Symantec Endpoint Encryption Full Disk

Full Disk

Authenti-Check is a registered trademark of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners.

Contents

1. Introduction . . . 1

Overview. . . 1

Symantec Endpoint Encryption . . . 1

Basics . . . 1

Architecture . . . 1

Directory Service Synchronization . . . 2

Endpoint Containers . . . 2

Active Directory and Native Policies . . . 3

Installation and Policy Settings . . . 3

SEE Roles . . . 4 Policy Administrators . . . 4 Client Administrators . . . 5 User . . . 5 2. Reporting . . . 6 Overview. . . 6

SEE Users and Computers . . . 7

SEE Server Reports . . . 7

Computer Status Report . . . 7

Computers not Encrypting to RS . . . 7

Computers with Decrypted Drives . . . 7

Computers with Specified Users . . . 8

Computers without Full Disk Installed . . . 8

Computers without Removable Storage Installed . . . 8

Non-Reporting Computers . . . 8

Resultant Set of Policy (RSoP) . . . 8

Windows System Events . . . 10

3. Policy Creation . . . 12

Overview. . . 12

Active Directory Policies . . . 12

Native Policies . . . 13 Policy Options. . . 13 Client Administrators . . . 13 Registered Users . . . 14 Password Authentication . . . 15 Authentication Message . . . 16 Communication . . . 16 Single Sign-On . . . 16 Authenti-Check . . . 16 One-Time Password . . . 17 Startup . . . 18 Logon History . . . 18 Autologon . . . 18 Remote Decryption . . . 19 Client Monitor . . . 20 Local Decryption . . . 20

