Camp environment.

■ If using Intel Advanced Host Controller Interface (AHCI) on the computer, the boot hard disk must be in Slot 0 or Slot 1. You can insert up to 32 hard disks, but Sophos SafeGuard only runs on the first two slot numbers.

■ Full disk encryption for volumes that are located on Dynamic and GUID partition table (GPT) disks is not supported. If such disks are present during installation, the installation is terminated. If such disks are added to the computer at a later time, they are not supported.

■ The SafeGuard full disk encryption module does not support systems that are equipped with hard drives attached through a SCSI bus.

■ Fast User switching is not supported.

Remote Desktop Logon

■ Sophos SafeGuard only allows one user session, so when a remote user logs on to the system, the remote connection attempt will fail unless the currently running session is shut down.

■ Remote logon with token is not supported.

3.5.3 Prepare endpoints

Before you install the encryption software, we recommend that you prepare as follows.

■ A user account must be set up and active on the endpoints.

■ Ensure that you have Windows administrator rights.

■ Create a full backup of the data on the endpoint.

■ Drives to be encrypted must be completely formatted and have a drive letter assigned to them.


■ Sophos provides a hardware configuration list to minimize the risk of conflicts between the POA and your computer hardware. The list is contained in the encryption software installation package.

We recommend that you install an updated version of the hardware configuration file before any significant deployment of Sophos SafeGuard. The file is updated on a monthly basis and made available from: http://www.sophos.com/support/knowledgebase/article/65700.html.

■ Check the hard disk(s) for errors with this command:

chkdsk %drive% /F /V /X

In some cases you might be prompted to restart the computer and run chkdsk again. For further information, see: http://www.sophos.de/support/knowledgebase/article/107081.html.

You can check the results (log file) in the Windows Event Viewer:

Windows XP: Select Application, Winlogon.

Windows 7, Windows Vista: Select Windows Logs, Application, Wininit.

■ Use the Windows built-in defrag tool to locate and consolidate fragmented boot files, data files, and folders on local volumes. For further information, see: http://www.sophos.com/support/knowledgebase/article/109226.html.

■ Uninstall third party boot managers, such as PROnetworks Boot Pro and Boot-US.

■ If you have used an imaging/cloning tool, we recommend that you rewrite the MBR. To install Sophos SafeGuard you need a clean, unique master boot record. By using imaging/cloning tools the master boot record might no longer be clean.

You can clean the master boot record by starting from a Windows DVD and using the command FIXMBR within the Windows Recovery Console (on Windows Vista and Windows 7, the equivalent is bootrec /fixmbr in the Windows Recovery Environment). For further information, see: http://www.sophos.com/support/knowledgebase/article/108088.html

■ If the boot partition on the computer has been converted from FAT to NTFS and the computer has not been restarted since, restart the computer once. Otherwise the installation might not be completed successfully.
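Most of the restrictions and preparation steps above can be checked before the installer is even copied to the endpoint. The PowerShell script below is an added example, not Sophos code: it queries the standard WMI classes for GPT and dynamic disks, the position of the boot disk, SCSI-attached drives, unformatted or letterless volumes, a pending chkdsk (dirty bit) and the Fast User Switching policy, and exits non-zero when a hard restriction is hit. Win32_Volume needs Windows Vista or later; the reading of Win32_DiskDrive.InterfaceType as the physical bus is a heuristic and is only reported as a warning.

```powershell
# Added example (not Sophos code): pre-flight check of an endpoint against the
# documented restrictions, run as administrator before installing the packages.
$fail = @()

# Unsupported partition styles: GPT and dynamic (Logical Disk Manager) disks.
foreach ($p in Get-WmiObject Win32_DiskPartition) {
    if ($p.Type -like 'GPT*')                  { $fail += "disk $($p.DiskIndex), partition $($p.Index) is GPT ($($p.Type))" }
    if ($p.Type -like 'Logical Disk Manager*') { $fail += "disk $($p.DiskIndex) is a dynamic disk" }
}

# With AHCI the boot disk must sit in slot 0 or 1; the disk index is used as a proxy.
foreach ($p in Get-WmiObject Win32_DiskPartition -Filter 'BootPartition=TRUE') {
    if ($p.DiskIndex -gt 1) { $fail += "boot partition is on disk $($p.DiskIndex); only slots 0 and 1 are supported" }
}

# SCSI-attached drives are not supported by the full disk encryption module.
# InterfaceType is what the storage driver reports, so treat this as advisory.
foreach ($d in Get-WmiObject Win32_DiskDrive) {
    if ($d.InterfaceType -eq 'SCSI') { Write-Warning "disk $($d.Index) ($($d.Model)) reports InterfaceType SCSI; verify the bus before installing" }
}

# Fixed volumes (DriveType 3) must be formatted, have a drive letter and be clean.
foreach ($v in Get-WmiObject Win32_Volume -Filter 'DriveType=3') {
    if (-not $v.FileSystem)      { $fail += "volume $($v.DeviceID) is not formatted" }
    elseif (-not $v.DriveLetter) { $fail += "volume $($v.Name) has no drive letter" }
    elseif ($v.DirtyBitSet)      { $fail += "volume $($v.DriveLetter) is dirty; run: chkdsk $($v.DriveLetter) /F /V /X and restart" }
}

# Fast User Switching is not supported; HideFastUserSwitching=1 disables it by policy.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if (-not $pol -or $pol.HideFastUserSwitching -ne 1) { Write-Warning 'Fast User Switching is not disabled by policy (HideFastUserSwitching)' }

# Apple hardware / Boot Camp is not supported.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.Manufacturer -like 'Apple*') { $fail += "Apple hardware ($($cs.Model)) is not supported" }

if ($fail.Count -gt 0) {
    $fail | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host 'Pre-flight OK: no unsupported disks or volumes found'
```

Third-party boot managers and a cloned MBR are not detectable with this script; those two items still need the manual steps listed above. Running the check from the software distribution tool as a pre-requisite job keeps unsupported machines from reaching the installer at all.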

3.5.3.1 Prepare for Cloud Storage

The Sophos SafeGuard module Cloud Storage offers file-based encryption of data stored in the cloud.

Cloud Storage makes sure that local copies of cloud data are encrypted transparently and remain encrypted when stored in the cloud.

The way users work with data stored in the cloud is not changed. The vendor-specific cloud software remains unaffected and can be used in the same way as before to send data to or receive data from the cloud.


To prepare endpoints for Cloud Storage:

■ The cloud storage software provided by the vendor must be installed on the endpoints where you want to install Cloud Storage.

■ The cloud storage software provided by the vendor must have an application or system service stored on the local file system that synchronizes data between the cloud and the local system.

■ The cloud storage software provided by the vendor must store the synchronized data on the local file system.

Note: Cloud Storage only encrypts new data stored in the cloud. If data was already stored in the cloud before installing Cloud Storage, this data is not automatically encrypted. If it is to be encrypted, users first have to remove it from the cloud and then add it again after Cloud Storage has been installed.

3.5.3.2 Prepare for a "Modify" installation

If an existing Sophos SafeGuard installation is modified or if features are installed at a later time, the setup might complain that certain components (for example SafeGuard Removable Media Manager) are currently in use. This message is caused by the fact that the selected features share common components that are currently in use and therefore cannot be upgraded immediately. This message can be ignored since the affected components will be automatically updated upon restart.

This behavior applies to installation in attended and unattended mode.

3.5.4 Install encryption software and configuration package locally

If you want to carry out a trial installation on an endpoint computer, it might be useful to install Sophos SafeGuard locally first.

Prerequisites:

■ Computers must have been prepared for encryption, see Prepare endpoints (page 26).

■ Decide which encryption package and features you need to install.

To install the encryption software locally:

1. Log on to the computer as an administrator.

2. Install the current pre-installation package SGxClientPreinstall.msi that provides the endpoint computer with the necessary requirements for a successful installation of the current encryption software.

3. From the product's install folder, double-click the relevant encryption package (MSI). A wizard guides you through the necessary steps.


4. In the wizard, accept the defaults on all subsequent dialogs.

Note:

In a first-time installation, we recommend that you select a Complete installation from the start. To only install a subset of features, choose a Custom installation and activate/deactivate the features to your requirements.

Sophos SafeGuard is installed on the endpoint computer.

5. In the SafeGuard Policy Editor, configure the encryption software to your requirements:

■ Use the predefined default policy for quick and easy policy deployment, automatically created during first-time configuration in SafeGuard Policy Editor.

■ If the default policy does not cover all your specific requirements, edit it or create your own policies in the SafeGuard Policy Editor, see Working with policies (page 41).

For example, your deployment strategy might require setting up administrative access to the computer for service staff. In this case you need to define a specific policy and create a configuration package containing these policies.

6. Publish the policies to a configuration package, see Working with configuration packages (page 45).

7. Install the relevant configuration package (MSI) on the computer.

8. After installation, make sure that endpoint computers are restarted twice to activate Power-on Authentication. The computer must be restarted for a third time to perform a backup of the kernel data on every Windows boot.

Make sure that the computer is not put into hibernation, sleep or hybrid sleep mode before the third restart to successfully complete the kernel backup.

Sophos SafeGuard is installed and configured according to the previously created policies on the endpoint computer. See the User Help (chapter First logon after Sophos SafeGuard installation) for the behavior of the computer after Sophos SafeGuard installation.

Additional configuration may be required to ensure that the POA functions correctly on each hardware platform. Most hardware conflict issues can be resolved using the Hotkeys feature built into the POA. For further information, see Supported Hotkeys in Power-on Authentication (page 97).

3.5.5 Install encryption software and configuration packages with a script

For a central installation, we recommend that you prepare a script using the Windows Installer component msiexec. Msiexec carries out a pre-configured Sophos SafeGuard installation automatically. Because the source and destination of the installation are specified in the script, the same standard installation is reproduced on every endpoint.

Prerequisites:

■ Computers must have been prepared for encryption, see Prepare endpoints (page 26).


■ Decide which encryption package and features you need to install, see Sophos SafeGuard packages and features (page 24).

To install the encryption software centrally:

1. On the administrator computer, create a folder called Software to use as a central store for all applications.

2. Use a software deployment tool such as Microsoft System Center Configuration Manager, IBM Tivoli, or Enteo Netinstall to carry out central installation on the endpoints. The following must be included in the order mentioned:

Note: When carrying out the installation through Active Directory, use a separate group policy object (GPO) for each package and sort them in the order mentioned below to guarantee a successful installation.

■ Pre-installation package (SGxClientPreinstall.msi): The mandatory package provides the endpoints with the necessary requirements for a successful installation of the current encryption software. If this package is not installed, installation of the encryption software is aborted.

■ Encryption software installation package: For a list of available packages, see Sophos SafeGuard packages and features (page 24).

■ Configuration package for endpoints: Use the configuration package created before in SafeGuard Policy Editor. Make sure that you delete all outdated configuration packages.

3. Create a script with the commands for the pre-configured installation. The script must list which features of the encryption software you want to install, see Sophos SafeGuard features (ADDLOCAL) (page 32). Open a command prompt, and then type the scripting commands. For the command-line syntax, see Command options for central installation (page 31).

4. Distribute this package to the endpoints using company software distribution mechanisms.

The installation is executed on the endpoints. The endpoints are then ready for use of Sophos SafeGuard.

5. After installation, make sure that endpoints are restarted twice to activate Power-on Authentication. Computers must be restarted for a third time to perform a backup of the kernel data on every Windows boot.

Make sure that computers are not put into hibernation, sleep or hybrid sleep mode before the third restart to successfully complete the kernel backup.


Additional configuration may be required to ensure that Power-on Authentication (POA) functions correctly on each hardware platform. Most hardware conflicts can be resolved using the Hotkeys built into the POA. Hotkeys can be configured in the POA after installation or by an additional configuration setting passed to the Windows Installer command msiexec. For further information, see:

http://www.sophos.com/support/knowledgebase/article/107781.html

http://www.sophos.com/support/knowledgebase/article/107785.html

3.5.5.1 Command options for central installation

When you install Sophos SafeGuard on the endpoints centrally, we recommend that you use the Windows Installer component msiexec. Msiexec is included in Windows XP, Vista and Windows 7. For further information, see: http://msdn.microsoft.com/en-us/library/aa367988(VS.85).aspx.

Command line syntax

msiexec /i <path+msi package name> /qn ADDLOCAL=ALL | <Features> <parameter>

The command line syntax consists of:

■ Windows Installer parameters, which, for example, log warnings and error messages to a file during the installation.

■ Sophos SafeGuard features, which are to be installed, for example full disk encryption.

■ Sophos SafeGuard parameters, to specify the installation directory, for example.

Command options

You can list all available options by running msiexec.exe without arguments at the command prompt. The main options are described below.

■ /i: Specifies that this is an installation.

■ /qn: Installs with no user interaction and does not display a user interface.

■ ADDLOCAL=: Lists the features that are to be installed. If the option is not specified, all features intended for a standard installation are installed. For a list of feature parameters for the ADDLOCAL option, see Sophos SafeGuard features (ADDLOCAL) (page 32).

■ ADDLOCAL=ALL: Installs all the available features.

■ REBOOT=Force | ReallySuppress: Forces or suppresses a restart after installation. If nothing is specified, the restart is forced after installation.

■ /L* <path + filename>: Logs all warnings and error messages in the specified log file. The parameter /Le <path + filename> only logs error messages.

■ Installdir=<directory>: Specifies the directory in which the Sophos SafeGuard encryption software is to be installed. If no value is specified, the default installation directory will be <SYSTEM>:\PROGRAM FILES\SOPHOS.

3.5.5.2 Sophos SafeGuard features (ADDLOCAL)

For a central installation, you must define in advance which Sophos SafeGuard features are to be installed on the endpoint computers. List the features after typing the option ADDLOCAL in the command.

■ Separate the features by comma, not by space.

■ Observe upper and lower case.

■ If you select a feature, you also need to add all feature parents to the command line.

■ You must list the features Client and Authentication by default.

Note:

Even if it is possible to only install a subset of features in a first-time installation, we recommend that you install the Full Disk Encryption feature from the start.

The following tables list the Sophos SafeGuard features that can be installed on the endpoint computers. For further information, see Sophos SafeGuard packages and features (page 24).

Features for SafeGuard full disk encryption

The table lists the available features for the SafeGuard full disk encryption package (SGNClient.msi, SGNClient_x64.msi) to be listed in the ADDLOCAL option.

■ Authentication (feature parents: Client). Mandatory. You must list Authentication and its parent feature Client by default.

■ CredentialProvider (feature parents: Client, Authentication). For computers with Windows Vista or Windows 7 you must select this feature. It enables logon via the Credential Provider.

■ SectorBasedEncryption (feature parents: Client, BaseEncryption).

■ SecureDataExchange (feature parents: Client).

■ CloudStorage (feature parents: Client).

Features for SafeGuard file-based encryption

The table lists the available features for the SafeGuard file-based encryption package (SGNClient_withoutDE.msi, SGNClient_withoutDE_x64.msi) to be listed in the ADDLOCAL option.

■ Authentication (feature parents: Client). You must list the feature Authentication and its parent feature Client by default.

■ SecureDataExchange (feature parents: Client).

■ CloudStorage (feature parents: Client).

Sample command for volume-based encryption

The command given below has the following effect:

■ The endpoint computers are provided with the necessary requirements for successful installation of the encryption software.

■ Sophos SafeGuard Power-on Authentication is installed.

■ Sophos SafeGuard volume-based encryption is installed.

■ Sophos SafeGuard Cloud Storage is installed.

■ A log file is created for each package.

■ The configuration package is run.

Example:

msiexec /i F:\Software\SGxClientPreinstall.msi /qn /log I:\Temp\SGxClientPreinstall.log

msiexec /i F:\Software\SGNClient.msi /qn /log I:\Temp\SGNClient.log ADDLOCAL=Client,Authentication,BaseEncryption,SectorBasedEncryption,CloudStorage Installdir="C:\Program Files\Sophos\Sophos SafeGuard"

msiexec /i F:\Software\SGnConfig.msi /qn /log I:\Temp\SGNConfig.log
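As an added example (not Sophos code), the following Python helper builds the ADDLOCAL value from the feature tables above, always listing Client and Authentication and every parent of a selected feature, checks an existing ADDLOCAL value for forgotten parents, and composes the three unattended msiexec commands of the sample; the function names and the BaseEncryption parent entry are assumptions.

```python
"""Compose unattended msiexec command lines for the Sophos SafeGuard client.

Added example, not Sophos code. Feature-to-parent data is copied from the
feature tables above; function names and the BaseEncryption entry are
assumptions.
"""

# Full disk encryption package (SGNClient.msi / SGNClient_x64.msi):
# feature -> parents that must also appear in ADDLOCAL.
FEATURE_PARENTS_FDE = {
    "Client": (),
    "Authentication": ("Client",),
    "CredentialProvider": ("Client", "Authentication"),
    # BaseEncryption is not a row in the table above but appears as the parent
    # of SectorBasedEncryption; its own parent is assumed to be Client.
    "BaseEncryption": ("Client",),
    "SectorBasedEncryption": ("Client", "BaseEncryption"),
    "SecureDataExchange": ("Client",),
    "CloudStorage": ("Client",),
}

# File-based encryption package (SGNClient_withoutDE.msi / _x64.msi).
FEATURE_PARENTS_FBE = {
    "Client": (),
    "Authentication": ("Client",),
    "SecureDataExchange": ("Client",),
    "CloudStorage": ("Client",),
}

MANDATORY = ("Client", "Authentication")


def build_addlocal(selected, parents):
    """Return the ADDLOCAL value for the selected features.

    Client and Authentication are always listed, every parent of a selected
    feature is added before the feature itself, and duplicates are dropped.
    Unknown feature names raise ValueError instead of producing a command
    line that msiexec would reject at install time.
    """
    unknown = sorted(set(selected) - parents.keys())
    if unknown:
        raise ValueError("unknown feature(s): " + ", ".join(unknown))
    ordered = []

    def add(name):
        for parent in parents[name]:
            add(parent)
        if name not in ordered:
            ordered.append(name)

    for name in (*MANDATORY, *selected):
        add(name)
    return ",".join(ordered)


def missing_parents(addlocal, parents):
    """Check an existing ADDLOCAL value: return the mandatory or parent
    features it forgets to list (an empty list means it is complete)."""
    listed = addlocal.split(",")
    required = set(MANDATORY)
    for name in listed:
        required.update(parents.get(name, ()))
    return sorted(required - set(listed))


def msiexec_command(msi_path, log_path, **properties):
    """One silent install (/qn) with a log file. Property values containing
    spaces are double-quoted so paths like C:\\Program Files\\... survive
    command-line parsing."""
    parts = ["msiexec", "/i", msi_path, "/qn", "/log", log_path]
    for key, value in properties.items():
        if " " in value:
            value = f'"{value}"'
        parts.append(f"{key}={value}")
    return " ".join(parts)


def deployment_commands(selected, package="SGNClient.msi",
                        parents=FEATURE_PARENTS_FDE,
                        software="F:\\Software", logs="I:\\Temp",
                        installdir="C:\\Program Files\\Sophos\\Sophos SafeGuard"):
    """The three-step sequence of the sample above: pre-installation package,
    encryption package with ADDLOCAL, then the configuration package
    (package names and paths are taken from the sample command)."""
    return [
        msiexec_command(f"{software}\\SGxClientPreinstall.msi",
                        f"{logs}\\SGxClientPreinstall.log"),
        msiexec_command(f"{software}\\{package}", f"{logs}\\SGNClient.log",
                        ADDLOCAL=build_addlocal(selected, parents),
                        Installdir=installdir),
        msiexec_command(f"{software}\\SGnConfig.msi", f"{logs}\\SGNConfig.log"),
    ]


if __name__ == "__main__":
    for line in deployment_commands(["SectorBasedEncryption", "CloudStorage"]):
        print(line)
```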

3.5.6 FIPS-compliant installation

The FIPS certification describes security requirements for encryption modules. For example, government bodies in the USA and in Canada require FIPS 140-2-certified software for particularly security-critical information.

Sophos SafeGuard uses FIPS-certified AES algorithms. By default, a new, faster implementation of the AES algorithms is installed that has not yet been FIPS-certified.

To use the FIPS-certified variant of the AES algorithm, set the FIPS_AES property to 1 when installing the Sophos SafeGuard encryption software.

This can be done in two ways:

■ Add the property to the command line script: msiexec /i F:\Software\SGNClient.msi FIPS_AES=1

■ Use a transform.

3.5.7 Installation on endpoints with self-encrypting, Opal-compliant hard drives

Sophos SafeGuard supports the vendor-independent Opal standard for self-encrypting hard drives.

To ensure that the support of self-encrypting, Opal-compliant hard drives follows the standard closely, two types of check are carried out at the installation of the Sophos SafeGuard encryption software on the endpoints:

■ Functional checks

Functional checks include, among others, checking whether the drive identifies itself as an "OPAL" hard drive, whether communications properties are correct and whether all Opal features required for Sophos SafeGuard are supported by the drive.

■ Security checks

Security checks ensure that only Sophos SafeGuard users are registered on the drive and that only Sophos SafeGuard users own the keys used to software-encrypt non-self-encrypting drives. If other users are found to be registered at installation, Sophos SafeGuard automatically tries to disable these users. This is a functionality required by the Opal standard, with the exception of a few default "authorities" which are required to run an Opal system.

Note: The security checks are repeated when an encryption policy for the drive is applied after successful Opal-mode installation. If they fail in this case, drive management has been manipulated outside of Sophos SafeGuard in the meantime. In this case, Sophos SafeGuard denies access to the drive and a corresponding message is displayed.

If any of these checks fail in an unrecoverable way, installation does not fall back to software-based encryption. Instead, all volumes on the Opal disk remain unencrypted.

If you want to force that no Opal checks are performed, use the following command line syntax:

MSIEXEC /i <name_of_selected_client_msi>.msi OPALMODE=2

Some Opal hard drives may have potential security issues. There is no way to automatically determine which privileges have been assigned to an unknown user/authority that has already been registered on the drive when Sophos SafeGuard installation/encryption is carried out. If the drive refuses the command to disable such users, Sophos SafeGuard falls back to software encryption to ensure maximum security for the Sophos SafeGuard user. As we cannot give any security guarantees for the hard drives themselves, we have implemented a special installation switch to enable you to use drives which may have potential security risks at your own discretion. For a list of hard drives this installation switch is needed for, as well as for further information on supported hard drives, see the Sophos SafeGuard Release Notes.

Add the property to the command line script:

MSIEXEC /i <name_of_selected_client_msi>.msi IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1

The internal property of the .msi has the same name, if you want to modify it using a transform.

3.6 Installing Sophos SafeGuard on endpoints with multiple operating systems

The Sophos SafeGuard encryption software can be installed to protect its data even if several operating systems are installed on separate volumes of the endpoint's hard drive (runtime system). Sophos SafeGuard Runtime enables the following when it is installed on volumes with an additional Windows installation:

■ The Windows installation residing on these volumes can be started by a boot manager.

■ Partitions on these volumes that have been encrypted by a full Sophos SafeGuard installation with the defined machine key can successfully be accessed.

3.6.1 Requirements and restrictions

Note the following:

■ Sophos SafeGuard Runtime does not provide any Sophos SafeGuard features or functionality.

■ Sophos SafeGuard Runtime only supports those operating systems that are also supported by the Sophos SafeGuard encryption software.

■ Operation of USB keyboards may be restricted.

■ Only boot managers that become active after Power-on Authentication are supported.

■ Support for third party boot managers is not guaranteed. We recommend that you use Microsoft boot managers.

■ Sophos SafeGuard Runtime cannot be updated to a full Sophos SafeGuard installation.

■ The Runtime installation package must be installed before the full version of the Sophos SafeGuard encryption package is installed.

■ Only volumes encrypted with the defined machine key in Sophos SafeGuard can be accessed.

3.6.2 Prepare for installation of Sophos SafeGuard Runtime

To set up Sophos SafeGuard Runtime, carry out the following preparations in the order shown:

1. Make sure that those volumes on which Sophos SafeGuard Runtime is to run are visible at the time of installation and can be addressed by their Windows name (for example C:).

2. Decide on which volume(s) of the hard drive Sophos SafeGuard Runtime is to be installed. In terms of Sophos SafeGuard, these volumes are defined as "secondary" Windows installations. There can be several secondary Windows installations. Use the following package: SGNClientRuntime.msi (or the respective 64-bit variant when the computer's operating system is Windows 7/Windows Vista 64-bit).

3. Decide on which volume of the hard disk the full version of the Sophos SafeGuard encryption software is to be installed. In terms of Sophos SafeGuard, this volume is defined as the "primary" Windows installation. There can only be one primary Windows installation. Use the following package: SGNClient.msi (or the respective 64-bit variant when the computer's operating system is Windows 7/Windows Vista 64-bit).

3.6.3 Install Sophos SafeGuard Runtime

1. Select the required secondary volume(s) of the hard disk where you want to install Sophos SafeGuard Runtime.

2. Start the secondary Windows installation on the selected volume.

3. Install the runtime installation package on the selected volume.

4. In the next dialog of the installer, confirm the defaults. You do not need to select special features.

5. Select an installation folder for the runtime installation.

6. Click Finish to complete the runtime installation.

7. Select the primary volume of the hard drive where you want to install the Sophos SafeGuard encryption package.

8. Start the primary Windows installation on the selected volume.

9. Start the pre-installation package SGxClientPreinstall.msi to provide endpoint computers with the necessary requirements for successful installation of the current encryption software.

10. Install the Sophos SafeGuard encryption package on the selected volume.

11. Create the configuration package and deploy it on the endpoint computer.

12. Encrypt both volumes with the defined machine key.

3.6.4 Start up from a secondary volume using a boot manager

1. Start the computer.

2. Log on at the Power-on Authentication with your credentials.

3. Start the boot manager and select the required secondary volume as the boot volume.

4. Restart the computer from this volume.

Each volume encrypted with the defined machine key can be accessed.

4 Log on to SafeGuard Policy Editor

1. Start SafeGuard Policy Editor from the Start menu. A logon dialog is displayed.

2. Enter the security officer credentials defined during first-time configuration and click OK.

SafeGuard Policy Editor is opened.

Note:

Two security officers must not use the same Windows account on the same computer. Otherwise it is not possible to separate their access rights properly.

5 Licenses

To use the Sophos SafeGuard components, valid licenses are required. For token usage, the appropriate token licences are needed. After purchasing the software, customers receive a license file with the licenses obtained from their sales partner.

The license file is an .XML file with a signature and contains the following information:

■ Company name

■ Date issued

■ Number of licenses purchased per component or feature (for example SafeGuard Policy Editor, Sophos SafeGuard Client, Device Encryption)

■ Token license information

■ License expiry date

■ License type (regular for full licenses)

The license file must be imported into the Sophos SafeGuard Database. For further information, see Import licenses (new database) (page 22) and Import licenses (page 39).

A license is valid if the following applies:

■ The license type is regular.

■ The license has not expired. The license becomes invalid one month after the expiry date.

■ The license file contains at least one SafeGuard Policy Editor license and either one Device Encryption license or one Data Exchange license.

Note: If you have not imported a valid license or your license has expired, you cannot create configuration packages for deployment on the endpoint computer. When users log on to endpoint computers, a message is displayed indicating that a demo version is used.

5.1 Token licenses

For token or smartcard usage, token licenses are required. If the appropriate licenses are not available, you cannot create policies for tokens in the SafeGuard Policy Editor.
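The validity rules of section 5 and the token rule of section 5.1, applied to a constructed license file, as an added example that is not Sophos code: the real license XML schema is not shown in this help, so the element and attribute names are assumptions, the signature is left to the product to verify, and the mapping of the expiry grace period to the tab's "warning" status is also an assumption.

```python
"""Evaluate an imported license file against the validity rules above.

Added example, not Sophos code. The help only says the license file is a
signed XML file and which fields it carries; the element and attribute names
below are assumptions, and the signature is not verified here (the product
does that on import).
"""
import calendar
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample license file (fictitious company, counts and signature).
SAMPLE_LICENSE_XML = """\
<License company="Example Corp" issued="2012-01-15" expires="2013-01-15" type="regular">
  <Feature name="SafeGuard Policy Editor" count="2"/>
  <Feature name="Device Encryption" count="500"/>
  <Token type="smartcard" count="50"/>
  <Signature>PLACEHOLDER-SIGNATURE</Signature>
</License>
"""


def parse_license(xml_text):
    """Read the fields listed in the text into a plain dict."""
    root = ET.fromstring(xml_text)
    return {
        "company": root.get("company"),
        "issued": date.fromisoformat(root.get("issued")),
        "expires": date.fromisoformat(root.get("expires")),
        "type": root.get("type"),
        "features": {f.get("name"): int(f.get("count"))
                     for f in root.findall("Feature")},
        "tokens": {t.get("type"): int(t.get("count"))
                   for t in root.findall("Token")},
    }


def one_month_after(day):
    """Same day of the following month, clamped to that month's length."""
    year, month = (day.year + 1, 1) if day.month == 12 else (day.year, day.month + 1)
    return date(year, month, min(day.day, calendar.monthrange(year, month)[1]))


def license_problems(lic, today):
    """Reasons the license is invalid (empty list = valid)."""
    problems = []
    if lic["type"] != "regular":
        problems.append(f"license type is {lic['type']!r}, not regular")
    # The license becomes invalid one month after the expiry date.
    if today > one_month_after(lic["expires"]):
        problems.append("license became invalid one month after its expiry date")
    feats = lic["features"]
    if feats.get("SafeGuard Policy Editor", 0) < 1:
        problems.append("no SafeGuard Policy Editor license")
    if feats.get("Device Encryption", 0) < 1 and feats.get("Data Exchange", 0) < 1:
        problems.append("neither a Device Encryption nor a Data Exchange license")
    return problems


def license_state(lic, today):
    """State as the Licenses tab shows it: 'error' when invalid, 'warning'
    once the expiry date has passed but the one-month period has not
    (assumed mapping), otherwise 'valid'. Returns (state, reasons)."""
    problems = license_problems(lic, today)
    if problems:
        return "error", problems
    if today > lic["expires"]:
        return "warning", ["expiry date passed; invalid one month after expiry"]
    return "valid", []


def token_policies_allowed(lic):
    """Token policies can only be created when a token license is present."""
    return any(count > 0 for count in lic["tokens"].values())


if __name__ == "__main__":
    lic = parse_license(SAMPLE_LICENSE_XML)
    for day in (date(2012, 6, 1), date(2013, 2, 1), date(2013, 3, 1)):
        print(day, license_state(lic, day))
```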

5.2 Import licenses

To use Sophos SafeGuard in a productive environment, valid licenses are required. If there are no valid licences available, you cannot create configuration packages for deployment on endpoint computers. You receive the license file from your sales partner. It must be imported into the Sophos SafeGuard Database. For new databases, you can import the license files during first-time configuration, see Import licenses (new database) (page 22).

To import licenses for existing databases:

1. Log on to the SafeGuard Policy Editor with the password set during first-time configuration.

2. In the navigation area, click Users.

3. In the navigation window on the left-hand side, click the root node.

4. In the Licenses tab, click Import license file....

5. Select the license file you want to import and click Open.

The Apply license? dialog is displayed showing the license file contents.

6. Click the Apply license button.

The license file containing the necessary licenses is imported into the Sophos SafeGuard database.

In the Licenses tab, the imported licenses are displayed. The tab shows the following license information:

Column               Description
State (icon)         An icon shows the license status (valid, warning, error) for the component or feature in question.
Feature              Shows the licensed component or feature (for example, SafeGuard Policy Editor, Sophos SafeGuard Client, Device Encryption).
Purchased Licenses   Shows the number of licenses purchased for the relevant component or feature.
Used Licenses        Shows the number of licenses used for the relevant component or feature.
Expires              Shows the license expiry date.
Type                 Shows the license type. For full licenses this is regular.

After you have imported a valid license file, you can create configuration packages for deployment on endpoint computers, see Working with configuration packages (page 45).

6 Working with policies

The following sections explain how to manage policies, for example how to create, group and back up policies.

A default policy is automatically created during first-time configuration in SafeGuard Policy Editor, see Carry out first-time configuration in SafeGuard Policy Editor (page 18).

For a description of all policy settings available with Sophos SafeGuard, see Default policies (page 60) and Policy Settings (page 65).

6.1 Create policies

1. Log on to SafeGuard Policy Editor with the password set during first-time configuration.

2. In the navigation area, click Policies.

3. In the navigation window, right-click Policy Items and select New.

4. Select the policy type. A dialog for naming the new policy is displayed.

5. Enter a name and optionally a description for the new policy.

Policies for Device Protection:

When creating a policy for device protection, you must also specify the target for device protection. Possible targets are:

■ Mass storage (boot volumes/other volumes)

■ Removable media

■ Optical drives

■ Cloud storage

For each target, a separate policy has to be created. Later, you can combine the individual policies in a policy group named Encryption, for example.

6. Click OK.

The new policy is displayed in the Policies navigation area, below Policy Items on the left. In the action area on the right, all settings for the selected policy type are displayed and can be changed.

6.2 Editing policy settings

When you select a policy in the navigation window, you can edit the policy settings in the action area.

Note:

A red icon in front of a not configured setting indicates that for this policy setting a value has to be defined. To be able to save the policy, you first have to select a setting other than not configured.

Setting policy settings to default values

In the toolbar the following icons are available for setting policy settings:

Displays default values for policy settings that have not been configured (setting not configured).

Sets marked policy setting to not configured.

Sets all policy settings in an area to not configured.

Sets the default value for the marked policy.

Sets all policy settings in an area to the default value.

Differentiating between machine- and user-specific policies

Policy color    Meaning
Blue            Policy is applied to machines only, not users.
Black           Policy is applied to machines and users.

6.3 Policy groups

Sophos SafeGuard policies need to be combined in policy groups before they can be included in a configuration package. A policy group may contain different policy types.

If you include policies of the same type in a group, the settings are merged automatically. In this case, you can define priorities for using the settings. The settings of a policy with a higher priority overwrite the settings of a policy with a lower priority. If an option is set to not configured, the setting will not be overwritten in a policy of a lower priority.

Note:

Overlapping policies assigned to a group might result in incorrect calculation of the priorities. Ensure that you use disjunctive policy settings.

Exception concerning Device Protection:

Policies for device protection are only merged if they were defined for the same target (for example, the boot volume). If they are for different targets, the settings will be added.

6.3.1 Combine policies into groups

Prerequisites:

The individual policies of different types must have been created beforehand.

Sophos SafeGuard policies need to be combined in policy groups before they can be published to a configuration package. A policy group may contain different policy types.

1. In the SafeGuard Policy Editor navigation area, click Policies.

2. In the navigation window, right-click Policy Groups and select New.

3. Click New Policy Group.

A dialog for naming the policy group is displayed.

4. Enter a unique name and optionally a description for the policy group. Click OK.

The new policy group is displayed in the navigation window under Policy Groups.

5. Select the policy group.

The action area shows all elements required for grouping the policies.

6. To add the policies to the group, drag them from the list of available policies to the policy area.

7. You can define a Priority for each policy by arranging the policies in order using the context menu.

If you include policies of the same type in a group, the settings are merged automatically. In this case, you can define priorities for using the settings. The settings of a policy with a higher priority overwrite the settings of a policy with a lower priority. If an option is set to not configured, the setting is not overwritten in a policy of a lower priority.

Exception concerning Device Protection:

Policies for device protection are only merged if they were defined for the same target (for example, the boot volume). If they are for different targets, the settings are added.

8. On the File menu, click Save.

The policy group now contains the settings of the individual policies. Next, publish it to a configuration package.
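The merge rules stated in section 6.3 and repeated in step 7 above (higher priority overwrites, not configured never overwrites, Device Protection merged per target only), worked through on a constructed policy group, as an added example that is not Sophos code; the policy type "Authentication", the setting names and the numeric priority (1 = highest) are assumptions, and the overlap check implements the note about disjunctive policy settings.

```python
"""Compute the 'Resulting' view of a policy group.

Added example, not Sophos code. It implements the merge rules stated for
policy groups: higher priority wins, a setting left 'not configured' never
overwrites a lower-priority value, and Device Protection policies are only
merged when they share a target. Policy/setting names and the priority
representation (1 = highest) are constructed assumptions.
"""

NOT_CONFIGURED = None

# Constructed policy group. "Authentication" as a policy type and the setting
# names are placeholders; the targets are Device Protection targets named above.
SAMPLE_GROUP = [
    {"name": "PIN rules", "type": "Authentication", "priority": 1,
     "settings": {"Min PIN length": 8, "Lockout after failed logons": NOT_CONFIGURED}},
    {"name": "Auth defaults", "type": "Authentication", "priority": 2,
     "settings": {"Min PIN length": 4, "Lockout after failed logons": 5}},
    {"name": "Boot volumes", "type": "Device Protection", "priority": 1,
     "target": "Mass storage (boot volumes)",
     "settings": {"Encryption mode": "Volume-based", "Algorithm": NOT_CONFIGURED}},
    {"name": "USB sticks", "type": "Device Protection", "priority": 2,
     "target": "Removable media",
     "settings": {"Encryption mode": "File-based", "Algorithm": "AES256"}},
]


def merge_settings(policies):
    """Merge policies of one type (and, for Device Protection, one target).

    Policies are visited from highest to lowest priority. A configured value
    is kept only if no higher-priority policy configured the same setting;
    NOT_CONFIGURED is skipped, so it never overwrites a lower policy's value.
    """
    result = {}
    for policy in sorted(policies, key=lambda p: p["priority"]):
        for key, value in policy["settings"].items():
            if value is NOT_CONFIGURED:
                continue
            result.setdefault(key, value)
    return result


def bucket_key(policy):
    """Policies merge per type; Device Protection additionally per target."""
    if policy["type"] == "Device Protection":
        return (policy["type"], policy["target"])
    return (policy["type"], None)


def resulting_policies(group):
    """One resulting tab per policy type, plus one per Device Protection
    target (settings for different targets are added, not merged)."""
    buckets = {}
    for policy in group:
        buckets.setdefault(bucket_key(policy), []).append(policy)
    return {key: merge_settings(ps) for key, ps in buckets.items()}


def overlapping_settings(group):
    """The check behind the note 'use disjunctive policy settings': list every
    setting configured by more than one policy in the same bucket, with the
    policy names, so the priority outcome is explicit rather than accidental."""
    seen = {}
    for policy in group:
        for key, value in policy["settings"].items():
            if value is not NOT_CONFIGURED:
                seen.setdefault((bucket_key(policy), key), []).append(policy["name"])
    return {k: names for k, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for key, settings in resulting_policies(SAMPLE_GROUP).items():
        print(key, settings)
    print("overlaps:", overlapping_settings(SAMPLE_GROUP))
```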

6.3.2 Policy grouping results

The result of policy grouping is displayed separately.

To display the result, click the Resulting tab.

■ For each policy type a separate tab is shown.

The settings resulting from combining the individual policies into a group are displayed.

■ For policies for device protection, a tab is shown for each policy target (for example, boot volumes, drive X etc.).

6.4 Back up policies and policy groups

You can create backups of policies and policy groups as XML files. If necessary, the relevant policies/policy groups can then be restored from these XML files for editing.

1. In the Policies navigation window, select the policy/policy group under Policy Items or Policy Groups.

2. Right-click to display the context menu and select Backup Policy.

Note:

The Backup Policy command is also available in the Actions menu.

3. In the Save As dialog, enter a file name and storage location for the backup (XML file). Click Save.

The backup of the policy/policy group is stored as an XML file in the specified location.

6.5 Restore policies and policy groups

1. In the navigation window, select Policy Items/Policy Groups.

2. Right-click to display the context menu and select Restore Policy.

Note:

The Restore Policy command is also available in the Actions menu.

3. Select the XML file from which the policy/policy group is to be restored and click Open.

The policy/policy group is restored.

7 Working with configuration packages

Sophos SafeGuard protected computers receive their encryption policies by way of configuration packages created in SafeGuard Policy Editor. For successful operation of Sophos SafeGuard on the endpoint computers, you need to create a configuration package containing the relevant policy groups and distribute it to the endpoint computers.

Whenever you change any policy settings, you have to create new configuration packages and distribute them to the endpoint computers.

The following sections explain how to publish policies into configuration packages and distribute them to the endpoint computers.

Note:

Check your network and computers regularly for outdated or unused configuration packages and, for security reasons, make sure that you delete them.

7.1 Publish policies to a configuration package

Note:

Policies are transferred to the endpoints inside a configuration package. After creating a new policy or editing an existing one, make sure that you carry out the following steps.

To create a configuration package:

1. In SafeGuard Policy Editor, select the Configuration Package Tool from the Tools menu.

2. Click Add Configuration Package.

3. Enter a name of your choice for the configuration package.

4. Specify a Policy Group, which must have been created beforehand in SafeGuard Policy Editor, to be applied to the computers.

5. Under Key Backup Location, specify a shared network path for storing the key recovery file. Enter the share path in the following form: \\networkcomputer\, for example \\mycompany.edu\. If you do not specify a path here, the end user will be prompted to name a storage location for this file when first logging on to the endpoint after installation.

The key recovery file is needed to enable recovery of Sophos SafeGuard protected computers and is generated on each Sophos SafeGuard protected computer.

Note:

Make sure that you save this key recovery file at a file location accessible to the help desk, for example a shared network path. Alternatively, the files can be provided to the help desk with different mechanisms. This file is encrypted by the company certificate. It can therefore be saved to any external media or to the network in order to make it available to the help desk for recovery purposes. It can also be sent by e-mail.

6. Under POA Group, you can select a group of POA users to be assigned to the endpoint. POA users offer access for administrative tasks on the endpoint after the Power-on Authentication has been activated. To assign POA users, the POA group must have been created beforehand in the Users area of the SafeGuard Policy Editor.

7. If required, select CCO. For more information, see Company Certificate Change Orders (page 48).

8. Specify an output path for the configuration package (MSI).

9. Click Create Configuration Package.

The configuration package (MSI) has been created in the specified location. You now need to distribute this package to the Sophos SafeGuard endpoints.

7.2 Distributing configuration packages

Configuration packages have to be installed on the endpoint computers after installation of the Sophos SafeGuard encryption software or after any change in the configuration settings.

Distribute the configuration package using your company software distribution mechanisms or install it manually on the endpoint computers.

Note:

To change the policy settings for a Sophos SafeGuard protected computer, create a new configuration package including the changed policies and distribute it to the computer.

Note:

Installing a configuration package from a previous version on an endpoint that has been upgraded to the latest version is not supported. If you try to install an older configuration package over a newer one, the installation is aborted.

For security reasons, delete all outdated or unused configuration packages.

8 Exporting the company and security officer certificates

In a Sophos SafeGuard installation, the following two items are critical and must be backed up in a safe location:

■ The company certificate stored in the Sophos SafeGuard Database.

■ The security officer certificate residing in the certificate store of the computer on which SafeGuard Policy Editor is installed.

Both certificates can be exported in the form of .p12 files to back them up. A corrupted SafeGuard Policy Editor installation or a corrupted database configuration can be restored by importing the relevant certificate (.p12 file).

Note:

We recommend that you carry out this task right after first-time configuration in SafeGuard Policy Editor.

8.1 Export the company certificate

1. On the SafeGuard Policy Editor Tools menu, click Options.

2. Select the Certificates tab and click the Export button in the Company Certificate section.

3. You are prompted to enter a password for securing the exported file. Enter a password, confirm it and click OK.

4. Enter a file name and storage location for the file and click OK.

The company certificate is exported as a .p12 file to the defined location and can be used for recovery purposes.

8.2 Export the security officer certificate

To back up the security officer certificate of the logged on officer:

1. On the SafeGuard Policy Editor Tools menu, click Options.

2. Select the Certificates tab and click the Export button in the Certificate of <Administrator> section.

3. You are prompted to enter a password for securing the exported file. Enter a password, confirm it and click OK.

4. Enter a file name and storage location for the file and click OK.

The security officer certificate of the currently logged on officer is exported as a .p12 file to the defined location and can be used for recovery purposes.

9 Company Certificate Change Orders

Company Certificate Change Orders (CCOs) are used to:

■ Move a SafeGuard Enterprise standalone client to a different environment by exchanging the endpoint's company certificate with the company certificate of the target environment.

Note: Creating CCOs is only allowed for Master Security Officers.

9.1 Replace the company certificate

Replacing the company certificate is necessary when you want to move an endpoint from one standalone environment to a different one. The endpoint to be moved needs to have the company certificate of the environment it is to be moved to. Otherwise the client does not accept policies of the new environment. Since the necessary tasks on both sides can be carried out with Management Center as well as Policy Editor, in the following description the term management tool is used for both. Their range of functions concerning company certificate replacement is identical.

The following prerequisites must be met:

Decide which is your source and which is your target Management Center/Policy Editor environment. The source Management Center/Policy Editor is the one you used for creating the configuration packages for the endpoints that are to be moved. The target Management Center/Policy Editor is the one the endpoints will be moved to.

To replace the company certificate:

1. On the target management tool, export the company certificate: On the Tools menu, click Options. Select the Certificates tab and click the Export button under Company Certificate. Enter and confirm a password for the certificate backup when prompted and select a destination directory and filename when prompted. The company certificate is exported (.cer file).

2. On the source management tool, on the Tools menu, click Options and select Create... in the Request section. In the Create CCO dialog, browse for the target company certificate you exported on the target management tool (step 1). Make sure that it is the desired certificate. Click Create and select a destination directory and file name for the .cco file. Confirm that you want to place a Company Certificate Change Order. Please note that a CCO is not bound to specific endpoints. Using a CCO, any client of the source environment can be moved.

3. On the target management tool, you have to import the CCO created on the source Management Center. On the Tools menu, click Configuration Package Tool and select the CCOs tab. Click Import.

4. In the Import CCO dialog, select the CCO you created on the source management tool and enter a CCO name and optionally a description. Click OK.

5. On the target management tool, create a configuration package: On the Tools menu, click Configuration Package Tool > Standalone client package and add a new configuration package. Select the imported CCO from the drop-down menu in the CCO column. Specify a location under Configuration Package output path. Click Create Configuration package. The configuration package is created in the specified location.

6. Install this configuration package on all endpoints you want to move from the source environment to the target environment.

9.2 Managing Company Certificate Change Orders

In the SafeGuard Policy Editor, on the Tools menu, click Configuration Package Tool. All created CCOs are displayed on the CCOs tab.

Detailed information on the selected CCO is displayed in the lower part of the dialog.

If the CCO was created to update the company certificate, the Source company certificate is the one to be renewed. If the CCO was created to move endpoints, it is the company certificate of the environment whose endpoints you want to move to a different environment.

The Destination company certificate is the new company certificate if the CCO was created to update the company certificate, or the company certificate of the environment to which the endpoints are to be moved.

Below the certificate details it is shown for which tasks the selected CCO can be used.

9.2.1 Import

Before a CCO that was created by a different management tool in order to change the company certificate can be selected when creating configuration packages, it has to be imported.

Clicking Import... opens a dialog in which you can select and name the CCO. The name you enter here is displayed on the CCOs tab of the Configuration Package Tool.

9.2.2 Export

Using the Export functionality, CCOs stored in the database can be exported and are then available as .cco files.

10 Check the database integrity

When you log on to the database, database integrity is automatically verified. If this check results in any errors, the Verify Database Integrity dialog is displayed.

You can also start the database integrity check manually at any time after logon, to display the Verify Database Integrity dialog:

1. In the SafeGuard Policy Editor, on the Tools menu, select Database integrity.

2. To check the tables, click Check all or Check selected.

Erroneous tables are marked in the dialog.

3. To repair them, click Repair.

Erroneous database tables are repaired.

11 Administrative access to endpoint computers

Sophos SafeGuard offers two types of accounts to enable users to log on to endpoint computers and carry out administrative tasks after Sophos SafeGuard has been installed.

■ Service accounts for Windows logon

With service accounts, users (for example rollout operators, members of the IT team) can log on (Windows logon) to endpoint computers after the installation of Sophos SafeGuard without activating the Power-on Authentication and without being added as users to the computers. Users included on a service account list are treated as guest users when logging on to the endpoint computer.

For further information, see Service account lists for Windows logon (page 51).

Note: Service account lists are assigned to endpoint computers through policies. They should be assigned in the first Sophos SafeGuard configuration package you create for the configuration of the endpoint computers. Service account lists can be updated by creating a new configuration package and deploying it to the endpoint computers before activation of the POA.

■ POA users for POA logon

POA users are predefined local accounts that enable users (for example members of the IT team) to log on to endpoint computers to perform administrative tasks after the POA has been activated. POA users enable POA logon; there is no automatic logon to Windows. These users are defined in the Users area of the SafeGuard Policy Editor (user ID and password) and assigned to the endpoint computers by means of POA groups included in Sophos SafeGuard configuration packages.

For further information, see POA users for POA logon (page 55).

11.1 Service account lists for Windows logon

A typical scenario for most implementations is that a rollout team installs new computers in an environment, including the installation of Sophos SafeGuard. For installation or verification reasons, rollout operators may log on to the respective computer before the end user receives the new machine and is able to activate the Power-on Authentication.

Thus, the scenario may be as follows:

1. Sophos SafeGuard is installed on an endpoint computer.

2. After restarting the computer, the rollout operator logs on.

3. The rollout operator is added to the POA and the POA becomes active.

When the end user receives the computer, they will not be able to log on at the POA. The user needs to perform a Challenge/Response procedure.

To ensure that administrative operations on a Sophos SafeGuard protected computer do not lead to an activation of the Power-on Authentication and the addition of rollout operators as users to the computer, Sophos SafeGuard allows you to create service account lists for endpoint computers. The users included in these lists are treated as Sophos SafeGuard guest users.

With service accounts the scenario is as follows:

1. Sophos SafeGuard is installed on an endpoint computer.

2. After restarting the computer, a rollout operator included on a service account list logs on (Windows logon).

3. According to the service account list applied to the computer, the user is identified as a service account and is treated as a guest user.

The rollout operator is not added to the POA and the POA does not become active. The end user can log on and activate the POA.

Note:

Service account lists should be assigned in the first Sophos SafeGuard configuration package you create for the configuration of the endpoint computers. Service account lists can be updated by creating a new configuration package with changed settings and deploying it to the endpoint computers before activation of the POA.

11.1.1 Create service account lists and add users

1. In the navigation area, click Policies.

2. In the policy navigation window, select Service account lists.

3. In the context menu of Service account lists, click New > Service account list.

4. Enter a name for the service account list and click OK.

5. Select the new list under Service account lists in the policy navigation window.

6. Right-click in the action area to open the context menu for the service account list. In the context menu, select Add.

A new user line is added.

7. Enter the User Name and the Domain Name in the respective columns and press Enter. To add further users, repeat this step.

8. Save your changes by clicking the Save icon in the toolbar.

The service account list is now registered and can be selected for assignment when creating a policy.

11.1.1.1 Additional information for entering user and domain names

There are different methods for specifying users in service account lists using the two fields User Name and Domain Name. Restrictions also apply for valid input in these fields.

Covering different combinations for logging on

The two separate fields User Name and Domain Name per list entry allow you to cover all available combinations for logging on, for example "user@domain" or "domain\user".


To handle several user name/domain name combinations, you can use asterisks (*) as wildcards. An asterisk is allowed as the first sign, the last sign and the only sign.

For example:

■ User Name: Administrator

■ Domain Name: *

This combination specifies all users with the user name "Administrator" who log on to any network or local machine.

The predefined domain name [LOCALHOST] available in the drop-down list of the Domain Name field stands for the logon on any local computer.

For example:

■ User Name: "*admin"

■ Domain Name: [LOCALHOST]

This combination specifies all users whose user names end in "admin" and who log on to any local machine.

Users may log on in different ways, for example:

■ user: test, domain: mycompany or

■ user: test, domain: mycompany.com.

As domain specifications in the service account lists are not automatically resolved, there are three ways to specify the domain correctly:

■ You know exactly how the user is going to log on and enter the domain accordingly.

■ You create several service account list entries.

■ You use wildcards to cover all the different cases (user: test, domain: mycompany*).

Note:

To avoid problems caused by Windows not always presenting a domain with the same character sequence (names may be truncated), we recommend that you enter both the fully qualified domain name and the NetBIOS name, or that you use wildcards.

Restrictions

Asterisks are only allowed as the first sign, the last sign and the only sign. The following are examples of valid and invalid strings using asterisks:

■ Valid strings include admin*, *, *strator, *minis*.

■ Invalid strings include **, Admin*trator, Ad*minist*.

The following restrictions also apply:

■ The character ? is not allowed in user logon names.


■ The characters / \ [ ] : ; | = , + * ? < > " are not allowed in domain names.

11.1.2 Editing and deleting service account lists

As a security officer with the Modify service account lists right, you can edit or delete service account lists at any time:

■ To edit a service account list, double-click it in the policy navigation window. The service account list is opened and you can add, delete or modify user names on the list.

■ To delete a service account list, select it in the policy navigation window, open the context menu and select Delete.

11.1.3 Assign a service account list with a policy

1. Create a new policy of the type Authentication or select an existing one.

2. Under Logon Options, select the required service account list from the Service Account List drop-down list.

Note: The default setting is [No List], which means no service account list applies. Rollout operators logging on to the computer after installation of Sophos SafeGuard are then not treated as guest users and may activate Power-on Authentication and be added to the computer. To undo the assignment of a service account list, select the option [No List].

3. Save your changes by clicking the Save icon in the toolbar.

You can now deploy the policy to the respective computers to make the service accounts available on the computer.

Note:

If you select different service account lists in different policies which are all relevant according to the RSOP (Resulting Set of Policies, the settings valid for a specific computer/group), the service account list assigned in the last policy applied overrules all previously assigned service account lists. Service account lists are not merged.
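The matching rules from Additional information for entering user and domain names (wildcards, [LOCALHOST], literal domain comparison, the input restrictions) and the last-policy-wins rule from the note above can be checked offline before a list is shipped in a configuration package. The following Python script is an added example written for this page; it is not Sophos code and not part of the product. It encodes those rules as the help text states them and additionally flags a list with a ("*", "*") entry, which would turn every Windows logon into a guest logon so that no end user ever activates the POA. Case-insensitive comparison, the treatment of a later [No List] as overriding, the sample list and the sample logons are assumptions of the example.

```python
"""Offline model of SafeGuard Easy service account list matching.

Added example, not Sophos code. It encodes the rules stated in the help text:
an entry is a (User Name, Domain Name) pair; '*' may only be the first, the
last or the only character; [LOCALHOST] stands for a logon to the local
computer; domain names are compared literally and never resolved; when
several Authentication policies apply, the list in the last policy applied
replaces the others. Case-insensitive comparison and the sample data are
assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCALHOST = "[LOCALHOST]"
FORBIDDEN_DOMAIN_CHARS = set('/\\[]:;|=,+*?<>"')   # Restrictions section
Entry = Tuple[str, str]                            # (User Name, Domain Name)


def _split(pattern: str) -> Tuple[bool, str, bool]:
    """Return (leading '*', literal core, trailing '*'); reject any other
    use of '*' (so '**', 'Admin*trator' and 'Ad*minist*' raise)."""
    if pattern == "*":
        return True, "", True
    lead, trail = pattern.startswith("*"), pattern.endswith("*")
    core = pattern[1 if lead else 0: len(pattern) - 1 if trail else len(pattern)]
    if not core or "*" in core:
        raise ValueError(f"invalid wildcard use in {pattern!r}")
    return lead, core, trail


def validate_entry(user: str, domain: str) -> None:
    """Apply the input restrictions of the help text to one list entry."""
    _, user_core, _ = _split(user)
    if "?" in user_core:
        raise ValueError("'?' is not allowed in user logon names")
    if domain == LOCALHOST:          # predefined value, exempt from the rule
        return
    _, domain_core, _ = _split(domain)
    bad = FORBIDDEN_DOMAIN_CHARS & set(domain_core)
    if bad:
        raise ValueError(f"characters not allowed in domain names: {sorted(bad)}")


def _match(pattern: str, value: str) -> bool:
    """Literal, case-insensitive comparison honouring a leading/trailing '*'."""
    lead, core, trail = _split(pattern.lower())
    value = value.lower()
    if lead and trail:
        return core in value
    if lead:
        return value.endswith(core)
    if trail:
        return value.startswith(core)
    return value == core


@dataclass(frozen=True)
class Logon:
    user: str
    domain: str          # exactly as typed at the Windows logon, not resolved
    local: bool = False  # True when the account is local to the computer


def is_service_account(entries: List[Entry], logon: Logon) -> bool:
    """True if the logon hits an entry: the user is treated as a SafeGuard
    guest user, is not added to the computer and does not activate the POA."""
    for user, domain in entries:
        validate_entry(user, domain)
        if not _match(user, logon.user):
            continue
        if domain == LOCALHOST:
            if logon.local:
                return True
        elif _match(domain, logon.domain):
            return True
    return False


def effective_list(lists_in_rsop_order: List[Optional[List[Entry]]]) -> Optional[List[Entry]]:
    """Lists are not merged: the last policy applied wins. None stands for
    [No List]; treating a later [No List] as overriding is an assumption."""
    return lists_in_rsop_order[-1] if lists_in_rsop_order else None


def covers_everyone(entries: List[Entry]) -> bool:
    """A ('*', '*') entry makes every Windows logon a guest logon, so no end
    user would ever activate the POA on that computer."""
    return any(u == "*" and d == "*" for u, d in entries)


# Constructed sample list, modelled on the examples in the help text.
ROLLOUT_LIST: List[Entry] = [
    ("Administrator", "*"),     # any Administrator, local or domain
    ("*admin", LOCALHOST),      # e.g. svcadmin, but only as a local account
    ("test", "mycompany*"),     # matches both 'mycompany' and 'mycompany.com'
]

if __name__ == "__main__":
    for lg in (Logon("Administrator", "CORP"), Logon("svcadmin", "LAPTOP01", local=True),
               Logon("svcadmin", "CORP"), Logon("test", "mycompany.com"), Logon("alice", "CORP")):
        verdict = "guest user" if is_service_account(ROLLOUT_LIST, lg) else "activates POA"
        print(f"{lg.domain}\\{lg.user}: {verdict}")
    print("list covers everyone:", covers_everyone([("*", "*")]))
```

Run it as a script to see the verdict for each sample logon; in practice, feed it the entries you intend to type into the Policy Editor and the user/domain strings your operators actually use at the Windows logon, since a mismatch in the literal domain string (mycompany versus mycompany.com) is exactly what the wildcard advice above is meant to cover.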

11.1.4 Transferring the policy to the endpoint computer

Sophos SafeGuard protected computers receive policies by configuration packages created through Tools > Configuration Package Tool in the SafeGuard Policy Editor.

The configuration file can be distributed using company software distribution mechanisms, or the configuration package can be installed manually on the endpoint computers.

Note:

The service account list functionality is especially helpful and important during initial installation in the rollout phase of an implementation. We therefore recommend that you include an Authentication policy with the required service account list settings in the policy group transferred with the first Sophos SafeGuard configuration package.

Note:

To change the policy settings for a Sophos SafeGuard protected computer, create a new configuration package including the changed policies and distribute it to the computer.

11.1.5 Logging on to an endpoint computer using a service account

At the first Windows logon after restarting the computer, a user included on a service account list logs on to the computer as a Sophos SafeGuard guest user. This first Windows logon to the computer neither triggers a pending Power-on Authentication nor adds the user to the computer. The Sophos SafeGuard System Tray icon balloon tool tip "Initial user synchronization completed" is not displayed.

Service account status display on the endpoint computer

The guest user logon status can also be displayed through the System Tray icon. For further information, see the Sophos SafeGuard User help, chapter System Tray icon and balloon tool tip (description of the user state field).

11.1.6 Log events

Actions performed regarding service account lists are reported by the following log events:

Sophos SafeGuard Policy Editor

■ Service account list <name> created

■ Service account list <name> modified

■ Service account list <name> deleted

Sophos SafeGuard endpoint computer

■ Windows user <domain/user name> logged on at <timestamp> to machine <domain/workstation name> as SGN service account.

■ New service account list <name> imported.

■ Service account list <name> deleted.
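Every logon reported as an SGN service account is a Windows logon that neither activated the POA nor added a SafeGuard user to the computer, so these endpoint events are worth reviewing once the rollout is over. The following Python script is an added example, not Sophos tooling and not part of the product: it parses log lines written in the wording of the endpoint event templates above, flags service-account logons by users outside the rollout team or after the rollout end date, and lists service account list imports and deletions on the endpoint. The timestamp format, the sample log lines, the roster and the cut-off date are constructed for this example.

```python
"""Review of SafeGuard Easy endpoint log events for service account logons.

Added example, not Sophos tooling. The event wording follows the templates
listed in the Log events section; the timestamp format, the sample log
lines, the rollout roster and the cut-off date are constructed here.
"""
import re
from datetime import datetime
from typing import Dict, List

# "Windows user <domain/user name> logged on at <timestamp> to machine
#  <domain/workstation name> as SGN service account."
LOGON_RE = re.compile(
    r"^Windows user (?P<domain>[^/\s]+)/(?P<user>\S+) logged on at "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) to machine "
    r"(?P<mdomain>[^/\s]+)/(?P<machine>\S+) as SGN service account\.$"
)
# "New service account list <name> imported." / "Service account list <name> deleted."
LIST_RE = re.compile(
    r"^(?:New service account list (?P<imported>.+) imported"
    r"|Service account list (?P<deleted>.+) deleted)\.$"
)

# Constructed sample log (assumed timestamp format YYYY-MM-DD HH:MM:SS).
SAMPLE_LOG = """\
New service account list Rollout-Q1 imported.
Windows user CORP/svcadmin logged on at 2012-02-14 09:12:33 to machine CORP/LAPTOP01 as SGN service account.
Windows user CORP/svcadmin logged on at 2012-02-15 10:01:07 to machine CORP/LAPTOP02 as SGN service account.
Windows user CORP/jdoe logged on at 2012-02-16 08:30:12 to machine CORP/LAPTOP04 as SGN service account.
Service account list Rollout-Q1 deleted.
Windows user LAPTOP03/Administrator logged on at 2012-03-20 17:45:00 to machine CORP/LAPTOP03 as SGN service account.
"""

ROLLOUT_TEAM = {"svcadmin"}          # assumed roster of rollout operators
ROLLOUT_END = datetime(2012, 3, 1)    # assumed date after which no guest logons are expected


def review(log_text: str, team=ROLLOUT_TEAM, rollout_end=ROLLOUT_END) -> Dict[str, list]:
    """Return {'logon_findings': [...], 'list_events': [...]}.

    A service-account logon is flagged when the user is not on the roster or
    when it happened after the rollout end; each finding lists its reasons.
    """
    findings: List[dict] = []
    list_events: List[str] = []
    roster = {u.lower() for u in team}
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            reasons = []
            if m["user"].lower() not in roster:
                reasons.append("user not on rollout team roster")
            if when > rollout_end:
                reasons.append("service account logon after rollout end")
            if reasons:
                findings.append({
                    "user": f'{m["domain"]}/{m["user"]}',
                    "machine": f'{m["mdomain"]}/{m["machine"]}',
                    "when": m["ts"],
                    "reasons": reasons,
                })
            continue
        m = LIST_RE.match(line)
        if m:
            kind = "imported" if m["imported"] else "deleted"
            list_events.append(f'{kind} {m["imported"] or m["deleted"]}')
    return {"logon_findings": findings, "list_events": list_events}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for f in result["logon_findings"]:
        print(f'{f["when"]} {f["user"]} on {f["machine"]}: {"; ".join(f["reasons"])}')
    for e in result["list_events"]:
        print("list event:", e)
```

The two conditions are deliberately independent: a roster member logging on as a guest after the rollout end still means a machine on which the POA has not been activated by its end user, and a non-roster user logging on as a guest during the rollout means the deployed list is wider than intended.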

11.2 POA users for POA logon

After Sophos SafeGuard has been installed and the Power-on Authentication (POA) has been activated, access to endpoint computers to perform administrative tasks may be required. With POA users, users (for example, members of the IT team) can log on at the Power-on Authentication on endpoint computers for administrative tasks without having to initiate a Challenge/Response procedure. There is no automatic logon to Windows; users have to log on to Windows with their existing Windows accounts.

You can create POA users in the SafeGuard Policy Editor, group them into POA groups, and assign groups to endpoint computers using Sophos SafeGuard configuration packages. The users included in the assigned POA group are added to the POA and can log on using their predefined user name and password.

11.2.1 Create POA users

1. In the navigation area of the SafeGuard Policy Editor, click Users.

2. In the Users navigation window under POA, select POA Users.

3. In the context menu of POA Users, click New > Create new user.

The Create new user dialog is displayed.

4. In the Full name field, enter a name (the logon name) for the new POA user.

5. Optionally, enter a description for the new POA user.

6. Enter a password for the new POA user and confirm it.

Note:

To enhance security, the password should meet minimum complexity requirements, for example a minimum length of 8 characters and a mixture of letters and digits. If the password you have entered is too short, a warning message is displayed.

7. Click OK.

The new POA user is created and displayed under POA users in the Users navigation area.

11.2.2 Change the password for a POA user

1. In the navigation area of the SafeGuard Policy Editor, click Users.

2. In the Users navigation window under POA, POA Users, select the relevant POA user.

3. In the context menu of the POA user, select Properties.

The properties dialog for the POA user is displayed.

4. On the General tab under User Password, enter the new password and confirm it.

5. Click OK.

The new password applies for the relevant POA user.

11.2.3 Delete POA users

1. In the navigation area of the SafeGuard Policy Editor, click Users.


2. In the Users navigation window under POA, POA Users, select the relevant POA user.

3. Right-click on the POA user and select Delete from the context menu.

The POA user is deleted. It is no longer displayed in the Users navigation window.

Note:

If the user is part of one or several POA groups, the POA user is also removed from all groups. However, the POA user is still available on the endpoint until a new configuration package has been created and assigned.

11.2.4 Create POA groups

To assign POA users to endpoints using configuration packages, they must be arranged in groups. When creating configuration packages, you can select a POA group for assignment.

1. In the navigation area of the SafeGuard Policy Editor, click Users.

2. In the Users navigation under POA, select POA Groups.

3. In the context menu of POA Groups, click New > Create new group.

The Create new group dialog is displayed.

4. In the Full name field, enter a name for the new POA group.

5. Optionally, enter a description for the new POA group.

6. Click OK.

The new POA group is created. It is displayed under POA Groups in the Users navigation area. You can now add users to the POA group.

11.2.5 Add users to POA groups

1. In the navigation area of the SafeGuard Policy Editor, click Users.

2. In the Users navigation window under POA, POA Group, select the relevant POA group.

In the action area of the SafeGuard Policy Editor on the right-hand side, the Members tab is displayed.

3. In the SafeGuard Policy Editor toolbar, click the Add icon (green plus sign).

The Select member object dialog is displayed.

4. Select the user you want to add to the group.

5. Click OK.

The POA user is added to the group and displayed in the Members tab.

Note:


You can also add users to groups by selecting the POA user in the navigation window and following the steps described above. The only difference is that the action area displays the Member of tab after selecting the user. This tab shows the groups the user has been assigned to. The basic workflow is identical.

11.2.5.1 Removing members from POA groups

1. In the navigation area of the SafeGuard Policy Editor, click Users.

2. In the Users navigation window under POA, POA Group, select the relevant POA group.

In the action area of the SafeGuard Policy Editor on the right-hand side, the Members tab is displayed.

3. Select the user you want to delete from the group.

4. In the SafeGuard Policy Editor toolbar, click the Remove icon (red cross sign).

The user is removed from the group.

Note:

You can also remove members from groups by selecting the POA user in the navigation window and following the steps described above. The only difference is that the action area displays the Member of tab after selecting the user. This tab shows the groups the user has been assigned to. The basic workflow is identical.

11.2.6 Assign POA users to endpoints

1. In the SafeGuard Policy Editor, select Configuration Package Tool from the Tools menu.

2. Select an existing configuration package or create a new one.

For details on creating a new configuration package, see Publish policies to a configuration package (page 45).

3. Specify a POA group created beforehand in the Users area of the SafeGuard Policy Editor, to be applied to the computers.

The default setting for the POA group is No list.

An empty group is available for selection by default. This group can be used to delete a POA group assignment on endpoints.

4. Specify an output path for the configuration package (MSI).

5. Click Create Configuration Package.

6. Deploy the configuration package (MSI) to the endpoints.

By installing the configuration package, the users included in the group are added to the POA on the endpoints. The POA users are available for POA logon.


11.2.7 Change POA user assignment on endpoints

1. Create a new POA group or modify an existing one.

2. Create a new configuration package and select the new or modified POA group.

The new POA group is available on the endpoints, and all users included are added to the POA. The new group overwrites the old one. POA groups are not merged.

11.2.8 Delete POA users from endpoint computers

POA users can be deleted from endpoints by assigning an empty POA group.

1. In the SafeGuard Policy Editor, select the Configuration Package Tool from the Tools menu.

2. Select an existing configuration package or create a new one.

3. Specify an empty POA group created beforehand in the Users area of the SafeGuard Policy Editor, or select the empty POA group that is available by default in the Configuration Package Tool.

4. Specify an output path for the configuration package (MSI).

5. Click Create Configuration Package.

6. Deploy the configuration package to the endpoint computers.

By installing the configuration package, all POA users are removed from the endpoint computers.This removes all relevant users from the POA.

11.2.9 Log on to an endpoint with a POA user

1. Switch on the computer.

The Power-on Authentication logon dialog is displayed.

2. Enter the User name and the Password of the predefined POA user.

You are not automatically logged on to Windows. The Windows logon dialog is displayed.

3. In the Domain field, select the domain <POA>.

4. Log on to Windows using your existing Windows user account.


12 Default policies

During first-time configuration within SafeGuard Policy Editor, a default policy with pre-defined encryption and authentication settings is automatically created.

After installation, the default policy with all individual policy items is displayed in the Policies navigation area of the SafeGuard Policy Editor.

Note:

The default policy can only be created during first-time configuration within the SafeGuard Policy Editor Configuration Wizard.

The following section lists the default policies available.

For a detailed description of the policy settings, see Policy Settings (page 65).

12.1 Available default policies

Note:

For options listed in the following table with the setting Not configured, default values automatically apply. The relevant default values are indicated in brackets.

For a detailed description of the policy settings, see Policy Settings (page 65).

Policy / Settings

Default General Settings Policy (Policy type: General Settings)

Customization:

■ Language used on client: Use OS language settings

Logon recovery:

■ Activate logon recovery after Windows Local Cache corruption: No

Local Self Help:

■ Enable Local Self Help: Yes

■ Minimal length of answers: 3

■ Users can define their own questions: Yes

Challenge/Response (C/R):

■ Enable logon recovery via C/R: Yes

■ Allow automatic logon to Windows: Yes

Default Authentication Policy (Policy type: Authentication)

Access:

■ User may only boot from internal hard disk: Yes

Logon Options:

■ Logon mode: User ID/Password

■ Display unsuccessful logons for this user: No

■ Display last user logon: No

■ Disable 'forced logoff' in workstation lock: No

■ Active user/domain preselection: Yes

■ Pass through to Windows: Let user choose freely

Failed Logons:

■ Maximum no. of failed logons: 16

■ Display "Logon failed" messages in POA: Standard

Lock Options:

■ Lock screen after X minutes inactivity: 0

■ Lock screen after resume: No

Default Password Policy (Policy type: Password)

Password:

■ Min. password length: 4

■ Max. password length: 128

■ Min. number of letters: 0

■ Min. number of digits: 0

■ Min. number of special characters: 0

■ Case sensitive: No

■ Keyboard row forbidden: No

■ Keyboard column forbidden: No

■ 3 or more consecutive characters forbidden: No

■ User name as password forbidden: No

■ Use forbidden password list: No

Changes:

■ Password change allowed after min. (days): Not configured (Default value 0 applies.)

■ Password expires after (days): Not configured (Default value 999 applies.)

■ Notify of forced change before (days): Not configured (Default value 10 applies.)

General:

■ Password history length: 0

Default Device Encryption Policy (Policy type: Device Protection): Encrypt all internal disks.

■ Media encryption mode: Volume-based

General Settings:

■ Algorithm to be used for encryption: AES256

■ Key to be used for encryption: Defined machine key

Volume-based Settings:

■ User may add or remove keys to or from encryption: Not configured (Default value No applies.)

■ Reaction to unencrypted volumes: Accept all media and encrypt

■ User may decrypt volume: No

■ Proceed on bad sectors: Yes

Default Data Exchange Policy (Policy type: Device Protection): Encrypt removable media.

■ Media encryption mode: File-based

General Settings:

■ Algorithm to be used for encryption: AES256

■ Key to be used for encryption: Any key in user key ring

File-based Settings:

■ Initial encryption of all files: Not configured (Default value Yes applies.)

■ User may cancel initial encryption: Not configured (Default value No applies.)

■ User is allowed to access unencrypted files: Not configured (Default value Yes applies.)

■ User may decrypt files: Not configured (Default value No applies.)

■ User may define a media passphrase for devices: Yes

■ Copy SG Portable to Removable Media: Yes

■ User is allowed to decide about encryption: No

Default Machine Settings Policy (Policy type: Specific Machine Settings)

Power-on Authentication (POA):

■ Enable Power-on Authentication: Yes

■ Forbid guest user: Not configured (Default value No applies.)

Secure Wake on LAN (WOL):

■ Number of autologons: 0

■ Windows logon allowed during WOL: No

Display Options:

■ Display machine identification: Workstation name

■ Display legal notice: No

■ Display additional information: Never

■ Enable and show system tray icon: Yes

■ Show overlay icons in Explorer: Yes

■ Virtual Keyboard in POA: Yes

Installation Options:

■ Uninstallation allowed: Yes

■ Enable Sophos tamper protection: Yes

Note: This setting only applies to endpoint computers where Sophos Endpoint Security and Control version 9.5 or higher is installed.

Default Logging Policy (Policy type: Logging): Only log errors in the event log, discard others.

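The Default Password Policy above accepts any password of 4 to 128 characters with no further requirement, while the note in Create POA users asks for at least 8 characters with letters and digits; both can be evaluated before a policy is published. The following Python script is an added example, not Sophos code and not part of the product. It models the settings listed in the Default Password Policy table with the page's default values (DEFAULT), a profile built from the POA user advice (POA_ADVICE), and a stricter profile of this example's own choosing (STRONG), and checks candidate passwords against them. The keyboard layout used for the row and column checks, the reading of "3 or more consecutive characters" as either a repeated character or a run such as abc or 123, the forbidden-word list and the sample passwords are assumptions of the example.

```python
"""Offline checker for a SafeGuard Easy Password policy.

Added example, not Sophos code. Setting names and DEFAULT values follow the
Default Password Policy table; POA_ADVICE encodes the POA user note (8 or
more characters, letters and digits); STRONG is this example's own profile.
Keyboard layout, the reading of "3 or more consecutive characters",
forbidden words and sample passwords are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Sequence

# Assumed US layout; a column is read vertically through the three rows.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLS = ["qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]


@dataclass
class PasswordPolicy:
    min_length: int = 4
    max_length: int = 128
    min_letters: int = 0
    min_digits: int = 0
    min_special: int = 0
    case_sensitive: bool = False         # affects the password history comparison
    keyboard_row_forbidden: bool = False
    keyboard_column_forbidden: bool = False
    consecutive_forbidden: bool = False  # "3 or more consecutive characters forbidden"
    username_forbidden: bool = False     # "User name as password forbidden"
    forbidden_words: List[str] = field(default_factory=list)  # "Use forbidden password list"
    history_length: int = 0


DEFAULT = PasswordPolicy()               # values from the table above
POA_ADVICE = PasswordPolicy(min_length=8, min_letters=1, min_digits=1)
STRONG = PasswordPolicy(min_length=12, min_letters=1, min_digits=1, min_special=1,
                        case_sensitive=True, keyboard_row_forbidden=True,
                        keyboard_column_forbidden=True, consecutive_forbidden=True,
                        username_forbidden=True, forbidden_words=["password", "sophos"],
                        history_length=5)


def _keyboard_run(pw: str, lines: Sequence[str], n: int = 3) -> bool:
    """True if any n characters of pw, forwards or backwards, lie on one line."""
    p = pw.lower()
    return any(p[i:i + n] in ln or p[i:i + n][::-1] in ln
               for i in range(len(p) - n + 1) for ln in lines)


def _consecutive(pw: str, n: int = 3) -> bool:
    """Assumed reading: the same character n times ('aaa') or an ascending
    run of code points ('abc', '123')."""
    p = pw.lower()
    for i in range(len(p) - n + 1):
        chunk = p[i:i + n]
        if len(set(chunk)) == 1:
            return True
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(n - 1)):
            return True
    return False


def check(pw: str, policy: PasswordPolicy, username: str = "",
          history: Sequence[str] = ()) -> List[str]:
    """Return the rules pw violates (an empty list means the policy accepts it)."""
    problems = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        problems.append(f"length must be between {policy.min_length} and {policy.max_length}")
    if sum(c.isalpha() for c in pw) < policy.min_letters:
        problems.append(f"needs at least {policy.min_letters} letter(s)")
    if sum(c.isdigit() for c in pw) < policy.min_digits:
        problems.append(f"needs at least {policy.min_digits} digit(s)")
    if sum(not c.isalnum() for c in pw) < policy.min_special:
        problems.append(f"needs at least {policy.min_special} special character(s)")
    if policy.keyboard_row_forbidden and _keyboard_run(pw, KEYBOARD_ROWS):
        problems.append("contains a keyboard row sequence")
    if policy.keyboard_column_forbidden and _keyboard_run(pw, KEYBOARD_COLS):
        problems.append("contains a keyboard column sequence")
    if policy.consecutive_forbidden and _consecutive(pw):
        problems.append("contains 3 or more consecutive characters")
    if policy.username_forbidden and username and pw.lower() == username.lower():
        problems.append("user name is not allowed as password")
    if any(w in pw.lower() for w in policy.forbidden_words):
        problems.append("contains a forbidden word")
    if policy.history_length:
        fold = (lambda s: s) if policy.case_sensitive else str.lower
        if fold(pw) in {fold(h) for h in history[-policy.history_length:]}:
            problems.append(f"reuses one of the last {policy.history_length} passwords")
    return problems


if __name__ == "__main__":
    for pw in ("jdoe", "qwerty12", "Harbor-7Lantern"):      # constructed samples
        for name, pol in (("DEFAULT", DEFAULT), ("POA_ADVICE", POA_ADVICE), ("STRONG", STRONG)):
            print(f"{pw!r:18} {name:11} {check(pw, pol, username='jdoe') or 'OK'}")
```

Running the script shows that the user name "jdoe" and the keyboard walk "qwerty12" pass DEFAULT unchanged, which is the reason to review the Password policy before the first configuration package goes out rather than rely on the generated defaults.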

13 Policy Settings

Sophos SafeGuard policies include all settings needed to implement a company-wide security policy on endpoint computers.

Sophos SafeGuard policies can incorporate settings for the following areas (policy types):

■ General Settings

Settings for customization, logon recovery, background images, etc.

■ Authentication

Settings for logon mode, device lock, etc.

■ PIN

Defines requirements for used PINs.

■ Passwords

Defines requirements for user passwords.

■ Passphrases for SafeGuard Data Exchange

Defines the requirements for passphrases. Passphrases are used for secure data exchange with SafeGuard Data Exchange during key generation.

■ Device protection

Settings for volume- or file-based encryption (including settings for SafeGuard Data Exchange and SafeGuard Portable): algorithms, keys, the drives on which data is to be encrypted, etc.

■ Specific machine settings

Settings for Power-on Authentication (activate/deactivate), secure Wake On LAN, display options, etc.

■ Logging

Defines events to be logged.

13.1 General settings

Policy setting / Explanation

CUSTOMIZATION

Language used on client

Language in which settings for Sophos SafeGuard are displayed on an endpoint computer. You can select a supported language or the endpoint computer's operating system language setting.

LOGON RECOVERY

Activate logon recovery after Windows Local Cache corruption

The Windows Local Cache stores all keys, policies, user certificates and audit files. All data stored in the local cache are signed and cannot be changed manually. By default, logon recovery is deactivated when the Windows Local Cache is corrupted; this means the cache is restored automatically from its backup and no Challenge/Response procedure is required for repairing it. If the Windows Local Cache is to be repaired explicitly using a Challenge/Response procedure, set this field to Yes.

Local Self Help

Enable Local Self Help

Determines whether users are permitted to log on to their computers with Local Self Help if they have forgotten their password. With Local Self Help, users can log on by answering a specified number of previously defined questions in the Power-on Authentication. They can regain access to their computers even if neither telephone nor internet connection are available.

Note: For the user to be able to use Local Self Help, automatic logon to Windows must be enabled. Otherwise, Local Self Help will not work.

Minimal length of answers

Defines the minimum character length for Local Self Help answers.

Welcome text under Windows

In this field, you can specify the individual information text to be displayed in the first dialog when launching the Local Self Help Wizard on the endpoint computer. Before specifying the text here, it has to be created and registered.

Users can define their own questions

As a security officer you can define the set of questions to be answered centrally and distribute it to the endpoint computer in the policy. However, you can also grant the users the right to define their own questions. To entitle users to define their own questions, select Yes.

Challenge / Response (C/R)

Enable Logon Recovery via C/R

Determines whether, for logon recovery, a user is permitted to generate a challenge in the Power-on Authentication (POA) to regain access to their computer with a Challenge/Response procedure.

■ Yes: The user is permitted to generate a challenge and the Challenge button in the POA is active. In this case, the user can regain access to their computer with a C/R procedure.

■ No: The user is not permitted to issue a challenge and the Challenge button in the POA is inactive. In this case, the user cannot initiate a C/R procedure to regain access to their computer.

Sophos SafeGuard also offers the logon recovery method Local Self Help. It can be activated with the policy setting Enable Local Self Help.

Allow automatic logon to Windows

Allows a user to log on to Windows automatically after authentication using Challenge/Response.

■ Yes: The user is automatically logged on to Windows.

■ No: The Windows logon screen appears.

Example: A user has forgotten their password. After the Challenge/Response procedure, Sophos SafeGuard logs the user on at the computer without a Sophos SafeGuard password. If automatic Windows logon is switched off, the Windows logon screen is displayed and the user cannot get past it, because they do not know the Sophos SafeGuard password (= Windows password). With Yes, the user is logged on automatically and is able to move on from the Windows logon screen.

Information text

Displays information text when a Challenge/Response procedure is initiated in the POA. For example: "Please contact Support Desk on telephone number 01234-56789." Before you specify a text here, you must create it as a text file in the Policies navigation area under Information text.

IMAGES

Prerequisite: New images must be registered in the policy navigation area of the SafeGuard Policy Editor under Images. The images will only be available after registration. Supported formats: .BMP, .PNG, .JPEG.

Background image in POA
Background image in POA (low resolution)

Replaces the blue background bitmap with the SafeGuard design for the background of your choice. Customers might for example use the company logo in the POA and at Windows logon. Maximum file size for all background bitmaps: 500 KB.

Normal:

■ Resolution: 1024x768 (VESA mode)

■ Colors: unlimited

Low:

■ Resolution: 640x480 (VGA mode)

■ Colors: 16 colors

Logon image in POA
Logon image in POA (low resolution)

Replaces the Sophos SafeGuard bitmap displayed in the POA logon dialog. For example, the company logo can be displayed in this dialog.

Normal:

■ Resolution: 413 x 140 pixels

■ Colors: unlimited

Low:

■ Resolution: 413 x 140 pixels

■ Colors: 16 colors

FILE ENCRYPTION

Trusted Applications

For file-based encryption by SafeGuard Data Exchange, you can specify applications as trusted to grant them access to encrypted files. This is for example necessary to enable antivirus software to scan encrypted files.

Enter the applications you want to define as trusted in the editor list box of this field. Applications must be entered as fully qualified paths.

Ignored Applications

For file-based encryption by SafeGuard Data Exchange, you can specify applications as ignored to exempt them from transparent file encryption/decryption. For example, if you define a backup program as an ignored application, encrypted data backed up by the program remains encrypted.

Enter the applications you want to define as ignored in the editor list box of this field. Applications must be entered as fully qualified paths.

Ignored Devices

For file-based encryption by SafeGuard Data Exchange, you can exclude entire devices (for example disks) from file-based encryption.

In the editor list box, select Network to select a predefined device, or enter the required device names to exclude specific devices from encryption. For further information, see Displaying attached and ignored devices for SafeGuard Data Exchange configuration (page 106).

Enable persistent encryption

For file-based encryption by SafeGuard Data Exchange, you can configure persistent encryption. With persistent encryption, copies of encrypted files will be encrypted, even when they are saved in a location not covered by an encryption rule.

This policy setting is activated by default.

User is allowed to set default key

For file-based encryption by Cloud Storage you can configure whether the user is allowed to set a default key for encryption or not. If allowed, the Set default key command is added to the Windows Explorer context menu of Cloud Storage synchronization folders. Users can use the command to specify separate default keys to be used for encryption for different synchronization folders.

13.2 Authentication

The way users log on to their computer is determined in a policy of the type Authentication.

ExplanationPolicy Setting

ACCESS

Determines whether users may start the computer from thehard drive and/or another medium.Yes: Users can only boot

Users may only boot from internalhard disk

from the hard disk. The POA does not offer the option to startthe computer with a floppy disk or other external media. No:Users may start the computer from hard disk, floppy disk orexternal medium (USB, CD etc.)

LOGON OPTIONS

69

Administrator help

Page 70: SafeGuard Easy Administrator help - Sophos

ExplanationPolicy Setting

Policy setting: Logon mode
Determines how users need to authenticate themselves at the POA.

■ User ID/Password: Users have to log on with their user name and password.

■ Token

The user can only log on to the POA using a token or smartcard. This process offers a higher level of security. The user is requested to insert the token at logon. User identity is verified by token ownership and PIN presentation. After the user has entered the correct PIN, Sophos SafeGuard automatically reads the data for user logon.

Note:

Once this logon process has been selected, users can only log on using a previously issued token.

You can combine the settings User ID/Password and Token. To test whether logon using a token works, first select both settings. Only deselect the User ID/Password logon mode if authentication using the token was successful. You must also combine the two settings if you want to allow Local Self Help for token logon.

■ Fingerprint: Select this setting to enable logon with Lenovo Fingerprint Reader. Users to whom this policy applies can then log on with a fingerprint or a user name and password. This procedure provides the maximum level of security. When logging on, the user swipes his or her finger over the fingerprint reader. Upon successful recognition of the fingerprint, the Power-on Authentication process reads the user's credentials and logs the user on to Power-on Authentication. The system then transfers the credentials to Windows, and the user is logged on to the computer.

Note:

After selecting this logon procedure, the user can log on only with a pre-enrolled fingerprint or a user name and password.

Policy setting: Logon options using token
Determines the type of token or smartcard to be used at the endpoint computer.

Non-cryptographic: Authentication at POA and Windows based on user credentials.

Policy setting: PIN used for autologon with token
Specify a default PIN to enable the user to automatically log on at the Power-on Authentication using a token or smartcard. The user is requested to insert the token at logon and is then passed through the Power-on Authentication. Windows will be started.

PIN rules do not need to be observed.

Note:

■ This option is only available if Token has been selected as Logon mode.

■ If this option is selected, then Pass through to Windows must be set to Disable pass-through to Windows.

Policy setting: Display unsuccessful logons for this user
Displays (setting: Yes) after logon at the POA and Windows a dialog showing information on the last failed logon (user name/date/time).

Policy setting: Display last user logon
Displays (setting: Yes) after logon at the POA and Windows a dialog showing information on the

■ last successful logon (user name/date/time)

■ last user credentials of the logged on user

Policy setting: Disable “forced logoff” in workstation lock
If users wish to exit the endpoint computer for a short time only, they can click Block workstation to block the computer for other users and unlock it with the user password.

No: The user who has locked the computer as well as an administrator can unlock it. If an administrator unlocks the computer, the currently logged on user is logged off automatically.

Yes: Changes this behavior. In this case, only the user can unlock the computer. The administrator cannot unlock it and the user will not be logged off automatically.

Note: This setting only takes effect under Windows XP.

Policy setting: Activate user/domain preselection
Yes: The POA saves the user name and domain of the last logged on user. Users therefore do not need to enter their user names every time they log on.

No: The POA does not save the user name and the domain of the last logged on user.

Policy setting: Service Account List
To prevent administrative operations on a Sophos SafeGuard protected computer leading to an activation of the Power-on Authentication and the addition of rollout operators as users to the computer, Sophos SafeGuard offers service account lists for Sophos SafeGuard endpoint computers. The users included in these lists are treated as Sophos SafeGuard guest users.

Before you select a list here, you must first create the lists in the Policies navigation area under Service Account Lists.

Policy setting: Pass through to Windows
Note:

For the user to be able to grant other users access to their computer, the user has to be permitted to deactivate logon pass-through to Windows.

■ Let user choose freely

The user can decide, by selecting/deselecting this option in the POA logon dialog, whether automatic logon at Windows is to be performed.

■ Enforce pass-through to Windows

The user will always be automatically logged on to Windows.

■ Disable pass-through to Windows

After the POA logon, the Windows logon dialog will be displayed. The user has to log on to Windows manually.

FAILED LOGONS

Policy setting: Maximum no. of failed logons
Determines how many times a user can attempt to log on using an invalid user name or password. After incorrectly entering a user name or password three times in a row, for instance, a fourth attempt will lock the computer.

Policy setting: Display "Logon failed" messages in POA
Defines the level of detail for messages on failed logons:

■ Standard: Shows a short description.

■ Verbose: Displays more detailed information.

TOKEN OPTIONS

Policy setting: Action if token logon status is lost
Defines the behavior after removing the token from the computer. Possible actions include:

■ Lock Computer

■ Present PIN dialog

■ No Action

Policy setting: Allow unblocking of token
Determines whether the token may be unblocked at logon.

LOCK OPTIONS

Policy setting: Lock screen after X minutes inactivity
Determines the time after which an unused desktop is automatically locked. The default value is 0 minutes, in which case the desktop will not be locked.

Policy setting: Lock screen at token removal
Determines whether the screen is locked if a token is removed during a session.

Policy setting: Lock screen after resume
Determines whether the screen is locked if the computer is reactivated from standby mode.

13.3 Create forbidden PIN lists for use in policies

For policies of the type PIN, a list of forbidden PINs can be created to define character sequences which must not be used in PINs. PINs are used for token logon. For further information, see Tokens and smartcards (page 119).

Note:

In the lists, forbidden PINs are separated by a line break.

The text files containing the required information have to be created before you can register them in the SafeGuard Policy Editor. The maximum file size for text files is 50 KB. Sophos SafeGuard only uses Unicode UTF-16 coded texts. If you create the text files in another format, they will be automatically converted when they are registered.

To register text files:

1. In the policy navigation area, right-click Information text and select New > Text.

2. Enter a name for the text to be displayed in the Text item name field.

3. Click [...] to select the previously created text file. If the file needs to be converted, a message will be displayed.

4. Click OK.

The new text item is displayed as a subnode below Information text in the policy navigation area. If you select a text item, its contents are displayed in the window on the right-hand side. The text item can now be selected when creating policies.

Proceed as described to register further text items. All registered text items are shown as subnodes.

Note:

Using the Modify Text button, you can add new text to existing text. When clicking this button, a dialog is displayed for selecting another text file. The text contained in this file is appended to the existing text.


13.4 Syntax rules for PINs

In policies of the type PIN, you define settings for token PINs.

PINs can contain numbers, letters and special characters (for example + - ; etc.). However, when issuing a new PIN, do not use any character with the combination ALT + <character> as this input mode is not available at Power-on Authentication.

Note:

Define PIN rules either in the SafeGuard Policy Editor or in the Active Directory, not both.

RULES

Policy setting: Min. PIN length
Specifies how many characters a PIN must comprise when changed by the user. The required value can be entered directly or increased/reduced using the arrow keys.

Policy setting: Max. PIN length
Specifies the maximum number of characters a PIN may comprise when changed by a user. The required value can be entered directly or increased/reduced using the arrow keys.

Policy settings: Min. number of letters, Min. number of digits, Min. number of special characters
These settings specify that a PIN may not consist exclusively of letters, numbers or special characters, but of a combination of at least two (for example 15flower etc.). These settings are only practical if a minimum PIN length of greater than 2 has been defined.

Policy setting: Case sensitive
This setting is only effective with Use forbidden PIN list and User name as PIN forbidden.

Example 1: You have entered "board" in the list of forbidden PINs. If the Case sensitive option is set to Yes, additional password variants such as BOARD, BoaRD will not be accepted and logon will be denied.

Example 2: "EMaier" is entered as a user name. If option Case sensitive is set to Yes and option User name as PIN forbidden is set to No, user EMaier cannot use any variant of this user name (for example "emaier" or "eMaiER") as a PIN.

Policy setting: Keyboard row forbidden
Consecutive key sequences include for example "123" or "qwe". A maximum of two adjacent characters on the keyboard is allowed. Consecutive key sequences relate only to the alphanumerical keyboard area.


Policy setting: Keyboard column forbidden
Refers to keys arranged consecutively in columns on the keyboard such as "yaq1", "xsw2" or "3edc" (but not "yse4", "xdr5" or "cft6"!). A maximum of two adjacent symbols in a single keyboard column is permitted. If you disallow keyboard columns, combinations like these are rejected as PINs. Consecutive key sequences relate only to the alphanumerical keyboard area.

Policy setting: 3 or more consecutive characters forbidden
Activation of this option disallows key sequences

■ which are consecutive series of ASCII code symbols in both ascending and descending order ("abc"; "cba"; ";<" etc.).

■ which consist of three or more identical symbols ("aaa" or "111").

Policy setting: User name as PIN forbidden
Determines whether user name and PIN may be identical.

Yes: Windows user name and PIN must be different.

No: Users may use their Windows user names as PINs.

Policy setting: Use forbidden PIN list
Determines whether certain character sequences must not be used for PINs. The character sequences are stored in the list of forbidden PINs (for example a .txt file).

Policy setting: List of forbidden PINs
Defines character sequences which must not be used for PINs. If a user uses a forbidden PIN, an error message will be displayed.

Prerequisite:

A list (file) of forbidden PINs must be registered in the SafeGuard Policy Editor in the Policies navigation area under Information text. The list is only available after registration.

Maximum file size: 50 KB

Supported format: Unicode

Defining forbidden PINs

In the list, forbidden PINs are separated by a space or line break.

Wildcard: The wildcard character "*" can represent any character and any number of characters in a PIN. Therefore *123* means that any series of characters containing 123 will be disallowed as a PIN.

Note:

■ If the list contains only a wildcard, the user will no longer be able to log on to the system after a forced password change.

■ Users must not be permitted to access the file.

■ The Use forbidden PIN list option must be activated.

CHANGES

Policy setting: PIN change after min. (days)
Determines the period during which a PIN must not be changed. This setting prevents the user from changing a PIN too many times within a specific period.

Example:

User Miller defines a new PIN (for example "13jk56"). The minimum change interval for this user (or group to which this user is assigned) is set to five days. After two days the user wants to change the PIN to "13jk56". The PIN change is rejected because Mrs. Miller may only define a new PIN after five days have passed.

Policy setting: PIN change after max. (days)
If the maximum period of validity is activated, the user has to define a new PIN after the set period has expired.

Policy setting: Notify of forced change before (days)
A warning message is displayed "n" days before PIN expiry reminding the user to change their PIN in "n" days. Alternatively, the user may change the PIN immediately.

GENERAL

Policy setting: PIN history length
Determines when previously used PINs can be reused. It makes sense to define the history length in conjunction with the PIN change after max. (days) setting.

Example:

The PIN history length for user Miller is set to 4, and the number of days after which the user must change their PIN is 30. Mr. Miller is currently logging on using the PIN "Informatics". After the 30 day period expires, he is asked to change his PIN. Mr. Miller types in "Informatics" as the new PIN and receives an error message that this PIN has already been used and he needs to select a new PIN. Mr. Miller cannot use PIN "Informatics" until after the fourth request to change the PIN (in other words PIN history length = 4).


13.5 Create forbidden password list for use in policies

For policies of the type Password, a list of forbidden passwords can be created to define character sequences which must not be used in passwords.

Note:

In the lists, forbidden passwords are separated by line breaks.

The text files containing the required information have to be created before registering them in the SafeGuard Policy Editor. The maximum file size for text files is 50 KB. Sophos SafeGuard only uses Unicode UTF-16 coded texts. If you create the text files in a different format, they will be automatically converted when they are registered.

To register text files:

1. In the policy navigation area, right-click Information text and select New > Text.

2. Enter a name for the text to be displayed in the Text item name field.

3. Click [...] to select the previously created text file. If the file needs to be converted, a message will be displayed.

4. Click OK.

The new text item is displayed as a subnode below Information text in the policy navigation area. If you select a text item, its contents are displayed in the window on the right-hand side. The text item can now be selected when creating policies.

Proceed as described to register further text items. All registered text items are shown as subnodes.

Note:

Using the Modify Text button, you can add new text to existing text. When clicking this button, a dialog is displayed for selecting another text file. The text contained in this file is appended to the existing text.

13.6 Syntax rules for passwords

In policies of the type Password, you define rules for passwords used to log on to the system.

Passwords can contain numbers, letters and special characters (for example + - ; etc.). However, when issuing a new password, do not use any character with the combination ALT + <character> as this input mode is not available at Power-on Authentication.

Note:

The enforcement of password rules and password history can only be guaranteed if the SGN credential provider is used consistently. Define password rules either in the SafeGuard Policy Editor or in the Active Directory, not both.


PASSWORD

Policy setting: Min. password length
Specifies how many characters a password must comprise when changed by the user. The required value can be entered directly or increased/reduced using the arrow keys.

Policy setting: Max. password length
Specifies the maximum number of characters a password must comprise when changed by a user. The required value can be entered directly or increased/reduced using the arrow keys.

Policy settings: Min. number of letters, Min. number of digits, Min. number of special characters
These settings specify that a password may not consist exclusively of letters, numbers or special characters, but must consist of a combination of at least two (for example 15flower etc.). These settings are only practical if a minimum password length of greater than 2 has been defined.

Policy setting: Case sensitive
This setting is only effective with Use forbidden password list and User name as password forbidden.

Example 1: You have entered “board” in the list of forbidden passwords. If Case sensitive is set to Yes, additional password variants such as BOARD, BoaRD will not be accepted and logon will be denied.

Example 2: “EMaier” is entered as a user name. If option Case sensitive is set to Yes and option User name as password forbidden is set to No, user EMaier cannot use any variant of this user name (for example “emaier” or “eMaiER”) as a password.

Policy setting: Keyboard row forbidden
Consecutive key sequences include for example “123” or “qwe”. A maximum of two adjacent characters on the keyboard is allowed. Consecutive key sequences relate only to the alphanumerical keyboard area.

Policy setting: Keyboard column forbidden
Refers to keys arranged consecutively in columns on the keyboard such as “yaq1”, “xsw2” or “3edc” (but not “yse4”, “xdr5” or “cft6”!). A maximum of two adjacent symbols in a single keyboard column is permitted. If you disallow keyboard columns, combinations like these are rejected as passwords. Consecutive key sequences relate only to the alphanumerical keyboard area.


Policy setting: 3 or more consecutive characters forbidden
Activation of this option disallows key sequences

■ which are consecutive series of ASCII code symbols in both ascending and descending order (“abc”; “cba”; “;<” etc.).

■ which consist of three or more identical symbols (“aaa” or “111”).

Policy setting: User name as password forbidden
Determines whether user name and password may be identical.

Yes: Windows user name and password must be different.

No: Users may use their Windows user names as passwords.

Policy setting: Use forbidden password list
Determines whether certain character sequences must not be used for passwords. The character sequences are stored in the list of forbidden passwords (for example a .txt file).

Policy setting: List of forbidden passwords
Defines character sequences which must not be used for passwords. If a user uses a forbidden password, an error message will be displayed.

Important prerequisite:

A list (file) of forbidden passwords must be registered in the SafeGuard Policy Editor in the Policies navigation area under Information text. The list is only available after registration.

Maximum file size: 50 KB

Supported format: Unicode

Defining forbidden passwords

In the list, forbidden passwords are separated by a line break.

Wildcard: The wildcard character “*” can represent any character and any number of characters in a password. Therefore *123* means that any series of characters containing 123 will be disallowed as a password.

■ If the list contains only a wildcard, the user will no longer be able to log on to the system after a forced password change.

■ Users must not be permitted to access the file.

■ Option Use forbidden password list must be activated.

CHANGES


Policy setting: Password change allowed after min. (days)
Determines the period during which a password may not be changed. This setting prevents the user from changing a password too many times within a specific period.

Example:

User Miller defines a new password (for example “13jk56”). The minimum change interval for this user (or group to which this user is assigned) is set to five days. After two days the user wants to change the password to “74jk56”. The password change is rejected because user Miller may only define a new password after five days have passed.

Policy setting: Password expires after (days)
If the maximum period of validity is activated, the user has to define a new password after the set period has expired.

Policy setting: Notify of forced change before (days)
A warning message is displayed “n” days before password expiry reminding the user to change their password in “n” days. Alternatively, the user may change the password immediately.

GENERAL

Policy setting: Password history length
Determines when previously used passwords can be reused. It makes sense to define the history length in conjunction with the Password expires after (days) setting.

Example:

The password history length for user Miller is set to 4, and the number of days after which the user must change their password is 30. Mr Miller is currently logging on using the password “Informatics”. After the 30 day period expires, he is asked to change his password. Mr Miller types in “Informatics” as the new password and receives an error message that this password has already been used and he needs to select a new password. Mr Miller cannot use password “Informatics” until after the fourth request to change the password (in other words password history length = 4).
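As an added example (not Sophos code) covering the PIN rules in 13.4 and the identical password rules in 13.6, the following Python checker applies the table's settings to a candidate value and parses a registered forbidden list the way the page describes it (UTF-16 text, one entry per line, 50 KB limit, "*" wildcard). The keyboard layout, the policy values, the user name handling and the sample list are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Keyboard area for the row/column rules. The page names no layout; QWERTZ is
# assumed because it reproduces the page's examples ("yaq1", "xsw2", "3edc"
# are columns; "yse4", "xdr5", "cft6" are not).
KEYBOARD_ROWS = ["1234567890", "qwertzuiop", "asdfghjkl", "yxcvbnm"]
KEYBOARD_COLUMNS = ["1qay", "2wsx", "3edc", "4rfv", "5tgb", "6zhn", "7ujm", "8ik", "9ol", "0p"]
MAX_LIST_BYTES = 50 * 1024  # registered forbidden lists are limited to 50 KB


@dataclass
class SyntaxPolicy:
    # Settings of a policy of the type PIN or Password, named as in the table.
    min_length: int = 4
    max_length: int = 16
    min_letters: int = 0
    min_digits: int = 0
    min_special: int = 0
    case_sensitive: bool = False        # Yes: case variants of forbidden entries are rejected too
    keyboard_row_forbidden: bool = True
    keyboard_column_forbidden: bool = True
    consecutive_forbidden: bool = True   # "3 or more consecutive characters forbidden"
    user_name_forbidden: bool = True
    use_forbidden_list: bool = True
    forbidden_list: list = field(default_factory=list)


def parse_forbidden_list(data: bytes) -> list:
    """Parse a registered list file: UTF-16 text, at most 50 KB, one entry per line.
    A list that is only a wildcard would reject everything (the lock-out the page
    warns about), so it is refused instead of registered."""
    if len(data) > MAX_LIST_BYTES:
        raise ValueError("forbidden list exceeds 50 KB")
    entries = [e.strip() for e in data.decode("utf-16").splitlines() if e.strip()]
    if any(e.strip("*") == "" for e in entries):
        raise ValueError("bare wildcard entry would reject every PIN/password")
    return entries


def pattern_to_regex(entry: str) -> str:
    """'*' matches any number of characters, everything else is literal:
    '*123*' rejects every value containing '123'."""
    return "^" + ".*".join(re.escape(part) for part in entry.split("*")) + "$"


def has_keyboard_run(value: str, lines: list, run: int = 3) -> bool:
    """True if `run` adjacent characters of `value` lie next to each other on one
    keyboard line (row or column), in either direction. Two adjacent keys are allowed."""
    low = value.lower()
    for line in lines:
        for direction in (line, line[::-1]):
            if any(direction[i:i + run] in low for i in range(len(direction) - run + 1)):
                return True
    return False


def has_ascii_sequence(value: str, run: int = 3) -> bool:
    """True for runs whose ASCII codes step by +1 or -1 ("abc", "cba", ";<=")
    or repeat one symbol ("aaa", "111")."""
    codes = [ord(c) for c in value]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        if {b - a for a, b in zip(window, window[1:])} in ({1}, {-1}, {0}):
            return True
    return False


def check_syntax(value: str, user_name: str, policy: SyntaxPolicy) -> list:
    """Return the names of the violated rules; an empty list means accepted."""
    problems = []
    if not policy.min_length <= len(value) <= policy.max_length:
        problems.append("min./max. length")
    letters = sum(c.isalpha() for c in value)
    digits = sum(c.isdigit() for c in value)
    counts = {"min. number of letters": (letters, policy.min_letters),
              "min. number of digits": (digits, policy.min_digits),
              "min. number of special characters": (len(value) - letters - digits, policy.min_special)}
    problems += [rule for rule, (have, need) in counts.items() if have < need]
    # Case sensitive = Yes means BOARD/BoaRD are rejected along with "board", so
    # the comparison ignores case exactly when the option is set.
    norm = str.lower if policy.case_sensitive else str
    if policy.user_name_forbidden and norm(value) == norm(user_name):
        problems.append("user name as PIN/password forbidden")
    flags = re.IGNORECASE if policy.case_sensitive else 0
    if policy.use_forbidden_list and any(
            re.match(pattern_to_regex(e), value, flags) for e in policy.forbidden_list):
        problems.append("forbidden list")
    if policy.keyboard_row_forbidden and has_keyboard_run(value, KEYBOARD_ROWS):
        problems.append("keyboard row forbidden")
    if policy.keyboard_column_forbidden and has_keyboard_run(value, KEYBOARD_COLUMNS):
        problems.append("keyboard column forbidden")
    if policy.consecutive_forbidden and has_ascii_sequence(value):
        problems.append("3 or more consecutive characters forbidden")
    return problems


# Constructed sample of a registered forbidden list (UTF-16, one entry per line).
SAMPLE_LIST = "board\n*123*\nwinter2012\n".encode("utf-16")
POLICY = SyntaxPolicy(min_length=6, min_letters=1, min_digits=1, case_sensitive=True,
                      forbidden_list=parse_forbidden_list(SAMPLE_LIST))
```

With POLICY, the page's own example value "13jk56" is accepted, while "BoaRD" (case variant of a list entry), "x123y" (wildcard match and keyboard row) and "emaier" (user name of EMaier) are rejected.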

13.7 Passphrase rules for SafeGuard Data Exchange

The user must enter a passphrase which is used to generate local keys for secure data exchange in SafeGuard Data Exchange. In policies of the type Passphrase, you define the relevant requirements.


For further information on SafeGuard Data Exchange, see SafeGuard Data Exchange (page 104).

For further details of SafeGuard Data Exchange and SafeGuard Portable on the endpoint, refer to the Sophos SafeGuard User Help, chapter SafeGuard Data Exchange.

Policy setting: Min. passphrase length
Defines the minimum number of characters for the passphrase from which the key is generated. The required value can be entered directly or increased/reduced using the arrow keys.

Policy setting: Max. passphrase length
Defines the maximum number of characters for the passphrase. The required value can be entered directly or increased/reduced using the arrow keys.

Policy settings: Min. number of letters, Min. number of digits, Min. number of special characters
This setting specifies that a passphrase may not consist exclusively of letters, numbers or symbols, but must consist of a combination of at least two (for example 15flower etc.). This setting is only practical if a minimum passphrase length of greater than 2 has been defined.

Policy setting: Case sensitive
This setting is effective when User name as passphrase forbidden is active.

Example: “EMaier” is entered as a user name. If the option Case sensitive is set to Yes and User name as passphrase forbidden is set to No, user EMaier cannot use any variant of this user name (for example emaier or eMaiER) as a passphrase.

Policy setting: Keyboard row forbidden
Consecutive key sequences include for example “123” or “qwe”. A maximum of two adjacent characters on the keyboard is allowed. Consecutive key sequences relate only to the alphanumerical keyboard area.

Policy setting: Keyboard column forbidden
Refers to keys arranged consecutively in columns on the keyboard such as “yaq1”, “xsw2” or “3edc” (but not “yse4”, “xdr5” or “cft6”!). A maximum of two adjacent characters in a single keyboard column is permitted. If you disallow keyboard columns, these combinations are rejected for passphrases. Consecutive key sequences relate only to the alphanumerical keyboard area.

Policy setting: 3 or more consecutive characters forbidden
Activation of this option disallows key sequences

■ which are consecutive series of ASCII code symbols in both ascending and descending order (“abc”; “cba”; “;<” etc.).

■ which consist of three or more identical symbols (“aaa” or “111”).

Policy setting: User name as passphrase forbidden
Determines whether the user name and passphrase may be identical.

Yes: Windows user name and passphrase must be different.

No: Users may use their Windows user names as passphrases.

13.8 Device Protection

The core of Sophos SafeGuard is the encryption of data on different data storage devices. Encryption can be volume- or file-based with different keys and algorithms. In policies of the type Device Protection, you define the settings for data encryption on different data storage devices. These policies also include settings for SafeGuard Data Exchange and SafeGuard Portable. For further information, see SafeGuard Data Exchange (page 104). For further details on SafeGuard Data Exchange and SafeGuard Portable on the endpoint computer, see the Sophos SafeGuard User Help, chapter SafeGuard Data Exchange.

When creating a policy for device protection, you first have to specify the target for device protection. Possible targets are:

Mass storage (boot volumes/other volumes)

Removable media

Optical drives

Cloud Storage Definitions

For each target, create a separate policy.

Policy setting: Media encryption mode
Used to protect devices (PCs, notebooks) and all types of removable media.

The primary objective is to encrypt all data stored on local or external storage devices. The transparent operating method enables users to continue to use their usual applications, for example Microsoft Office.

Transparent encryption means that all encrypted data (whether in encrypted directories or volumes) is automatically decrypted in the main memory as soon as it is opened in a program. A file is automatically re-encrypted when it is saved.

The following options are available:

■ No Encryption

■ Volume-based (= transparent, sector-based encryption)

Ensures that all data is encrypted (incl. boot files, swap files, idle files/hibernation files, temporary files, directory information etc.) without the user having to change normal operating procedures or consider security.

For further information, see Volume-based full disk encryption (page 100).

■ File-based (= transparent, file-based encryption (Smart Media Encryption))

Ensures that all data is encrypted (apart from Boot Medium and directory information) with the benefit that even optical media such as CD/DVD can be encrypted or data can be swapped with external computers on which SafeGuard is not installed (provided policies permit).

For further information, see File-based full disk encryption (page 102).

GENERAL SETTINGS

Policy setting: Algorithm to be used for encryption
Sets the encryption algorithm. List of all usable algorithms with respective standards:

AES256: 32 bytes (256 bits)

AES128: 16 bytes (128 bits)

Policy setting: Key to be used for encryption
Defines which key is used for encryption. For Sophos SafeGuard encryption, only an automatically generated machine key is used for volume-based encryption. For file-based encryption only local keys created by the user can be used.

The following option is available:

Defined machine key: The machine key is used - the user CANNOT select a key.


Policy setting: User is allowed to create a local key
This setting determines whether the user can generate a local key on their computer or not.

Local keys are generated on the endpoint computer based on a passphrase entered by the user. The passphrase requirements can be set in policies of the type Passphrase.

Note:

As only local keys are used for file-based encryption, the user has to be able to create local keys if policies for file-based encryption are to become effective.

Local keys are not backed up and cannot be used for recovery. Only the defined machine key can be used in this case.

The default setting of this field (not configured) allows the user to create local keys.

VOLUME-BASED SETTINGS

Policy setting: User may add or remove keys to or from encrypted volume
Yes: Sophos SafeGuard users may add/remove keys to/from a key ring. The dialog is displayed from the context menu command Encryption/Encryption tab.

No: Sophos SafeGuard users may not add additional keys.

Policy setting: Reaction to unencrypted volumes
Defines how Sophos SafeGuard handles unencrypted media. The following options are available:

■ Reject (= the medium is not encrypted)

■ Accept only blank media and encrypt

■ Accept all media and encrypt

Policy setting: User may decrypt volume
Allows the Sophos SafeGuard user to decrypt the volume with a context menu command in Windows Explorer.

Policy setting: Fast initial encryption
Select this setting to enable the fast initial encryption mode for volume-based encryption. This mode reduces the time needed for initial encryption on endpoint computers.

Note:

This mode may lead to a less secure state.

For further information, see Fast initial encryption (page 100).


Policy setting: Proceed on bad sectors
Specifies whether encryption should proceed or be stopped if bad sectors are detected. The default setting is Yes.

FILE-BASED SETTINGS

Policy setting: Initial encryption of all files
Automatically starts initial encryption for a volume after user logon. The user may need to select a key from the key ring beforehand.

Policy setting: User may cancel initial encryption
Enables a user to cancel initial encryption.

Policy setting: User is allowed to access unencrypted files
Defines whether a user may access unencrypted data on a volume.

Policy setting: User may decrypt files
Enables a user to decrypt individual files or whole directories (with the Windows Explorer extension <right-click>).

Policy setting: User may define a media passphrase for devices
Enables a user to define a media passphrase on their computer. The media passphrase makes it possible to easily access all local keys used on computers without SafeGuard Data Exchange by using SafeGuard Portable.

Policy setting: Copy SG Portable to target (Removable Media only)
If this option is switched on, SafeGuard Portable is copied to any removable media connected to the endpoint computer.

SafeGuard Portable enables the exchange of encrypted data with removable media without the recipient having Sophos SafeGuard installed.

The recipient can decrypt and re-encrypt the encrypted files using SafeGuard Portable and the corresponding passphrase. The recipient can re-encrypt files with SafeGuard Portable or use the original key for encryption.

SafeGuard Portable does not have to be installed or copied to the recipient's computer but can be used directly from the removable media.

Policy setting: Plaintext folder
The folder specified here will be created on all removable media and mass storage devices. Files that are copied to this folder will always stay plain.

Policy setting: User is allowed to decide about encryption
With this policy setting, you can allow the user to decide about encryption of files on removable media and mass storage devices:

■ If you set this option to Yes, a dialog is displayed on the endpoint computer when users plug in removable media. In this dialog, they can decide whether data should be encrypted. Users have to make this decision every time they plug in removable media.

■ If you set this option to Yes, remember user settings, users can select the option Remember this setting and do not show this dialog again to have their choice remembered for the relevant device. In this case, the dialog will not be displayed for the relevant device again.

If the user selects No in the dialog displayed on the endpoint computer, neither initial nor transparent encryption occurs.

13.9 Specific machine settings - basic settings


POWER-ON AUTHENTICATION (POA)

Policy setting: Enable Power-on Authentication
Defines whether POA is permanently switched on or off.

Note:

For security reasons we strongly recommend that you keep the POA switched on. Deactivating the POA reduces the system security to Windows logon security and increases the risk of unauthorized access to encrypted data.

Policy setting: Forbid guest user
Defines whether guest users can log on to Windows on the endpoint computer.

Policy setting: User may delete POA users
Defines whether users may delete other users from the Power-on Authentication. If you select Yes, the command User Machine Assignments is available from the system tray icon menu on the endpoint computer. This command shows a list of users who can log on at the Power-on Authentication. In the dialog displayed, users can be removed from the list. After users have been removed, they can no longer log on at the Power-on Authentication.


Secure Wake on LAN (WOL)
The Secure Wake on LAN (WOL) settings enable endpoint computers to prepare for software rollouts in which the necessary parameters, such as temporary deactivation of POA and a time interval for Wake on LAN, can be imported directly into and analyzed by the endpoint computer.

Note: Deactivating the POA - even for a limited number of boot processes - reduces the level of security of your system!

For further information on Wake on LAN, see Secure Wake on LAN (WOL) (page 117).

Number of auto logons
Defines the number of restarts while Power-on Authentication is switched off for Wake on LAN. This setting temporarily overrides the Enable Power-on Authentication setting until the automatic logons reach the preset number. Power-on Authentication is then reactivated. Example: the number of automatic logons is set to two and Enable Power-on Authentication is switched on. The computer starts twice without authentication through the POA.

For Wake on LAN, we always recommend allowing three more restarts than necessary to overcome any unforeseen problems. Keep this margin small: every restart granted here is a boot during which the endpoint comes up without pre-boot authentication.

Windows logon allowed during WOL
Determines whether Windows logon is permitted during Wake on LAN, for example for a software update. This setting is analyzed by the POA.

Start of time slot for external WOL start
End of time slot for external WOL start
Date and time can be either selected or input for the start and end of the Wake on LAN (WOL).

Date format: MM/DD/YYYY Time format: HH:MM

The following input combinations are possible:

■ Defined start and end of WOL.

■ End of WOL is defined, start is open.

■ No entries: no time interval has been set for the endpoint computer.

For a planned software rollout, you should set the time frame for the WOL such that the scheduling script can be started early enough to allow all endpoint computers sufficient time for starting.

WOLstart: The starting point for the WOL in the scheduling script must be within the time interval set in the policy. If no interval is defined, WOL is not locally activated on the Sophos SafeGuard endpoint computer.

WOLstop: This command is carried out irrespective of the end point set for the WOL.
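The following Python script is an added example, not part of this help or of the product. It turns the WOL rules above into a pre-flight check you can run against a rollout plan before deploying the policy: the WOLstart time of the scheduling script must fall inside the policy time slot (a slot needs at least an end; an open start is allowed; no entries means no slot, so WOL is not activated locally), and the number of auto logons should be the restarts the rollout actually needs plus the recommended margin of three. The function names and the rollout plan used as input are assumptions for illustration.

```python
"""Pre-flight check for a Secure Wake on LAN rollout window.

Added example, not part of the SafeGuard documentation or product. It models
the rules stated for the WOL settings: the WOLstart time of the scheduling
script must lie inside the time slot of the policy (a slot needs at least an
end; an open start is allowed; no entries means no slot), and the number of
auto logons should be the restarts the rollout needs plus the recommended
margin of three. Function names and the sample plan are assumptions.
"""
from datetime import datetime
from typing import Optional

POLICY_DATETIME_FORMAT = "%m/%d/%Y %H:%M"   # MM/DD/YYYY HH:MM, as in the policy editor
RECOMMENDED_SPARE_RESTARTS = 3              # "three more restarts than necessary"


def parse_policy_time(value: Optional[str]) -> Optional[datetime]:
    """Parse a policy date/time field; an empty field means the bound is open."""
    if value is None or not value.strip():
        return None
    return datetime.strptime(value.strip(), POLICY_DATETIME_FORMAT)


def wol_slot_is_defined(start: Optional[str], end: Optional[str]) -> bool:
    """Usable slots are 'start and end' or 'end only'; without an end there is no slot."""
    return parse_policy_time(end) is not None


def wolstart_inside_slot(wolstart: str, start: Optional[str], end: Optional[str]) -> bool:
    """True if the script's WOLstart lies inside the policy time slot."""
    if not wol_slot_is_defined(start, end):
        return False
    t = parse_policy_time(wolstart)
    s = parse_policy_time(start)
    e = parse_policy_time(end)
    if s is not None and t < s:
        return False
    return t <= e


def auto_logons_for(restarts_needed: int) -> int:
    """Auto logons to configure: needed restarts plus the recommended margin.
    Every logon granted here is a boot without POA, so do not pad beyond the margin."""
    if restarts_needed < 0:
        raise ValueError("restarts_needed must be >= 0")
    return restarts_needed + RECOMMENDED_SPARE_RESTARTS


def check_rollout(wolstart: str, start: Optional[str], end: Optional[str],
                  restarts_needed: int) -> dict:
    """Summarise all checks for one rollout plan."""
    return {
        "slot_defined": wol_slot_is_defined(start, end),
        "wolstart_ok": wolstart_inside_slot(wolstart, start, end),
        "auto_logons": auto_logons_for(restarts_needed),
    }


if __name__ == "__main__":
    # Constructed plan: the update needs two reboots inside a Saturday night window.
    print(check_rollout("03/10/2012 22:30", "03/10/2012 22:00", "03/11/2012 04:00", 2))
```

Run the check against the values you intend to enter in the policy and in the scheduling script; a WOLstart outside the slot means the endpoints will simply not wake, while a slot that is never defined means WOL is not activated locally at all.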

DISPLAY OPTIONS

Display machine identification
Displays either the computer name or a defined text in the POA title bar. If the Windows network settings include the computer name, this is automatically incorporated into the basic settings.

Machine identification text
The text to be displayed in the POA title bar. If you have selected Defined name in the Display machine identification field, you can enter the text in this input field.

Display legal notice
Displays a text box with configurable content which is displayed before authentication in the POA. In some countries a text box with certain content must be displayed by law. The box needs to be confirmed by the user before the system continues. Before specifying a text, the text has to be registered as a text item under Information text in the policy navigation area.

Legal notice text
The text to be displayed as a legal notice. In this field, you can select a text item registered under Information text in the policy navigation area.

Display additional information
Displays a text box with configurable content which appears after the legal notice (if activated). You can define whether the additional information is to be displayed

■ Never

■ Every system start

■ Every logon

Additional information text
The text to be displayed as additional information. In this field, you can select a text item registered under Information text in the policy navigation area.

Show for (sec.)
In this field you can define how long (in seconds) additional information is to be displayed. You can specify the number of seconds after which the text box for additional information is closed automatically. The user can close the text box at any time by clicking OK.

Enable and show the system tray icon
Through the Sophos SafeGuard System Tray Icon the user can access all user functions quickly and easily on their computer. In addition, information about the Sophos SafeGuard status (new policies received etc.) can be displayed in balloon tool tips.

Yes: The system tray icon is displayed in the information area of the taskbar and the user is continually informed in the balloon tool tips about the status of Sophos SafeGuard.

No: The system tray icon is not displayed. No status information for the user via the balloon tool tips.

Silent: The system tray icon is displayed in the information area of the taskbar but there is no status information for the user in the balloon tool tips.

Show overlay icons in Explorer
Defines whether Windows key symbols will be shown to indicate the encryption status of volumes, devices, folders and files.

Virtual Keyboard in POA
Defines whether a virtual keyboard can be shown on request in the POA dialog for entering the password.

INSTALLATION OPTIONS

Uninstallation allowed
Determines whether uninstallation of Sophos SafeGuard is allowed on the endpoint computers. When Uninstallation allowed is set to No, Sophos SafeGuard cannot be uninstalled, even by a user with administrator rights, while this setting is active within a policy.

Enable Sophos tamper protection
Activates/deactivates Sophos Tamper Protection. If you have allowed uninstallation of Sophos SafeGuard in the policy setting Uninstallation allowed, you can set this policy setting to Yes to ensure that uninstallation attempts are checked by Sophos Tamper Protection to prevent casual removal of the software. If Sophos Tamper Protection does not allow uninstallation, any uninstallation attempts will be canceled. If Enable Sophos tamper protection is set to No, uninstallation of Sophos SafeGuard will not be checked or prevented by Sophos Tamper Protection.

Note: This setting only applies to endpoint computers using Sophos Endpoint Security and Control version 9.5 or higher.

TOKEN SUPPORT SETTINGS FOR PKCS #11 MODULE 1

Module name
Registers the PKCS#11 Module of a token. The following options are available:

■ ActiveIdentity ActivClient

■ ActiveIdentity ActivClient (PIV)

■ AET SafeSign Identity Client

■ Aladdin eToken PKI Client

■ a.sign Client

■ Charismatics Smart Security Interface

■ Estonian ID-Card

■ Gemalto Access Client

■ Gemalto Classic Client

■ Gemalto .NET Card

■ IT Solution trustware CSP+

■ RSA Authentication Client 2.x

■ RSA Smart Card Middleware 3.x

■ Siemens CardOS API

■ T-Systems NetKey 3.0

■ Unizeto proCertum

Licenses
Note that the use of the respective middleware for the standard operating system requires a license agreement with the relevant manufacturer. For information on where to obtain the licenses from, see http://www.sophos.com/support/knowledgebase/article/116585.html.

For Siemens licences, contact
Atos IT Solutions and Services GmbH
Otto-Hahn-Ring 6
D-81739 Muenchen
Germany

Services to wait for
This setting is used for problem solving with specific tokens. Our Support team will provide corresponding settings as required.

13.10 Logging

Events for Sophos SafeGuard are logged in the Windows Event Viewer. To specify the events tobe logged in the Windows Event Viewer, create a policy of the type Logging and select the requiredevents by clicking on them.

Many different events from different categories (for example Authentication, Encryption, etc.)are available for selection. We recommend that you define a strategy for logging, and determinethe events necessary according to reporting and auditing requirements.


14 Power-on Authentication (POA)

Sophos SafeGuard identifies the user even before the operating system starts up. To do this, a Sophos SafeGuard-specific system core starts before the operating system. It is protected against modification and is stored, hidden, on the hard disk. Only when the user has been properly authenticated in the POA is the actual operating system (Windows) started from the encrypted partition. The user is then logged on automatically to Windows. The procedure is the same when the endpoint computer is switched back on from hibernation (Suspend to Disk).

The Sophos SafeGuard Power-on Authentication offers:

■ A graphical user interface with mouse support and draggable windows, so it is easy to read and use.

■ A graphical layout which, following guidelines, can be adapted to the corporate design (background image, logon image, welcome message, etc.).

■ Support for Windows user accounts and passwords even pre-boot, so there are no separate credentials the user has to remember.

■ Support for Unicode and therefore also foreign-language passwords and user interfaces.

14.1 Logon delay

On a Sophos SafeGuard protected computer, a logon delay applies if a user provides incorrectcredentials during authentication at Windows or at the Power-on Authentication. With everyfailed logon attempt the delay is increased. After a failed logon a dialog displays the remainingdelay time.

You can specify the number of logon attempts allowed in a policy of the type Authentication using the Maximum no. of failed logons option. When the maximum number of failed logon attempts has been reached, the computer is locked. To unlock their computer, users have to initiate a Challenge/Response procedure.

14.2 Configuring the Power-on Authentication

The POA dialog consists of these components:

■ Logon image

■ Dialog text

■ Language of the keyboard layout

You can change the look of the POA dialog to suit your preferences by using policy settings in theSafeGuard Policy Editor.

14.2.1 Background and logon image

By default the background and logon images that appear in the POA are in SafeGuard design.However, different images can be shown, for example the company's logo.

Background and logon images are defined in a policy of the type General Settings.

For usage in Sophos SafeGuard, background and logon images must fulfill certain requirements:

Background image

Maximum file size for all background images: 500 KB

Sophos SafeGuard supports two variants for background images:

■ 1024x768 (VESA mode)
  Colors: no restrictions
  Option in policy type General Settings: Background image in POA

■ 640x480 (VGA mode)
  Colors: 16
  Option in policy type General Settings: Background image in POA (low resolution)

Logon image

Maximum file size for all logon images: 100 KB

Sophos SafeGuard supports two variants for logon images:

■ 413x140
  Colors: no restrictions
  Option in policy type General Settings: Logon image in POA

■ 413x140
  Colors: 16
  Option in policy type General Settings: Logon image in POA (low resolution)

Images, information texts and lists have to be created as files (BMP, PNG, JPG or text files) first and can then be registered in the navigation window.
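The following Python script is an added example, not part of this help or of the product. It reads width, height and bits per pixel from BMP and PNG file headers using only the standard library (JPG is not probed) and checks them against the image requirements listed above, so you can reject unsuitable files before registering them. "16 colors" is interpreted as at most 4 bits per pixel, which is an assumption, and the sample images are constructed in-line as bare headers without pixel data.

```python
"""Pre-flight check for POA background and logon images.

Added example, not part of the SafeGuard documentation or product. It reads
width, height and bits per pixel from BMP and PNG headers with the standard
library only (JPG is not probed) and checks them against the limits listed
above: background images 1024x768 with any colours or 640x480 with 16
colours, logon images 413x140 with any colours (16 colours for the
low-resolution option), 500 KB in total for backgrounds and 100 KB in total
for logon images. "16 colours" is taken to mean at most 4 bits per pixel
(assumption). Sample images are constructed in-line as bare headers.
"""
import struct
import zlib

KB = 1024
MAX_TOTAL_BYTES = {"background": 500 * KB, "logon": 100 * KB}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # PNG colour type -> samples per pixel


def probe_image(data: bytes):
    """Return (format, width, height, bits_per_pixel) from a BMP or PNG header."""
    if data[:2] == b"BM" and len(data) >= 30:
        # BITMAPINFOHEADER starts at offset 14: biWidth/biHeight at 18, biBitCount at 28
        width, height = struct.unpack_from("<ii", data, 18)
        bpp = struct.unpack_from("<H", data, 28)[0]
        return "BMP", width, abs(height), bpp   # negative height = top-down bitmap
    if data[:8] == PNG_SIGNATURE and data[12:16] == b"IHDR":
        width, height, bit_depth, color_type = struct.unpack_from(">IIBB", data, 16)
        # palette images (type 3) store bit_depth bits per pixel; others per channel
        return "PNG", width, height, bit_depth * PNG_CHANNELS[color_type]
    raise ValueError("not a BMP or PNG header")


def qualifying_options(kind: str, data: bytes):
    """General Settings options this image can be registered for (may be empty)."""
    _, w, h, bpp = probe_image(data)
    options = []
    if kind == "background":
        if (w, h) == (1024, 768):
            options.append("Background image in POA")
        if (w, h) == (640, 480) and bpp <= 4:
            options.append("Background image in POA (low resolution)")
    elif kind == "logon":
        if (w, h) == (413, 140):
            options.append("Logon image in POA")
            if bpp <= 4:
                options.append("Logon image in POA (low resolution)")
    else:
        raise ValueError(f"unknown image kind {kind!r}")
    return options


def check_image_set(kind: str, files: dict):
    """Check all images of one kind together; returns (ok, list of problems)."""
    problems = []
    total = sum(len(d) for d in files.values())
    if total > MAX_TOTAL_BYTES[kind]:
        problems.append(f"total size {total} B exceeds {MAX_TOTAL_BYTES[kind]} B for {kind} images")
    for name, data in files.items():
        try:
            fmt, w, h, bpp = probe_image(data)
        except (ValueError, KeyError, struct.error) as exc:
            problems.append(f"{name}: unreadable header ({exc})")
            continue
        if not qualifying_options(kind, data):
            problems.append(f"{name}: {fmt} {w}x{h} at {bpp} bpp matches no {kind} variant")
    return (not problems, problems)


def make_bmp_header(width: int, height: int, bpp: int) -> bytes:
    """Constructed minimal BMP: file header plus BITMAPINFOHEADER, no pixel data."""
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, 0, 2835, 2835, 0, 0)
    return b"BM" + struct.pack("<IHHI", 14 + 40, 0, 0, 14 + 40) + info


def make_png_header(width: int, height: int, bit_depth: int, color_type: int) -> bytes:
    """Constructed PNG signature plus IHDR chunk, no image data."""
    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF)
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + crc


# Constructed sample set: one VESA background, one correct VGA background and
# one VGA-sized image saved in true colour, which the 16-colour rule rejects.
SAMPLE_BACKGROUNDS = {
    "corp_vesa.png": make_png_header(1024, 768, 8, 2),
    "corp_vga.bmp": make_bmp_header(640, 480, 4),
    "corp_vga_truecolor.bmp": make_bmp_header(640, 480, 24),
}

if __name__ == "__main__":
    print(check_image_set("background", SAMPLE_BACKGROUNDS))
```

The total-size limit applies to the whole set of images of one kind, which is why the check takes all files together rather than one at a time; a single true-colour 1024x768 PNG can exhaust the 500 KB on its own.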

14.2.1.1 Register images

1. In the Policies navigation area, right-click Images and select New > Image.

2. Enter a name for the image in the Image Name field.

3. Click [...] to select the previously created image.

4. Click OK.

The new image is shown as a subnode of Images in the policy navigation area. If you select the image, it is displayed in the action area. The image can now be selected when creating policies.

Proceed as described to register further images. All registered images are shown as subnodes.

Note:

You can use the Modify Image button to change the picture assigned.

14.2.2 User defined information text in the POA

You can customize the POA to display the following user-defined information texts:

■ Information text to be displayed upon initiating a Challenge/Response procedure for logon recovery (for example: “Please contact Support Desk on telephone number 01234-56789.”). You can set an information text by using the option Information text in a policy of the type General Settings.

■ Legal notices to be displayed after logging on to the POA. You can set a legal notice text by using the option Legal notice text in a policy of the type Specific Machine Settings.

■ Text for additional information to be displayed after logging on to the POA. You can set an additional information text by using the option Additional information text in a policy of the type Specific Machine Settings.

14.2.2.1 Register information texts

The text files containing the required information have to be created before registering them in the SafeGuard Policy Editor. The maximum file size for information texts is 50 KB. Sophos SafeGuard only uses Unicode UTF-16 coded texts. If you do not create the text files in this format, they will be automatically converted when they are registered. Special characters should therefore be used with caution in the legal notice text created for the POA. Some of these characters may not be displayed properly.
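The following Python script is an added example, not part of this help or of the product. It performs the conversion to UTF-16 that registration would otherwise do implicitly, checks the 50 KB limit against both the original and the converted size (UTF-16 roughly doubles the size of an ASCII file, so a 30 KB source file may no longer fit; applying the limit to both sizes is a conservative assumption), and lists the characters outside printable ASCII so they can be reviewed on a test endpoint. The page does not state which characters the POA can render, so the ASCII boundary here is the example's assumption rather than a product rule; the sample texts are constructed.

```python
"""Pre-flight check for POA information text files.

Added example, not part of the SafeGuard documentation or product. It converts
a text file to UTF-16 (the encoding SafeGuard uses), checks the 50 KB limit
against the original and the converted size (conservative assumption), and
lists characters outside printable ASCII for review. The ASCII boundary is
an assumption; the page only warns that some special characters may not be
displayed properly. Sample texts are constructed.
"""
MAX_TEXT_BYTES = 50 * 1024          # "maximum file size for information texts is 50 KB"
TARGET_ENCODING = "utf-16"          # Python emits a byte order mark with this codec


def to_utf16(data: bytes, source_encoding: str = "utf-8") -> bytes:
    """Decode the file as the author wrote it and re-encode it as UTF-16 with BOM."""
    return data.decode(source_encoding).encode(TARGET_ENCODING)


def suspicious_characters(text: str) -> dict:
    """Characters outside printable ASCII (newline and tab allowed), with counts."""
    found = {}
    for ch in text:
        if ch in "\r\n\t" or 32 <= ord(ch) < 127:
            continue
        found[ch] = found.get(ch, 0) + 1
    return found


def check_information_text(data: bytes, source_encoding: str = "utf-8") -> dict:
    """Run all checks; returns both sizes, whether the limit holds and the review list."""
    converted = to_utf16(data, source_encoding)
    text = converted.decode(TARGET_ENCODING)
    return {
        "source_bytes": len(data),
        "utf16_bytes": len(converted),
        "fits_limit": len(data) <= MAX_TEXT_BYTES and len(converted) <= MAX_TEXT_BYTES,
        "suspicious": suspicious_characters(text),
    }


# Constructed samples: a plain ASCII notice and one with umlauts and a copyright sign.
SAMPLE_NOTICE = (
    "NOTICE: This computer system is the property of Example Corp.\n"
    "Unauthorised access is prohibited. Contact Support Desk on 01234-56789.\n"
).encode("utf-8")
SAMPLE_NOTICE_FANCY = "Zugriff nur für berechtigte Benutzer © Example Corp\n".encode("utf-8")

if __name__ == "__main__":
    print(check_information_text(SAMPLE_NOTICE))
    print(check_information_text(SAMPLE_NOTICE_FANCY))
```

If the source file was written in a Windows code page rather than UTF-8, pass that encoding (for example "cp1252") as source_encoding; decoding with the wrong code page silently produces a different legal notice than the one that was approved.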

To register information texts:

1. In the Policies navigation area, right-click Information text and select New > Text.

2. Enter a name for the text to be displayed in the Text item name field.

3. Click [...] to select the previously created text file. If the file needs to be converted, a messagewill be displayed.

4. Click OK.

The new text item is displayed as a subnode below Information text in the policy navigation area.If you select a text item, its contents will be displayed in the window on the right-hand side. Thetext item can now be selected when creating policies.

Proceed as described to register further text items. All registered text items will be shown assubnodes.

Note:

You can use the Modify Text button to add new text to existing text. When you click this button,a dialog is displayed for selecting another text file. The text contained in this file is appended tothe existing text.

14.2.3 Language for POA dialog text

After installation of the Sophos SafeGuard encryption software, the POA dialog text is displayedin the default language set in Windows' Regions and Language Options on the endpoint whenSophos SafeGuard was installed.

You can change the language of the POA dialog text after Sophos SafeGuard has been installed byusing one of the two following methods:

■ Change the default language in the Windows Regions and Language Options on the endpoint.After the user has restarted the computer twice, the new language setting is active in the POA.

■ Create a policy of the type General Settings, set the language in the field Language used onclient and deploy the policy to the endpoint.

Note: If you define a policy and deploy it to the endpoint, the language set in the policy applies instead of the language specified by Windows' Regions and Language Options.

14.2.4 Keyboard Layout

Almost every country has its own keyboard layout. The keyboard layout in the POA is significantwhen entering user names, passwords and response code.

As the default, Sophos SafeGuard adopts the keyboard layout in the POA which was set in Windows'Regional and Language Options for the Windows default user at the time Sophos SafeGuard wasinstalled. If “German” is the keyboard layout set under Windows, the German keyboard layoutwill be used in the POA.

The language of the keyboard layout being used is displayed in the POA, for example “EN” forEnglish. Apart from the default keyboard layout, the US keyboard layout (English) can also beused.

There are certain exceptions:

■ The keyboard layout is supported, but the absence of a font (for example for Bulgarian) meansthat only special characters are displayed in the User Name field.

■ No specific keyboard layout is available (for example Dominican Republic). In these cases, thePOA falls back on the original keyboard layout. For the Dominican Republic, this is “Spanish”.

■ When the user name and password consist of characters that are not supported by the chosenkeyboard layout or the fallback layout, the user cannot log on at the POA.

Note:

All the unsupported keyboard layouts use the US keyboard layout as the default. This also meansthat the only characters that are recognized and can be keyed in are those which are supported inthe US keyboard layout. So users can only log on to the POA if their user name and password iscomposed of characters that are supported by the US keyboard layout or the respective fallbackkeyboard of their language.

Virtual keyboard

Sophos SafeGuard provides a virtual keyboard which users can show/hide at the POA and whichallows them to use on-screen keys to enter credentials.

As a security officer you can activate/deactivate the display of the virtual keyboard in a policy ofthe type Specific Machine Settings using the Virtual Keyboard in POA option.

Virtual keyboard support must be activated/deactivated with a policy setting.

The virtual keyboard supports different layouts and it is possible to change the layout using thesame options as for changing the POA keyboard layout.


14.2.4.1 Change the keyboard layout

The Power-on Authentication keyboard layout, including the virtual keyboard layout, can bechanged retrospectively.

1. Select Start > Control Panel > Regional and Language Options > Advanced.

2. In the Regional Options tab, select the required language.

3. In the Advanced tab, select Apply all settings to the current user account and to the defaultuser profile under Default user account settings.

4. Click OK.

The POA remembers the keyboard layout used for the last successful logon and automaticallyenables it for the next logon. This requires two restarts of the endpoint computer. If the rememberedkeyboard layout is deactivated in Regional and Language Options, it is still used until the userselects a different one.

Note:

You must change the language of the keyboard layout for non-Unicode programs.

If the language you want is not available on the computer, Windows may prompt you to installit. After you have done so, you must restart the computer twice so that the Power-on Authenticationcan read in the new keyboard layout and can set it.

You can change the required keyboard layout for the Power-on Authentication using the mouseor keyboard (Alt+Shift).

To see which languages are installed and available on the system, select Start > Run > regedit >HKEY_USERS\.DEFAULT\Keyboard Layout\Preload.

14.3 Supported Hotkeys in Power-on Authentication

Certain hardware settings and functionalities can lead to problems when starting endpointcomputers, causing the system to hang. The Power-on Authentication supports a number ofhotkeys for modifying these hardware settings and deactivating functionalities. Furthermore, greyand black lists covering functions known to cause problems are integrated in the .msi file installedon the computer.

We recommend that you install an updated version of the POA configuration file before anysignificant deployment of Sophos SafeGuard. The file is updated on a monthly basis and madeavailable to download from: http://www.sophos.com/support/knowledgebase/article/65700.html .

You can customize this file to reflect the hardware of a particular environment.

Note:

When you define a customized file, only this will be used instead of the one integrated in the .msifile. The default file will be applied only when no POA configuration file is defined or found.

To install the POA configuration file, enter the following command:

MSIEXEC /i <Client MSI package> POACFG=<path of the POA configuration file>

You can help us improve hardware compatibility by executing a tool that we provide to collecthardware relevant information only. The tool is very easy to use. The collected information isadded to the hardware configuration file.

For further information, see http://www.sophos.com/support/knowledgebase/article/110285.html .

The following hotkeys are supported in the POA:

■ Shift F3 = USB Legacy Support (off/on)

■ Shift F4 = VESA graphic mode (off/on)

■ Shift F5 = USB 1.x and 2.0 support (off/on)

■ Shift F6 = ATA Controller (off/on)

■ Shift F7 = USB 2.0 support only (off/on)

USB 1.x support remains as set by Shift F5.

■ Shift F9 = ACPI/APIC (off/on)

USB Hotkeys dependency matrix

Shift F3   Shift F5   Shift F7   Legacy   USB 1.x   USB 2.0   Comment
off        off        off        on       on        on        3.
on         off        off        off      on        on        Default
off        on         off        on       off       off       1., 2.
on         on         off        on       off       off       1., 2.
off        off        on         on       on        off       3.
on         off        on         off      on        off
off        on         on         on       off       off
on         on         on         on       off       off       2.

1. Shift F5 disables both USB 1.x and USB 2.0.

Note: Pressing Shift F5 during startup time will considerably reduce the time it takes to launch the POA. However, please be aware that if the computer uses a USB keyboard or USB mouse, they might be disabled when you press Shift F5.

2. If no USB support is active, the POA tries to use BIOS SMM instead of backing up and restoring the USB controller. The Legacy mode may work in this scenario.

3. Legacy support is active, USB is active. The POA tries to back up and restore the USB controller. The system might hang depending on the BIOS version used.

You can specify changes that can be carried out using hotkeys when installing Sophos SafeGuard encryption software using a .mst file. This is done using the appropriate call in combination with msiexec.

NOVESA
Defines whether VESA or VGA mode is used. 0 = VESA mode (standard), 1 = VGA mode

NOLEGACY
Defines whether Legacy Support is activated after POA log on. 0 = Legacy Support activated, 1 = Legacy Support not activated (standard)

ALTERNATE
Defines whether USB devices are supported by the POA. 0 = USB support is activated (standard), 1 = no USB support

NOATA
Defines whether the int13 device driver is used. 0 = standard ATA device driver (default), 1 = Int13 device driver

ACPIAPIC
Defines whether ACPI/APIC support is used. 0 = no ACPI/APIC support (default), 1 = ACPI/APIC support active
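The following Python module is an added example, not part of this help or of the installer. It models the two mechanisms of this section together: the USB hotkey dependency matrix (which legacy/USB state the Shift F3, Shift F5 and Shift F7 hotkeys produce, with the rules inferred from the eight rows and the numbered notes) and the install-time properties NOVESA, NOLEGACY, ALTERNATE, NOATA and ACPIAPIC, whose 0/1 meanings are not uniform (for NOLEGACY the default value is 1, for the others it is 0), which is an easy place to get a rollout wrong. Building the command line from named booleans is the example's own idea; passing the properties as NAME=value on the msiexec command line is an assumption generalised from the POACFG call shown above, and the .msi and POA configuration file names are placeholders.

```python
"""Model of the POA hardware switches described in this section.

Added example, not part of the SafeGuard documentation or installer. It
covers the USB hotkey dependency matrix (rules inferred from the eight rows
and notes 1 to 3) and the install-time properties NOVESA, NOLEGACY,
ALTERNATE, NOATA and ACPIAPIC with their non-uniform 0/1 meanings. Passing
the properties as NAME=value on the msiexec command line is an assumption
generalised from the POACFG call on this page; file names are placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PoaUsbState:
    legacy: bool
    usb1x: bool
    usb2: bool
    may_hang: bool       # note 3: legacy and USB both active, BIOS-dependent hang
    smm_fallback: bool   # note 2: no USB support active, POA tries BIOS SMM


def usb_state(shift_f3: bool, shift_f5: bool, shift_f7: bool) -> PoaUsbState:
    """Apply the matrix rules: Shift F5 turns off USB 1.x and 2.0 (note 1),
    Shift F7 turns off USB 2.0 only, Shift F3 turns legacy support off unless
    no USB support is left, in which case legacy mode stays on (note 2)."""
    usb1x = not shift_f5
    usb2 = not (shift_f5 or shift_f7)
    no_usb = not (usb1x or usb2)
    legacy = (not shift_f3) or no_usb
    return PoaUsbState(legacy, usb1x, usb2, legacy and not no_usb, no_usb)


# Install-time properties from the table above: name -> (meaning of value 1, default)
INSTALL_PROPERTIES = {
    "NOVESA": ("VGA mode instead of VESA", 0),
    "NOLEGACY": ("legacy support not activated after POA logon", 1),
    "ALTERNATE": ("no USB support in the POA", 0),
    "NOATA": ("Int13 driver instead of the standard ATA driver", 0),
    "ACPIAPIC": ("ACPI/APIC support active", 0),
}


def install_properties(vesa: bool = True, legacy: bool = False, usb: bool = True,
                       int13: bool = False, acpi_apic: bool = False) -> dict:
    """Translate readable switches into the 0/1 values the properties expect.
    The keyword defaults reproduce the installer defaults from the table."""
    return {
        "NOVESA": 0 if vesa else 1,
        "NOLEGACY": 0 if legacy else 1,
        "ALTERNATE": 0 if usb else 1,
        "NOATA": 1 if int13 else 0,
        "ACPIAPIC": 1 if acpi_apic else 0,
    }


def msiexec_command(msi_path: str, poacfg_path: Optional[str] = None, **switches) -> str:
    """Build the msiexec line. Only properties that differ from their default are
    emitted, so a line without NAME=value pairs means 'installer defaults'."""
    parts = ["MSIEXEC", "/i", f'"{msi_path}"']
    if poacfg_path:
        parts.append(f'POACFG="{poacfg_path}"')
    for name, value in install_properties(**switches).items():
        if value != INSTALL_PROPERTIES[name][1]:
            parts.append(f"{name}={value}")
    return " ".join(parts)


if __name__ == "__main__":
    # Hypothetical machine that hangs with legacy and USB both active (note 3):
    print(usb_state(shift_f3=False, shift_f5=False, shift_f7=False))
    # Bake the working hotkey combination into the installation instead:
    print(msiexec_command("SGxClient.msi", r"C:\Install\poacfg.xml", usb=False))
```

The point of the model is the asymmetry: the hotkeys are per-boot workarounds, while the properties make the same choice permanent for every machine that receives the package, so a combination found by trial on one BIOS should be checked against usb_state() before it is rolled out.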

14.4 Disabled POA and Lenovo Rescue and Recovery

If the Power-on Authentication is disabled on the computer, the Rescue and Recoveryauthentication should be enabled to protect against access to encrypted files from the Rescue andRecovery environment.

For details on activating the Rescue and Recovery authentication, refer to the Lenovo Rescue andRecovery documentation.


15 Full disk encryption

The core of Sophos SafeGuard is the encryption of data on different data storage devices. Full diskencryption can be volume- or file-based with different keys and algorithms.

Files are encrypted transparently. When users open, edit and save files, they are not prompted forencryption or decryption.

You can specify settings for full disk encryption in a security policy of the type Device Protection.For further information, see Working with policies (page 41) and Device Protection (page 82).

15.1 Volume-based full disk encryption

With volume-based full disk encryption, all data on a volume (including boot files, pagefiles,hibernation files, temporary files, directory information etc.) are encrypted. Users do not have tochange normal operating procedures or consider security.

Note:

■ Volume-based encryption/decryption is not supported for drives without a drive letter assigned.

■ For Windows 7 Professional, Enterprise and Ultimate, a system partition is created on endpointcomputers without a drive letter assigned. This system partition cannot be encrypted by SophosSafeGuard.

■ If an encryption policy exists for a volume or a volume type and encryption of the volume fails,the user is not allowed to access it.

■ Endpoints can be shut down and restarted during encryption/decryption.

■ If decryption is followed by an uninstallation, we recommend that the endpoint is not suspendedor hibernated during decryption.

■ If after volume encryption a new policy is applied to an endpoint computer that allowsdecryption, the following applies: After a complete volume-based encryption, the endpointcomputer must be restarted at least once before decryption can be started.

15.1.1 Fast initial encryption

Sophos SafeGuard offers fast initial encryption as a special mode for volume-based encryption. Itreduces the time needed for initial encryption (or final decryption) of volumes on endpointcomputers by accessing only disk space that is actually in use.

For fast initial encryption, the following prerequisites apply:

■ Fast initial encryption only works on NTFS-formatted volumes.

■ NTFS-formatted volumes with a cluster size of 64 KB cannot be encrypted with the fast initialencryption mode.


Note:

This mode leads to a less secure state if a disk has been employed before its current usage withSophos SafeGuard. Unused sectors may still contain data. Fast initial encryption is thereforedisabled by default.

To enable fast initial encryption, select the volume-based setting Fast initial encryption in a policyof the type Device Protection, see Device Protection (page 82).

Note:

For volume decryption, the fast initial encryption mode will always be used, regardless of thespecified policy setting. For decryption, the prerequisites listed also apply.

15.1.2 Volume-based encryption and Windows 7 system partition

For Windows 7 Professional, Enterprise and Ultimate, a system partition is created on endpointcomputers without a drive letter assigned. This system partition cannot be encrypted by SophosSafeGuard.

15.1.3 Volume-based encryption and Unidentified File System Objects

Unidentified File System Objects are volumes that cannot be clearly identified as plain ordevice-encrypted by Sophos SafeGuard. If an encryption policy exists for an Unidentified FileSystem Object, access to this volume will be denied. If no encryption policy exists, the user canaccess the volume.

Note:

If an encryption policy with Key to be used for encryption set to an option that enables keyselection (for example, Any key in user key ring) exists for an Unidentified File System Objectvolume, there is a period of time between the key selection dialog being displayed and access beingdenied. During this time period the volume can be accessed. As long as the key selection dialog isnot confirmed, the volume is accessible. To avoid this, specify a preselected key for encryption.For further information on the relevant policy settings, see Device Protection (page 82). This periodof time also occurs for Unidentified File System Object volumes connected to an endpointcomputer, if the user has already opened files on the volume when an encryption policy takeseffect. In this case, it cannot be guaranteed that access to the volume will be denied as this couldlead to data loss.

15.1.4 Encryption of volumes with enabled Autorun functionality

If you apply an encryption policy to volumes for which Autorun is enabled, the following canoccur:

■ The volume is not encrypted.

■ If the volume is an Unidentified File System Object, access is not denied.


15.2 File-based full disk encryption

File-based full disk encryption ensures that all data is encrypted, apart from Boot Medium anddirectory information. With file-based encryption, even optical media such as CD/DVD can beencrypted. Also, data can be exchanged with external computers on which Sophos SafeGuard isnot installed, if policies permit.

Note:

Data encrypted using “file-based encryption” cannot be compressed. Nor can compressed databe file-based encrypted.

Note:

Boot volumes are never file-based encrypted. They are automatically exempted from file-basedencryption, even if a corresponding rule is defined.

To apply file-based encryption to endpoint computers, create a policy of the type Device Protectionand set the Media encryption mode to File-based. For further information, see Device Protection(page 82).

15.2.1 Default behavior when saving files

Since applications behave differently when saving files, Sophos SafeGuard offers two ways forhandling encrypted files, that have been modified.

If a file is encrypted with a different key than the default key of the volume and you edit the fileand save it, you may expect the original encryption key to be preserved, since you are editing afile, not creating a new one. But many applications save files by performing a combination of save,delete, and rename operations (for example Microsoft Office). If they do so, the default SophosSafeGuard setting is to use the default key for this encryption task and therefore change the keyused for encryption.

If you want to change this behavior and preserve the key used for encryption in any case, you canmodify a registry key on the endpoint computer.

To always use the same key as before when saving modified files:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC]
"ActivateEncryptionTunneling"=dword:00000001

To allow the use of a different key (default key) when saving modified files. This is the defaultsetting after installation:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC]
"ActivateEncryptionTunneling"=dword:00000000


Note:

Changes in this setting require a restart of the endpoint computer to become active.


16 SafeGuard Data Exchange

SafeGuard Data Exchange is used to encrypt data stored on removable media connected to aSophos SafeGuard endpoint computer and to exchange these data with other users. All encryptionand decryption processes run transparently and involve minimum user interaction.

Only users who have the appropriate keys can read the contents of the encrypted data. Allsubsequent encryption processes run transparently.

As a security officer, you define the specific settings in a policy of the type Device Protection withRemovable Media as the Device protection target.

16.1 Local Keys

SafeGuard Data Exchange supports encryption with local keys. Local keys are created on theendpoint computers and can be used to encrypt data on removable media. They are created byentering a passphrase.

If local keys are used to encrypt files on removable media, these files can be decrypted usingSafeGuard Portable on a computer without SafeGuard Data Exchange. When the files are openedwith SafeGuard Portable, the user is prompted to enter the passphrase that was specified whenthe key was created. If the user knows the passphrase, they can open the file.

Using SafeGuard Portable, every user who knows the passphrase can get access to an encrypted file on removable media. This way it is also possible to share encrypted data with partners who do not have Sophos SafeGuard. They only need to be provided with SafeGuard Portable and the passphrase for the files they should have access to. The passphrase is then the only secret protecting those files, so hand it over separately from the media and choose one that withstands guessing.

If different local keys are used to encrypt files on removable media, you can even restrict accessto files. For example: You encrypt the files on a USB stick using a key with passphrase my_localkeyand encrypt a single file named ForMyPartner.doc using the passphrase partner_localkey. If yougive the USB stick to a partner and provide them with the passphrase partner_localkey, they onlyhave access to ForMyPartner.doc.

Note:

By default SafeGuard Portable is automatically copied to all removable media connected to the system. If you do not want SafeGuard Portable to be automatically copied to removable media, clear the Copy SG Portable to target option in a policy of the type Device Protection.

Local keys are not backed up and cannot be used for recovery.

16.2 Media passphrase

SafeGuard Data Exchange allows you to specify that a single media passphrase for all removable media - except optical media - has to be created on the endpoint computers.


The media passphrase provides access to all local keys used in SafeGuard Portable. The user only has to enter one single passphrase and gets access to all encrypted files in SafeGuard Portable, regardless of the local key used for encryption.

On every computer, a unique Media Encryption Key for data encryption is automatically created for each device. This key is protected with the media passphrase. On a computer with SafeGuard Data Exchange, it is therefore not necessary to enter the media passphrase to access encrypted files on the removable media. Access is granted automatically if the appropriate key is part of the user's key ring.

Media passphrase functionality is available when the User may define a media passphrase for devices option is activated in a policy of the type Device Protection.

When this setting becomes active on the computer, the user is automatically prompted to enter a media passphrase when they connect removable media for the first time. The user may also change the media passphrase; it is synchronized automatically when the passphrase known on the computer and the media passphrase of the removable media are out of sync.

If the user forgets the media passphrase, they can recover it themselves without contacting the help desk.

Note:

To enable the media passphrase, activate the User may define a media passphrase for devices option in a policy of the type Device Protection. This option is only available if you have selected Removable Media as the Device Protection target.

On a Sophos SafeGuard protected computer without an activated media passphrase feature, no keys are available after installation has been completed, since Sophos SafeGuard endpoint computers only use local keys. Before encryption can be used, the user has to create a key.

If the media passphrase feature is activated in a removable media policy for Sophos SafeGuard protected computers, the media encryption key is created automatically on the endpoint computer and can be used for encryption immediately after installation has been completed. It is available as a "predefined key" in the user's key ring and is displayed as <user name> in dialogs for key selection.

If available, the media encryption keys are also used for all initial encryption tasks.
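The following PowerShell script is an added illustration of the key model described in 16.1 and 16.2. It is the editor's example, not Sophos code, and it does not reproduce SafeGuard's on-disk format or algorithms. It builds two local keys with the passphrases from the example above, encrypts two files on a simulated USB stick, wraps both local keys once more under a media passphrase, and then shows that a partner holding only partner_localkey opens ForMyPartner.doc and nothing else, while the media passphrase opens everything. PBKDF2, AES-256-CBC with HMAC-SHA256, the file name budget.xlsx and the media passphrase are assumptions chosen so that the script runs on Windows PowerShell 5.1 (.NET Framework 4.7.2 or later) or PowerShell 7.

```powershell
# Added example (not Sophos code, not SafeGuard's format): a model of local keys and the media passphrase.
using namespace System.Security.Cryptography
using namespace System.Text

function Get-DerivedKey([string]$Passphrase, [byte[]]$Salt) {
    # PBKDF2-SHA256 turns a passphrase into a 256-bit key-encryption key (iteration count illustrative).
    $kdf = [Rfc2898DeriveBytes]::new($Passphrase, $Salt, 200000, [HashAlgorithmName]::SHA256)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function Get-SubKey([byte[]]$Key, [string]$Label) {
    # Separate encryption and MAC keys derived from one key.
    $h = [HMACSHA256]::new($Key)
    try { return ,$h.ComputeHash([Encoding]::UTF8.GetBytes($Label)) } finally { $h.Dispose() }
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    # Encrypt-then-MAC: IV || AES-256-CBC ciphertext || HMAC-SHA256(IV || ciphertext).
    $aes = [Aes]::Create(); $aes.Key = Get-SubKey $Key 'enc'; $aes.GenerateIV()
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $body = [byte[]]($aes.IV + $ct); $aes.Dispose()
    $mac  = [HMACSHA256]::new([byte[]](Get-SubKey $Key 'mac')).ComputeHash($body)
    return ,[byte[]]($body + $mac)
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $body = [byte[]]$Blob[0..($Blob.Length - 33)]
    $mac  = [byte[]]$Blob[($Blob.Length - 32)..($Blob.Length - 1)]
    $want = [HMACSHA256]::new([byte[]](Get-SubKey $Key 'mac')).ComputeHash($body)
    $diff = 0; for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($mac[$i] -bxor $want[$i]) }
    if ($diff -ne 0) { throw 'wrong key or tampered data' }      # verified before any decryption happens
    $aes = [Aes]::Create(); $aes.Key = Get-SubKey $Key 'enc'; $aes.IV = [byte[]]$body[0..15]
    $ct  = [byte[]]$body[16..($body.Length - 1)]
    try { return ,$aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length) } finally { $aes.Dispose() }
}

function New-LocalKey([string]$Name, [string]$Passphrase) {
    # Created on the endpoint by entering a passphrase: random key material, wrapped under that passphrase.
    $rng  = [RandomNumberGenerator]::Create()
    $raw  = [byte[]]::new(32); $rng.GetBytes($raw)
    $salt = [byte[]]::new(16); $rng.GetBytes($salt)
    [pscustomobject]@{ Name = $Name; Raw = $raw; Salt = $salt; Wrapped = Protect-Bytes (Get-DerivedKey $Passphrase $salt) $raw }
}

$stickKey   = New-LocalKey 'stick key'   'my_localkey'        # passphrases from the example above
$partnerKey = New-LocalKey 'partner key' 'partner_localkey'

# Content of the simulated USB stick: ciphertext plus wrapped keys, never raw key material.
$files = @{
    'budget.xlsx'      = @{ KeyName = $stickKey.Name;   Blob = Protect-Bytes $stickKey.Raw   ([Encoding]::UTF8.GetBytes('internal figures')) }
    'ForMyPartner.doc' = @{ KeyName = $partnerKey.Name; Blob = Protect-Bytes $partnerKey.Raw ([Encoding]::UTF8.GetBytes('shared draft')) }
}
$stickKeys = @($stickKey, $partnerKey) | Select-Object Name, Salt, Wrapped

# Media passphrase: every local key used on this stick is wrapped once more under one passphrase (assumed value).
$mediaSalt = [byte[]]::new(16); [RandomNumberGenerator]::Create().GetBytes($mediaSalt)
$mediaKek  = Get-DerivedKey 'correct horse battery staple' $mediaSalt
$mediaRing = @{}; foreach ($k in @($stickKey, $partnerKey)) { $mediaRing[$k.Name] = Protect-Bytes $mediaKek $k.Raw }

function Open-StickFile([string]$FileName, [byte[]]$KeyRaw) {
    [Encoding]::UTF8.GetString([byte[]](Unprotect-Bytes $KeyRaw $files[$FileName].Blob))
}

# Partner: has SafeGuard Portable and the single passphrase partner_localkey.
foreach ($f in $files.Keys) {
    $k = $stickKeys | Where-Object { $_.Name -eq $files[$f].KeyName }
    try   { "partner opens $f -> " + (Open-StickFile $f (Unprotect-Bytes (Get-DerivedKey 'partner_localkey' $k.Salt) $k.Wrapped)) }
    catch { "partner opens $f -> denied" }
}

# Owner: the media passphrase unlocks every local key on the stick, whichever key encrypted the file.
foreach ($f in $files.Keys) {
    "owner (media passphrase) opens $f -> " + (Open-StickFile $f (Unprotect-Bytes $mediaKek $mediaRing[$files[$f].KeyName]))
}
```

The point to take from the run is structural: the stick carries only wrapped keys, a wrong passphrase fails at the MAC check before any decryption is attempted, and the media passphrase is a second wrapping of the same local keys rather than a second copy of the data. Because the raw keys also live in the owner's key ring on the endpoint, the stick is readable there without any passphrase, which is what 16.2 describes.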

16.3 Configure trusted and ignored applications for SafeGuard Data Exchange

You can define applications as trusted to grant them access to encrypted files. This is, for example, necessary to enable antivirus software to scan encrypted files. A trusted application sees the decrypted contents of every file the user's keys can open, so restrict this list to applications you need and control.

You can also define applications as ignored to exempt them from transparent file encryption/decryption. For example, if you define a backup program as an ignored application, encrypted data backed up by the program remains encrypted.


Note: Child processes of an ignored application are not ignored.

1. In the Policies navigation area, create a new policy of the type General Settings or select an existing one.

2. Under File Encryption, click the dropdown button of the Trusted Applications or Ignored Applications field.

3. In the editor list box, enter the applications to be defined as trusted/ignored.

■ You can define multiple trusted/ignored applications in one policy. Each line in the editor list box defines one application.

■ Application names must end with .exe.

■ Application names must be specified as fully qualified paths including drive/directory information. Entering the file name only (for example "example.exe") is not sufficient. For better usability, the single-line view of the application list only shows the file names, separated by semicolons.

4. Save your changes.
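As an added example (the editor's script, not part of the SafeGuard documentation), the following PowerShell checks a candidate list of Trusted or Ignored Applications entries against the two rules above (.exe suffix, fully qualified path) before they are pasted into the policy editor. It adds two checks the page does not mention but that matter for a trusted application, since it receives decrypted file contents: the binary exists on a reference endpoint and carries a valid Authenticode signature, and it does not live in a user-writable location. The candidate entries are constructed for the example; the single-line view at the end mirrors what the editor shows.

```powershell
# Added example (not from the SafeGuard documentation): pre-check Trusted/Ignored Applications entries.
$candidates = @(
    'C:\Program Files\ExampleAV\scanner.exe'       # constructed: fully qualified, ends with .exe
    'backup.exe'                                   # file name only: not accepted by the rules above
    'C:\Tools\archiver.dll'                        # not an .exe
    'C:\Users\jdoe\Downloads\updater.exe'          # valid syntax, but a user-writable location
)

function Test-SafeGuardAppEntry {
    param([Parameter(Mandatory)][string]$Entry)

    $problems = New-Object System.Collections.Generic.List[string]
    # Rules stated in the policy editor documentation.
    if ($Entry -notmatch '\.exe$')               { $problems.Add('must end with .exe') }
    if ($Entry -notmatch '^([A-Za-z]:\\|\\\\)')  { $problems.Add('must be a fully qualified path') }
    # Added check: a trusted binary in a location the user can write to can be swapped for another program.
    if ($Entry -match '^[A-Za-z]:\\Users\\')     { $problems.Add('user-writable location; a local user could replace the binary') }

    $signer = ''
    if ($problems.Count -eq 0) {
        if (-not (Test-Path -LiteralPath $Entry -PathType Leaf)) {
            $problems.Add('not found on this endpoint')
        } else {
            # Added check: only grant decrypted-content access to a binary whose publisher you can verify.
            $sig = Get-AuthenticodeSignature -FilePath $Entry
            if ($sig.Status -ne 'Valid') { $problems.Add("Authenticode status: $($sig.Status)") }
            else { $signer = $sig.SignerCertificate.Subject }
        }
    }

    [pscustomobject]@{
        Entry    = $Entry
        Accepted = ($problems.Count -eq 0)
        Signer   = $signer
        Notes    = ($problems -join '; ')
    }
}

$results = foreach ($c in $candidates) { Test-SafeGuardAppEntry -Entry $c }
$results | Format-Table -AutoSize -Wrap

# Single-line view of the accepted entries, as the editor shows it: file names separated by semicolons.
$accepted = $results | Where-Object Accepted
'Single-line view: ' + (($accepted | ForEach-Object { Split-Path -Leaf $_.Entry }) -join ';')
```

Run it on a representative endpoint rather than on the administration computer, because the existence and signature checks look at the local file system. Entries flagged for a user-writable location are syntactically valid and the editor will accept them; the warning is about what a trusted application can read, not about the policy editor.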

16.4 Configure ignored devices for SafeGuard Data Exchange

You can define devices as ignored to exclude them from the file encryption process. You can only exclude entire devices.

1. In the Policies navigation area, create a new policy of the type General Settings or select an existing one.

2. Under File Encryption, click the dropdown button of the Ignored Devices field.

3. In the editor list box, enter the required device names to exclude specific devices from encryption. This may be useful when you need to exclude systems from third-party suppliers.

Note: You can display the names of the devices currently used in the system by using third-party tools (for example OSR's Device Tree). Sophos SafeGuard logs all devices it attaches to, and you can display a list of attached and ignored devices by using registry keys. For further information, see Displaying attached and ignored devices for SafeGuard Data Exchange configuration (page 106).

16.4.1 Displaying attached and ignored devices for SafeGuard Data Exchange configuration

To help you when defining ignored devices, you can use registry keys to show which devices are being considered for encryption (attached devices) and which devices are currently being ignored. The list of ignored devices shows only devices that are actually available on the computer and are being ignored. If a device is set to be ignored in a policy and the device is not available on the computer, the device is not listed.


Use the following registry keys to display attached and ignored devices:

■ HKLM\System\CurrentControlSet\Control\Utimaco\SGLCENC\Log\AttachedDevices

■ HKLM\System\CurrentControlSet\Control\Utimaco\SGLCENC\Log\IgnoredDevices
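As an added example (the editor's script, not part of the SafeGuard documentation), the following PowerShell reads the two logging keys listed above on an endpoint and derives which attached devices will actually be encrypted. The page does not say whether SafeGuard records each device as a value name, as a REG_MULTI_SZ list or as a subkey, so the function accepts all three layouts; that tolerance is an assumption. Run it in an elevated session on the endpoint after the devices in question have been connected.

```powershell
# Added example (not from the SafeGuard documentation): list attached and ignored devices from the registry.
function Get-SafeGuardDeviceNames {
    param([Parameter(Mandatory)][string]$KeyPath)

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "Key not found: $KeyPath (no device attached yet, or Data Exchange not installed?)"
        return @()
    }
    $key   = Get-Item -LiteralPath $KeyPath
    $names = New-Object System.Collections.Generic.List[string]
    foreach ($valueName in $key.GetValueNames()) {
        $data = $key.GetValue($valueName)
        if ($data -is [string[]])   { $names.AddRange([string[]]$data) }   # REG_MULTI_SZ list of device names
        elseif ($valueName)         { $names.Add($valueName) }             # device name used as the value name
        elseif ($data -is [string]) { $names.Add($data) }                  # single name in the default value
    }
    $names.AddRange([string[]]$key.GetSubKeyNames())                       # one subkey per device
    return @($names | Where-Object { $_ } | Sort-Object -Unique)
}

$base     = 'HKLM:\System\CurrentControlSet\Control\Utimaco\SGLCENC\Log'
$attached = Get-SafeGuardDeviceNames -KeyPath "$base\AttachedDevices"
$ignored  = Get-SafeGuardDeviceNames -KeyPath "$base\IgnoredDevices"

# Attached and not ignored is the set SafeGuard encrypts. IgnoredDevices lists only devices that are
# present, so a policy entry that never appears here while the device is plugged in points to a
# mismatch between the name in the policy and the name the system reports.
$willEncrypt = @($attached | Where-Object { $ignored -notcontains $_ })

[pscustomobject]@{
    Attached    = $attached.Count
    Ignored     = $ignored.Count
    WillEncrypt = $willEncrypt.Count
}
'Ignored by policy:';       $ignored     | ForEach-Object { "  $_" }
'Will be encrypted:';       $willEncrypt | ForEach-Object { "  $_" }
```

Compare the names printed under "Ignored by policy" with the entries you typed into the Ignored Devices field; the registry view is the authoritative check that the policy matched the device as the endpoint identifies it.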

16.5 Configure persistent encryption for SafeGuard Data Exchange

The contents of files encrypted by SafeGuard Data Exchange are decrypted on the fly if the user owns the required key. When the content is saved as a new file in a location that is not covered by an encryption rule, the resulting file is not encrypted.

With persistent encryption, copies of encrypted files are encrypted even when they are saved in a location not covered by an encryption rule.

You can configure persistent encryption in policies of the type General Settings. The policy setting Enable persistent encryption is activated by default.

Note:

■ If files are copied or moved to an ignored device or to a folder to which a policy with encryption mode Ignore applies, the Enable persistent encryption setting has no effect.

■ Copy operations are detected based on file names. When a user saves an encrypted file with Save As under a different file name in a location not covered by an encryption rule, the file is stored in plain text. Persistent encryption therefore catches straightforward copies; it does not stop a user who deliberately saves the content under a new name.

16.6 Tracking files accessed on removable media

You can track files accessed on removable media. File access can be tracked regardless of any encryption policy applying to files on removable media.

In a policy of the type Logging you can define the following:

■ An event to be logged when a file or directory is created on a removable device.

■ An event to be logged when a file or directory is renamed on a removable device.

■ An event to be logged when a file or directory is deleted from a removable device.

You can view the events logged in the Windows Event Viewer.

16.6.1 Configure file access tracking for removable media

1. In the SafeGuard Policy Editor, select Policies.

2. Create a new Logging policy or select an existing one.

In the action area on the right-hand side under Logging, all predefined events which can be logged are displayed. By clicking on the column headers you can sort the events by ID, Category, etc.


3. To activate file access tracking for files stored on removable media, select the following log events depending on your requirements:

■ ID 3020 File tracking CREATE

■ ID 3021 File tracking RENAME

■ ID 3022 File tracking DELETE

For all events selected, a green tick symbol is displayed in the relevant column.

4. Save your settings.

After assigning the policy, file access tracking on removable media is activated and the selected events are logged. You can view them in the Windows Event Viewer.
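As an added example (the editor's script, not part of the SafeGuard documentation), the following PowerShell pulls the three file-tracking event IDs from the Windows event log on an endpoint, counts them per ID and per account, and prints the newest ones. It is the quickest way to confirm the Logging policy is in effect after assignment, and the per-account view is the one to look at when reviewing bulk copies to removable media. The page does not name the log SafeGuard writes to, so the $LogName default is an assumption: replace it with the log shown in Event Viewer on your endpoints.

```powershell
# Added example (not from the SafeGuard documentation): query file tracking events 3020/3021/3022.
param(
    [string]$LogName      = 'Application',      # assumption: set to the log SafeGuard writes to on your endpoints
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours           = 24
)

$ids = @{ 3020 = 'CREATE'; 3021 = 'RENAME'; 3022 = 'DELETE' }   # IDs from the Logging policy

$filter = @{
    LogName   = $LogName
    Id        = [int[]]$ids.Keys
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent reports "no events" as an error rather than as an empty result; treat it as empty.
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

"File tracking events on $ComputerName (log '$LogName', last $Hours h):"
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    '  {0} {1,-6} {2,5}' -f $_.Name, $ids[[int]$_.Name], $_.Count
}

# Which accounts generated them. A burst of CREATE or DELETE events from one account in a short
# window is the pattern worth reviewing. UserId is a SID; translate it where possible.
'Top accounts:'
$events | Group-Object { $_.UserId } | Sort-Object Count -Descending | Select-Object -First 5 |
    ForEach-Object {
        $sid = $_.Name
        try   { $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $acct = $sid }
        '  {0,-40} {1,5}' -f $acct, $_.Count
    }

# Newest 20 events with their full message text.
$events | Select-Object -First 20 TimeCreated, Id, Message | Format-Table -Wrap
```

An empty result right after assigning the policy usually means the endpoint has not yet received it or no removable medium has been written to since; a result in the wrong log means the $LogName assumption needs correcting.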


17 Cloud Storage

The module Cloud Storage offers file-based encryption of data stored in the cloud.

It does not change the way users work with data stored in the cloud. Users still use the same vendor-specific synchronization applications to send data to or receive data from the cloud. The purpose of Cloud Storage is to make sure that the local copies of data stored in the cloud are encrypted transparently and will therefore always be stored in the cloud in encrypted form.

In the SafeGuard Policy Editor, you create Cloud Storage Definitions (CSDs) and use them as target in Device protection policies.

After a Cloud Storage policy has been assigned to endpoint computers, files in locations covered by the policy are transparently encrypted without user interaction:

■ Encrypted files are synchronized to the cloud.

■ Encrypted files received from the cloud can be modified by applications as usual.

To access Cloud Storage encrypted files on endpoint computers without Cloud Storage, SafeGuard Portable can be used to read encrypted files.

Note: Cloud Storage only encrypts new data stored in the cloud. If data is already stored in the cloud before installing Cloud Storage, this data will not be encrypted automatically. If you want to encrypt this data, you have to remove it from the cloud first and then add it again after installation of Cloud Storage.

17.1 Requirements for Cloud Storage vendor software

To enable encryption of data stored in the cloud, the software provided by the cloud storagevendor:

■ must run on the computer where Cloud Storage is installed.

■ must have an application (or system service) that is stored on the local file system and synchronizes data between the cloud and the local system.

■ must store the synchronized data on the local file system.

17.2 Create Cloud Storage Definitions (CSDs)

Note: Certain folders (for example the Dropbox installation folder) may prevent the operating system or applications from running when encrypted. When you create Cloud Storage Definitions for device protection policies, make sure that these folders are not encrypted.

1. In the Policies navigation area, select Cloud Storage Definitions.

2. In the context menu of Cloud Storage Definitions, click New > New cloud storage definition.

3. The New Cloud Storage definition dialog appears. Enter a name for the Cloud Storage Definition.


4. Click OK. The Cloud Storage Definition appears with the entered name under the Cloud Storage Definitions root node in the Policies navigation area.

5. Select the Cloud Storage Definition. In the work area on the right-hand side, the content of a Cloud Storage Definition is displayed:

■ Target name:

Is the name you entered initially. It is used for referencing the Cloud Storage Definition as target in a policy of type Device Protection.

■ Synchronization application:

Enter the path and application that synchronizes the data with the cloud here (for example <Desktop>\dropbox\dropbox.exe). The application must reside on a local drive.

■ Synchronization folder:

Enter the folder(s) that will be synchronized with the cloud here. Only local paths are supported.

SafeGuard Cloud Storage supports placeholders for paths in the Synchronization application and Synchronization folder fields.

17.2.1 Supported Placeholders

The following placeholders can be used when specifying paths for Synchronization application and Synchronization folder. You can select these placeholders by clicking the dropdown button of the Path field.

Placeholder and the value it is resolved to on the endpoint computer:

■ <%environment_variable_name%>: The value of the environment variable. Example: <%USERNAME%>. Note: If an environment variable contains several locations (for example the PATH environment variable), the paths are not separated into multiple rules. This causes an error and the encryption rule is invalid.

■ <Cookies>: The file system directory that serves as a common repository for internet cookies. Typical path: C:\Documents and Settings\username\Cookies.

■ <Desktop>: The virtual folder that represents the Microsoft Windows desktop.

■ <Documents>: In Windows Vista and Windows 7, this is the virtual folder that represents the My Documents desktop item (equivalent to CSIDL_MYDOCUMENTS). In Windows XP, this is the file system directory used to physically store a user's common repository of documents. Typical path: C:\Documents and Settings\username\My Documents.

■ <Favorites>: The file system directory that serves as a common repository for the user's favorite items. Typical path: \Documents and Settings\username\Favorites.

■ <Local Application Data>: The file system directory that serves as a data repository for local (non-roaming) applications. Typical path: C:\Documents and Settings\username\Local Settings\Application Data.

■ <Music>: The file system directory that serves as a data repository for music files. Typical path: C:\Documents and Settings\username\My Documents\My Music.

■ <Pictures>: The file system directory that serves as a data repository for image files. Typical path: C:\Documents and Settings\username\My Documents\My Pictures.

■ <Program Data>: The file system directory that contains application data for all users. Typical path: C:\Documents and Settings\All Users\Application Data.

■ <Program Files>: The Program Files folder. Typical path: \Program Files. On 64-bit systems, this is expanded to two rules - one for 32-bit applications and one for 64-bit applications.

■ <Public Music>: The file system directory that serves as a common repository for music files for all users. Typical path: C:\Documents and Settings\All Users\Documents\My Music.

■ <Public Pictures>: The file system directory that serves as a common repository for image files for all users. Typical path: C:\Documents and Settings\All Users\Documents\My Pictures.

■ <Public Videos>: The file system directory that serves as a common repository for video files for all users. Typical path: C:\Documents and Settings\All Users\Documents\My Videos.

■ <Roaming>: The file system directory that serves as a common repository for application-specific data. Typical path: C:\Documents and Settings\username\Application Data.

■ <System>: The Windows System folder. Typical path: C:\Windows\System32. On 64-bit systems, this is expanded to two rules - one for 32-bit and one for 64-bit.

■ <Temporary Burn Folder>: The file system directory that is used as a staging area for files waiting to be written to a CD. Typical path: C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\CD Burning.

■ <Temporary Internet Files>: The file system directory that serves as a common repository for temporary internet files. Typical path: C:\Documents and Settings\username\Local Settings\Temporary Internet Files.

■ <User Profile>: The user's profile folder. Typical path: C:\Users\username.

■ <Videos>: The file system directory that serves as a common repository for video files. Typical path: C:\Documents and Settings\username\My Documents\My Videos.

■ <Windows>: The Windows directory or SYSROOT. This corresponds to the environment variables %windir% or %SYSTEMROOT%. Typical path: C:\Windows.

Any errors in placeholders are logged.
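As an added example (the editor's script, not part of the SafeGuard documentation and not the endpoint's own resolver), the following PowerShell resolves the placeholders from the table above the way an endpoint would, so a security officer can preview what a Synchronization application or Synchronization folder entry turns into before assigning the policy. It reproduces the two behaviours the table states: <Program Files> and <System> expand to two rules on 64-bit Windows, and an environment variable holding several locations (such as PATH) makes the rule invalid. The mapping from each placeholder to a .NET Environment.SpecialFolder member and the sample rules are the editor's assumptions.

```powershell
# Added example (not from the SafeGuard documentation): preview how path placeholders resolve on an endpoint.
$specialFolders = @{                 # placeholder -> [Environment+SpecialFolder] member (editor's mapping)
    'Cookies'                  = 'Cookies'
    'Desktop'                  = 'Desktop'
    'Documents'                = 'MyDocuments'
    'Favorites'                = 'Favorites'
    'Local Application Data'   = 'LocalApplicationData'
    'Music'                    = 'MyMusic'
    'Pictures'                 = 'MyPictures'
    'Program Data'             = 'CommonApplicationData'
    'Public Music'             = 'CommonMusic'
    'Public Pictures'          = 'CommonPictures'
    'Public Videos'            = 'CommonVideos'
    'Roaming'                  = 'ApplicationData'
    'Temporary Burn Folder'    = 'CDBurning'
    'Temporary Internet Files' = 'InternetCache'
    'User Profile'             = 'UserProfile'
    'Videos'                   = 'MyVideos'
    'Windows'                  = 'Windows'
}

function Join-Rule([string]$Root, [string]$Rest) {
    if ($Rest) { Join-Path -Path $Root -ChildPath $Rest } else { $Root }
}

function Resolve-SafeGuardPath {
    # Returns one resolved path per rule, or two where the table says a placeholder expands to a
    # 32-bit and a 64-bit rule. Throws where the table says the rule becomes invalid.
    param([Parameter(Mandatory)][string]$Rule)

    if ($Rule -match '^<%([^%]+)%>(.*)$') {
        $var = $Matches[1]; $rest = $Matches[2].TrimStart('\')
        $value = [Environment]::GetEnvironmentVariable($var)
        if (-not $value)        { throw "<%$var%> is not set; rule invalid" }
        if ($value -like '*;*') { throw "<%$var%> contains several locations; rule invalid" }
        return @(Join-Rule $value $rest)
    }

    if ($Rule -match '^<([^>]+)>(.*)$') {
        $name = $Matches[1]; $rest = $Matches[2].TrimStart('\')
        $is64 = [Environment]::Is64BitOperatingSystem
        if ($name -eq 'Program Files') {
            $roots = @($env:ProgramFiles); if ($is64) { $roots += ${env:ProgramFiles(x86)} }
            return @($roots | ForEach-Object { Join-Rule $_ $rest })
        }
        if ($name -eq 'System') {
            $roots = @("$env:WINDIR\System32"); if ($is64) { $roots += "$env:WINDIR\SysWOW64" }
            return @($roots | ForEach-Object { Join-Rule $_ $rest })
        }
        if (-not $specialFolders.ContainsKey($name)) { throw "unknown placeholder <$name>; rule invalid" }
        return @(Join-Rule ([Environment]::GetFolderPath($specialFolders[$name])) $rest)
    }

    return @($Rule)   # no placeholder: a literal local path, used as written
}

$rules = @(
    '<Desktop>\dropbox\dropbox.exe'      # the example from the CSD dialog above
    '<Program Files>\Dropbox'            # two rules on 64-bit Windows
    '<%USERNAME%>\sync'                  # single-valued environment variable
    '<%PATH%>\sync'                      # multi-valued: the rule is invalid
    '<Temporary Burn Folder>'
)
foreach ($rule in $rules) {
    try   { '{0,-32} -> {1}' -f $rule, ((Resolve-SafeGuardPath -Rule $rule) -join ' | ') }
    catch { '{0,-32} -> ERROR: {1}' -f $rule, $_.Exception.Message }
}
```

Run it under the account whose profile the policy will apply to, since the user-specific placeholders resolve differently per user. The endpoint logs placeholder errors; this preview lets you catch the PATH-style case before the policy is assigned.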

17.2.2 Placeholders for cloud storage provider

As a security officer, you can use placeholders for cloud storage providers to define the synchronization application and synchronization folders. These placeholders represent supported third-party cloud storage applications. You can use the placeholder to specify a certain third-party application as synchronization application and even use the same placeholder to point to the synchronization folders the third-party application actually uses for synchronization.

Placeholders for cloud storage providers are enclosed in <! and !>.

Currently supported placeholders:


<!Dropbox!>

Example:

If you use Dropbox as your cloud storage provider, you can simply enter <!Dropbox!> for Synchronization application. If you do not explicitly specify a synchronization folder, <!Dropbox!> is also copied into the list of folders under Synchronization folder.

Assuming

■ you used the placeholder <!Dropbox!> as synchronization application and <!Dropbox!>\encrypt as synchronization folder in the Cloud Storage Definition

■ Dropbox is installed on the endpoint

■ the user has d:\dropbox configured as the folder to be synchronized with Dropbox:

When the Sophos SafeGuard endpoint receives a policy with a CSD like this, it automatically translates the placeholder in the CSD to match the path of Dropbox.exe for the synchronization application, reads the Dropbox configuration and sets the encryption policy on the folder d:\dropbox\encrypt.

17.2.3 Export and import Cloud Storage Definitions

As a security officer, you can export and import Cloud Storage Definitions. A CSD is exported as an XML file.

■ To export a CSD, click Export Cloud Storage Definition... from the context menu of the desired Cloud Storage Definition in the Policy area.

■ To import a CSD, click Import Cloud Storage Definition... from the context menu of the desired Cloud Storage Definition in the Policy area.

Both commands can also be found in the Actions menu of the Policy Editor.

17.3 Create a device protection policy with target Cloud Storage

The Cloud Storage Definitions must have been created beforehand.

You define the settings to encrypt cloud storage data in a policy of the type Device protection.

1. In the Policies navigation area, create a new policy of the type Device protection.

2. Select a Cloud Storage Definition you created beforehand as target.

3. Click OK. The new policy is displayed in the navigation window below Policy Items. In the action area, all settings for a policy of the type Device Protection are displayed and can be changed.

4. For the Media encryption mode setting, select File based. Volume-based encryption is not supported.

5. Under Algorithm to be used for encryption, select the algorithm to be used for encrypting the data in the synchronization folders defined in the CSD.


6. Set Key to be used for encryption to Any key in user keyring to define the key or keys that shall be used for encryption.

7. Set User is allowed to create a local key to Yes.

Note: Users should use local keys for Cloud Storage encryption. This is particularly important for sharing encrypted data stored in the cloud with users who do not have Sophos SafeGuard installed. To create local keys, see Local Keys (page 104).

8. If you activate the Copy SG Portable to target setting, SafeGuard Portable, an application that can be used to read encrypted files on Windows computers that do not have Sophos SafeGuard installed, is copied to each synchronization folder.

9. The Plaintext folder setting allows you to define a folder that will be excluded from encryption. Data stored in subfolders of the defined plaintext folder is also excluded from encryption. SafeGuard Cloud Storage automatically creates empty plaintext folders in all synchronization folders defined in the Cloud Storage Definition.


18 Sophos SafeGuard and self-encrypting, Opal-compliant hard drives

Self-encrypting hard drives offer hardware-based encryption of data as it is written to the hard disk. The Trusted Computing Group (TCG) has published the vendor-independent Opal standard for self-encrypting hard drives. Different hardware v endors offer Opal-compliant hard drives. Sophos SafeGuard supports the Opal standard.

18.1 How does Sophos SafeGuard integrate Opal-compliant hard drives?

In the SafeGuard Policy Editor, you can create security policies and deploy them to endpoint computers with self-encrypting Opal-compliant hard drives, just as for any other endpoint computer protected by Sophos SafeGuard.

By supporting the Opal standard, we offer the full set of Sophos SafeGuard features to corporate users of self-encrypting, Opal-compliant hard drives. In combination with Sophos SafeGuard, Opal-compliant hard drives offer enhanced security features.

18.2 Enhancement of Opal-compliant hard drives with Sophos SafeGuard

Sophos SafeGuard offers the following benefits in combination with self-encrypting, Opal-compliant hard drives:

■ Power-on Authentication with graphical user interface

■ Support of non-cryptographic tokens and smartcards

■ Fingerprint logon support

■ Recovery (Local Self Help, Challenge/Response)

■ Encryption of removable media (for example USB sticks) with SafeGuard Data Exchange

18.3 Encryption of Opal-compliant hard drives

Opal-compliant hard drives are self-encrypting. Data is encrypted automatically when it is written to the hard disk.

The hard drives are locked with an AES 128/256-bit key that is used as the Opal password. This password is managed by Sophos SafeGuard through an encryption policy.


18.4 Lock Opal-compliant hard drives

To lock Opal-compliant hard drives, the machine key has to be defined for at least one volume on the hard drive in an encryption policy. If the encryption policy includes a boot volume, the machine key is defined automatically.

1. In the SafeGuard Policy Editor, create a policy of the type Device Protection.

2. In the field Media encryption mode, select Volume-based.

3. In the field Key to be used for encryption, select Defined machine key.

4. Save your changes in the database.

5. Deploy the policy to the relevant endpoint computer.

The Opal-compliant hard drive is locked and can only be accessed by logging on to the computer at the Power-on Authentication.

18.5 Enable users to unlock Opal-compliant hard drives

As a security officer, you can enable users to unlock Opal-compliant hard drives on their endpoint computers by using the Decrypt command from the Windows Explorer context menu.

1. In the SafeGuard Policy Editor, create a policy of the type Device Protection and include all volumes on the Opal-compliant hard drive.

2. In the field Media encryption mode, select No encryption.

3. In the field User may decrypt volume, select Yes.

4. Save your changes in the database.

5. Deploy the policy to the relevant endpoint computer.

The user can permanently unlock the Opal-compliant hard drive on the endpoint computer. The drive still encrypts data as it is written, but because it no longer requires a logon at the Power-on Authentication, this encryption no longer protects the data against anyone who obtains the computer or the drive.

18.6 Logging of events for endpoint computers with Opal-compliant hard drives

Events reported by endpoint computers with self-encrypting, Opal-compliant hard drives are logged just as for any other endpoint computer protected by Sophos SafeGuard. The events do not especially mention the computer type. Events reported are the same as for any other endpoint computer protected by Sophos SafeGuard.

For further information, see Logging (page 91).


19 Secure Wake on LAN (WOL)

In the SafeGuard Policy Editor, you can define policy settings for Secure Wake on LAN (WOL) to prepare endpoint computers for software rollouts. If a relevant policy applies to endpoint computers, the necessary parameters (for example POA deactivation and a time interval for Wake on LAN) are transferred directly to the endpoint computers, where the parameters are analysed.

The rollout team can design a scheduling script using the commands provided to guarantee maximum endpoint computer protection despite the deactivation of the POA.

Note:

Deactivating the POA - even for a limited number of boot processes - reduces the security of your system! While the POA is deactivated, the computer boots into Windows without pre-boot authentication, so keep the number of auto logons and the WOL time slot as small as the rollout allows.

You define the settings for Secure Wake on LAN (WOL) in a policy of the type Specific Machine Settings.

19.1 Secure Wake on LAN example

The software rollout team informs the Sophos SafeGuard security officer about a software rollout planned for September 25th, 2011 between 03:00 and 06:00 am. Two reboots are required. The local software rollout agent must be able to log on to Windows.

In the SafeGuard Policy Editor, the security officer creates a policy of the type Specific Machine Settings with the following settings and deploys it to the relevant endpoint computers.

Policy Setting: Value

Number of auto logons (0 = no WOL): 5

Windows logon permitted during WOL: Yes

Start of time slot for external WOL Start: 24th Sept. 2011, 12:00

End of time slot for external WOL Start: 25th Sept. 2011, 06:00

For further information on the individual settings, see Specific machine settings - basic settings (page 86).

As the number of auto logons is set to 5, the endpoint computer starts 5 times without authentication through the POA.

Note:

For Wake on LAN, we recommend allowing three more restarts than necessary to overcome anyunforeseen problems.


The security officer sets the start of the time slot to 12 o'clock midday on the day before the software rollout. In this way, the scheduling script SGMCMDIntn.exe is started in time and WOL starts no later than the 25th September at 3:00 am.

The software rollout team produces two commands for the scheduling script:

■ Starting 24th Sept. 2011, 12:15 pm (15 minutes after the time slot opens): SGMCMDIntn.exe -WOLstart

■ Starting 26th Sept. 2011, 09:00 am: SGMCMDIntn.exe -WOLstop

The software rollout script is dated 25.09.2011, 03:00. WOL can be explicitly deactivated again at the end of the script by using SGMCMDIntn.exe -WOLstop.

All endpoint computers which log on before the 24th of September 2011 and which connect to the rollout servers will receive the new policy and the scheduling commands.

Any endpoint computer on which the schedule triggers the command SGMCMDIntn -WOLstart between 24th Sept. 2011, 12:00 midday and 25th Sept. 2011, 06:00 am falls within the WOL time interval, and therefore Wake on LAN will be activated.
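As an added example (the editor's script, not part of the SafeGuard documentation), the following PowerShell creates the two scheduled tasks the rollout team needs for the example above: SGMCMDIntn.exe -WOLstart 15 minutes after the WOL time slot opens, and -WOLstop after the rollout. Before registering anything it checks that the -WOLstart time lies inside the slot configured in the Specific Machine Settings policy, because a start outside the slot does not activate Wake on LAN. The installation path of SGMCMDIntn.exe and the task names are assumptions; the cmdlets require the ScheduledTasks module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the SafeGuard documentation): schedule -WOLstart/-WOLstop for the rollout above.
$sgmcmd = 'C:\Program Files\Sophos\SafeGuard\SGMCMDIntn.exe'   # assumption: adjust to the endpoint's install path

$slotStart = Get-Date '2011-09-24 12:00'   # Start of time slot for external WOL Start (policy)
$slotEnd   = Get-Date '2011-09-25 06:00'   # End of time slot for external WOL Start (policy)
$wolStart  = Get-Date '2011-09-24 12:15'   # scheduled SGMCMDIntn.exe -WOLstart
$wolStop   = Get-Date '2011-09-26 09:00'   # scheduled SGMCMDIntn.exe -WOLstop

function Test-WolSchedule {
    param([datetime]$Start, [datetime]$Stop, [datetime]$SlotStart, [datetime]$SlotEnd)
    # Only a -WOLstart triggered inside the policy's time slot activates Wake on LAN on the endpoint.
    if ($Start -lt $SlotStart -or $Start -gt $SlotEnd) {
        throw "-WOLstart at $Start lies outside the WOL time slot $SlotStart .. $SlotEnd; WOL would not be activated."
    }
    if ($Stop -le $Start) { throw '-WOLstop must be scheduled after -WOLstart.' }
    if (-not (Test-Path -LiteralPath $sgmcmd)) { throw "SGMCMDIntn.exe not found at $sgmcmd; adjust the path." }
}

function Register-WolTask {
    param([string]$Name, [string]$Argument, [datetime]$At)
    $action    = New-ScheduledTaskAction -Execute $sgmcmd -Argument $Argument
    $trigger   = New-ScheduledTaskTrigger -Once -At $At
    # Runs as SYSTEM with no user logged on; the task is one-shot. -StartWhenAvailable makes a computer that
    # was off at the trigger time run the command on its next start; if that is after the slot has closed,
    # the endpoint simply does not activate WOL, which is the safe outcome.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null
}

Test-WolSchedule -Start $wolStart -Stop $wolStop -SlotStart $slotStart -SlotEnd $slotEnd
Register-WolTask -Name 'SafeGuard WOL start' -Argument '-WOLstart' -At $wolStart
Register-WolTask -Name 'SafeGuard WOL stop'  -Argument '-WOLstop'  -At $wolStop

Get-ScheduledTask -TaskName 'SafeGuard WOL *' | Select-Object TaskName, State
```

The -WOLstop task is what closes the window in which the POA is deactivated; schedule it as soon after the rollout as is safe, and also run SGMCMDIntn.exe -WOLstop at the end of the rollout script itself, as the text above recommends, so the window closes early when the rollout finishes ahead of time.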


20 Tokens and smartcards

Tokens and smartcards are hardware components that help an authorized user with the authentication process on a computer system. They can be used to store certificates, digital signatures and biometric details. Data stored on them cannot be manipulated.

Nowadays, authentication with a user name and password often no longer meets the customer's need for the best possible protection against external access. So, as an alternative and to improve security, Sophos SafeGuard provides logon using non-cryptographic tokens and smartcards.

Token logon is based on the principle of two-factor authentication: a user has a token (possession), but can only use the token if they know the specific token password (knowledge). When a token or smartcard is used, users only need the token and a PIN for authentication.

Note: From Sophos SafeGuard's perspective, smartcards and tokens are treated in the same way. So the terms "token" and "smartcard" can be understood as the same thing in the product and in the manual.

In the SafeGuard Policy Editor, you can specify policy settings for token logon.

20.1 Smartcards

To be able to use a smartcard with Sophos SafeGuard, a card reader and a card driver for the computer are both required as well as the smartcard. Also, for the smartcards and card readers to communicate with Sophos SafeGuard, certain middleware, in the form of a PKCS#11 module, is required.

20.1.1 Smartcards and smartcard readers/drivers

Sophos SafeGuard supports non-cryptographic logon at the Power-on Authentication. With non-cryptographic smartcards, user ID and password are stored on the card.

■ Windows

On the Windows operating system level, PC/SC-compatible card readers are supported. The PC/SC interface regulates the communication between the PC and the smartcard. Many of these card readers are already part of the Windows installation.

Smartcards require PKCS#11 compatible smartcard drivers if they are to be supported by Sophos SafeGuard.

■ Power-on Authentication

Refer to the Release Notes for a detailed list of all the supported smartcards, smartcard readersand smartcard drivers.


With Power-on Authentication, the PC/SC interface is supported, which regulates the communication between PC and smartcard. The supported smartcard drivers are a fixed implementation and users may not add other drivers. The appropriate smartcard drivers have to be enabled by means of a policy in Sophos SafeGuard.

The interface for smartcard readers is standardized, and many card readers have a USB interface or an ExpressCard/54 interface and implement the CCID standard. In Sophos SafeGuard this is a prerequisite for support with Power-on Authentication. In addition, on the driver side, the PKCS#11 module has to be supported.

20.1.2 Supported smartcards with Power-on Authentication

Sophos SafeGuard supports a large number of smartcards and smartcard readers, plus common smartcard drivers, with Power-on Authentication. Tokens/smartcards which support 2048-bit RSA operations are supported. As support for smartcards is enhanced from release to release, the tokens and smartcards supported in the current version of Sophos SafeGuard are listed in the release notes.

20.1.3 Supported middleware

The middleware in the list below is supported by the relevant PKCS#11 module. PKCS#11 is a standardized interface for connecting cryptographic tokens/smartcards to different software. Here, it is used for the communication between token/smartcard, the smartcard reader and Sophos SafeGuard.

Manufacturer: Middleware

■ A-Trust: a.sign Client

■ ActivIdentity: ActivClient, ActivClient (PIV)

■ AET: SafeSign Identity Client

■ Aladdin: eToken PKI Client

■ Charismatics: Smart Security Interface

■ Gemalto: Gemalto Access Client, Gemalto Classic Client, Gemalto .NET Card

■ IT Solution GmbH: IT Solution trustWare CSP+

■ RSA: RSA Authentication Client 2.x, RSA Smart Card Middleware 3.x

■ Sertifitseerimiskeskus AS: Estonian ID Card

■ Siemens: CardOS API

■ T-Systems: NetKey 3.0

■ Unizeto: proCertum

Licenses:

Note that the use of the respective middleware for the standard operating system requires a license agreement with the relevant manufacturer. For information on where to obtain the licenses, see http://www.sophos.com/support/knowledgebase/article/116585.html.

For Siemens licences, contact

Atos IT Solutions and Services GmbH

Otto-Hahn-Ring 6

D-81739 München

Germany

The middleware is set in a Sophos SafeGuard policy of the type Specific Machine Settings under Token support settings > PKCS#11 settings > Module 1 in the field Module name. The relevant configuration package must also be installed on the computer on which the SafeGuard Policy Editor is running.

20.2 USB tokens

Like smartcards, USB tokens consist of a smartcard reader and a smartcard, both units being located in a single casing.

20.2.1 Supported USB tokens with Power-on Authentication

Sophos SafeGuard supports a wide range of USB tokens. As a prerequisite, the smartcard used must be supported by the Power-on Authentication of Sophos SafeGuard and the respective drivers must also be supported. The USB tokens also have to be supported by the relevant middleware.

As support for tokens is enhanced from release to release, the tokens and smartcards supported in the respective version of Sophos SafeGuard are listed in the Release Notes.

20.3 Assigning policies for tokens

When you assign policies you can specify other token options. These relate to:

■ PINs


■ Logon mode

■ Defining token PINs for POA autologon

■ What happens when the status of the token is no longer recognized

■ Unblocking the token

■ The middleware to be used (PKCS#11 module)

20.4 Using tokens to log on at the Power-on Authentication

Prerequisite: Make sure that the USB support is activated in the BIOS. The token support must be initialized and the token issued for you.

1. Plug the token into the USB interface.

2. Switch on the computer and wait until the Power-on Authentication stops.

3. Enter the token PIN.

You are logged on to Sophos SafeGuard.

20.4.1 Logon mode at the Power-on Authentication

There are two ways of logging on using a token. A combination of both logon methods is possible.

■ Logging on with user ID/password

■ Logging on with token

The security officer specifies the method to be used for users and computers in a policy of type Authentication.

20.5 Enable POA autologon with default token PINs

A default token PIN that is distributed by policy enables automatic user logon at the Power-on Authentication. This avoids the need to issue each single token separately and enables users to automatically log on at the Power-on Authentication without any user interaction.

When a token is used at logon and a default PIN is assigned to the computer, the user is passed through at the Power-on Authentication without having to enter a PIN.

As a security officer you can set the specific PIN in a policy of the type Authentication and assign it to different computers or computer groups, for example to all computers residing in the same location.

To enable autologon with a default token PIN:

1. In the SafeGuard Policy Editor, click Policies.

2. Select a policy of the type Authentication.


3. Under Logon Options in Logon mode, select Token.

4. In PIN used for autologon with token, specify the default PIN to be used for autologon. PIN rules do not need to be observed in this case.

Note:

This setting is only available if you select Token as possible Logon Mode.

5. In Pass through to Windows set Disable pass-through to Windows. If you do not select this setting when a default PIN is specified, you will not be able to save the policy.

If you want to enable the Pass through to Windows option, you can later create another policy of the type Authentication with this option enabled and also deploy it on the relevant endpoint computers, so that the RSOP finally has both policies active.

6. Optionally specify further token settings.

7. Save your settings and deploy the policy on the relevant endpoint computers.

If the autologon on the endpoint computer has been successful, Windows will be started.

If the autologon on the endpoint computer has failed, the user will be prompted to enter the tokenPIN at the Power-on Authentication.


21 Recovery options

For recovery, Sophos SafeGuard offers different options that are tailored to different scenarios:

■ Logon recovery using Local Self Help

Local Self Help enables users who have forgotten their password to log on to their computers without the assistance of a help desk. Even in situations where neither telephone nor network connections are available (for example aboard an aircraft), users can regain access to their computers. To log on, they answer a predefined number of questions in the Power-on Authentication.

Local Self Help reduces the number of calls concerning logon recovery, thus freeing the help desk staff from routine tasks and allowing them to concentrate on more complex support requests.

For further information, see Recovery with Local Self Help (page 125).

■ Recovery using Challenge/Response

The Challenge/Response recovery mechanism is a secure and efficient recovery system that helps users who cannot log on to their computers or access encrypted data. During the Challenge/Response procedure, the user provides a challenge code generated on the endpoint computer to the help desk officer who in turn generates a response code that authorizes the user to perform a specific action on the computer.

With recovery using Challenge/Response, Sophos SafeGuard offers different workflows for typical recovery scenarios requiring help desk assistance.

For further information, see Recovery with Challenge/Response (page 130).

■ System recovery

Sophos SafeGuard offers different methods and tools for recovery regarding crucial system components and Sophos SafeGuard components, for example:

■ Corrupted MBR

■ Sophos SafeGuard kernel problems

■ Volume access problems

■ Windows boot problems

For further information, see System Recovery (page 143).


22 Recovery with Local Self Help

Sophos SafeGuard offers Local Self Help to enable users who have forgotten their password to log on to their computers without the assistance of the help desk. Local Self Help reduces the number of calls concerning logon recovery, thus freeing the help desk staff from routine tasks and allowing them to concentrate on more complex support requests.

With Local Self Help, users can, for example, regain access to their laptops in situations where neither telephone nor network connections are available and where they cannot use a Challenge/Response procedure (for example, aboard an aircraft). Users can log on to their computer by answering a predefined number of questions in the Power-on Authentication.

As a security officer, you can define the set of questions to be answered centrally and distribute it to the computer in a policy. We provide you with a predefined question theme as a template. You can use this question theme as it is or modify it. In the relevant policy, you can also grant the users the right to define their own questions.

When Local Self Help has been enabled by the policy, a Local Self Help Wizard is available to guide the end users through providing initial answers and editing the questions.

Recovery with Local Self Help is available for the following logon methods in the Power-on Authentication:

■ Logon with user ID and password

■ Logon with fingerprint

■ Logon with non-cryptographic token, provided that logon with user ID and password has also been enabled in a policy of the type Authentication.

For a detailed description of Local Self Help on the endpoint computer see the Sophos SafeGuard User Help, chapter Recovery with Local Self Help.

22.1 Defining Local Self Help settings in a policy

You define the settings for Local Self Help in a policy of the type General Settings under Logon Recovery - Local Self Help. This is where you enable the function to be used on the endpoint computers and define further rights and parameters.

Enabling Local Self Help

To activate Local Self Help for use on endpoint computers, select Yes in the Enable Local Self Help field.

After the policy has become effective on the computers, this setting entitles the users to use Local Self Help for logon recovery. To be able to use Local Self Help, the users now have to activate this recovery method by answering a specified number from the set of questions received or by creating and answering their own questions, depending on permission.


For this purpose, the Local Self Help Wizard is available through the System Tray Icon in the Windows taskbar after the computer has received the policy and has been restarted.

Configuring Local Self Help

You can set the following options for Local Self Help in a policy of the type General Settings:

■ Minimal length of answers

Define the minimum length of the answers in characters. The default is 1.

■ Welcome text under Windows

You can specify the individual information text to be displayed in the first dialog when the Local Self Help Wizard is launched on the computer. Before specifying the text here, it has to be created and registered.

■ Users can define their own questions

There are the following possible scenarios for the definition of questions for Local Self Help:

■ As a security officer, you define the questions and distribute them to the users. The users are not permitted to define their own questions.

■ As a security officer, you define the questions and distribute them to the users. In addition, the users are permitted to define their own questions. When answering the minimum number of questions required for activating Local Self Help, the users can choose between predefined questions and their own questions or use a combination of both.

■ You entitle the users to define their own questions. The users activate Local Self Help on their computers by defining and answering their own questions.

To entitle users to define their own questions, select Yes in the Users can define their own questions field.

22.2 Defining questions

To be able to use Local Self Help on the endpoint computer, the user has to answer and save a predefined number of questions. As a security officer with the required rights, you can specify how many questions the user has to answer to activate Local Self Help on the endpoint computer. You can also specify how many questions will be selected randomly in the POA. To log on at the POA with Local Self Help, the user has to answer all questions displayed in the POA correctly.

As a security officer with the required rights, you can register and edit Local Self Help questions in the SafeGuard Policy Editor.


22.3 Define the number of questions to be answered

You can define the number of questions to be answered during Local Self Help configuration and in the POA.

1. In the Policies navigation area, select Local Self Help questions.

2. In the action area under Local Self Help parameters, you can specify two different values for the number of Local Self Help questions:

a) In the Minimum number of available questions/answers field, specify the number of questions the user has to answer in the Local Self Help Wizard to activate Local Self Help on the endpoint computer.

The number of questions specified in this field must be available with answers on the endpoint computer for Local Self Help to be active.

b) In the Number of questions presented in POA field, specify the number of questions the user has to answer in the POA when logging on with Local Self Help.

The questions displayed in the POA are selected randomly from the questions the user has answered in the Local Self Help Wizard.

The number specified in the Minimum number of available questions/answers field must be higher than the number specified in the Number of questions presented in POA field. If this is not the case, an error message is displayed when you save your changes.

The defaults are:

■ Minimum number of available questions/answers: 10

■ Number of questions presented in POA: 5

3. Save your changes to the database.

The number of questions applies to the Local Self Help configuration deployed to endpoint computers.
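The rules from sections 22.1 to 22.3 (minimum answer length, the required number of answered questions, random selection of a smaller number of questions at the POA, and the requirement that every presented question is answered correctly) can be modelled in a few functions. The following Python is an added example written for this page; it is not the product's code and does not describe how Sophos SafeGuard stores answers. The salted PBKDF2 hashing, the NFKC/case-folded comparison and the `seed` parameter are assumptions made so the model runs and can be tested offline.

```python
import hashlib
import hmac
import os
import random
import unicodedata

# Defaults named in the help text: 10 questions answered, 5 presented in the POA.
DEFAULT_MIN_AVAILABLE = 10
DEFAULT_PRESENTED_IN_POA = 5
PBKDF2_ROUNDS = 100_000  # assumption of this model; the product's storage format is not on the page


def validate_parameters(min_available, presented_in_poa, min_answer_length=1):
    """Return the list of policy errors (an empty list means the values can be saved)."""
    errors = []
    if min_answer_length < 1:
        errors.append("Minimal length of answers must be at least 1")
    if presented_in_poa < 1:
        errors.append("At least one question must be presented in the POA")
    if min_available <= presented_in_poa:
        errors.append("Minimum number of available questions/answers must be "
                      "higher than Number of questions presented in POA")
    return errors


def normalize(answer):
    """Canonical form compared at the POA (assumption: NFKC, trimmed, case-folded)."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(answers, min_available=DEFAULT_MIN_AVAILABLE, min_answer_length=1):
    """Local Self Help Wizard step: keep only salted hashes of the answers.

    `answers` maps question text to answer. Whether a question came from the
    security officer's theme or was defined by the user makes no difference here.
    """
    if len(answers) < min_available:
        raise ValueError(f"{min_available} answered questions required, got {len(answers)}")
    store = {}
    for question, answer in answers.items():
        if len(answer) < min_answer_length:
            raise ValueError(f"answer to {question!r} is shorter than {min_answer_length}")
        salt = os.urandom(16)
        store[question] = (salt, _digest(answer, salt))
    return store


def select_for_poa(store, presented_in_poa=DEFAULT_PRESENTED_IN_POA, seed=None):
    """POA step: pick the questions to display at random from the answered set."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return rng.sample(sorted(store), presented_in_poa)


def verify(store, presented, attempts):
    """POA step: logon succeeds only if every presented question is answered correctly.

    Every presented question is checked before returning, so a wrong answer does
    not short-circuit and reveal which question failed.
    """
    all_ok = True
    for question in presented:
        salt, expected = store[question]
        candidate = _digest(attempts.get(question, ""), salt)
        all_ok &= hmac.compare_digest(candidate, expected)
    return all_ok


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    answers = {f"Question {i}": f"answer {i}" for i in range(1, 11)}
    print("policy errors:", validate_parameters(10, 5))
    store = enroll(answers)
    shown = select_for_poa(store)
    print("presented:", shown)
    print("logon:", verify(store, shown, {q: answers[q] for q in shown}))
```

`validate_parameters` reproduces the check the Policy Editor makes when saving: with the defaults (10 available, 5 presented) it returns no errors, while equal values are rejected. Because only hashes are kept, the stored data is of no use without the answers themselves, and the whitespace and case normalization is what makes an answer typed at the POA match the one given in the wizard.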

22.4 Using the template

A predefined question theme is available for Local Self Help. By default, this question theme is available in German and English in the policy navigation area under Local Self Help questions.

Optionally, the question theme is also available in other languages, for example French and Spanish. You can import these language versions into the policy navigation area.

Note: When end users enter answers in Japanese to activate Local Self Help on endpoint computers, they must use Romaji (Roman) characters. Otherwise the answers will not match when users enter them in the Power-on Authentication.

You can use the predefined question theme as it is, edit it or delete it.


22.5 Import question themes

Using the import procedure, you can import additional language versions of the predefined question theme or your own question lists created as .XML files.

1. Create a new question theme (see Create a new question theme and add questions (page 128)).

2. In the Policies navigation area, select the new question theme under Local Self Help questions.

3. Right-click in the action area to open the context menu for the question theme. In the context menu, select Import.

4. Select the required directory and question theme and click Open.

The imported questions are displayed in the action area. You can now save the question theme as it is or edit it.

22.6 Create a new question theme and add questions

You can create new question themes covering different topics, to provide users with several different question themes to suit their preferences.

1. In the Policies navigation area, select Local Self Help questions.

2. Right-click Local Self Help questions and select New > Question Theme.

3. Enter a name for the question theme and click OK.

4. In the Policies navigation area, select the new question theme under Local Self Help questions.

5. Right-click in the action area to open the context menu for the question theme. In the context menu, select Add.

A new question line is added.

6. Enter your question and press Enter. To add further questions, repeat this step.

7. To save your changes, click the Save icon in the toolbar.

Your question theme is registered. It is automatically transferred with the policy of the type General Settings that enables Local Self Help on the endpoint computers.

22.7 Edit question themes

1. In the Policies navigation area, select the required question theme under Local Self Help questions.


2. You can now add, modify or delete questions.

■ To add questions, right-click in the action area to display the context menu. In the context menu, click Add. A new line is added to the question list. Enter your question on the line.

■ To modify questions, click the required question text in the action area. The question is marked by a pencil icon. Enter your changes on the question line.

■ To delete questions, select the required question by clicking on the grey box at the beginning of the question line in the action area and click Delete in the context menu of the question.

3. To save your changes, click the Save icon in the toolbar.

The modified question theme is registered. It is transferred with the policy of the type General Settings that enables Local Self Help on the endpoint computers.

22.8 Delete question themes

To delete an entire question theme, right-click the required theme under Local Self Help questions in the Policies navigation area, and select Delete.

Note:

If you delete a question theme after users have answered some of these questions to activate Local Self Help on their computers, the users' answers become invalid, as the questions no longer exist.

22.9 Register welcome texts

You can register a welcome text to be displayed in the first dialog of the Local Self Help Wizard.

The text files containing the required information have to be created before registering them in the SafeGuard Policy Editor. The maximum file size for information texts is 50 KB. Sophos SafeGuard only uses Unicode UTF-16 coded texts. If you do not create the text files in this format, they will be automatically converted when they are registered.

1. In the Policies navigation area, right-click Information text and select New > Text.

2. Enter a name for the text to be displayed in the Text item name field.

3. Click [...] to select the previously created text file. If the file needs to be converted, a message is displayed.

4. Click OK.

The new text item is displayed as a subnode below Information text in the Policies navigation area. If you select a text item, its contents will be displayed in the window on the right-hand side. The text item can now be selected when creating policies.

Proceed as described to register further text items. All registered text items are shown as subnodes.
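The two constraints on information texts stated above (UTF-16 encoding, 50 KB maximum) can be checked before the files are registered, which matters when texts are prepared in bulk: a file that is well under 50 KB as UTF-8 roughly doubles in size when converted to UTF-16 and may then exceed the limit. The following Python is an added example for this page, not a Sophos tool; it assumes that any input without a UTF-16 byte-order mark is UTF-8, and writes little-endian UTF-16 with a BOM, which is an assumption about the expected output form.

```python
# Pre-check for Local Self Help welcome-text files before registering them.
MAX_INFO_TEXT_BYTES = 50 * 1024            # limit stated in the help text
BOM_LE, BOM_BE = b"\xff\xfe", b"\xfe\xff"   # UTF-16 byte-order marks


def check_info_text(data):
    """Return a report for the raw bytes of a welcome-text file.

    UTF-16 files carrying a byte-order mark are accepted as they are; anything
    else is assumed to be UTF-8 and converted to UTF-16 (little-endian, with
    BOM), mirroring the automatic conversion at registration. The size limit is
    applied to the bytes that would actually be stored, not to the input file.
    """
    if data.startswith(BOM_LE) or data.startswith(BOM_BE):
        text = data.decode("utf-16")        # the BOM selects the byte order
        utf16, converted = data, False
    else:
        text = data.decode("utf-8-sig")     # assumption: non-UTF-16 input is UTF-8
        utf16, converted = BOM_LE + text.encode("utf-16-le"), True
    return {
        "characters": len(text),
        "converted": converted,
        "size": len(utf16),
        "within_limit": len(utf16) <= MAX_INFO_TEXT_BYTES,
        "utf16": utf16,
    }


def prepare_info_text(src_path, dst_path):
    """Convert a file on disk and refuse to write one that would exceed the limit."""
    with open(src_path, "rb") as f:
        report = check_info_text(f.read())
    if not report["within_limit"]:
        raise ValueError(f"{src_path}: {report['size']} bytes as UTF-16 exceeds "
                         f"{MAX_INFO_TEXT_BYTES} bytes")
    with open(dst_path, "wb") as f:
        f.write(report["utf16"])
    return report


if __name__ == "__main__":
    # Constructed sample: 30,000 ASCII characters fit in 50 KB as UTF-8 but not as UTF-16.
    print(check_info_text(("x" * 30000).encode("utf-8"))["within_limit"])
```

Run `prepare_info_text` on each text before registering it; a file that fails the size check needs to be shortened rather than converted.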


23 Recovery with Challenge/Response

To smoothen the workflow and to reduce help desk costs, Sophos SafeGuard provides a Challenge/Response recovery solution. Sophos SafeGuard offers help to users who fail to log on or to access encrypted data by providing a user-friendly Challenge/Response mechanism.

This functionality is integrated in the SafeGuard Policy Editor as a Recovery Wizard.

Benefits of Challenge/Response

The challenge/response mechanism is a secure and efficient recovery system.

■ No confidential data is exchanged in unencrypted form throughout the entire process.

■ There is no point in third parties eavesdropping on this procedure because the data cannot be used later or on any other devices.

■ The user can start working again quickly. No encrypted data is lost just because the password has been forgotten.

Typical situations requiring help desk assistance

■ A user has forgotten the password at POA level and the computer has been locked.

Note:

Local Self Help allows you to have the current password displayed and to continue using it. This avoids the need to reset the password or to involve the help desk.

■ The Power-on Authentication local cache is partly damaged.

Sophos SafeGuard offers different recovery workflows for these typical scenarios enabling the users to access their computers again.

23.1 Challenge/Response workflow

The Challenge/Response procedure is based on two components:

■ The endpoint computer on which the Challenge code is generated.

■ The SafeGuard Policy Editor where, as a help desk officer with sufficient rights, you create a response code that authorizes the user to perform the requested action on their computer.

1. On the endpoint computer, the user requests the challenge code. Depending on the recovery type, this is either requested in the Power-on Authentication or using the KeyRecovery Tool.

A challenge code in the form of an ASCII character string is generated and displayed.

2. The user contacts the help desk and provides the necessary identification as well as the challenge code to the help desk.

3. The help desk launches the Recovery Wizard in the SafeGuard Policy Editor.


4. The help desk selects the appropriate recovery type, confirms the identification information and the challenge code and selects the required recovery action.

A response code in the form of an ASCII character string is generated and displayed.

5. The help desk provides the user with the response code, for example by phone or text message.

6. The user enters the response code. Depending on the recovery type, this is either done in the POA or using the KeyRecovery Tool.

The user is then permitted to perform the authorized action, for example resetting the password, and can resume working.
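The properties claimed for the workflow above (a challenge generated on the endpoint, a response that authorizes one specific action, codes that are plain ASCII and are of no use to an eavesdropper later or on another device, and a help desk check that points at the mistyped block of a challenge) can be shown with a small model. The following Python is an added example written for this page; it is not the Sophos SafeGuard protocol, and its code format, the action numbering, the 9-byte nonce, the per-block check character and the assumption that the key recovery file and the endpoint share one HMAC secret are all choices made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Action codes carried in the codes; the numbering is an assumption of this
# model, the action names are the ones the help text describes.
ACTIONS = {1: "boot through Power-on Authentication", 2: "repair local cache"}
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # base32: plain ASCII, easy to read out


def _check_char(body):
    # One check character per 4-character block, so a mistyped block can be
    # pointed out individually (like "Invalid challenge" below the faulty block).
    return ALPHABET[sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body)) % 32]


def encode_code(raw):
    """10 raw bytes -> 16 base32 characters -> 4 blocks of 4, each with a check character."""
    text = base64.b32encode(raw).decode("ascii")
    blocks = [text[i:i + 4] for i in range(0, 16, 4)]
    return "-".join(b + _check_char(b) for b in blocks)


def faulty_block(code):
    """Return the 1-based index of the first invalid block, or 0 if the code is well formed."""
    blocks = code.strip().upper().split("-")
    if len(blocks) != 4:
        return 1
    for idx, block in enumerate(blocks, start=1):
        body, check = block[:-1], block[-1:]
        if len(body) != 4 or any(c not in ALPHABET for c in body) or _check_char(body) != check:
            return idx
    return 0


def decode_code(code):
    bad = faulty_block(code)
    if bad:
        raise ValueError(f"Invalid code: block {bad}")
    return base64.b32decode("".join(b[:4] for b in code.strip().upper().split("-")))


def _response_mac(secret, computer_name, nonce, action_id):
    # The response is bound to this computer, this challenge and this action only.
    msg = computer_name.encode("utf-8") + b"\x00" + nonce + bytes([action_id])
    return hmac.new(secret, msg, hashlib.sha256).digest()[:9]


class Endpoint:
    """Endpoint side: issues challenges and validates responses."""

    def __init__(self, computer_name, recovery_secret):
        self.computer_name = computer_name
        self.secret = recovery_secret   # assumption: same secret the key recovery file holds
        self.pending = {}               # nonce -> requested action, removed once used

    def request_challenge(self, action_id):
        nonce = secrets.token_bytes(9)
        self.pending[nonce] = action_id
        return encode_code(nonce + bytes([action_id]))

    def enter_response(self, challenge, response):
        """Return the authorized action name, or None if the response is not valid here."""
        try:
            raw_challenge, raw_response = decode_code(challenge), decode_code(response)
        except ValueError:
            return None
        nonce, approved = raw_challenge[:9], raw_response[0]
        if nonce not in self.pending or approved not in ACTIONS:
            return None                 # unknown or already consumed challenge
        expected = _response_mac(self.secret, self.computer_name, nonce, approved)
        if not hmac.compare_digest(expected, raw_response[1:]):
            return None                 # response made for another computer or action
        del self.pending[nonce]         # single use: replaying the response fails
        return ACTIONS[approved]


def requested_action(challenge):
    """Help desk view: the action the endpoint asked for."""
    return ACTIONS.get(decode_code(challenge)[9], "unknown")


def help_desk_response(key_recovery_file, challenge, approved_action_id):
    """Help desk side, after the user's identity has been confirmed out of band.

    `key_recovery_file` is a dict standing in for the computername.GUID.xml file;
    the real file format is not described on this page.
    """
    nonce = decode_code(challenge)[:9]  # raises "Invalid code: block N" on a typo
    mac = _response_mac(key_recovery_file["secret"], key_recovery_file["computer_name"],
                        nonce, approved_action_id)
    return encode_code(bytes([approved_action_id]) + mac)
```

In this model the codes carry no secret: the challenge is a random nonce plus the requested action, and the response is a keyed MAC over the computer name, the nonce and the approved action. A response recorded by a third party is therefore useless on another computer (different name), for another session (different nonce) or a second time on the same computer (the nonce is consumed), which is the property the "Benefits of Challenge/Response" list describes.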

23.2 Launch the Recovery Wizard

To be able to perform a recovery procedure, make sure you have the required rights and permissions.

1. Log on to the SafeGuard Policy Editor.

2. Click Tools > Recovery in the menu bar.

The SafeGuard Recovery Wizard is started. You can select which type of recovery you want to use.

23.3 Recovery types

Select which type of recovery you want to use. The following recovery types are provided:

■ Challenge/Response for password recovery

Sophos SafeGuard provides Challenge/Response when the user has forgotten their password or entered the password incorrectly too often.

Select recovery type Sophos SafeGuard Client (standalone).

Note:

Also see the logon recovery method Local Self Help, which does not require any help desk assistance.

■ Challenge/Response for regaining access to encrypted data

For complex recovery situations, for example when the POA is corrupted, access to encrypted data can easily be regained with Challenge/Response. Specific files called Virtual Clients are used in this case.

Select recovery type Virtual Client.


23.4 Recover a password with Challenge/Response

Sophos SafeGuard provides Challenge/Response for example when the user has forgotten the password or entered the password incorrectly too often.

Recovery information needed for a Challenge/Response is based on the key recovery file. On each endpoint computer this file is generated during deployment of the Sophos SafeGuard encryption software. The key recovery file must be accessible to the Sophos SafeGuard help desk, for example on a shared network path.

To facilitate searching and grouping of the key recovery files, the computer name is provided in the file name: computername.GUID.xml. This allows for wildcard search with asterisks (*), for example: *.GUID.xml.

Note:

When a computer is renamed, it will not be renamed accordingly in the computer's local cache. The local cache stores all keys, policies, user certificates and audit files. The new computer name therefore has to be removed from the local cache so that only the previous name will remain, even if a computer is renamed under Windows.

POA recovery actions

Challenge/Response for an endpoint can be initiated in the following situations:

■ The user has entered the password incorrectly too often at POA level and the computer has been locked.

■ The user has forgotten the password.

■ A corrupted local cache needs to be repaired.

The Challenge/Response procedure will enable the computer to boot through Power-on Authentication. The user is then able to log on to Windows.

Potential recovery use cases:

The user has typed the password incorrectly too often at POA level and the computer has been locked. But the user still knows the password.

The computer is locked, and the user is prompted to initiate a Challenge/Response procedure to unlock the computer. As the user still knows the correct password, there is no need to reset it. The Challenge/Response procedure enables the computer to boot through Power-on Authentication. The user can then type the password correctly into the Windows logon dialog and is logged on to Windows.

The user has forgotten the password.

Note:


We recommend that you use Local Self Help to recover a forgotten password. Local Self Help allows users to have the current password displayed and to continue using it. This avoids the need to reset the password or to involve the help desk.

When recovering a forgotten password with Challenge/Response a password reset is required.

1. The Challenge/Response procedure enables the computer to boot through Power-on Authentication.

2. In the Windows logon dialog, the user does not know the correct password. The password needs to be reset at Windows level. This requires further recovery actions outside the scope of Sophos SafeGuard, using standard Windows means.

We recommend using the following methods to reset the password at Windows level.

■ Using a service or administrator account available on the endpoint computer with the required Windows rights.

■ Using a Windows password reset disk on the endpoint computer.

As a help desk officer, you can inform the user which procedure should be used and either provide the additional Windows credentials or the required disk.

3. The user enters the new password that the help desk has reset at Windows level. The user then needs to change this password immediately to a value only known to the user. A new user certificate is created based on the newly chosen Windows password. This enables the user to log on to the computer again and to log on at Power-on Authentication with the new password.

Note:

Keys for SafeGuard Data Exchange: When a password is reset and a new certificate is created, local keys previously created for SafeGuard Data Exchange can still be used if the endpoint is a member of a domain. If the endpoint is a member of a workgroup, the user has to remember the SafeGuard Data Exchange passphrase to reactivate these local keys.

The local cache needs to be repaired

The local cache stores all keys, policies, user certificates and audit files. By default, logon recovery is deactivated when the local cache is corrupted; this means that it is restored automatically from its backup. In this case, no Challenge/Response procedure is required to repair the local cache. However, logon recovery can be activated by policy if the local cache is to be repaired explicitly with a Challenge/Response procedure. In this case, the user is prompted automatically to initiate a Challenge/Response procedure if the local cache is corrupted.

23.4.1 Generate a response using the key recovery file

The key recovery file generated during installation of the Sophos SafeGuard encryption software needs to be stored in a location that a help desk officer is able to access and the name of the file must be known.

1. In the SafeGuard Policy Editor, select Tools > Recovery from the menu bar to open the Recovery Wizard.


2. In Recovery type, select Sophos SafeGuard Client.

3. Locate the required key recovery file by clicking the [...] button. For easier identification the recovery files carry the name of the computer: computername.GUID.xml.

4. Enter the challenge code the user has passed on to you and click Next. The challenge code is verified.

If the challenge code has been entered correctly, the recovery action requested by the Sophos SafeGuard computer as well as the possible recovery actions are displayed. If the code has been entered incorrectly, Invalid challenge is displayed below the block containing the error.

5. Select the action to be taken by the user and click Next.

6. A response code is generated. Communicate the response code to the user. A spelling aid is provided. You may also copy the response code to the clipboard.

The user can enter the response code, perform the requested action and resume working.

23.5 Regain access to encrypted data with Challenge/Response

For complex recovery situations, for example when the POA is corrupted, access to encrypted data can easily be regained with Challenge/Response. Specific files called Virtual Clients and additional tools are used in this case:

■ Key Recovery file

On each endpoint the key recovery file is generated during deployment of the Sophos SafeGuard encryption software. It needs to be accessible to the help desk, for example on a shared network path.

■ Virtual Client file

Specific files called Virtual Clients are created in SafeGuard Policy Editor and are used as reference information in the database.

■ Sophos SafeGuard modified Windows PE recovery disk

The recovery disk is used for starting the endpoint from BIOS.

■ KeyRecovery Tool

The tool is used to start the Challenge/Response procedure. It is already available on the Sophos SafeGuard modified Windows PE recovery disk. Additionally, you find it in the Tools directory of your Sophos SafeGuard software delivery.

23.5.1 Virtual Clients

Virtual Clients are specific encrypted key files that are used for recovering an encrypted volume when no reference information on the computer is available in the database and Challenge/Response would usually not be supported. The Virtual Client is used as identification and reference information during the Challenge/Response and is stored in the database.


To enable a Challenge/Response procedure in complex disaster situations, the Virtual Clients need to be created and distributed to the user before the Challenge/Response procedure. Access to the computer can then be regained with the help of these Virtual Clients, a KeyRecovery Tool and a SafeGuard modified Windows PE recovery disk available with your product.

23.5.2 Recovery workflow using Virtual Clients

To access the encrypted computer, the following general workflow applies:

1. Obtain the Sophos SafeGuard recovery disk from technical support.

The help desk may download the Windows PE recovery disk with the latest Sophos SafeGuard filter drivers from the Sophos support site. For further information, see: http://www.sophos.com/support/knowledgebase/article/108805.html.

2. Create the Virtual Client in the SafeGuard Policy Editor.

3. Export the Virtual Client to a file.

4. Start the computer from the recovery disk.

5. Import the Virtual Client file into the KeyRecovery Tool.

6. Initiate the Challenge in the KeyRecovery Tool.

7. Confirm the Virtual Client in the SafeGuard Policy Editor.

8. Select the required recovery action.

9. Enter the challenge code in the SafeGuard Policy Editor.

10. Generate the response code in the SafeGuard Policy Editor.

11. Enter the response code into the KeyRecovery tool.

The computer can be accessed again.

23.5.3 Create a Virtual Client

Virtual Clients are specific encrypted key files that can be used for recovery in a Challenge/Responseprocedure as reference information on the computer.

Virtual Client files can be used by different computers and for several Challenge/Response sessions.

1. In the SafeGuard Policy Editor, select the Virtual Clients area.

2. In the left-hand navigation window, click Virtual Clients.

3. In the toolbar, click Add Virtual Client.

4. Enter a unique name for the Virtual Client and click OK. Virtual Clients are identified in thedatabase by these names.

5. Click the Save icon in the toolbar to save your changes to the database.

The new Virtual Client is displayed in the action area. Next you export it to a file.


23.5.4 Export a Virtual Client

Virtual Clients need to be exported to files in order to distribute them to the endpoint computers and use them for recovery. These files are always called recoverytoken.tok.

1. In the SafeGuard Policy Editor, select the Virtual Clients area.

2. In the left-hand navigation window, click Virtual Clients.

3. In the action area, search for the respective Virtual Client by clicking the magnifier icon. The available Virtual Clients are displayed.

4. Select the respective entry in the action area and click Export Virtual Client in the toolbar.

5. Select a storage location for the Virtual Client file recoverytoken.tok and click OK.

Choose a safe place to store the file.

The Virtual Client has been exported to the file recoverytoken.tok.

6. Copy the Virtual Client file recoverytoken.tok to a removable medium. We recommend using a memory stick.

Make sure that you keep the storage medium in a safe place. Make the files available to the help desk and on the endpoint computers as they are needed for a Challenge/Response with Virtual Clients.


23.5.5 Start the computer from the recovery disk

Make sure that the boot sequence in the BIOS settings allows booting from CD.

1. On the endpoint computer, insert the recovery disk and start the computer. The integrated file manager opens. At a glance, you can see the mounted volumes and drives.

The contents of the encrypted drive are not visible in the file manager. Neither the file system, nor the capacity and used/free space are indicated in the properties of the encrypted drive.

2. At the bottom of the file manager in the Quick Launch section, click the KeyRecovery icon to open the KeyRecovery Tool. The Key Recovery Tool displays the key ID of the encrypted drives.

3. Find the key ID of the drives that you need to access. The key ID will be requested later on.

Next import the Virtual Client into the Key Recovery Tool.


23.5.6 Import the Virtual Client into the KeyRecovery Tool

Prerequisites:

■ The computer has been started from the recovery disk.

■ Make sure that the USB drive with the Virtual Client file recoverytoken.tok stored on it has been mounted successfully.

1. In the Windows PE file manager, select the drive on which the Virtual Client is stored. The file recoverytoken.tok is displayed on the right.

2. Select the file recoverytoken.tok and drag it to the drive on which the KeyRecovery Tool is located. There, drop it into the Tools\SGN-Tools directory.


23.5.7 Initiate the Challenge in the KeyRecovery Tool

1. At the bottom of the Windows PE file manager in the Quick Launch section, click the KeyRecovery icon to open the KeyRecovery Tool. The KeyRecovery Tool displays the key ID of the encrypted drives.

The tool starts with a list of all volumes and their corresponding encryption information (key ID).

2. Select the volume you want to decrypt and click Import by C/R to generate the Challenge Code.

The Virtual Client file is used for confirmation in the Sophos SafeGuard database and is referenced in the challenge. The Challenge Code is generated and displayed.

3. Communicate the Virtual Client name and the challenge code to the help desk, for example by phone or text message. A spelling aid is provided.

23.5.8 Generate a response using Virtual Clients

To access a Sophos SafeGuard protected computer and to generate a response using Virtual Clients, two actions are required:

1. Confirm the Virtual Client in the SafeGuard Policy Editor database.

2. Select the requested recovery action. As only the key recovery file is available for decryption, this file needs to be selected so that a response code can be generated.

23.5.8.1 Confirm the Virtual Client

Prerequisite:

The Virtual Client must have been created in the SafeGuard Policy Editor in Virtual Clients and must be available in the database.

1. In the SafeGuard Policy Editor, click Tools > Recovery to open the Recovery Wizard.

2. On the Recovery type page, select Virtual Client.


3. Enter the name of the Virtual Client the user has given to you. There are different ways to do so:

■ Enter the unique name directly.

■ Select a name by clicking [...] in the Virtual Client section of the Recovery type dialog. Then click Find now. A list of Virtual Clients is displayed. Select the required Virtual Client and click OK. The Virtual Client name is then displayed in Recovery type under Virtual Client.

4. Click Next to confirm the name of the Virtual Client file.

Next select the requested recovery action.

23.5.8.2 Select the key recovery file

Prerequisite:

You must have selected the required Virtual Client in the SafeGuard Policy Editor Recovery Wizard.

The required key recovery file needed to regain access to the computer must be accessible to the help desk, for example on a network share.

1. In the Recovery Wizard, on the Virtual Client page, select the requested recovery action Key requested and click Next.

2. Activate Select key recovery file containing recovery key.

3. Click [...] next to this option to browse for the respective file. For easier identification the recovery files carry the name of the computer: computername.GUID.xml.

4. Confirm with Next. The window for entering the challenge code is displayed.

5. Enter the challenge code the user has passed on to you and click Next. The challenge code is verified.

If the challenge code has been entered correctly, the response code is generated. If the code has been entered incorrectly, Invalid challenge is displayed below the block containing the error.

6. Pass the response code on to the user. A spelling aid is provided. You can also copy the response code to the clipboard.

23.5.9 Enter the response code in the KeyRecovery Tool

1. In the KeyRecovery Tool on the endpoint computer, enter the response code the help desk has given to you.

The required recovery key is transferred within the response code.


2. Click OK. The drive selected for Challenge/Response has been decrypted.

3. To ensure that decryption has been successful, select the decrypted drive in the Windows PE file manager:

The contents of the decrypted drive are now displayed in the file manager. The file system as well as the capacity and used/free space are now indicated in the properties of the decrypted drive.

Access to the data stored on this partition is recovered. As a result of the successful decryption you can read, write and copy data from or to the drive.


23.5.10 Delete Virtual Clients

Virtual Clients that are no longer needed can be deleted from the Sophos SafeGuard Database.

1. In the SafeGuard Policy Editor, select the Virtual Clients area.

2. In the left-hand navigation window, click Virtual Clients.

3. In the action area on the right, click the magnifier icon to search for the respective Virtual Client. The available Virtual Clients are displayed.

4. Select the required entry and click Delete Virtual Client in the toolbar.

5. Click the Save icon in the toolbar to save your changes to the database.

The Virtual Client is deleted from the database and can no longer be used in a Challenge/Response procedure.


24 System Recovery

Sophos SafeGuard encrypts files and drives transparently. Boot drives can also be encrypted, so decryption functionality such as code, encryption algorithms and the encryption key must be available very early in the startup phase. Therefore encrypted information cannot be accessed if the crucial Sophos SafeGuard modules are unavailable or do not work.

The following sections cover possible problems and recovery methods.

24.1 Recover data by starting from an external medium

This recovery type can be applied when the user can still log on at the POA but cannot access the encrypted volume any more. In this case, access to the encrypted data can be regained by starting the computer using a Windows PE recovery disk customized for Sophos SafeGuard.

Prerequisites:

■ The user starting the computer from the external medium must have the right to do so. This right can either be configured in the SafeGuard Policy Editor within a policy of type Authentication (User may only boot from internal hard disk set to No) or can be obtained for a one-time use with a Challenge/Response procedure.

■ The computer must support starting from different media than the fixed hard drive.

To regain access to encrypted data on the computer:

1. Obtain the Sophos SafeGuard Windows PE disk from technical support.

The help desk may download the Windows PE recovery disk with the latest Sophos SafeGuard filter drivers from the Sophos support site. For further information, see: http://www.sophos.com/support/knowledgebase/article/108805.html.

2. Log on at the Power-on Authentication with your credentials.

3. Insert the Windows PE recovery disk into the computer.

4. In the POA logon dialog under Continue booting from, select external medium. The computer is started.

Access to the data stored on this partition is recovered.

Note:

Depending on the BIOS in use, booting from the disk may not work.

24.2 Corrupted MBR

For resolving problems with a corrupted MBR, Sophos SafeGuard offers the tool BE_Restore.exe.

For further information, see the Tools Guide.


24.3 Volumes

Sophos SafeGuard provides drive-based encryption. This includes saving encryption information consisting of the boot sector, primary and backup KSA and the original boot sector on each drive itself.

As soon as one of the units below is damaged, the volume cannot be accessed any longer:

■ either of the two Key Storage Areas (KSA)

■ original MBR

24.3.1 Boot sector

During the encryption process a volume's boot sector is swapped for the Sophos SafeGuard boot sector.

The Sophos SafeGuard boot sector holds information about

■ the location of the primary and backup KSA in clusters and sectors in relation to the start of the partition

■ the size of the KSA

If the Sophos SafeGuard boot sector is damaged, encrypted volumes cannot be accessed.

The tool BE_Restore can restore the damaged boot sector. For further information, see the Tools Guide.

24.3.2 Original boot sector

The original boot sector is the one that is run after the DEK (Data Encryption Key) has been decrypted and the algorithm and the key have been loaded into the BE filter driver.

If this boot sector is defective, Windows is unable to access the volume. Normally the common error message “Device is not formatted. Would you like to format it now? Yes/No” is displayed.

Nonetheless, Sophos SafeGuard will load the DEK for this volume. A tool that is used to repair the boot sector needs to be compatible with the Sophos SafeGuard Upper Volume Filter.

24.4 Setting up WinPE for Sophos SafeGuard

To get access to encrypted drives with a computer's BOOTKEY within a WinPE environment, Sophos SafeGuard offers WinPE with the required Sophos SafeGuard function modules and drivers. To start SetupWinPE for WinPE enter the following command:

SetupWinPE -pe2 <WinPE image file>

where <WinPE image file> is the full path name of a WinPE image file.


SetupWinPE makes all the changes needed.

Note:

With this type of WinPE environment, only drives that are encrypted with the BOOTKEY can be accessed.


25 Restore a Sophos SafeGuard Database

To restore a Sophos SafeGuard Database you can create a new instance of the database based upon the backed up security officer and company certificates by reinstalling SafeGuard Policy Editor.

This ensures that all Sophos SafeGuard endpoint computers still accept policies from the new instance and avoids the need to set up and restore the whole database. Additionally, backed up policies can be reimported.

25.1 Restore a database configuration by reinstalling SafeGuard Policy Editor

The following prerequisites must be met:

■ The company and security officer certificates of the relevant database configuration must have been exported to .p12 files and must be available and valid.

■ The passwords for the two .p12 files as well as for the certificate store must be known to you.

■ Make sure that you export the policies to backup files so that you can restore them afterwards. This avoids having to set up your policy configuration from scratch.

To restore a corrupt database configuration:

1. Install the SafeGuard Policy Editor installation package afresh.

2. Start SafeGuard Policy Editor. The Configuration Wizard is started automatically.

3. On the Database page, select Create a new database. Under Database settings, configure the connection to the database. Click Next.

4. On the Security Officer page, select the relevant security officer. Clear Automatically create certificate. Click Import to browse for the backed up certificate file. Enter the respective password for the security officer certificate store. Click Yes in the message that is displayed. The certificate is imported. Enter and confirm the security officer password to be used to authenticate at SafeGuard Policy Editor. Click Next.

5. On the Company page, clear Automatically create certificate. Click Import to browse for the backed up certificate file that contains the valid company certificate. You are prompted to enter the password specified for the certificate store. Enter the password and click OK to confirm it. Click Yes in the message that is displayed. The company certificate is imported.

6. On the Security officer and company certificate backup page, specify a storage location for the certificate backups. Click Next.

7. On the Recovery Keys page, clear Create network share, click Next, then Finish.

The database configuration is restored. If you have backed up the previously created policies to a file, you may now import them back into SafeGuard Policy Editor.


26 Restore a corrupt SafeGuard Policy Editor installation

If the installation of SafeGuard Policy Editor is corrupted, but the database is still intact, the installation can be easily restored by reinstalling SafeGuard Policy Editor using the existing database as well as the backed up security officer certificate.

To restore the SafeGuard Policy Editor installation:

1. Reinstall the SafeGuard Policy Editor installation package. Start SafeGuard Policy Editor. The Configuration Wizard is started automatically.

2. On the Database page, select Use an existing database. Under Database name, select the name of the database from the list. Under Database settings, configure the connection to the database if required. Click Next.

3. On the Security Officer page, do one of the following:

■ If the backed up certificate file can be found on the computer, it is displayed. Enter the password you use for authenticating at the SafeGuard Policy Editor.

■ If the backed up certificate file cannot be found on the computer, click Import. Browse for the backed up certificate file and confirm with Open. Enter the password for the selected certificate file. Click Yes. Enter and confirm a password for authenticating at the SafeGuard Policy Editor.

4. Click Next and then Finish to complete SafeGuard Policy Editor configuration.

The corrupt SafeGuard Policy Editor installation is restored.


27 About upgrading

SafeGuard Easy/Sophos SafeGuard Disk Encryption 5.5x or above can be directly upgraded to the latest version of SafeGuard Easy 6 without changing any previous settings. If you want to upgrade from older versions, you must first upgrade to version 5.50.

An upgrade to the latest version comprises upgrading the following components. Carry out the upgrade in the order shown below:

1. Sophos SafeGuard database

2. SafeGuard Policy Editor

3. Sophos SafeGuard encryption software on endpoint computers

Note:

From version 5.50 onwards the import of a valid license file is required. If the number of licenses is exceeded, configuration packages can no longer be created. Please contact your sales partner in advance to request a license file.

27.1 Upgrade the Sophos SafeGuard database and database schema

Prerequisites:

■ A Sophos SafeGuard database version 5.50 or above must be installed. Older versions must first be upgraded to version 5.50.

■ SQL migration scripts are needed for the upgrade. You find them in the Tools directory of your product delivery. Make sure that they are present on the database computer.

■ .NET Framework 4 is required. It must be installed before the upgrade. It is provided in the Sophos SafeGuard product delivery.

■ Make sure that you have Windows administrator rights.

To upgrade the Sophos SafeGuard database and database schema:

1. Close all instances of SafeGuard Policy Editor.

2. Create a backup of the Sophos SafeGuard database.

3. Open Microsoft SQL Server Management Studio Express.

4. In the Object Explorer, right-click the Sophos SafeGuard database and click Properties.

5. In the Database Properties window, select the Options page on the left. Under State, Restrict Access, select SINGLE-USER mode for running the SQL migration scripts.

6. In the Object Explorer, right-click the Sophos SafeGuard database and click New Query.


7. Use the SQL migration scripts to update the database schema. The database must be converted version by version to the current version. Depending on the version installed, start the following SQL scripts in sequence, for example:

a) 5.5x > 5.60: Run MigrateSGN550_SGN560.sql

b) 5.6x > 6.0: Run MigrateSGN560_SGN60.sql

If you have changed the default database name during installation, change the USE SafeGuard command in the script so that it reflects the current name accordingly.

8. In the Database Properties window, select the Options page on the left. Under State, Restrict Access, select MULTI-USER mode.

9. Upgrade one instance of SafeGuard Policy Editor by installing the latest version of the SafeGuard Policy Editor installation package (SGNPolicyEditor.msi) from the product's install folder. For further information, see Upgrade SafeGuard Policy Editor (page 149).

10. Start the upgraded SafeGuard Policy Editor.

The database consistency is now checked automatically. If the cryptographic checksums of some tables are found incorrect, warning messages are displayed. To repair the tables select Repair in the relevant dialog. The checksums for the modified tables are recalculated.

The latest version of the Sophos SafeGuard database is ready for use.
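The backup, single-user, migrate, multi-user sequence above (steps 2, 5, 7 and 8) can be driven from a script instead of Management Studio, which makes the order of operations explicit and keeps the database from being left in SINGLE_USER mode when a script fails. The following PowerShell script is an added example and not part of this guide or the product; it assumes sqlcmd.exe is on the PATH, that Windows authentication is accepted by the instance, and that the Migrate*.sql scripts from the Tools directory have been copied to the directory in $ScriptDir. The instance name, paths and the Invoke-SgnSql helper are assumptions; the script names are the ones listed in step 7.

```powershell
# Added example, not part of the Sophos guide: steps 2, 5, 7 and 8 of section 27.1
# driven from sqlcmd instead of Management Studio. Assumptions (not from the guide):
# sqlcmd.exe is on the PATH, Windows authentication (-E) is allowed, and the
# Migrate*.sql scripts from the product's Tools directory have been copied to $ScriptDir.
param(
    [string]$Server      = ".\SQLEXPRESS",                              # assumed instance name
    [string]$Database    = "SafeGuard",                                 # default database name
    [string]$ScriptDir   = "C:\SGN\Tools",                              # assumed script location
    [string]$BackupFile  = "C:\SGN\Backup\SafeGuard_pre_upgrade.bak",   # assumed backup path
    [ValidateSet("5.5x", "5.6x")]
    [string]$FromVersion = "5.5x"
)

# The schema is converted one version step at a time; the script names are the ones
# the guide lists for 5.5x > 5.60 and 5.6x > 6.0.
$migrationPath = @{
    "5.5x" = @("MigrateSGN550_SGN560.sql", "MigrateSGN560_SGN60.sql")
    "5.6x" = @("MigrateSGN560_SGN60.sql")
}

function Invoke-SgnSql([string]$Query) {
    # -b turns a T-SQL error into a non-zero exit code so the script can stop on failure
    & sqlcmd -S $Server -E -d master -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed for: $Query" }
}

# Step 2: full backup before the schema is touched.
Invoke-SgnSql "BACKUP DATABASE [$Database] TO DISK = N'$BackupFile' WITH INIT"

try {
    # Step 5: SINGLE_USER while the scripts run. All SafeGuard Policy Editor instances
    # must already be closed (step 1); ROLLBACK IMMEDIATE drops any that are not.
    Invoke-SgnSql "ALTER DATABASE [$Database] SET SINGLE_USER WITH ROLLBACK IMMEDIATE"

    # Step 7: run the scripts in sequence.
    foreach ($scriptName in $migrationPath[$FromVersion]) {
        $path = Join-Path $ScriptDir $scriptName
        if (-not (Test-Path $path)) { throw "Migration script not found: $path" }

        # The guide says to edit the script's USE SafeGuard line if the database was
        # renamed; refuse to run an unedited script against a renamed database.
        if ($Database -ne "SafeGuard" -and
            (Select-String -Path $path -Pattern '^\s*USE\s+\[?SafeGuard\]?\s*;?\s*$' -Quiet)) {
            throw "Edit the USE statement in $scriptName to USE [$Database] before running it"
        }

        & sqlcmd -S $Server -E -b -i $path
        if ($LASTEXITCODE -ne 0) { throw "Migration script failed: $scriptName" }
    }
}
finally {
    # Step 8: always return to MULTI_USER, even if a script failed, so the database
    # is not left restricted to a single session.
    Invoke-SgnSql "ALTER DATABASE [$Database] SET MULTI_USER"
}
```

Run it once per database with the version you are starting from, for example `.\Upgrade-SgnDatabase.ps1 -FromVersion 5.5x`; steps 9 and 10 (installing and starting the upgraded SafeGuard Policy Editor so that the integrity check runs) still follow as described above.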

27.2 Upgrade SafeGuard Policy Editor

Prerequisites

■ SafeGuard Policy Editor version 5.50 or above must be installed. Older versions must first be upgraded to version 5.50.

■ SafeGuard Policy Editor does not need to be uninstalled.

■ The Sophos SafeGuard database has been upgraded to the latest version. For successful operation, version numbers of Sophos SafeGuard database and SafeGuard Policy Editor must match.

■ .NET Framework 4 is required. It must be installed with the upgrade. You can find it in the product delivery.

■ Make sure that you have Windows administrator rights.

■ You need a valid licence file. Contact your sales partner in advance to request it.

To upgrade SafeGuard Policy Editor:

1. From the product's install folder, install the SafeGuard Policy Editor installation package. You do not need to run the Configuration Wizard again.

2. Import the license file.

SafeGuard Policy Editor has been upgraded to the latest version.


27.3 Upgrade endpoints

Prerequisites

■ Sophos SafeGuard encryption software version 5.50 or above must be installed on the endpoints. Older versions must first be upgraded to version 5.50.

■ The Sophos SafeGuard database and the SafeGuard Policy Editor must have already been upgraded to the latest version.

■ Make sure that you have Windows administrator rights.

To upgrade the endpoints:

1. From the product's install folder, install the latest pre-installation package SGxClientPreinstall.msi that provides the endpoint with the necessary requirements for a successful installation of the current encryption software.

Do not uninstall previous pre-installation packages.

2. From the product's install folder, install the latest version of the Sophos SafeGuard encryption software.

Windows Installer recognizes the features that are already installed and only installs these again. If Power-on Authentication is installed, an updated POA kernel is also available after a successful update. Sophos SafeGuard is automatically restarted on the computer.

To install new features with the upgrade, select an installation of type Custom. Then select the new features and the ones to be upgraded. With an unattended installation, use the ADDLOCAL= property to select the features you want (existing and new).

3. In the SafeGuard Policy Editor that has been upgraded to the latest version, create a new configuration package and deploy it on the endpoints.

Note: Installing a configuration package from a previous version on an endpoint that has been upgraded to the latest version is not supported. If you try to install an older configuration package over a newer one, the installation is aborted.

4. Delete all outdated or unused configuration packages on the endpoints for security reasons.

The latest version of the Sophos SafeGuard encryption software with the selected features is installed on the endpoints.


28 About migrating

This section describes migration scenarios that involve a change in your Sophos encryption software license. It covers migration of server-side software as well as endpoint software.

The following migration scenarios are described:

■ Migrating to SafeGuard Enterprise 6.

■ Migrating from SGE 4.5x/SDE 4.6x.

■ Migrating endpoints to a different license.

Note:

For an overview on product names, see About Sophos SafeGuard (SafeGuard Easy) (page 4).

For migrating to Sophos Disk Encryption 5.61 (managed through Sophos Enterprise Console 5.1) see the Sophos Disk Encryption 5.61 License migration guide.

28.1 Migrating to SafeGuard Enterprise

You can migrate SafeGuard Easy (SGE)/Sophos SafeGuard Disk Encryption (SDE) 5.5x or above to the SafeGuard Enterprise 6 suite with central management to make use of comprehensive management features, for example user and computer management or extensive logging functionality.

To migrate SGE/SDE 5.5x or above to SafeGuard Enterprise 6:

■ Migrate the management console.

■ Migrate the endpoints.

28.1.1 Migrate the management console

Prerequisites

■ You do not have to uninstall SafeGuard Policy Editor.

■ .NET Framework 4 with ASP.NET 4 is required. It must be installed beforehand. It is provided in the SafeGuard Enterprise product delivery.

■ Set up the latest version of SafeGuard Enterprise Server before migration. For further information, see the SafeGuard Enterprise Installation guide.

■ Make sure that you have Windows administrator rights.

To migrate the management console:

1. On the computer on which SafeGuard Policy Editor is installed, start SGNManagementCenter.msi from the product's install folder. A wizard guides you through installation. Accept the default options.


2. If prompted, restart the computer.

3. Start the SafeGuard Management Center to carry out initial configuration. For further information, see the SafeGuard Enterprise Installation guide.

4. Configure the SafeGuard Enterprise policies to your needs.

SafeGuard Policy Editor has been migrated to SafeGuard Management Center.

28.1.2 Migrate endpoints

You can migrate Sophos SafeGuard protected endpoints with an unmanaged configuration to a managed configuration. In this way, endpoints are defined in SafeGuard Management Center as objects which can be managed and which have a connection to the SafeGuard Enterprise Server.

Prerequisites

■ SafeGuard Policy Editor has been migrated to SafeGuard Management Center.

■ Sophos SafeGuard encryption software on the endpoints does not have to be uninstalled. Sophos SafeGuard version 5.5x or above must be installed on the endpoints. Earlier versions must first be upgraded version by version to 5.50.

■ Back up the endpoint before starting the migration.

■ Make sure that you have Windows administrator rights.

To migrate endpoints:

1. Install the latest pre-installation package SGxClientPreinstall.msi that provides the endpoint with the necessary requirements for a successful installation of the current encryption software.

Do not uninstall previous pre-installation packages.

2. From the product's install folder, install the latest version of the respective Sophos SafeGuard encryption software.

Windows Installer recognizes the features that are already installed and only installs these again. If Power-on Authentication is installed, an updated POA kernel is also available after a successful update (policies, keys etc.). Sophos SafeGuard is automatically restarted on the computer.

To install new features with the upgrade, select an installation of type Custom. Then select the new features and the ones to be upgraded. With an unattended installation, use the ADDLOCAL= property to select the features you want (existing and new).

3. In the SafeGuard Management Center, on the Tools menu, click Configuration Package Tool. Click Create Configuration Package (managed). A wizard guides you through the necessary steps to create the configuration package.

4. Assign this configuration package to the Sophos SafeGuard computers using a group policy.

Authentication is disabled as the user-computer assignment is not migrated. After migrating, the endpoints are therefore unprotected!


5. The user needs to restart the endpoint. The first logon is still achieved with Autologon. New keys and certificates are assigned to the user.

6. The user needs to restart the endpoint for a second time and log on at the Power-on Authentication. The computers are protected again only after the second restart.

7. Delete outdated and unused configuration packages.

The unmanaged Sophos SafeGuard protected computer is now connected to the SafeGuard Enterprise Server.
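Steps 1 and 2 of both the endpoint upgrade (27.3) and the endpoint migration (28.1.2) are the same two unattended Windows Installer runs: the pre-installation package, then the encryption software with ADDLOCAL listing every feature that should exist afterwards. The following PowerShell script is an added example and not part of this guide or the product; it assumes the install folder is reachable at the share in $PackageDir, that the encryption software package is SGNClient.msi (the full disk encryption package named later in this guide), and that the feature names in $Features are placeholders to be replaced with the real feature names of the MSI, which this guide does not list. The Install-SgnMsi helper and the log location are also assumptions.

```powershell
# Added example, not part of the Sophos guide: unattended endpoint install as outlined
# in steps 1 and 2 of sections 27.3 and 28.1.2. Assumptions (not from the guide): the
# install folder is reachable at $PackageDir, the encryption software package is
# SGNClient.msi, and the entries in $Features are placeholders for the MSI's real
# feature names, which the guide does not list.
param(
    [string]$PackageDir = "\\fileserver\sgn\install",       # assumed share with the install folder
    [string]$LogDir     = "C:\Windows\Temp\sgn-upgrade",    # assumed log location
    [string[]]$Features = @("FEATURE_PLACEHOLDER_1", "FEATURE_PLACEHOLDER_2")
)

New-Item -ItemType Directory -Force -Path $LogDir | Out-Null

function Install-SgnMsi {
    param([string]$Msi, [string[]]$Properties = @())
    $log = Join-Path $LogDir ([IO.Path]::GetFileNameWithoutExtension($Msi) + ".log")
    # /qn = no UI, /norestart = leave the restart to the operator, /L*v = verbose log
    # for troubleshooting an aborted installation.
    $msiArgs = @("/i", "`"$Msi`"", "/qn", "/norestart", "/L*v", "`"$log`"") + $Properties
    $proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return $false }   # ERROR_SUCCESS
        3010    { return $true }    # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "msiexec exited with $($proc.ExitCode) for $Msi; see $log" }
    }
}

# Step 1: pre-installation package. Earlier pre-installation packages stay installed,
# as the guide requires.
$rebootNeeded = Install-SgnMsi -Msi (Join-Path $PackageDir "SGxClientPreinstall.msi")

# Step 2: the encryption software. For an unattended install the guide says to pass
# ADDLOCAL with every feature that should be present afterwards, existing and new;
# Windows Installer reinstalls the ones already present and adds the new ones.
$props = @("ADDLOCAL=" + ($Features -join ","))
$clientReboot = Install-SgnMsi -Msi (Join-Path $PackageDir "SGNClient.msi") -Properties $props
$rebootNeeded = $rebootNeeded -or $clientReboot

if ($rebootNeeded) {
    Write-Warning "Windows Installer requested a restart; complete it before deploying the configuration package (step 3)."
}
```

The exit-code handling is the part worth keeping even if the rest is adapted: 3010 is a success that still needs a restart, and anything else should stop the rollout and point at the verbose log rather than continue to the configuration package step with a half-installed endpoint.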

28.2 Migrating from SGE/SDE 4.x

You can migrate SafeGuard Easy (SGE) 4.5 and Sophos SafeGuard Disk Encryption 4.6x directly to SafeGuard Easy 6.

To migrate from SGE 4.5x/SDE 4.6x:

■ Set up the management console SafeGuard Policy Editor.

■ Migrate the endpoints.

This section describes the necessary steps, explains which features can be migrated and details the limitations.

28.2.1 Set up the management console

If you have no SafeGuard Policy Editor installed, install the latest version. For further information, see Install SafeGuard Policy Editor (page 17).

If you have a previous version of SafeGuard Policy Editor installed, upgrade to the latest version. For further information, see About upgrading (page 148).

28.2.2 Migrate endpoint computers

Direct endpoint migration has been tested and is supported for SafeGuard Easy 4.5x. A direct upgrade should also work for versions between 4.3x and 4.4x.

Direct upgrade is not supported for versions older than 4.3x, so these must be upgraded to SafeGuard Easy 4.50 first.

Direct endpoint migration has been tested and is supported for Sophos SafeGuard Disk Encryption 4.6x.

Hard drive encryption is maintained, so there is no need to decrypt and re-encrypt the hard drive. It is not necessary either to uninstall SafeGuard Easy or Sophos SafeGuard Disk Encryption.


28.2.2.1 Prerequisites

The following prerequisites must be met:

■ SafeGuard Easy/Sophos SafeGuard Disk Encryption must be running on the following operating system:

Windows XP Professional Workstation Service Pack 2, 3

■ Windows Installer Version 3.01 or higher has to be installed.

■ The hardware must meet the system requirements of SafeGuard Easy 6.

■ When using special software (for example Lenovo middleware), it must meet the system requirements of SafeGuard Easy 6.

■ Migration is supported if the hard disks are encrypted with the following algorithms: AES128, AES256, 3DES, IDEA.

■ Users need a valid Windows account and password. If they do not know their Windows password, because they have previously been logged on to Windows using Secure Automatic Logon, the Windows user password has to be reset before migration and the new password has to be forwarded to them.

28.2.2.2 Limitations

■ Migration of endpoints with only the SGNClient_withoutDE.msi package installed is not supported. You have to uninstall this package first.

■ Only the SafeGuard full disk encryption package with the standard features can be installed (SGNClient.msi). If the SGNClient_withoutDE.msi package is to be installed in addition, this has to be done in a separate step as a direct upgrade is not supported for this package.

■ The following installations cannot be migrated and a migration should not be attempted:

Note: If you start migrating in the following cases, an error message is displayed (error number 5006).

Twin Boot installations

Installations with active Compaq Switch

Lenovo Computrace installations

Hard drives that are partially encrypted, for example with boot sector encryption only

Hard drives with hidden partitions

Hard drives that have been encrypted with one of the following algorithms: XOR, STEALTH, DES, RIJNDAEL, Blowfish-8, Blowfish-16

Multi-boot scenarios with a second Windows or Linux partition

■ Removable media that have been encrypted with one of the following algorithms cannot be migrated: XOR, STEALTH, DES, RIJNDAEL, Blowfish-8, Blowfish-16.


Note: There is a risk of data being lost in these cases. After migration, data on the removable medium cannot be accessed with SafeGuard Easy any more.

■ Removable media with Super Floppy volumes cannot be transformed after migration.

■ Removable media can be converted to a SafeGuard Easy 6 compatible format. After conversion, an encrypted data medium can only be read with SafeGuard Easy 6 and only at the one endpoint where it was converted.

28.2.2.3 Prepare endpoint computers

■ Prepare the endpoint computers for installation of the encryption software, see Prepare endpoints (page 26).

■ We recommend that you create a valid kernel backup and save this backup in a location that can always be accessed, for example a network share. For further information, see Saving the system kernel and creating emergency media in the SafeGuard Easy 4.5x/Sophos SafeGuard Disk Encryption 4.6x Help.

■ To reduce the risk of data loss, we recommend that you create a test environment for the first migration.

■ When migrating from older versions of SafeGuard Easy, first upgrade to version 4.50.

■ Leave the computers switched on throughout the migration process.

■ Users need a valid Windows account and password. If they do not know their Windows password, because they have previously been logged on to Windows using Secure Automatic Logon, the Windows password has to be reset before migration and the new password has to be forwarded to them.

Note: If users do not know their Windows password, they will not be able to log on to SafeGuard Easy 6. In this case pass-through to Windows is rejected. Thus, there is the risk of data loss as users will not be able to access their computers anymore.

28.2.2.4 Which functionality is migrated

The table below shows which functionality is migrated and how it is handled in SafeGuard Easy 6.

SGE 4.5x/SDE 4.6x: Encrypted hard drives
Migration: Yes
SafeGuard Easy 6: The hard drive keys are protected by Power-on Authentication. So they are at no time exposed. If Boot Protection mode has been selected in SafeGuard Easy 6, the current version has to be uninstalled. The hard drive encryption algorithm is not changed by migration. Therefore the actual algorithm for this type of migrated hard drive may differ from the general policy.

SGE 4.5x/SDE 4.6x: Encrypted removable media (only applicable when migrating from SGE 4.5x)
Migration: Yes
SafeGuard Easy 6: Encrypted removable media remain encrypted and data copied to it will be encrypted. You can access the encrypted data. Removable media that was unencrypted before migration will stay unencrypted after migration.

SGE 4.5x/SDE 4.6x: SGE/SDE user names and passwords
Migration: No
SafeGuard Easy 6: Windows user names and passwords are used in SafeGuard Easy 6. So previous user names and passwords are not needed any longer. After migration, the first user to log on to Windows is set as primary user within the POA (unless they are specified on the Service Account list).

SGE 4.5x/SDE 4.6x: Policies
Migration: No
SafeGuard Easy 6: To make sure that all settings are consistent, no automatic migration is executed. The policies have to be reset in SafeGuard Easy 6.

SGE 4.5x/SDE 4.6x: Pre-Boot Authentication
Migration: No
SafeGuard Easy 6: Pre-Boot Authentication (PBA) is replaced by Power-on Authentication (POA).

SGE 4.5x/SDE 4.6x: Tokens/smartcards (only applicable when migrating from SGE 4.5x)
Migration: To some degree
SafeGuard Easy 6: The token/smartcard hardware can continue to be used in SafeGuard Easy 6. However, the credentials are not migrated. The tokens used before therefore need to be re-issued in SafeGuard Easy 6 and set up using policies. Credentials in file form on token/smartcards remain as such, but can only be used to log on to computers with SafeGuard Easy/Sophos SafeGuard Disk Encryption support. If necessary, the token/smartcard middleware in use has to be upgraded to a version supported by SafeGuard Easy 6.

SGE 4.5x/SDE 4.6x: Logon with Lenovo Fingerprint Reader
Migration: To some degree
SafeGuard Easy 6: Fingerprint logon can continue to be used. The fingerprint reader hardware and software has to be supported by SafeGuard Easy 6 and the fingerprint user data have to be rolled out again. For further information on fingerprint logon, see SafeGuard Easy 6 User help.

28.2.2.5 Start migration

Note:

The installation can be carried out on a running SGE/SDE system. No decryption of encrypted hard drives or volumes is necessary. It is best performed centrally in unattended mode. Installation using the setup folder is not recommended.


Use the SafeGuard full disk encryption package (SGNClient.msi) from the product's install folder with the standard feature set. The SafeGuard package SGNClient_withoutDE.msi cannot be used for migration.

To migrate the endpoints:

1. Double-click WIZLDR.exe from the SafeGuard Easy program folder of the endpoint that is to be migrated. This starts the Migration Wizard.

2. In the Migration Wizard, enter the SYSTEM password and confirm with Next. In Destination folder, click Next and then click Finish. A migration configuration file SGEMIG.cfg is created.

3. In Windows Explorer, rename this file from SGEMIG.cfg to SGE2SGN.cfg.

Note: Owner/creator rights have to be set for this file and the file path where it is stored during migration. Otherwise, migration may fail and a message stating that SGE2SGN.cfg cannot be found is displayed.

4. Enter the "msiexec" command at the command prompt to install the following on the endpoints: the latest pre-installation package, then the latest SafeGuard full disk encryption package. Add the parameter MIGFILE stating the file path of the migration configuration file SGE2SGN.cfg:

Example:

msiexec /i \\Distributionserver\Software\Sophos\SafeGuard\SGxClientPreinstall.msi

msiexec /i \\Distributionserver\Software\Sophos\SafeGuard\SGNClient.msi /L*VX "\\Distributionserver\Software\Sophos\SafeGuard\%Computername%.log" MIGFILE=\\Distributionserver\Software\Sophos\SafeGuard\SGE2SGN.cfg

■ If the migration has been successful, SafeGuard Easy 6 is ready on the computer.

■ If the migration fails, SafeGuard Easy/Sophos SafeGuard Disk Encryption can still be used on the computer. In such cases, SafeGuard Enterprise is automatically removed.
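The following script is an added example of running step 4 unattended on one endpoint; it is not part of the Sophos documentation or product. It assumes the distribution share path used in the example above, that SGE2SGN.cfg has already been created and renamed as in steps 1 to 3, and that it runs with administrative rights on the endpoint. It adds the standard Windows Installer switches /qn (silent) and /norestart, which the page's own command line does not use, and treats exit codes 0 and 3010 (Windows Installer's "success" and "success, restart required") as success.

```powershell
# Added example (not Sophos documentation code): unattended migration of one endpoint
# from SGE 4.5x/SDE 4.6x to SafeGuard Easy 6 with the msiexec parameters from step 4.
# Assumptions: the share holds SGxClientPreinstall.msi, SGNClient.msi and the renamed
# SGE2SGN.cfg; the script runs elevated on the endpoint being migrated.
param(
    [string]$Share   = '\\Distributionserver\Software\Sophos\SafeGuard',
    [string]$MigFile = (Join-Path $Share 'SGE2SGN.cfg'),
    [string]$LogDir  = $Share
)
$ErrorActionPreference = 'Stop'

# The note after step 3 says migration fails if SGE2SGN.cfg cannot be found, so check
# for the file first and show which account owns it (owner/creator rights are required).
if (-not (Test-Path -LiteralPath $MigFile)) {
    throw "Migration configuration file not found: $MigFile"
}
$owner = (Get-Acl -LiteralPath $MigFile).Owner
Write-Host "SGE2SGN.cfg owner: $owner"

function Invoke-Msi {
    param([string]$Msi, [string[]]$ExtraArgs = @())
    # One log per computer and package, as in the page's %Computername%.log example.
    $name = [IO.Path]::GetFileNameWithoutExtension($Msi)
    $log  = Join-Path $LogDir ("{0}-{1}.log" -f $env:COMPUTERNAME, $name)
    # /L*vx is the verbose plus extra-debug log switch used in the page's example;
    # /qn and /norestart are standard msiexec switches added here (assumption).
    $msiArgs = @('/i', "`"$Msi`"", '/qn', '/norestart', '/L*vx', "`"$log`"") + $ExtraArgs
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but restart required (standard Windows Installer codes).
    if ($p.ExitCode -notin @(0, 3010)) {
        throw "msiexec for $Msi failed with exit code $($p.ExitCode); see $log"
    }
    return $p.ExitCode
}

# Step 4: pre-installation package first, then the full disk encryption package with MIGFILE.
Invoke-Msi -Msi (Join-Path $Share 'SGxClientPreinstall.msi') | Out-Null
$rc = Invoke-Msi -Msi (Join-Path $Share 'SGNClient.msi') -ExtraArgs @("MIGFILE=$MigFile")

# Section 28.2.2.6: the computer is protected again only after the second restart.
Write-Host "Migration packages installed (msiexec exit code $rc). Restart the computer twice as described in 28.2.2.6."
```

The script stops at the first package that fails, which matches the page's statement that a failed migration leaves the previous SafeGuard Easy/Sophos SafeGuard Disk Encryption installation usable; the per-package log on the share is where to look for the cause.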

28.2.2.6 Log on to the endpoint after migration

To log on to the endpoint after migration:

1. Restart the computer. The first logon is still achieved with Autologon. New keys and certificates are assigned to the user.

2. Restart the computer for a second time. Log on at the Power-on Authentication. The computers are protected again only after the second restart.

3. To be able to decrypt the hard disk or add and remove keys for hard disk encryption, restart the computer again.

After successful migration the following is available in SafeGuard Easy after logging on at the Power-on Authentication:

■ the keys and algorithms of encrypted volumes.


Encrypted volumes remain encrypted and the encryption keys are automatically converted to a Sophos SafeGuard compatible format.

■ the keys and algorithms for encrypted removable media.

They have to be converted to a Sophos SafeGuard compatible format.

28.2.2.7 Configure migrated endpoints

The endpoint computers are initially configured by configuration packages which, among other aspects, activate the Power-on Authentication.

Prerequisites:

Endpoint configuration should take place only after the POA has been activated and the user has logged on to Windows.

1. Create the initial configuration package in the SafeGuard Policy Editor with the required policy settings: Click Tools > Configuration Package Tool and create the initial configuration package with the required policy settings.

2. Install the configuration package on the endpoint computers.

Note: The policies transferred with the first Sophos SafeGuard configuration package have to correspond to the previous configuration of the SDE/SGE computer.

28.2.2.8 Convert keys for encrypted removable media

Encrypted removable media remain encrypted, but the keys have to be converted to a format that is compatible with SafeGuard Easy 6.

The appropriate policy for volume-based encryption has to be present on the computer before conversion. Otherwise the keys are not converted.

Note:

After conversion, an encrypted data medium can only be read with SafeGuard Easy 6 and only at the one endpoint computer where it was converted.

1. Detach the media from the computer and reinsert it. This ensures that you can decrypt removable media or add and remove keys for removable media encryption.

2. In Windows Explorer, double-click the media you want to access.

3. You are prompted to confirm the transformation of the encryption keys into a SafeGuard Easy 6 compatible format.

■ If you confirm the conversion, full access to the migrated data is provided.

■ If you reject the conversion, the migrated data can still be opened for reading and writing.


28.3 Migrate endpoints to a different license

You can migrate endpoints with only file-based encryption installed (SGNClient_withoutDE.msi) to also support SafeGuard full disk encryption (SGNClient.msi):

1. On the endpoint, uninstall the SGNClient_withoutDE.msi package.

2. Uninstall the relevant configuration package.

3. From the product's install folder, install the SGNClient.msi package. A wizard guides you through installation. Accept the default options, and make sure to select a Complete setup to install all encryption features available.

4. Create a new configuration package and deploy it on the endpoint computer.

Note:

The local keys created during the installation of the SGNClient_withoutDE.msi installation package are still available.


29 About uninstallation

This section covers the following topics:

■ Uninstallation best practices

■ Uninstalling Sophos SafeGuard encryption software

■ Preventing uninstallation of Sophos SafeGuard encryption software

■ Sophos Tamper Protection

29.1 Uninstallation best practice

When the Sophos SafeGuard encryption software is installed on the same computer as SafeGuard Policy Editor, make sure that you follow this uninstallation procedure to be able to continue using one of them:

1. Uninstall SafeGuard Policy Editor.

2. Uninstall the Sophos SafeGuard configuration package.

3. Uninstall the Sophos SafeGuard encryption software.

4. Install the package afresh that you want to continue using.

29.2 Uninstalling Sophos SafeGuard encryption software

Uninstalling the Sophos SafeGuard encryption software from endpoint computers involves the following steps:

■ Decrypt encrypted data.

■ Uninstall the encryption software.

The appropriate policies must be effective on the endpoint computers to allow for decryption and uninstallation.

29.2.1 Preventing uninstallation of Sophos SafeGuard encryption software

To provide extra protection for endpoint computers, we recommend that you prevent local uninstallation of Sophos SafeGuard. In a Machine specific settings policy, set Uninstallation allowed to No and deploy the policy on the endpoints. Uninstallation attempts are then cancelled and the unauthorized attempts are logged.

Note:

If you use a demo version, you should not activate this policy setting or, in any case, should deactivate it before the demo version expires, to ensure easy uninstallation.


29.2.2 Decrypt encrypted data

The following prerequisites must be met:

■ To decrypt encrypted volumes, all volume-based encrypted volumes must have a drive letter assigned to them.

1. In SafeGuard Policy Editor, edit the current policy of the type Device Protection that is assigned to the computers you want to decrypt. Select the targets and set User may decrypt volume to Yes.

2. Create a decryption policy of the type Device Protection, select the targets that are to be decrypted and set the Media encryption mode to No encryption.

3. Create a configuration package that includes the updated policies and deploy it on the endpoints that you want to decrypt.

4. On the endpoint that is to be decrypted, open Windows Explorer. Right-click the volume that should be decrypted and click Encryption > Decryption.

Make sure that the decryption is completed successfully.

Note: When decryption is followed by an uninstallation, we recommend that the endpoint is not hibernated or suspended during decryption. We support but do not recommend that the endpoint is shut down and restarted during decryption.

29.2.3 Start uninstallation

The following prerequisites must be met:

■ Encrypted data has to be decrypted properly before uninstallation to be able to access it afterwards. The decryption process must be completed. Proper decryption is particularly important when uninstallation is triggered by Active Directory.

All encrypted removable media must be decrypted before uninstalling the last accessible Sophos SafeGuard protected computer. Otherwise users may not be able to access their data any more. As long as the Sophos SafeGuard database is available, data on removable media can be recovered.

■ To uninstall SafeGuard full disk encryption, all volume-based encrypted volumes must have a drive letter assigned to them.

■ Make sure that you always uninstall the complete package with all features installed.

1. In SafeGuard Policy Editor, edit the policy of the type Machine-specific settings. Set Uninstallation allowed to Yes.

2. Create a configuration package that includes the uninstallation policy and deploy it on the endpoints that you want to uninstall.


3. To start uninstallation, use one of the following methods:

■ To uninstall locally on the endpoint, select Start > Programs > Control Panel > Add or Remove Programs > Sophos SafeGuard Client > Remove.

■ To uninstall centrally, use the software distribution mechanism of your choice. Make sure that all required data has been decrypted properly before uninstallation starts.
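As an added example of the central method, the script below runs the uninstallation through msiexec once the prerequisites of this section are met; it is not Sophos documentation or product code. It assumes that the product is listed under the same name as in the local-uninstall step, "Sophos SafeGuard Client", that it is a Windows Installer package whose product code is the key name under the standard Uninstall registry key, and that the script runs elevated. Because the page gives no command-line way to query decryption status, the script refuses to run until the operator passes -DecryptionVerified.

```powershell
# Added example (not Sophos documentation code): central uninstallation of the Sophos
# SafeGuard encryption software via msiexec. Assumptions: the Add or Remove Programs entry
# is named "Sophos SafeGuard Client" (the name used in the local-uninstall step), it is an
# MSI product, and the script runs elevated on the endpoint.
param(
    [string]$DisplayName = 'Sophos SafeGuard Client',
    [string]$LogDir      = "$env:SystemRoot\Temp",
    [switch]$DecryptionVerified   # operator confirms all volumes and removable media are decrypted
)
$ErrorActionPreference = 'Stop'

# Section 29.2.3: decryption must be complete before uninstallation, or data becomes
# inaccessible. There is no status query on the page, so require an explicit confirmation.
if (-not $DecryptionVerified) {
    throw 'Run with -DecryptionVerified only after decryption has completed on this endpoint.'
}

# Look up the installed product in both the 64-bit and the 32-bit Uninstall hives and keep
# only entries whose key name is an MSI product code ({GUID}).
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$product = Get-ChildItem -Path $hives -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -eq $DisplayName -and $_.PSChildName -match '^\{[0-9A-F-]{36}\}$' } |
    Select-Object -First 1
if (-not $product) {
    throw "No Windows Installer product named '$DisplayName' is installed on this computer."
}

# Silent removal with a verbose log; /qn and /norestart are standard msiexec switches.
$log = Join-Path $LogDir ("{0}-safeguard-uninstall.log" -f $env:COMPUTERNAME)
$p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList @('/x', $product.PSChildName, '/qn', '/norestart', '/L*vx', "`"$log`"")

# If the Uninstallation allowed policy is No, or Sophos Tamper Protection blocks removal,
# the attempt is cancelled by the product; that surfaces here as a non-zero exit code.
switch ($p.ExitCode) {
    0       { Write-Host "Uninstalled $DisplayName." }
    3010    { Write-Host "Uninstalled $DisplayName; a restart is required." }
    default { throw "msiexec /x failed with exit code $($p.ExitCode); see $log" }
}
```

Deploy it with the distribution tool of your choice after the uninstallation policy from steps 1 and 2 has reached the endpoint; a cancelled attempt is also recorded by the product, as described in 29.2.1.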

29.3 Sophos Tamper Protection

Sophos Tamper Protection prevents casual removal of Sophos SafeGuard, even if the option Uninstallation allowed in the Machine specific settings policy that applies to the endpoint computer is set to Yes or not configured.

Note:

Sophos Tamper Protection only applies to endpoint computers using Sophos Endpoint Security and Control version 9.5 or higher.

You can activate Sophos Tamper Protection in a policy of the type Specific Machine Settings. If the Uninstallation allowed option in this policy is set to Yes or not configured, the option Enable Sophos tamper protection becomes available for selection.

If you set Enable Sophos tamper protection to Yes, any uninstallation attempt is explicitly checked by Sophos Tamper Protection. If Sophos Tamper Protection does not allow uninstallation, the process will be canceled.

If you set Enable Sophos tamper protection to No, uninstallation of Sophos SafeGuard will not be prevented.

If Enable Sophos tamper protection is set to not configured, the default value Yes applies.


30 Technical support

You can find technical support for Sophos products in any of these ways:

■ Visit the SophosTalk community at http://community.sophos.com/ and search for other users who are experiencing the same problem.

■ Visit the Sophos support knowledgebase at http://www.sophos.com/support/.

■ Download the product documentation at http://www.sophos.com/support/docs/.

■ Send an email to [email protected], including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.


31 Legal notices

Copyright © 1996 - 2012 Sophos Group. All rights reserved. SafeGuard is a registered trademark of Sophos Group.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

You find copyright information on third party suppliers in the Disclaimer and Copyright for 3rd Party Software document in your product directory.
