
Endpoint Support

The Management Password

Basics

The Management Password controls administrator access to Recover /B and the Help Desk Program.

Symantec Endpoint Encryption Policy Administrators or other support personnel who have access to the

Management Password snap-in must type the Management Password before they can export computer-specific hard disk recovery files (“Recover DAT File Generation” on page 54), run the One-Time Password Program (“One-Time Password Program” on page 42), or run Whole Disk Recovery Token ().

Because of the importance of the Management Password, you should establish a protocol for all Management Password changes. This will avoid the situation of one administrator changing the Management Password and preventing other administrators from performing help desk functions which require the Management Password. The Management Password should be stored in a safe location, as there is no mechanism available for recovering a lost Management Password.

Changing the Management Password

To change the Management Password, perform the following steps:

1. Open the Symantec Endpoint Encryption Manager.

2. In the navigation pane on the left, click on Symantec Endpoint Encryption Management Password.

Figure 5.1—Management Password Snap-in

3. In the pane on the right, type the existing Management Password, then type a new Management Password of at least two and no more than 32 characters. Type the new Management Password again to confirm.

4. Click OK. A confirmation message will be displayed.

Figure 5.2—Management Password Changed, Confirmation Message

5. Click OK.

One-Time Password Program

Basics

The One-Time Password (OTP) Program allows Windows users to recover from a forgotten password, PIN, or token with help desk assistance. It also allows users to regain access to their Windows computer after it has been locked for a failure to communicate with the Symantec Endpoint Encryption Management Server.

This assistance provides the user with a one-time password—called a response key—which allows the user to temporarily authenticate. A password-based user is then prompted to enter a new password.

To run the help desk side of the utility, you must:

• Use a Manager Computer that has the Help Desk Program snap-in installed.

• Log on to that computer using a Windows account that has been provisioned with read access to the Symantec Endpoint Encryption database, or log on to the Manager Console using SQL database credentials that will allow you to read the Symantec Endpoint Encryption database.

• Know the Management Password.

Be certain of a user’s identity prior to assisting the user with OTP. If the user requesting help is contacting you from their desk, a simple way to help establish their identity is to call them back at the phone number listed in the organization’s phone directory.

Policy Administrator Guide Endpoint Support

Launch

When a user calls for One-Time Password recovery, open the Symantec Endpoint Encryption Manager, expand SEE Help Desk, and click on the SEE OTP Program snap-in.

Figure 5.3—One-Time Password, Welcome

Click Next to begin.

Management Password

If you haven’t already provided the Management Password this Manager Console session, the One-Time Password Program will request the Management Password.

Figure 5.4—One-Time Password, Management Password

Enter the Management Password and click Next.

Method

Basics

Two methods are available for assisting users: online and offline.

The online method is easier and more secure, but will not succeed unless the Client Computer has made contact with the Symantec Endpoint Encryption Management Server at least once following the registration of the user requiring assistance.

Ask the user what method is displayed on their screen. If it is online, continue to the next section. If it is offline, skip to “Offline” on page 47.


Online

After entering the Management Password, you will be prompted to select the method.

Figure 5.5—One-Time Password, Method Selection, Online

Select the Online option. Click Next.

Figure 5.6—One-Time Password, Online Method, Identifying Information

Ask the user to tell you their user name, domain, computer name, and the code that appears on their screen. Enter this data in the corresponding fields, then click Next.

The One-Time Password Program will confirm that the information you have entered corresponds to that stored in the Symantec Endpoint Encryption database.

Figure 5.7—One-Time Password, Online Method, Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user’s screen.

Under each box is a checksum. Once the user has typed in the entire response key, ask the user to read back to you the checksums. If the user’s checksums agree with your checksums, the user has correctly entered the data. If a checksum is not in agreement, the user entered one or more response key digits incorrectly. Read the response key to the user again and determine the incorrect portion.

Once the user has entered the response key and the checksums agree, ask the user to click Next. Remain in contact with the user.

If the user gains access to Windows, click Yes.

If the user fails to gain access to Windows, click No. The wizard will initiate the offline method if you have not already tried it. Skip to “Offline” on page 47.

If the user correctly entered the response key, when the user clicks Next, they will gain access to Windows. If this is a user that forgot their password, remain in contact with the user to make sure they change their password. They should be prompted to do so either before or after Windows loads.

If they don’t get prompted and SSO is enabled, they are not connecting to the domain and this is a Windows issue. If they don’t get prompted and SSO is not enabled, have them open the User Client Console and change their password.


Offline

The offline method can be used if the online method fails or if the Client Computer has never checked in with the Management Server.

Figure 5.8—One-Time Password, Method Selection, Offline

Select the Offline option. Click Next.

Figure 5.9—One-Time Password, Offline Challenge Key

Ask the user to tell you each character of the OTP personal identifier that is displayed on their screen. Type this value in the Personal identifier box. Double-check the value with the user, as an incorrect entry here could cause the OTP process to fail.

Then ask the user to provide you with the challenge key displayed on their screen. Type the digits into the fields on your screen from left to right.

Under each field is a checksum. It is internally generated and uniquely represents, in shorter form, the digits entered in that field; as you enter the challenge key, checksums appear under their fields. To verify that you have entered the correct challenge key, once you have typed in the entire key ask the user to read back to you the checksums shown on their screen. If the user’s checksums agree with yours, you have correctly entered the data. If a checksum is not in agreement, you entered one or more challenge key digits incorrectly: ask the user to read you the challenge key again and check it against what you have typed. Most likely, the first mismatching checksum will be below the incorrect portion of the challenge key.
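The per-field checksums used to verify the challenge key (this section) and the response key (the online and offline response-key steps above) are a transcription check: only the short check values need to cross the phone line, and the first mismatching one points at the field to re-read. The following is an added example, not Symantec's code; the product's checksum algorithm is not documented on the page, so it uses an assumed position-weighted sum mod 97 over assumed five-digit fields, and the sample keys are constructed.

```python
"""Per-field check digits for reading a long numeric key over the phone.

Added example, not Symantec's code: the product's checksum algorithm is not
documented on the page, so this uses an assumed position-weighted sum mod 97
per five-digit field. The field length and the sample keys are constructed.
"""
from typing import List, Optional, Tuple

FIELD_LEN = 5  # assumed number of digits per on-screen field


def field_checksum(field: str) -> int:
    """Check value (0..96) for one field.

    Position weights mean a transposed pair (..89.. vs ..98..) changes the
    result, which a plain digit sum would miss.
    """
    if len(field) != FIELD_LEN or not field.isdigit():
        raise ValueError(f"field must be {FIELD_LEN} digits, got {field!r}")
    return sum((i + 1) * int(d) for i, d in enumerate(field)) % 97


def split_fields(key: str) -> List[str]:
    """Split a key such as '12345 67890 24680' into its fields (separators ignored)."""
    digits = key.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) % FIELD_LEN != 0:
        raise ValueError("key must consist of digits in whole fields")
    return [digits[i:i + FIELD_LEN] for i in range(0, len(digits), FIELD_LEN)]


def checksums_for(key: str) -> List[int]:
    """The checksums the screen would show under each field of this key."""
    return [field_checksum(f) for f in split_fields(key)]


def first_mismatch(expected: List[int], read_back: List[int]) -> Optional[int]:
    """0-based index of the first field whose read-back checksum differs, or None."""
    if len(expected) != len(read_back):
        raise ValueError("checksum lists differ in length")
    for i, (a, b) in enumerate(zip(expected, read_back)):
        if a != b:
            return i
    return None


def verify_transcription(sent_key: str, typed_key: str) -> Tuple[bool, Optional[int]]:
    """Help-desk check: does the key the user typed match the key you read out?

    Returns (ok, index_of_first_bad_field). Only the checksums are compared,
    which is why re-reading a single field is enough to repair the entry.
    """
    bad = first_mismatch(checksums_for(sent_key), checksums_for(typed_key))
    return bad is None, bad


if __name__ == "__main__":
    sent = "12345 67890 24680"       # constructed response key read out by the help desk
    typed = "12345 67980 24680"      # user transposed two digits in the second field
    print(checksums_for(sent))       # checksums on the help-desk screen: [55, 80, 60]
    print(checksums_for(typed))      # checksums the user reads back:     [55, 79, 60]
    print(verify_transcription(sent, typed))  # (False, 1): re-read the second field
```

The same routine covers the challenge key in the opposite direction (the user reads the key, the help desk types it): swap which side is `sent_key` and which is `typed_key`.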

Once you have verified and entered the correct challenge key, click Next.

Figure 5.10—One-Time Password, Offline Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user’s screen.

Under each box is a checksum. Once the user has typed in the entire response key, ask the user to read back to you the checksums. If the user’s checksums agree with your checksums, the user has correctly entered the data. If a checksum is not in agreement, the user entered one or more response key digits incorrectly. Read the response key to the user again and determine the incorrect portion.


Once the user has entered the response key and the checksums agree, ask the user to click Next. If they entered the response key correctly, they will gain access to Windows. If this is a password user, stay on the phone with the user to make sure they change their password. They should be prompted to do so either before or after Windows loads. If they don’t get prompted and SSO is enabled, they are not connecting to the domain and this is a Windows issue. If they don’t get prompted and SSO is not enabled, have them open the User Client Console and change their password.

Accept the default option button selection of Yes and click Next.

If the user fails to gain access to Windows, select the No option button and click Next.

Error Messages

User Record Not Found

This error is applicable to the online method only. After entering the user’s identifying information and clicking Next (Figure 5.6 on page 45), if the computer record is found in the Symantec Endpoint Encryption database, but not the user record, the following message will be displayed.

Figure 5.11—One-Time Password, User Record Not Found

This error indicates that the Client Computer in question has succeeded in making contact with the Management Server at least once, but that the user in question was not registered as of the last point of contact.

You should proceed with caution because although human or computer error could have caused this condition, it is also possible that the person you are speaking to is trying to exploit these possibilities to gain access to a computer that s/he is not authorized to access.

Use the Symantec Endpoint Encryption Reports to help you determine the root cause of the situation. Ask the user if they have registered and when and cross-check their claims with the data stored in the Symantec Endpoint Encryption database.

If you are sure that the user is authorized, try the offline method.

If not, send a Client Administrator to help the user in person.

Invalid Code Synchronization

This error is applicable to the online method only. If the user record exists, but the code stored in the Symantec Endpoint Encryption database does not agree with the code that the user read to you, an error dialog box appears, similar to the following:

Figure 5.12—One-Time Password, Invalid Code Synchronization

The code on the Client Computer has digits that are incremented each time the One-Time Password Program runs to completion on the Client Computer. When the Client Computer checks in with the Symantec Endpoint Encryption Management Server, these codes are synchronized. There are two possible causes of this error:

• The user has completed the One-Time Password process multiple times without reconnecting to the Management Server.

• This is an unauthorized party attempting to guess the response key by triggering the One-Time Password Program over and over.

You can proceed with the recovery assistance process, even when codes are out of sync between the Client Computer and the Management Server; but you should consider taking extra precautions to identify the user.

If you decide to proceed, from the error message box click OK, and then from the Client Computer information screen, click Next; otherwise, click Cancel.
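The synchronization check behind this error can be modelled to make the decision rule explicit. The block below is an added example, not product code. It assumes the code is an integer counter that the Client Computer increments on each completed OTP run and that the Management Server copies at every check-in; the drift threshold `DRIFT_ALERT` at which extra identity checks are escalated is an assumption, not a product setting, and the computer name is constructed.

```python
"""Model of the OTP code synchronization behind the 'Invalid Code
Synchronization' error.

Added example, not product code. Assumptions: the code is an integer counter
that the Client Computer increments each time the One-Time Password Program
runs to completion, the Management Server copies it at every check-in, and a
drift of DRIFT_ALERT or more completed runs without a check-in is the point at
which the help desk escalates identity verification. Computer names are
constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

DRIFT_ALERT = 3  # assumed threshold, not a product setting


@dataclass
class ClientComputer:
    name: str
    otp_code: int = 0

    def complete_otp(self) -> None:
        """The OTP program ran to completion on this client: advance the code."""
        self.otp_code += 1


@dataclass
class ManagementServer:
    synced_codes: Dict[str, int] = field(default_factory=dict)

    def check_in(self, client: ClientComputer) -> None:
        """A check-in copies the client's current code into the database."""
        self.synced_codes[client.name] = client.otp_code

    def stored_code(self, name: str) -> int:
        return self.synced_codes[name]


def check_code_sync(db_code: int, reported_code: int) -> Tuple[str, int]:
    """Compare the database code with the code the caller read from the screen.

    Returns (status, drift) where drift = reported - stored:
      'in_sync'       the codes agree
      'client_ahead'  OTP completed `drift` times since the last check-in
      'inconsistent'  the reported code is behind the database, which the
                      assumed counter model cannot produce; treat as suspicious
    """
    drift = reported_code - db_code
    if drift == 0:
        return "in_sync", 0
    if drift > 0:
        return "client_ahead", drift
    return "inconsistent", drift


def help_desk_action(status: str, drift: int) -> str:
    """Decision: proceed, proceed with extra identity checks, or escalate."""
    if status == "in_sync":
        return "proceed"
    if status == "client_ahead" and drift < DRIFT_ALERT:
        return "proceed with extra identity checks"
    return "escalate: verify identity out of band before proceeding"


if __name__ == "__main__":
    server = ManagementServer()
    pc = ClientComputer("WS-0042")            # constructed name
    server.check_in(pc)                       # codes synchronized at 0
    pc.complete_otp()
    pc.complete_otp()                         # two OTP recoveries, no check-in since
    status, drift = check_code_sync(server.stored_code(pc.name), pc.otp_code)
    print(status, drift, help_desk_action(status, drift))
```

A small positive drift matches the first cause listed above (repeated legitimate recoveries without a check-in); a large one is the pattern the second cause would produce, which is why the threshold escalates rather than blocks: the page leaves the final call to the help desk.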

Whole Disk Recovery Token (WDRT)

Basics

The Whole Disk Recovery Token (WDRT) snap-in allows you to assist Mac users that have forgotten their passwords.

This assistance provides the user with a string of characters which will allow the user to authenticate once.

To run the help desk side of the utility, you must:

• Use a Manager Computer that has the Help Desk Program snap-in installed.

• Log on to that computer using a Windows account that has been provisioned with read access to the Symantec Endpoint Encryption database, or log on to the Manager Console using SQL database credentials that will allow you to read the Symantec Endpoint Encryption database.

• Know the Management Password.

Be certain of a user’s identity prior to assisting the user with WDRT. If the user requesting help is contacting you from their desk, a simple way to help establish their identity is to call them back at the phone number listed in the organization’s phone directory.


Launch

When a user calls for WDRT recovery, open the Symantec Endpoint Encryption Manager, expand SEE Help Desk, and click on the SEE Whole Disk Recovery Token (WDRT) snap-in.

Figure 5.13—Whole Disk Recovery Token, Welcome

Click Next to begin.

Management Password

If you haven’t already provided the Management Password this Manager Console session, the Whole Disk Recovery Token program will request the Management Password.

Figure 5.14—Whole Disk Recovery Token Program, Management Password

Type the Management Password and click Next.

User Identity

You will be requested to provide the user’s identifying information.

Figure 5.15—Whole Disk Recovery Token Program, Identify User

Ask the user to read you the digits that appear next to UUID on their screen and type them into the Machine/Disk ID


Ask the user their user name and type it into the User Name box.

Click Next once you have completed your entries.

Token

If the identifying information is correct, you will be provided with the recovery token.

Figure 5.16—Whole Disk Recovery Token Program, Token Characters

If the data provided by the user and typed into the previous panel is valid, the Manager Console will generate a set of characters. Provide the characters to the user. The user must type these characters into the Token box on their screen.

Stay in contact with the user to verify that they have succeeded in regaining access to their Mac. Then accept the default option button selection of Yes and click Next.

If the user fails to gain access to the Mac, select the No option button and click Next.

Hard Disk Recovery for Windows Computers

Basics

The Recover Program tries to regain access to the hard disk of Windows computers. It runs with three options:

• The /A option attempts to repair damaged client database files.

• The /D option attempts to repair damaged client database files and then to decrypt the hard disk.

• The /B option is performed only if all other previous steps have failed and requires the assistance of Symantec technical support. This option reads from a computer-specific recovery file that contains an important cryptographic key. You create this data file for a particular Client Computer, usually when requested to do so by a Client Administrator. This option is not available for silent clients that have never checked in with the Management Server.

Recover DAT File Generation

Should the Recover /A and /D options fail, you may be called upon to locate and export recovery data sent by a specific Client Computer and stored in the Symantec Endpoint Encryption database. All Client Computer reports offer the option to export recovery data. This option will only be available if Full Disk is installed on the Client Computer. As long as you have all or some of the computer name, you may find the Computer Status Report to be the most convenient.

1. Open the Manager Console.

2. Expand the Symantec Endpoint Encryption Reports snap-in.

3. Highlight the Computer Status Report.

Figure 5.17—Manager Console, Computer in Need of Recovery Highlighted

4. Type the name of the computer in need of recovery in the Enter Computer Names field.

5. Click Run.

6. Highlight the computer.

7. Click Recover.

8. You will be prompted to enter the Management Password.

Figure 5.18—Management Password Prompt

9. Enter the Management Password and click OK.

Immediately after Full Disk is installed on a Client Computer, Client Computers that are not silent try to contact the Management Server to store Client Computer–specific files necessary for hard disk recovery. If this contact does not occur, the only recovery options available will be Recover /A and /D. Recover /A and /D do not require computer-specific recovery information stored in the Management Server. For this reason, it is critical to make sure that each Client Computer succeeds in checking in at least once.


10. You will be prompted to enter a password to protect the Recover DAT file.

Figure 5.19—Recovery Password Prompt

11. Enter a Recovery Password of at least 16 characters and no more than 32 characters. The Client Administrator must enter this password before they can run Recover Program /B on that computer. Symantec recommends a high entropy password containing mixed case, numbers, and special characters not found in a dictionary.

12. Enter the same password again in the Confirm password field. Then click OK.

13. You will be presented with a browse dialog.

Figure 5.20—Recovery Data Export Dialog

14. Navigate to the desired destination of the Recover DAT file. Because the Client Administrator will need this file while running the Recover Program CD/DVD, you should either save the file to a network location that will be accessible from the Client Computer or to removable media other than CD.

15. Assign an informative name to the file. Because the file is computer-specific, you might consider using the name of the computer in need of recovery. Because the recover data will change following a successful recovery, consider using the current date and time.

16. Click OK.

Figure 5.21—Recovery Data Export Success Message

17. Click OK on the confirmation message.

18. Provide the media containing the file or the network location of the file to the Client Administrator. Also inform the Client Administrator of the Recovery Password. Due to the sensitive nature of the Recovery Password, consider using a secure channel.
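Step 11 gives the Recovery Password policy (16 to 32 characters, mixed case, digits and special characters, nothing found in a dictionary). The block below is an added example, not product code, that generates a password meeting that policy from the operating system's CSPRNG and validates a candidate against it. The length bounds and character-class recommendation come from the guide; the particular special-character set, the default length of 24 and the word list used for the dictionary check are assumptions.

```python
"""Generate and validate a Recovery Password for a Recover DAT file.

Added example, not product code. The length bounds (16 to 32) and the
recommendation for mixed case, digits and special characters come from the
guide; the specific special-character set, the default length and the word
list used for the dictionary check are assumptions.
"""
import secrets
import string
from typing import Iterable

MIN_LEN, MAX_LEN = 16, 32
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"  # assumed set; adjust to what the console accepts
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)


def meets_policy(password: str, wordlist: Iterable[str] = ()) -> bool:
    """True if the password is 16..32 characters, contains every character
    class, has no whitespace and contains no word of four or more letters
    from `wordlist` (case-insensitive substring match)."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    if any(ch.isspace() for ch in password):
        return False
    if not all(any(ch in cls for ch in password) for cls in CLASSES):
        return False
    lowered = password.lower()
    return not any(w.lower() in lowered for w in wordlist if len(w) >= 4)


def generate_recovery_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG with at least one char of each class."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    chars = [secrets.choice(cls) for cls in CLASSES]   # one guaranteed per class
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)               # hide the class order
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_recovery_password()
    print(pw, meets_policy(pw))
```

The validator is useful on its own when a Client Administrator proposes a password rather than accepting a generated one; a generated password of this shape is never a dictionary word, which is why the dictionary check only needs to run on human-chosen candidates.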

Policy Administrator Guide System Event Logging

Appendix A. System Event Logging

Basics

This appendix itemizes the events logged by Symantec Endpoint Encryption on Windows Client Computers. The events are available from the Windows System Event Viewer.

Framework System Events List

The following table lists the individual Framework–generated Windows system events logged on the Client Computer. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a description of the event indicating the type, source, or policy that generated the event (Internal, Program Action, Initial Setting, Settings Change, or Utility).

Table A.1—Framework System Events

Event ID    Severity    Description    Explanation