4. Policy Deployment . . . 21

Overview. . . 21

Active Directory Policies . . . 21

Basics . . . 21

Order of Precedence . . . 21

Forcing a Policy Update . . . 21

Native Policies . . . 22

Basics . . . 22

SEE Managed Computer Groups . . . 22

Policy Assignment . . . 24

Order of Precedence . . . 26

Forcing a Policy Update . . . 26

5. Endpoint Support . . . 27

The Management Password . . . 27

Basics . . . 27

Setting the Management Password . . . 27

Changing the Management Password . . . 27

One-Time Password Program . . . 28

Basics . . . 28

Launch . . . 29

SQL Server Logon Information . . . 29

Management Password . . . 30

Method . . . 30

Error Messages . . . 35

Hard Disk Recovery . . . 36

Basics . . . 36

Recover DAT File Generation . . . 36

6. Server Configuration . . . 39

Overview. . . 39

Configuration Editor . . . 39

Basics . . . 39

Database Configuration Tab . . . 39

Directory Sync Services Configuration . . . 40

Web Server Configuration . . . 41

Directory Sync Service Status . . . 42

Appendix A . . . 43

Framework System Events List . . . 43

Full Disk System Events List . . . 56

Glossary . . . 62

Figures

Figure 1.1—Architectural Overview . . . 1

Figure 2.1—Group Policy Results Wizard, User Selection . . . 9

Figure 2.2—RSoP Report From an SEE Client . . . 10

Figure 3.1—Framework Computer Policy, Client Administrators Options . . . 13

Figure 3.2—Framework Computer Policy, Registered Users Options . . . 14

Figure 3.3—Framework Computer Policy, Password Authentication Options . . . 15

Figure 3.4—Framework Computer/User Policy, Authenti-Check Options . . . 16

Figure 3.5—Framework Computer/User Policy, One-Time Password Options . . . 17

Figure 3.6—Full Disk Computer Policy, Startup Options . . . 18

Figure 3.7—Full Disk Computer Policy, Autologon Options . . . 19

Figure 3.8—Full Disk Computer Policy, Client Monitor Options . . . 20

Figure 4.1—SEE Managed Computers, Add New Group . . . 23

Figure 4.2—Name New Group Dialog . . . 23

Figure 4.3—SEE Unassigned, Computer Highlighted . . . 24

Figure 4.4—SEE Managed Computers Groups Dialog . . . 24

Figure 4.5—SEE Managed Computers Group Selected . . . 25

Figure 4.6—Policy Selection Dialog . . . 25

Figure 4.7—Native Policy Assignment Confirmation . . . 25

Figure 4.8—SEE Managed Computers Policy Assigned . . . 26

Figure 5.1—Management Password Snap-in . . . 27

Figure 5.2—Management Password Changed, Confirmation Message . . . 28

Figure 5.3—One-Time Password, Welcome . . . 29

Figure 5.4—SQL Server Logon Prompt . . . 29

Figure 5.5—One-Time Password, Management Password . . . 30

Figure 5.6—One-Time Password, Method Selection, Online . . . 31

Figure 5.7—One-Time Password, Online Method, Identifying Information . . . 31

Figure 5.8—One-Time Password, Online Method, Response Key . . . 32

Figure 5.9—One-Time Password, Method Selection, Offline . . . 33

Figure 5.10—One-Time Password, Offline Challenge Key . . . 33

Figure 5.11—One-Time Password, Offline Response Key . . . 34

Figure 5.12—One-Time Password, User Record Not Found . . . 35

Figure 5.13—One-Time Password, Invalid Code Synchronization . . . 35

Figure 5.14—Manager Console, Computer in Need of Recovery Highlighted . . . 37

Figure 5.15—Management Password Prompt . . . 37

Figure 5.16—Recovery Password Prompt . . . 37

Figure 5.17—Recovery Data Export Dialog . . . 38

Figure 5.18—Recovery Data Export Success Message . . . 38

Figure 6.1—Configuration Editor, Database Configuration Tab . . . 39

Figure 6.2—Configuration Editor, Directory Sync Services Configuration Tab . . . 40

Figure 6.3—Configuration Editor, Web Server Configuration Tab . . . 41

Tables

Table 1.1—Active Directory and Native Policies Compared . . . 3

Table 1.2—Client Administrator Levels of Privilege . . . 5

Table 2.1—Data Available About Client Computers That Have Checked In . . . 6

Table 6.1—Synchronization Service Status Values . . . 42

Table A.1—Framework System Events . . . 43

1. Introduction

Overview

Symantec Endpoint Encryption Full Disk protects data on laptops and PCs from the threat of theft or loss with strong, centrally managed encryption, auditing, and policy controls for hard disks and partitions, ensuring that the loss of a machine and its data does not result in disclosure required by corporate policy or government regulation. As part of Symantec Endpoint Encryption, SEE Full Disk leverages existing IT infrastructures for seamless deployment, administration, and operation.

Symantec Endpoint Encryption

Basics

SEE is comprised of SEE Full Disk, SEE Removable Storage, and SEE Framework. SEE Framework includes all the functionality that is extensible across SEE. It allows behavior that is common to both SEE Removable Storage and SEE Full Disk to be defined in one place, thus avoiding potential inconsistencies.

Architecture

The following diagram depicts a sample mixed network and the interrelationships between SEE components.

Figure 1.1—Architectural Overview

The Active Directory domain controller and SEE Management Server are required. your-org.com Client your_tree Novell eDirectory Server Client Client Client Client Active Directory Domain Controller Manager Computer SEE Management Server Database Server LDAP ODBC Group Policy HTTP(S)/SOAP

A database server is recommended, but the SEE database instance can also be configured to reside on the SEE Management Server. The machine hosting the SEE database instance must be a member of the Active Directory forest/domain.

The Manager Console can be installed on multiple Manager Computers. It can also be installed on the SEE Management Server. It must reside on a computer that is a member of the Active Directory forest/domain. The Novell eDirectory tree and Active Directory group policy communications are optional.

