
Endpoint Support

The Management Password

Basics

The Management Password is used by SEE to control administrator access to two help desk functions: Recover /B and the One-Time Password Program.

SEE Policy Administrators or other support personnel who have access to the Management Password snap-in must type the Management Password before they can export computer-specific hard disk recovery files (see “Recover DAT File Generation” on page 36), or run the One-Time Password Program.

The Management Password snap-in is not applicable if your SEE Manager was installed in serverless mode.

Because the Management Password is shared among support personnel, you should establish a protocol for all Management Password changes. This will avoid the situation of one administrator changing the Management Password and preventing other administrators from performing help desk functions which require the Management Password. The Management Password should be backed up and stored in a safe location, as there is no mechanism available for recovering a lost Management Password.

Setting the Management Password

The Management Password is set during the initial installation of the SEE Manager. During subsequent installations of the SEE Manager, the installer detects that the Management Password has already been set, and you do not need to set it again.

Changing the Management Password

To change the Management Password, perform the following steps:

1. Open the SEE Manager.

2. In the navigation pane on the left, click on Symantec Endpoint Encryption Management Password.

Figure 5.1—Management Password Snap-in

3. In the pane on the right, type the existing Management Password, type a new Management Password between 16–32 characters in length, and type the new Management Password again to confirm.

4. Click OK. A confirmation message will be displayed.

Figure 5.2—Management Password Changed, Confirmation Message

5. Click OK.

One-Time Password Program

Basics

The One-Time Password (OTP) Program allows users to recover from a forgotten password with help desk assistance. It also allows users to regain access to their computer after it has been locked for a failure to communicate with the SEE Management Server.

This assistance provides the user with a one-time password—called a response key—which allows the user to temporarily authenticate. The user is then prompted to enter a new password.

To run the help desk side of the utility, you must:

• Use a Manager Computer that has the OTP snap-in installed.

• Log on to that computer using a Windows account that has been provisioned with read access to the SEE database, or have SQL database credentials that will allow you to read the SEE database.

• Know the Management Password.

Be certain of a user’s identity prior to assisting the user with OTP. If the user requesting help is contacting you from their desk, a simple way to help establish their identity is to call them back at the phone number listed in the organization’s phone directory.

Launch

When a user calls for One-Time Password recovery, open the SEE Manager and click on the One-Time Password snap-in.

Figure 5.3—One-Time Password, Welcome

Click Next to begin.

SQL Server Logon Information

If you are currently logged on to Windows as a user that does not have sufficient privileges to read the SEE database, you will be prompted to provide SQL Server database credentials.

Figure 5.4—SQL Server Logon Prompt

Enter SQL database credentials that will allow you read access to the SEE database. Click Connect.

Management Password

Following successful authentication to the SEE database, the One-Time Password Program will request the Management Password.

Figure 5.5—One-Time Password, Management Password

Enter the Management Password and click Next.

Method

Basics

Two methods are available for assisting users: online and offline.

The online method is easier and more secure, but will not succeed unless the Client Computer has made contact with the SEE Management Server at least once following the registration of the user requiring assistance.

Ask the user what method is displayed on their screen. If it is online, continue to the next section. If it is offline, skip to “Offline” on page 33.

Online

After entering the Management Password, you will be prompted to select the method.

Figure 5.6—One-Time Password, Method Selection, Online

Select the Online option. Click Next.

Figure 5.7—One-Time Password, Online Method, Identifying Information

The One-Time Password Program will confirm that the information you have entered corresponds to that stored in the SEE database.

Figure 5.8—One-Time Password, Online Method, Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user’s screen.

Under each box is a checksum. Once the user has typed in the entire response key, ask the user to read back to you the checksums. If the user’s checksums agree with your checksums, the user has correctly entered the data. If a checksum is not in agreement, the user entered one or more response key digits incorrectly. Read the response key to the user again and determine the incorrect portion.

Once the user has entered the response key and the checksums agree, ask the user to click Next. Remain in contact with the user.

If the user gains access to Windows, click Yes.

If the user fails to gain access to Windows, click No. The wizard will initiate the offline method if you have not already tried it. Skip to “Offline” on page 33.

If the user correctly entered the response key, when the user clicks Next, they will gain access to Windows. Remain in contact with the user to make sure they change their password. They should be prompted to do so either before or after Windows loads.

If they don’t get prompted and SSO is enabled, they are not connecting to the domain and this is a Windows issue. If they don’t get prompted and SSO is not enabled, have them open the User Client Console and change their password.

Offline

The offline method can be used if the online method fails or if the Client Computer has never checked in with the SEE Management Server.

Figure 5.9—One-Time Password, Method Selection, Offline

Select the Offline option. Click Next.

Ask the user to provide their OTP personal identifier, which should be displayed on their screen. Ensure that the personal identifier provided corresponds to the person requesting the One-Time Password. If the identifiers do not match, it could indicate that this person is not authorized to access the workstation. Symantec recommends that you halt the process and send a Client Administrator out to help the user in person.

Once you have verified the personal identifier, ask the user to provide you with the challenge key displayed on their screen. Type the digits into the fields on your screen from left to right.

Under each field is a checksum. It is internally generated and uniquely represents, in shorter form, the digits entered in that field. As you enter the challenge key, checksums appear under their fields. Once you have typed in the entire challenge key, ask the user to read back to you the checksums. If the user’s checksums agree with your checksums, you have correctly entered the data. If a checksum is not in agreement, you entered one or more challenge key digits incorrectly. Ask the user to read you the challenge key again and determine the incorrect portion. Most likely, the first mismatching checksum will be below the incorrect portion of the challenge key.
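The checksum read-back described above (for both the challenge key and the response key) can be modelled as follows. This is an added example, not Symantec’s code; SEE’s actual checksum algorithm is not documented here, so a position-weighted sum modulo 97 over assumed four-digit fields is used as a hypothetical stand-in.

```python
# Added example: models the per-field checksum read-back used to verify a
# key exchanged over the phone. The real SEE checksum algorithm is not given
# on this page; the weighted-sum-mod-97 function below is a hypothetical
# stand-in, and the four-digit field width is an assumption.
from typing import List, Optional

FIELD_LEN = 4  # assumed width of one data-entry field


def field_checksum(field: str) -> int:
    """Short check value for one field of digits (stand-in algorithm).

    Digits are weighted by position so that a transposition such as
    5678 -> 5687 yields a different checksum, not just a substitution.
    """
    if len(field) != FIELD_LEN or not field.isdigit():
        raise ValueError(f"field must be {FIELD_LEN} digits: {field!r}")
    return sum((i + 1) * int(d) for i, d in enumerate(field)) % 97


def split_key(key: str) -> List[str]:
    """Split a key read aloud ('1234 5678 9012') into its fields."""
    digits = key.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) % FIELD_LEN:
        raise ValueError("key must consist of whole fields of digits")
    return [digits[i:i + FIELD_LEN] for i in range(0, len(digits), FIELD_LEN)]


def checksums(key: str) -> List[int]:
    """Checksums displayed under each field for the key as typed."""
    return [field_checksum(f) for f in split_key(key)]


def first_mismatch(expected: List[int], read_back: List[int]) -> Optional[int]:
    """Index of the first field whose read-back checksum disagrees, else None.

    The first mismatching field is the one most likely to have been mistyped,
    so only that portion of the key needs to be read out again.
    """
    if len(expected) != len(read_back):
        raise ValueError("checksum lists differ in length")
    for i, (exp, got) in enumerate(zip(expected, read_back)):
        if exp != got:
            return i
    return None


if __name__ == "__main__":
    # Constructed sample: help desk key vs. the user's mistyped copy.
    print(checksums("1234 5678 9012"))                       # help desk screen
    print(first_mismatch(checksums("1234 5678 9012"),
                         checksums("1234 5687 9012")))       # user's screen
```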

Once you have verified and entered the correct challenge key, click Next.

Figure 5.11—One-Time Password, Offline Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user’s screen.

Under each box is a checksum. Once the user has typed in the entire response key, ask the user to read back to you the checksums. If the user’s checksums agree with your checksums, the user has correctly entered the data. If a checksum is not in agreement, the user entered one or more response key digits incorrectly. Read the response key to the user again and determine the incorrect portion.

Once the user has entered the response key and the checksums agree, ask the user to click Next. If they entered the response key correctly, they will gain access to Windows. Stay on the phone with the user to make sure they change their password. They should be prompted to do so either before or after Windows loads. If they don’t get prompted and SSO is enabled, they are not connecting to the domain and this is a Windows issue. If they don’t get prompted and SSO is not enabled, have them open the User Client Console and change their password.

If the user gains access to Windows, accept the default option button selection of Yes and click Next.

If the user fails to gain access to Windows, select the No option button and click Next.

Error Messages

User Record Not Found

This error is applicable to the online method only. After entering the user’s identifying information and clicking Next (Figure 5.7 on page 31), if the computer record is found on the SEE Management Server, but not the user record, the following message will be displayed.

Figure 5.12—One-Time Password, User Record Not Found

This error indicates that the Client Computer in question has succeeded in making contact with the SEE Management Server at least once, but that the user in question was not registered as of the last point of contact.

You should proceed with caution because although human or computer error could have caused this condition, it is also possible that the person you are speaking to is trying to exploit these possibilities to gain access to a computer that s/he is not authorized to access.

Use the SEE Server Reports to help you determine the root cause of the situation. Ask the user if they have registered and when and cross-check their claims with the data stored in the SEE database.

If you are sure that the user is authorized, try the offline method.

If not, send a Client Administrator to help the user in person.

Invalid Code Synchronization

This error is applicable to the online method only. If the user record exists, but the code stored in the SEE database does not agree with the code that the user read to you, an error dialog box appears, similar to the following:

Figure 5.13—One-Time Password, Invalid Code Synchronization

The code on the Client Computer has digits that are incremented each time the One-Time Password Program runs to completion on the Client Computer. When the Client Computer checks in with the SEE Management Server, these codes are synchronized. There are three possible causes of this error:

• The user has completed the One-Time Password process multiple times without reconnecting to the SEE Management Server.

• This is an unauthorized party attempting to guess the response key by triggering the One-Time Password Program over and over.

You can proceed with the recovery assistance process, even when codes are out of sync between the Client Computer and the SEE Management Server; but you should consider taking extra precautions to identify the user.

If you decide to proceed, from the error message box click OK, and then from the Client Computer information screen, click Next; otherwise, click Cancel.

Hard Disk Recovery

Basics

The Recover Program tries to regain access to the hard disk and runs with one of three options:

• The /A option attempts to repair damaged client database files.

• The /D option attempts to repair damaged client database files and then to decrypt the hard disk.

• The /B option is performed only if all other previous steps have failed and requires the assistance of Symantec Technical Support. This option reads from a computer-specific recovery file that contains an important cryptographic key. You create this data file for a particular Client Computer, usually when requested to do so by a Client Administrator. This option is not available for silent clients that have never checked in with the SEE Management Server.

Recover DAT File Generation

Should the Recover /A and /D options fail, you may be called upon to locate and export recovery data sent by a specific Client Computer and stored in the SEE database.

1. Open the Manager Console.

2. Expand the Symantec Endpoint Encryption Server Reports snap-in.

3. Highlight the Computer Status Report.

4. Type the name

Immediately after SEE Full Disk is installed on a Client Computer, Client Computers that are not silent try to contact the SEE Management Server to store Client Computer-specific files necessary for hard disk recovery.

If this contact does not occur, the only recovery options available will be Recover /A and /D. Recover /A and /D do not require computer-specific recovery information stored in the SEE Management Server. For this reason, it is critical to make sure that each Client Computer succeeds in checking in at least once.

Figure 5.14—Manager Console, Computer in Need of Recovery Highlighted

5. Click Recover.

6. You will be prompted to enter the Management Password.

Figure 5.15—Management Password Prompt

7. Enter the Management Password and click OK.

8. You will be prompted to enter a password to protect the Recover DAT file.

Figure 5.16—Recovery Password Prompt

9. Enter a Recovery Password of at least 16 characters and no more than 32 characters. The Client Administrator must enter this password before they can run Recover /B on that computer. Symantec recommends a high entropy password containing mixed case, numbers, and special characters not found in a dictionary.

10. Enter the same password again in the Confirm password field. Then click OK.

11. You will be presented with a browse dialog.

Figure 5.17—Recovery Data Export Dialog

12. Navigate to the desired destination of the Recover DAT file. Because the Client Administrator will need this file while running the Recover Program from a Windows PE CD/DVD, you should either save the file to a network location that will be accessible from the Client Computer or to removable media other than CD.

13. Assign an informative name to the file. Because the file is computer-specific, you might consider using the name of the computer in need of recovery. Because the recover data will change following a successful recovery, consider using the current date and time.

14. Click OK.

Figure 5.18—Recovery Data Export Success Message

15. Click OK on the confirmation message.

16. Provide the media containing the file or the network location of the file to the Client Administrator. Also inform the Client Administrator of the Recovery Password. Due to the sensitive nature of the Recovery Password, consider using a secure channel.
