
EMBASSY® Remote Administration Server (ERAS) Administrator Manual

Part III – BitLocker, Trusted Platform Module, SafeNet ProtectDrive and Dell BIOS & CV Management

ERAS Version 2.8, Document Version 1.0.0.20

Wave Systems Corp. 2011


2 Contents | Wave Systems Corp.  2011

Contents

1. Remote Administration of BitLocker
   1.1 BitLocker Management Wizard
       Additional Management Features
   1.2 BitLocker Requirements
   1.3 BitLocker by Default
   1.4 BitLocker Decryption in ERAS
   1.5 BitLocker without a TPM
   1.6 BitLocker ERAS Limitations
   1.7 Recovery
   1.8 User Forgot PIN
   1.9 User Motherboard Broken
   1.10 Move Data Drive to Other PC
   1.11 TPM Management using ESC with BitLocker
   1.12 FIPS Compliance

2. Remote Administration of TPM-enabled Clients
   ERAS identities and authorizations
   ERAS to provision TPM-enabled clients
   2.1 ERAS TPM management functions
       TPM Activation
       TPM enrollment & ownership
       Managing TPM
       TPM Management Wizard
       Managing Multiple TPMs
   2.2 TPM Management Tab
       Adding delegated owner
       Remove a Delegated Owner
       TPM Status
       Query a TPM / Update Status
       TPM Enable / TPM Disable
       Change ownership
       TPM Physical Presence authorized operations commands

3. SafeNet ProtectDrive clients with ERAS
   ProtectDrive Connector installation
   ProtectDrive Management
   Get Recovery Password
   ProtectDrive Backup and Recovery Procedure
       Backup Procedure
       Recovery Procedure

4. BIOS and ATA Hard Drive passwords management
   System BIOS Management Tab
   BIOS ATA HDD Password Setup

5. ControlVault Management
   CV User Management

1. Remote Administration of BitLocker

ERAS 2.8 manages "BitLocker Ready" clients running Windows 7 Ultimate or Enterprise. For domain clients, the ERASService account must also be added to the local Administrators group on the client. This is not required when the client is managed as a workgroup or non-trusted-domain machine; in that case the requirement is instead that the ERASConnector be installed on the client.

To enable BitLocker management from ERAS, open the Server Settings UI and set Enable BitLocker Management to True. Deviating from the default deployment may also require editing the BitLocker Group Policy settings: using 256-bit keys, allowing BitLocker without a TPM, or changing the permitted PIN/password characters or minimum length are all controlled by those policies.

1.1 BitLocker Management Wizard

BitLocker can encrypt the OS volume or data volumes. Management can be performed from the Computer Management Wizard or from the BitLocker Management Tab. To start the wizard, right-click the device to be managed, select the Manage Devices menu, then select Manage BitLocker Volume(s)... The Computer Management Wizard is displayed. At this point additional computers can be added with the Add computers... button; then click Continue.

Note that a check box at the bottom of the wizard allows device management to be skipped.

The Enable Auto Unlock box can also be checked to enable that feature.

The left dropdown next to Initialization Type selects the volume type:

• OS Volume
• First Data Volume

The right dropdown selects the authentication method (key protector):

• Startup Key
• Startup Password
• TPM
• TPM w/PIN
• TPM w/Startup Key
• TPM w/PIN & Startup Key


The BitLocker Management Tab is accessed by highlighting the computer in the ERAS console, right-clicking, selecting Properties and then choosing the BitLocker Management tab. The tab lists the volume(s) currently being managed by BitLocker: drive, volume type and encryption status are displayed along with the total size of the partition and the available free space.

A disk can be selected and refreshed with the Refresh button; the Uninitialize and Manage buttons reside above the BitLocker Volume information at the bottom. Right-clicking a volume allows the encryption process on that volume to be paused or resumed. To access BitLocker Volume Key Management, click the Manage button.

The BitLocker Volume Key Management window allows the security settings of the BitLocker drive to be managed. Its buttons change the settings described on the left of the management window. The top portion of the window allows the PIN or passphrase to be reset, auto unlock to be enabled and the key protectors to be suspended. The lower portion covers key recovery and resetting the recovery password key; it also allows the Administrator to retrieve the recovery password by clicking Get Password. Note that recovery passwords cannot be retrieved for a drive in FIPS mode (see 1.12).

Additional Management Features

BitLocker Volume Security Settings:

• Reset PIN: allows the Administrator to reset the PIN
• Enable Auto-Unlock: allows the volume to be unlocked automatically at startup
• Suspend Key Protectors: authentication to the volume can be toggled off (the volume stays encrypted but unlocks without authentication until the protectors are resumed, so treat suspension as a temporary maintenance state)

BitLocker Recovery Settings:

• Reset Password: allows the Administrator to reset the recovery password
• Reset Key: allows a reset of the TPM BEK in cases of recovery (for example after a motherboard replacement, see 1.9)
• Export Key: allows the export of a BEK recovery file

1.2 BitLocker Requirements

• ERAS 2.8: please refer to the ERAS Installation Guide for requirements and environment.
• BitLocker domain clients with either Windows 7 Ultimate or Windows 7 Enterprise (with a BitLocker-ready partition).
• Ensure the ERASService account is added to the Administrators group on the client machine for WMI communication with domain-joined ERAS clients.
  o This requirement does not apply to Foreign Clients, since it is resolved by ERASConnector.msi during client-initiated management.
• A Windows Server 2008 R2 domain controller to deploy the BitLocker GPO (when using the BitLocker default settings).
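As an added example (not part of the manual and not ERAS code), the following PowerShell script checks the client-side requirements above on a candidate Windows 7 client: the edition, membership of the ERASService account in the local Administrators group, that the BitLocker WMI provider answers, and whether a TPM is visible. The account name 'ERASService' is taken from the manual; everything else, including the script itself, is assumed. Run it from an elevated prompt on the client.

```powershell
# Added example, not ERAS code: client-side pre-flight for BitLocker management.
# Assumes the ERAS service account is the local account name 'ERASService'
# (override with -ServiceAccount for a domain account's sAMAccountName).
param([string]$ServiceAccount = 'ERASService')

$os = Get-WmiObject -Class Win32_OperatingSystem
# ERAS 2.8 manages Windows 7 Ultimate or Enterprise only (1.2)
$editionOk = ($os.Caption -match 'Windows 7') -and ($os.Caption -match 'Ultimate|Enterprise')

# Domain clients: the service account must be a local administrator for WMI/DCOM.
# Not needed for Foreign Clients, which use the ERASConnector instead.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$serviceIsAdmin = $members -contains $ServiceAccount

# A TPM is only mandatory for TPM-based protectors; Startup-Key-only works without one (1.5).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
$tpmPresent = ($tpm -ne $null)

# The BitLocker WMI provider is what ERAS drives over DCOM; it only answers an elevated caller.
$vols = @(Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue)
$providerOk = ($vols.Count -gt 0)

New-Object PSObject -Property @{
    Edition             = $os.Caption
    EditionSupported    = $editionOk
    ServiceIsLocalAdmin = $serviceIsAdmin
    TpmPresent          = $tpmPresent
    BitLockerProviderOk = $providerOk
    VolumesSeen         = (($vols | ForEach-Object { $_.DriveLetter }) -join ', ')
} | Format-List

# A non-zero exit lets a deployment tool gate ERAS enrolment on these checks.
if (-not ($editionOk -and $serviceIsAdmin -and $providerOk)) { exit 1 }
```

The ERAS-side switch (Enable BitLocker Management in Server Settings) cannot be checked from the client; this script covers only what the client must satisfy.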

1.3 BitLocker by Default

ERAS adds the Startup Key option to the BitLocker Data Volume as a default setting. The table below summarises the default BitLocker settings applied by ERAS versus those of Windows 7.

Volume Type   TPM        Password        PIN      Startup Key
ERAS
  OS          TPM Only   -               -        Startup Key
  Data        -          Password        -        Startup Key
Windows 7 (Ultimate or Enterprise)
  OS          TPM Only   -               No PIN   No Startup Key
  Data        -          Password Only   -        -

By default BitLocker uses the AES algorithm in CBC mode with a 128-bit key, combined with a diffuser that adds disk-encryption-specific protection not provided by AES-CBC alone; Microsoft calls this layer the "Elephant" diffuser. A 256-bit key must be selected through the "Choose drive encryption method and cipher strength" Group Policy setting before a volume is initialized; the method cannot be changed afterwards without decrypting.

For fixed data drives the policy "Configure use of passwords for fixed data drives" applies. Passwords are supported with the default settings, which impose no complexity requirements and require a minimum of only 8 characters.

1.4 BitLocker Decryption in ERAS

ERAS still owns the volume while it is decrypting, and the recovery PIN and password can still be obtained during that time. Only once the volume is fully decrypted is it released from ERAS ownership. As a consequence, when a BitLocker drive is uninitialized the message "Un-initialize has been successful." appears immediately, yet ERAS ownership is only released once the volume is fully decrypted.

1.5 BitLocker without a TPM

If the client computer does not have a TPM, BitLocker can only protect the OS volume with a Startup Key on a USB flash drive as the sole authentication method. This also requires editing the BitLocker Group Policy setting (on Windows 7, "Require additional authentication at startup" with "Allow BitLocker without a compatible TPM" checked).

1.6 BitLocker ERAS Limitations

• No remote management of BitLocker To Go
• The BitLocker Data Recovery Agent (DRA) option is not supported by ERAS
• The TPM must be enabled and activated as a prerequisite for ERAS management of the TPM

1.7 Recovery

The ERAS helpdesk provides the recovery password and recovery key in case users need to recover a BitLocker-enabled disk.

1.8 User Forgot PIN

The user must obtain the recovery password or recovery key to unlock the drive, then ask the ERAS operator or Helpdesk to reset the PIN.

1.9 User Motherboard Broken

The user can connect the hard disk to another motherboard, obtain the recovery password or key, and start the OS. The ERAS operator then disables or deletes the old TPM protector and creates a new TPM protector bound to the new motherboard's TPM using the 'Reset Key' button.

1.10 Move Data Drive to Other PC

Auto unlock will no longer work. The user must obtain the recovery password or recovery key from the Helpdesk to unlock the drive.

1.11 TPM Management using ESC with BitLocker

As mentioned earlier, BitLocker management does not require Wave software on the client. Where TPM management is also required, Wave ETS software can be used to manage the TPM and to use it as key protector. This requires the ERASConnector or ERASProvider to be installed before the OS volume is initialized with BitLocker; if they are installed after BitLocker has already initialized the OS volume, ERAS will not be able to manage the TPM.

DCOM error message:

"Unable to set up DCOM connection between ERAS server and the client platform." can be caused by the Windows BitLocker wizard running on the client.

It is highly recommended to review the ERAS BitLocker Deployment Guide and the Microsoft documentation referenced in the ERAS Admin Manual before deploying BitLocker.

1.12 FIPS Compliance

Federal Information Processing Standard (FIPS) Group Policy settings in Windows 7 can require FIPS compliance. Keep in mind that if your organization is FIPS-compliant, BitLocker-protected removable drives cannot be opened by computers running Windows XP or Windows Vista.

To use BitLocker in a FIPS-compliant environment, enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Group Policy setting, found in the Local Group Policy Editor under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, before turning on BitLocker.

When a drive is initialized as a BitLocker drive with FIPS enabled, the recovery password capability is removed to meet FIPS compliance (BitLocker does not create numerical recovery passwords in FIPS mode). Expect an error message when trying to retrieve a password for a FIPS-compliant BitLocker drive.

This means that to recover such a drive one needs to export a recovery key for that device from the ERAS database using 'Export Key' in the BitLocker Volume Key Management UI.
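The two points above (the default AES-128 + diffuser of 1.3 and the loss of recovery passwords under FIPS in 1.12) can be audited on a client through the same BitLocker WMI provider ERAS uses. The following PowerShell is an added example, not ERAS code and not part of the manual: the method and protector codes are those documented for Win32_EncryptableVolume on Windows 7, the registry value is the one the "Use FIPS compliant algorithms" policy sets, and the warnings are my reading of the manual's rule. Run it elevated.

```powershell
# Added example, not ERAS code: audit each BitLocker volume against the ERAS
# defaults (1.3) and the FIPS recovery rule (1.12). Codes follow the Windows 7
# Win32_EncryptableVolume documentation. Requires an elevated prompt.

$methodNames = @{
    0 = 'None'
    1 = 'AES-128 CBC + Elephant diffuser (Windows 7 default)'
    2 = 'AES-256 CBC + Elephant diffuser'
    3 = 'AES-128 CBC'
    4 = 'AES-256 CBC'
}
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (startup or recovery key file)'
    3 = 'Numerical password (48-digit recovery password)'
    4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}

# "System cryptography: Use FIPS compliant algorithms..." sets this DWORD to 1.
function Test-FipsPolicy {
    $key = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                            -ErrorAction SilentlyContinue
    return (($key -ne $null) -and ($key.Enabled -eq 1))
}

$fips = Test-FipsPolicy
$vols = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume

foreach ($v in $vols) {
    $method = [int]$v.GetEncryptionMethod().EncryptionMethod
    $conv   = $v.GetConversionStatus()                         # 0 decrypted .. 5 decryption paused
    $ids    = @($v.GetKeyProtectors(0).VolumeKeyProtectorID)   # 0 = all protector types
    $types  = @($ids | ForEach-Object { [int]$v.GetKeyProtectorType($_).KeyProtectorType })

    Write-Host ('{0} method={1} conversion={2} ({3}%)' -f $v.DriveLetter, $methodNames[$method],
                $conv.ConversionStatus, $conv.EncryptionPercentage)
    foreach ($t in $types) { Write-Host ('    protector: {0}' -f $protectorNames[$t]) }

    # An unencrypted, unmanaged volume has nothing to recover; skip the checks below.
    if ($conv.ConversionStatus -eq 0 -and $types.Count -eq 0) { continue }

    # 1.3: ERAS keeps the Windows default; a 256-bit method must be set by GPO before initialization.
    if ($method -eq 1) { Write-Host '    note: 128-bit default; AES-256 needs the encryption-method GPO' }

    # 1.12: in FIPS mode BitLocker creates no numerical password, so ERAS "Get Password" fails.
    # Recovery then depends entirely on an external-key protector (the BEK that "Export Key" delivers).
    if ($fips -and -not ($types -contains 2)) {
        Write-Warning ('{0}: FIPS policy is on and no external-key protector exists; this volume has no recovery path' -f $v.DriveLetter)
    }
    if (-not $fips -and -not ($types -contains 3) -and -not ($types -contains 2)) {
        Write-Warning ('{0}: neither a recovery password nor a recovery key protector; helpdesk recovery (1.7) is impossible' -f $v.DriveLetter)
    }
}
```

The first warning is the case the manual describes: enabling the FIPS policy after a volume was initialized does not retroactively remove an existing numerical password, but a volume initialized under FIPS never gets one, so the exported BEK is the only thing standing between a failed TPM and lost data.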

2. Remote Administration of TPM-enabled Clients

A TPM (Trusted Platform Module) is embedded silicon that functions like an embedded smart card. It can generate keys, store certificates and digitally sign. ERAS enables remote management of the TPMs embedded in the motherboards of TPM-enabled PCs across the enterprise.

ERAS enables the digital identities in these TPMs to be linked to Active Directory identities and used as a strong cryptographic root of trust for a range of security applications, including:

• Strong network authentication
• Machine identification
• Data protection
• Secure messaging
• Network access control

ERAS identities and authorizations

The TPM delegation model allows the primary TPM Owner to delegate ownership privileges to other individuals (entities), with the right to use a subset of authorized TPM commands.

TPM Owner: the entity that owns and holds the "title" to the platform. A TPM can have only one owner. In an enterprise environment it is recommended that TPM ownership be taken by the domain user account allocated for the ERAS Service and the "ERAS Administrator".

TPM User: any entity that can present the authentication data for a TPM object, such as a TPM key, on that specific unit.

ERAS Administrator: a trustworthy person who performs ERAS administration functions. Can be a TPM Owner or a TPM User.

ERAS to provision TPM-enabled clients

Provisioning of TPM-enabled clients using ERAS consists of the following steps:

1. Enrolling the TPM-enabled client in the ERAS management database
2. Taking ownership of the TPM on the client PC; this is the root of trust. In normal applications, ERAS will be the proxy owner of all the TPMs
3. Delegating ownership rights on the client platforms. This creates a user account on the TPM that is linked to a user identity as defined in Active Directory
4. Setting owner and user passwords, establishing TPM authentication credentials for the owner and the user

Using ERAS for management of deployed TPM-enabled clients consists of the following major steps:

1. Updating the configurations in the management database
2. Running queries
3. Generating reports
4. Adding and deleting users
5. Enabling or disabling TPMs
6. Changing owner passwords
7. Enrolling and managing delegated owners

Password Complexity


2.1 ERAS TPM management functions

TPM Activation

The TPM is an opt-in technology; the platform owner has to perform deliberate steps to enable TPM usage. On most machines this requires a particular sequence of key presses in the BIOS setup, so TPM activation cannot be executed remotely from ERAS.

Newer machines have a feature called "remote physical presence", which allows remote activation. Remote physical presence has to be supported both by the BIOS and by the OS for ERAS to perform remote activation. BIOS and software support for remote physical presence is a property of the PC platform and depends on the PC vendor.

TPM enrollment & ownership

TPM enrollment and ownership are ERAS functions that enable central IT to have exclusive ownership and administrative privileges over a TPM. Delegated owners can be added after the ownership is taken. Delegated owners can use the TPM but do not have administrative privileges.

Managing TPM

The following steps allow the administrator to take ownership of the TPM on a remote machine via the ERAS Console. For the purposes of this discussion the focus is a unit that does not contain a Trusted Drive, so only the tabs pertaining to TPM identification and management are present when viewing the machine properties; the same steps apply to a unit that has both a TPM and a Trusted Drive. Expand EMBASSY Remote Administration Server, expand Domain and then expand Computers in the left-hand pane. Highlight "Computers" on the left; a list of computers is displayed on the right.

Right-click and select "Manage Device", then "TPM...". This starts the Manage Device Wizard; the same path can be used to manage all device items, as mentioned earlier.

Step A. First window of "Manage Device", with the client to be managed displayed

Step B. Window where one selects to take ownership

To remotely manage TPMs, it is first necessary to enroll them in ERAS. The enrollment process creates an entry in ERAS corresponding to the target client computer.

TPM Management Wizard

Step B is where a check box is ticked to start the process of taking TPM ownership. By default ownership is assigned to the domain user account allocated for the ERAS Service. When the Administrator clicks "Continue" he/she is directed through the remaining steps, during which ERAS communicates with the TPM on the remote client, and the process completes in Step D.

Step C. Select from ERAS service account or domain user

This management can also be performed from the Properties window, which is likewise accessed from the ERAS console. In the "TPM Management" tab the ownership just established, held by the domain user account allocated for the ERAS Service, is shown for the machine "LSM4300XP". The ownership can be changed, or non-administrative users of the TPM (TPM Users) can be added as delegated owners, such as the normal user of that machine, giving them their own credentials to access the TPM.

Managing Multiple TPMs

An administrator can manage multiple TPM clients at once, using the left pane of ERAS.

Left pane view of ERAS

Right-click "Computers" to see multiple computers in the list. In this example there are only three clients connected to the ERAS server. Select "Manage TPM" and follow the screens:

"Add Computer" and "Remove Computer" are available on the right side of the Select Computers UI. From here, follow Steps A through D as above.

Provisioning Model for Computers "Not Reachable"

For all computers "not reachable" on the network the following is true:

• Foreign Clients are always unreachable, and all management operations are postponed.
• Computers not connected to the domain are not reachable and will have operations postponed.

2.2 TPM Management Tab

The "TPM Management" tab contains the following buttons:

• Enable
• Disable
• Reset Auth Lock Out
• Manage WSKS (feature currently under development and disabled)
• Add
• Remove
• Change Ownership
• Clear Ownership
• Request Operation
• TPM Physical Presence authorized operations (drop-down menu)

Overview of Steps A through D, the steps to perform enrollment:

1. Right-click on "Computers" in the left pane of the ERAS console
2. Select "Manage Device", then "TPM..."
3. In Select Computers, the user can:
   • Select client platforms that are displayed
   • Add computers that are not currently displayed
   • Remove computers

4. In the Manage TPM – Options screen, the user can:
   • Take TPM ownership with ERAS (domain user account allocated for the ERAS Service)
   • Assign ownership to a domain user
   • Click "Next"
5. Manage TPM – Summary
   • Displays all the actions that have been selected
   • Displays all the target PCs
   • Click "Back" to modify the scheduled actions, or "Finish" to execute them
6. Manage TPM – Status
   • The status on this screen indicates "processing" or "completed"
   • When the status is completed, this screen summarises the actions performed by the ERAS server
   • Clicking on a computer name gives a summary status of the actions executed for that client

Adding delegated owner

A delegated user is allowed to use the TPM to create and protect keys. Wave ETS client software manages the TPM access privileges within the client. ETS supports the following TPM authentication mechanisms: biometric, PKI, or password/PIN. The user must authenticate to the TPM before any TPM-protected keys can be used.

1. Once a TPM-enabled PC has been enrolled, ERAS can be used to add delegated users
2. In the domain tree, select the target computer
3. Right-click and select Properties
4. Select the TPM Management tab
5. Click "Add" and "Next"
6. Enter the users to be added
7. One or more users can be added to a PC in one step
8. Select Password to choose whether a shared password or individual passwords will be set for the delegated users
9. The password must be conveyed to the user out of band (e.g., via e-mail)
10. The delegated owner password set in ERAS is only meant for transferring access control to the delegated owners. Delegated owners should be required to substitute a private password once they get TPM access.
11. Click Finish

ERAS will enroll the selected users as delegated users. Before enrolling the users, ERAS verifies that they have valid accounts in Active Directory. If a user forgets their TPM password, ERAS can be used to reset the delegated user password to a new value.

Remove a Delegated Owner

Removing a "Delegated Owner" may be required when a user no longer needs access to a given platform, for example when a user leaves the organization, or when a computer is re-purposed for another department or sold.

1. Select the target computer from the MMC view
2. Right-click and select "Properties"
3. Select the "TPM Management" tab
4. Select the "Delegated Owner", or select multiple delegated owners using the Ctrl key
5. Click "Remove"

TPM Status

If TPM Security is On in the BIOS but TPM Activation is disabled, ERAS still reports the TPM as disabled/inactive, because in that state the TPM cannot respond to requests.

• TPM Security Off: no power to the TPM chip
• TPM Security On, TPM Activation Disabled: powered on but not functioning (no response to requests), so it is unable to report its status
• TPM Security On, TPM Activation Enabled: fully functional, able to report its status

Query a TPM / Update Status

• ERAS has a management database containing all TPM settings required for management of the TPM
• The current values in the management database can be viewed, and the database updated, by querying the TPM on the client PC

To view the status of a PC enrolled in the ERAS repository:
• Select the target computer from the MMC view
• Right-click and select "Properties"
• Select the various tabs to view the ERAS status entries, corresponding to the last status refresh performed on the TPM

To refresh the status of a PC record in the ERAS repository:
• Select the target computer from the MMC view
• Right-click and select "Refresh"
• The new values in the ERAS database can then be viewed as outlined above

TPM Enable / TPM Disable

When a TPM is disabled using ERAS, none of the programmed settings are modified; however, all administrative and all user functions are blocked.

If the TPM is later enabled, all the original settings are preserved, including ownership, delegated users, etc.

Change ownership

Knowledge of the current owner password is required in order to take ownership of a TPM that already has an owner. The following instructions assume that the TPM has not previously been enrolled in ERAS.

1. Locate the computer; the TPM status will be unknown (never refreshed)
2. Right-click and select "Refresh"; ERAS will detect the TPM and change the icon
3. Right-click and select "Properties"
4. Select the "TPM Management" tab
5. There will be a "Register owner" button
6. Click "Register owner", then "Next"
7. Select the new owner type: ERAS administrator or domain user
8. Click "Next" and enter the password of the existing owner
9. If a domain user is selected as the new owner, a new password must be entered
10. If ERAS administrator is selected, the password is generated automatically
11. Click "Submit"

TPM Physical Presence authorized operations commands

• Activate the device
• Allow the installation of device owner
• Clear the device
• Clear, enable, and activate the device
• Deactivate the device
• Deactivate, disable, and prevent the installation of a device owner
• Disable the device
• Enable and activate the device
• Enable the device
• Enable, activate, and allow the installation of a device owner
• No request
• Prevent the installation of a device owner

The following prerequisites are necessary for Physical Presence commands:

1. Supported client platform
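The states listed under "TPM Status" and the physical-presence operations above map directly onto the Win32_Tpm WMI class on the client, which is what a remote physical presence request (2.1, TPM Activation) ultimately goes through. The following PowerShell is an added example and not ERAS code: the request codes are those Microsoft documents for Win32_Tpm.SetPhysicalPresenceRequest, the mapping from the ERAS drop-down wording to those codes is my assumption, and it must be run elevated on the client. The BIOS executes a queued request at the next boot and may require a physically present user to confirm it.

```powershell
# Added example, not ERAS code: inspect the TPM state and queue a physical
# presence request via Win32_Tpm. Request codes per Microsoft's Win32_Tpm
# documentation; the ERAS-wording-to-code mapping is an assumption. Run elevated.

$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    # No Win32_Tpm instance: TPM Security Off in BIOS (chip unpowered/hidden) or no TPM fitted
    if ($tpm -eq $null) { return 'No TPM visible to the OS (TPM Security Off, or no TPM)' }
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    if (-not $enabled)   { return 'Disabled: TPM Security On but the TPM is not enabled' }
    if (-not $activated) { return 'Enabled but inactive (TPM Activation Disabled): ownership and key operations are rejected' }
    if ($owned)          { return 'Enabled, activated and owned: fully functional, ERAS can report status' }
    return 'Enabled and activated, no owner: ready for ERAS Take Ownership'
}

# ERAS drop-down wording -> Win32_Tpm physical presence request code (assumed mapping)
$PpRequest = @{
    'No request'                                                          = 0
    'Enable the device'                                                   = 1
    'Disable the device'                                                  = 2
    'Activate the device'                                                 = 3
    'Deactivate the device'                                               = 4
    'Clear the device'                                                    = 5
    'Enable and activate the device'                                      = 6
    'Allow the installation of device owner'                              = 8
    'Prevent the installation of a device owner'                          = 9
    'Enable, activate, and allow the installation of a device owner'      = 10
    'Deactivate, disable, and prevent the installation of a device owner' = 11
    'Clear, enable, and activate the device'                              = 14
}

function Request-TpmPhysicalPresence([string]$Operation) {
    if (-not $PpRequest.ContainsKey($Operation)) { throw "Unknown operation: $Operation" }
    $code = $PpRequest[$Operation]
    $tpm  = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm
    if ($tpm -eq $null) { throw 'No TPM visible; activation must be done in BIOS setup' }

    # Ask the BIOS whether it will honour this operation from the OS:
    # 0 not implemented, 1 BIOS only, 2 blocked by BIOS configuration,
    # 3 allowed with a physically present user's confirmation, 4 allowed without confirmation
    $conf = $tpm.GetPhysicalPresenceConfirmationStatus($code).ConfirmationStatus
    if ($conf -le 2) { throw "BIOS will not accept request $code from the OS (confirmation status $conf)" }

    $r = $tpm.SetPhysicalPresenceRequest($code)
    if ($r.ReturnValue -ne 0) { throw ('SetPhysicalPresenceRequest failed: 0x{0:X8}' -f $r.ReturnValue) }

    # The request is stored for the firmware and executed at the next boot; read it back.
    $pending = $tpm.GetPhysicalPresenceRequest().Request
    return New-Object PSObject -Property @{
        Operation = $Operation; Code = $code; Pending = $pending
        NeedsUserConfirmation = ($conf -eq 3)
    }
}

Get-TpmState

# 'Clear the device' destroys the owner authorisation and every key sealed to this
# TPM: ERAS ownership, delegated owners and any BitLocker TPM protector are lost,
# so export or suspend the BitLocker protectors first. Uncomment to queue a request:
# Request-TpmPhysicalPresence 'Enable and activate the device'
# Restart-Computer
```

A confirmation status of 3 is the common vendor default for clear operations: the request is accepted, but someone at the keyboard has to approve it at boot, which is exactly the "remote physical presence must be supported by the BIOS" caveat in 2.1.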

3. SafeNet ProtectDrive clients with ERAS

ERAS has the ability to remotely manage SafeNet ProtectDrive clients. ProtectDrive is a software-based FDE (Full Disk Encryption) solution provided for systems that do not support self-encrypting hard drives. Initialization and adding users behave the same as with self-encrypting hard drives. Enabling security from ERAS starts the software encryption of the drive in the background on the client machine.

Installing the ERAS client on these systems first requires installation of the SafeNet ProtectDrive client software. The following general steps prepare a ProtectDrive client to join ERAS.

ProtectDrive Connector installation

1. Uninstall any pre-existing TDMRemoteConfig or Wave Embassy software on the client.
2. Install SafeNet ProtectDrive. To disable local management, install SafeNet ProtectDrive using the remote option. This requires a pre-existing certificate, or one to be created; see the SafeNet documentation for details.
3. Install Embassy Security for ProtectDrive.msi.
4. Install ERASConnector or ERASProvider, depending on management preferences.
5. If any change to the default SafeNet options is required, perform the SafenetConfig.xml installation before initializing SafeNet ProtectDrive.

ProtectDrive Management

ERAS management of ProtectDrive FDE is the same as with self-encrypting hard drives. Initializing the drive takes ownership and adds user(s) to the drive. To lock the drive, go through the "Manage..." buttons and click "Enable" to begin the encryption process. Software FDE encryption takes several hours. For more information please refer to the ProtectDrive Administration Manual.

A red lock in the Windows GINA indicates that ProtectDrive is installed.

ProtectDrive License File

The ProtectDrive license file, received from SafeNet, is placed in the same folder as the PD installer package BEFORE the PD installation.

To deploy SafenetConfig.xml:

1. Place SafenetConfig.xml on a file system accessible by clients, such as a network share
2. Modify SafenetConfig.xml to include the ProtectDrive options desired
3. Configure the Protected Drive Configuration Policy (part of the ESDGPO package) to point to the file location of SafenetConfig.xml
4. Deploy the Protected Drive Configuration Policy to clients

As with any ERAS client, the same requirements for remote administration apply here:

1. Verify that the DCOM port, TCP 135, is open on the client machine
2. If WMI is already used for other systems-management functions, the required ports are already open
3. Vista and Windows 7 clients require that Remote Administration is a selected exception in the firewall

ProtectDrive Management

In order to manage a ProtectDrive client machine from ERAS, make sure that ProtectDrive management is enabled in the Server Settings UI. ProtectDrive remote functionality supported through ERAS includes enabling encryption for more than one partition or volume on a client computer using a single management license, smart card support and backup of drive recovery keys. The various ProtectDrive configurations, and enablement and control of particular features such as FIPS mode, are supported by enabling the Wave policy that points to the SafenetConfig.xml file as discussed above. When initializing the drive from ERAS one is offered the choice to enable smart card support. Refer to the ProtectDrive Administration Manual provided with the deployed ProtectDrive version for additional details.
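As an added example (not ERAS code and not part of the manual), the following PowerShell covers the remote-administration requirements listed above: the first function, run elevated on a Vista/Windows 7 client, enables the two built-in Windows Firewall rule groups that DCOM/WMI management depends on; the rest, run on the ERAS server, checks that the DCOM endpoint mapper on TCP 135 answers and that a WMI call as the service account succeeds. The rule-group names are the built-in Windows names; 'client01' and 'CORP' are placeholders.

```powershell
# Added example, not ERAS code. Enable-ErasClientFirewall is meant to run elevated
# on the client; the checks at the bottom run on the ERAS server.
# 'client01' and 'CORP' are placeholder names.

function Enable-ErasClientFirewall {
    # DCOM starts on TCP 135 (endpoint mapper) and then moves to a dynamic RPC port;
    # both built-in rule groups cover that, and WMI over DCOM is what ERAS uses.
    netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
}

# Cheap first check from the server: is the endpoint mapper reachable at all?
function Test-DcomEndpoint([string]$ComputerName, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, 135, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# A full round trip as the service account proves DCOM, the firewall exception and
# the local-administrator requirement (1.2) together. Run it while no BitLocker
# wizard is open on the client; the manual notes that it can break DCOM set-up.
function Test-WmiAccess([string]$ComputerName, [System.Management.Automation.PSCredential]$Credential) {
    try {
        $null = Get-WmiObject -ComputerName $ComputerName -Credential $Credential `
                              -Class Win32_OperatingSystem -ErrorAction Stop
        return $true
    } catch {
        Write-Warning ('{0}: {1}' -f $ComputerName, $_.Exception.Message)
        return $false
    }
}

# Server side: prompt for the ERASService password and test each client.
$cred = Get-Credential -Credential 'CORP\ERASService'
'client01' | ForEach-Object {
    New-Object PSObject -Property @{
        Computer         = $_
        Tcp135Open       = Test-DcomEndpoint $_
        WmiAsErasService = Test-WmiAccess $_ $cred
    }
} | Format-Table -AutoSize
```

A client that shows Tcp135Open true but WmiAsErasService false usually has the firewall open but the service account missing from the local Administrators group, or a BitLocker wizard holding the provider; the warning text from Get-WmiObject distinguishes "access denied" from "RPC server unavailable".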

Get Recovery Password

This action displays an ASCII string that a remote user can use to gain access to a locked drive, for example when a user forgets their drive password. The reported value can be passed out of band (e-mail or text message).

View from client machine of pre-boot screen

ProtectDrive initialization can be done from the ERAS console by navigating to the properties of the ProtectDrive client. Right-clicking a particular volume offers additional options to Disable/Enable Encryption or Refresh the volume. In the "Manage" UI there is also an Export button for exporting the Backup Credential keys for ProtectDrive, which allow drive restoration. Review the SafeNet ProtectDrive Administration Manual for the steps needed to use these files.

On SafeNet ProtectDrive encrypted drives, the user must log in to the local machine in order to use the recovery password.

The "Recovery Password" is used with the user name Recovery_Agent.

ProtectDrive Backup and Recovery Procedure

All details can be found in the SafeNet ProtectDrive Enterprise Version Administration Guide:

• Review Chapter 10, Extraordinary Authentication Scenarios, for 'Create the Recovery Disk Key'.
• Review Chapter 11, RapidRecovery(TM) Disaster Recovery Tools, for 'Backup.exe'.

Backup.exe must be run after each disk encryption status change or license update.

Backup Procedure

A. Install SafeNet ProtectDrive with Master Key

1. On ERAS, create the Master Security Key (PdMaster.pfx) and Recovery Support Key.
2. ERAS provides the keys from step 1 to the client: when installing the SafeNet PD software on the client machine, ERAS passes these keys as parameters to the client installation.
3. On the client, install SafeNet PD with the keys provided.

B. Create EFS backup files

1. The ERAS admin initializes PD and encrypts the drive.
2. After each encryption status change or license update, the ERAS admin should store backup files by clicking the Backup button, which performs the following steps:
   i. ERAS calls GetUserStoreXmlFile() to get the UserStore.xml file.
   ii. ERAS calls GetBackupFileNames() to get the list of backup file names. Each entry is a full path and file name; a comma delimits the entries.
   iii. ERAS calls GetBackupFile() with each file name (including the full path) to get the backup file.

C. Create a Recovery Disk Key

1. See the SafeNet Admin Guide, chapter 10, "Creating a Disaster Recovery Disk Key", for details.
2. Run rpadmin.exe (available from the SafeNet installation CD, \Tools folder)

3. Click the Disk Key Recovery tab
4. For Master Security Certificate Key:
   i. Select the PFX file radio button, then browse to the Master Security Key (PdMaster.pfx) location
   ii. Enter the password for the Master Security Key
5. For Backup File-set Location:
   i. Browse to the backup file set location (the file set was saved on ERAS after running the Backup steps; ERAS should provide this file set)
6. For Disk Key Output:
   i. Browse to the location where you want to save the Disk Key file, then enter the Disk Key file name (e.g. diskkey.dke)
   ii. Enter and confirm the passphrase

(22)

22 ProtectDrive Connector installation | Wave Systems Corp.  2011 Recovery Procedure

1. To recover the Disk, make sure you have

i. decdisk.exe (available from SafeNet installation CD, \Tools folder) ii. the encrypted *.dke file generated from previous steps

iii. the corresponding passphrase

iv. the backup files

2. To recover a hard disk in the event that a ProtectDrive-encrypted computer fails to boot to Windows:

i. Boot the affected PC into DOS mode

ii. From cmd, decrypt the hard disk using the ProtectDrive decdisk utility. Make sure you use the /dk option.

e.g. decdisk -dk diskkey.dke

iii. Enter the passphrase

iv. Select the disk to be decrypted

v. After decrypting, run rmbr /o /r /rp <backup-files-path> (to remove the ProtectDrive preboot authentication).

vi. Reboot

vii. Unplug network

viii. After reboot, uninstall SafeNet ProtectDrive

ix. Re-install SafeNet ProtectDrive

x. Repair PD Connector

xi. Plug network

4. BIOS and ATA Hard Drive passwords management

System BIOS Management Tab

This tab manages a machine's administrator, system, and ATA hard drive passwords remotely. Management actions include set, reset, clear, and view passwords. All actions are logged in ERAS server logs.

For the System BIOS management, ERAS shall randomly generate passwords to set the administrator password, BIOS password and ATA HDD Password. If a Trusted Drive user password is already set, this will disable the ATA HDD password. The “Clear” button shall set the password to empty. The “View” button shall display the generated password in the textbox adjacent to the type of password.

The BIOS and ATA HDD passwords are viewable, and all of these operations are available on the command line. The ERAS administrator can create a script that resets the viewable passwords and schedule it to run after a password has been disclosed to the user.

BIOS ATA HDD Password Setup

BIOS ATA HDD Password operations require a reboot of the local (client) machine. The following sample demonstrates how to perform the “set” operation of the HDD password for a given machine.

Domain Client connected to network

1. Open Properties – select BIOS tab

2. Click on ‘Set’ for HDD Password – It will prompt you to reboot the machine after the operation is successfully executed.

3. Now, reboot the client machine

4. At pre-boot you will see the [Ignore / Modify] dialog. --> Click on “Modify”.

Please note that in order to use remote BIOS management, ESC 2.5 or higher is required on the remote client.

5. Now go back to the ERAS console, open Properties for the desired machine, then go to the BIOS tab. Click “Refresh”.

6. You will see that your operation has executed successfully

Domain Client disconnected from network

1. Open Properties – select BIOS tab

2. Click on ‘Set’ for HDD Password – It will prompt you to reboot the machine after the operation is successfully executed.

3. Since the client is offline, the operation goes to the Postponed Operations Queue.

4. Client eventually comes online.

5. ECC from the client machine will then connect to ERAS and pick up this pending operation.

6. ECC performs the HDD operation.

7. Now, reboot the client machine.

8. At pre-boot you will see the [Ignore / Modify] dialog. --> Click on “Modify”.

9. Now go back to the ERAS console, open Properties for the desired machine, then go to the BIOS tab.

10. Click “Refresh”

11. You will see that your operation has executed successfully

Non-Trusted Domain Client

1. Open Properties – select BIOS tab

2. Set HDD Password – It will prompt you to reboot the machine after the operation is successfully executed.

3. This is a Foreign Client, so operations are postponed.

4. ECC from the client machine will eventually connect to ERAS and pick up this pending operation.

5. ECC performs the HDD operation.

6. Now, reboot the client machine

7. At pre-boot you will see the [Ignore / Modify] dialog. --> Click on “Modify”.

8. Now go back to the ERAS console, open Properties for the desired machine, then go to the BIOS tab.

9. Click on ‘Refresh’ – the operation is postponed.

10. ECC from the client machine will eventually connect to ERAS and pick up this pending operation.

11. ECC performs the “refresh BIOS” operation.

12. Now open Properties again.

13. You will see that your operation has executed successfully.
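The three walkthroughs above differ only in when ERAS can reach the client. As an added illustration (not code from the ERAS product), the following Python model assumes a small `Client` record and an `ErasBiosManager` class with a per-client Postponed Operations Queue, and shows why a Foreign Client's console view stays stale until a second check-in has delivered the postponed “refresh”.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Client:
    """A managed client. 'trusted' is False for a Non-Trusted (Foreign) Domain Client."""
    name: str
    online: bool
    trusted: bool
    bios_state: dict = field(default_factory=dict)     # passwords actually applied on the client
    console_state: dict = field(default_factory=dict)  # what the ERAS console currently shows


class ErasBiosManager:
    """Dispatches BIOS/HDD operations directly or via the Postponed Operations Queue (model)."""

    def __init__(self) -> None:
        self.postponed: dict[str, deque] = {}

    def submit(self, client: Client, op: str, arg=None) -> str:
        # Only an online trusted-domain client is reached directly. An offline
        # client, or any foreign client (even for "refresh"), is postponed until
        # its ECC checks in.
        if client.trusted and client.online:
            return self._execute(client, op, arg)
        self.postponed.setdefault(client.name, deque()).append((op, arg))
        return "postponed"

    def client_checkin(self, client: Client) -> list[str]:
        """ECC on the client connects to ERAS and drains its pending operations in order."""
        client.online = True
        results = []
        queue = self.postponed.get(client.name, deque())
        while queue:
            op, arg = queue.popleft()
            results.append(self._execute(client, op, arg))
        return results

    def _execute(self, client: Client, op: str, arg) -> str:
        if op == "set":                      # arg = (password type, value); client must reboot
            client.bios_state[arg[0]] = arg[1]
            return "reboot required"
        if op == "refresh":                  # re-read state from the client into the console
            client.console_state = dict(client.bios_state)
            return "refreshed"
        raise ValueError(f"unknown operation: {op}")
```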

When the BIOS password has been changed locally, the newly defined password must be communicated to the ERAS Administrator (out-of-band) and must be entered and updated from the ERAS console.

Once the BIOS passwords are set, the “Set” button changes to a “Change” button and the “View” and “Clear” buttons are enabled. A message above the corresponding buttons (shown in green text) indicates that the BIOS passwords are properly configured.

Set the BIOS Administrator Password

Click the “Set” button, then enter and confirm the created password.

Note that Dell BIOS does not accept special characters, so special characters are also excluded from auto-generated passwords on Dell computers.
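The System BIOS Management Tab section states that ERAS generates the administrator, BIOS and ATA HDD passwords randomly, and the note above adds the Dell constraint. As an added example (not ERAS code), the following Python generator uses the OS CSPRNG and restricts the alphabet to alphanumerics when `dell=True`; the 32-byte cap is the ATA SECURITY SET PASSWORD limit and is assumed here as the upper bound for all three password types.

```python
import secrets
import string

# Alphabets for auto-generated BIOS / ATA HDD passwords. Dell BIOS rejects
# special characters, so Dell platforms only ever get the alphanumeric set.
ALNUM = string.ascii_letters + string.digits
WITH_SPECIALS = ALNUM + "!@#$%^&*()-_=+"

# ATA SECURITY SET PASSWORD carries at most 32 bytes of password data;
# used here as the conservative upper bound for every password type.
ATA_MAX_LEN = 32


def allowed_chars(dell: bool) -> str:
    """Return the alphabet permitted for the target platform."""
    return ALNUM if dell else WITH_SPECIALS


def generate_password(length: int = 16, dell: bool = True) -> str:
    """Generate a random BIOS/ATA password with the secrets module (CSPRNG)."""
    if not 8 <= length <= ATA_MAX_LEN:
        raise ValueError(f"length must be between 8 and {ATA_MAX_LEN}")
    alphabet = allowed_chars(dell)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Redraw until the password mixes letters and digits, so an
        # all-alpha or all-numeric value is never handed to the BIOS.
        if any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw):
            return pw


def is_valid_for_platform(pw: str, dell: bool) -> bool:
    """Check a password against the platform policy before ERAS records it.

    Useful for a password that was changed locally and communicated
    out-of-band: reject anything the target BIOS would not accept.
    """
    if not pw or len(pw.encode("ascii", "replace")) > ATA_MAX_LEN:
        return False
    return all(c in allowed_chars(dell) for c in pw)


if __name__ == "__main__":
    print("Dell:", generate_password(dell=True))
    print("Other:", generate_password(20, dell=False))
```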

View BIOS Administrator Password

After the BIOS Administrator Password has been set

Clear BIOS Administration Password

The BIOS system and ATA HDD passwords are configured in the same fashion.

Remote view BIOS management column

On unsupported client machines, the BIOS tab in ERAS appears with disabled buttons, regardless of whether ERASProvider or ERASConnector is deployed. If desired, this extra tab can be removed by disabling BIOS management in the Server Settings UI.

5. ControlVault Management

ControlVault (CV) management is limited to select Dell platforms that contain CV hardware. Dell™ ControlVault™ is a hardware-based security solution that secures passwords, biometric templates, and security codes within firmware, locked away from a malicious application attack.

The CV is a storage device that allows the adding and removing of associated user information and the archiving and restoring of secure information as mentioned above. The BIOS system password is a pre-requisite to initializing the ControlVault™. If the BIOS system password is not set first, the administrator will be prompted to do so.

There are two types of passwords which can be managed for CV – the Administrator password and the CV firmware upgrade password. These passwords are set when the CV is initialized. They can be changed but cannot be cleared. However, when the CV is un-initialized, these passwords are cleared automatically.

All mentioned operations are available on the command-line so they can be scripted as well. Adding and removing CV user operations are available at the bottom of the window. There are no user accounts that can be created in a CV, though CV objects can be associated with a user.

CV User Management

Add User – This operation associates the given user with the given machine’s CV. The actual user action, however, can happen only on the local machine (e.g. fingerprint enrollment).

Archive User – This operation archives all available CV objects for the given user from the client machine to the ERAS database. Any new object added on the local machine needs to be re-archived to store it in the ERAS database.

Restore User – This operation transfers the existing CV objects present in the ERAS database for the given user to the given local machine. During this operation, existing CV objects (if any) on the machine are overwritten. A specific message warns the user about this operation.

Remove User – This operation removes the association between the given user and the given local machine. It also deletes the existing CV objects for the given user on the given local machine. This is non-reversible. A specific message warns the user about this operation.

To perform any of the CV related operations, add the following three tasks to the role:

• ViewCVPasswords

• ManageCVPasswords

• ManageCVUsers

CV Migration is not supported for Workgroup Foreign Client because the user is a local user linked to its client name.

CV migration is limited to un-trusted and trusted domain users only.

If a user's credentials are enrolled or restored to multiple machines, note that removing or adding credentials locally on one machine for a user will not change that same user's stored credentials in the ERAS database or on other machines.

References

Related documents

• The Wave Embassy Remote Administration Server software, and ERAS Software Configuration Bundle, are available today from your Dell account team.

• Customer kits will be