Directory Service Synchronization

Synchronization with Active Directory and/or Novell eDirectory is an optional feature. If enabled, then the SEE Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this information in the SEE database. It also keeps this information up to date. This improves performance during Client Computer communications with the SEE Management Server, as the SEE Management Server will be able to identify the Client Computer without having to query the Active Directory domain controller and/or the Novell eDirectory server.

When you open the SEE Manager, you will have your Active Directory and/or Novell endpoints organized just the way that they are in the directory service, easing your deployment activities.

In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any SEE products installed and/or have never checked in with the SEE Management Server. This will allow you to run reports to assess the success of a given deployment and gauge the risk that your

organization may face due to unprotected endpoints.

The timing of the synchronization event differs according to the directory service. Whereas Novell informs the SEE Management Server of any changes that may occur, the SEE Management Server needs to contact Active Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes.

Endpoint Containers

Basics

The SEE Manager will place each endpoint into one or more of the following containers:

„ Active Directory Computers,

„ Novell eDirectory Computers, or

„ SEE Managed Computers.

Active Directory/Novell eDirectory Computers

No computers will be placed in the Active Directory Computers or Novell eDirectory Computers containers unless synchronization with the directory service is enabled.

If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell eDirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory services is enabled and the computer is managed by both, it will appear in both containers. Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with SEE snap-ins.

SEE Managed Computers

Computers located within the Active Directory Computers and/or Novell eDirectory Computers containers will not be shown in the SEE Managed Computers container.

Only computers that have checked in with the SEE Management Server will be shown in the SEE Managed Computers container. Whether a computer is placed in the SEE Managed Computers container or not following check in will vary depending on whether synchronization is enabled or not.

„ If synchronization is not enabled, all Client Computers that have checked in will be placed in the SEE Managed Computers container.

„ If synchronization is enabled, only Client Computers that have checked in that do not reside within the designated Active Directory forest/domain and/or Novell tree will be placed in the SEE Managed Computers container. Computers located within the SEE Managed Computers container should be grouped into the organizational structure that you desire.

Active Directory and Native Policies

Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not.

Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off.

The following table itemizes the differences between Active Directory and native policies.

Installation and Policy Settings

Basics

While the majority of the installation settings can be overridden with policy updates, certain installation settings cannot. Furthermore, three SEE Full Disk settings do not have a corresponding installation setting, and can only be defined by pushing out a policy update.

Installation Only Settings

The following SEE Framework installation setting cannot be changed later by policy update:

„ Encryption—AES encryption strength

The following SEE Full Disk installation settings cannot be changed later by policy update:

„ Encryption—settings related to initial encryption (the Disk Partitions and Advanced Options sections of this

panel);

„ Installer Customization—location of the client database files; and

„ Startup—custom image bitmap file.

Table 1.1—Active Directory and Native Policies Compared

Active Directory Policies Native Policies

Certain policies are deployed to users and others are

deployed to computers. Policies can only be applied to computers. Policies applied in Local, Site, Domain, OU

(LSDOU) order of precedence.

Policies are applied in Computer, Subgroup, Group (CSG) order of precedence.

Single pane policy creation/deployment. Each pane must be visited when creating the policy. Policies are obtained from the domain controller

and applied at each reboot.

Policies are applied when the client checks in with the SEE Management Server.

An immediate policy update can be forced using the

gpupdate \force or secedit command.

An immediate policy update can be forced by clicking

Note that although a custom image bitmap file cannot be changed by a policy setting once the SEE client software has been deployed, a custom image could be effectively hidden at a later time by pushing out a Startup policy that causes the Symantec logo to be displayed instead.

Policy Only Settings

The following SEE Full Disk settings can only be defined using a policy:

„ Autologon—the active period and number of restarts that control the Autologon feature;

„ Remote Decryption—decryption of all disk partitions; and

„ OTP Communication Unlock—the ability of users to use the One-Time Password program to regain access to

their computer after it has been locked for a failure to communicate.

SEE Roles

Policy Administrators

As the Policy Administrator, you perform centralized administration of SEE. Your primary tool is the Manager Console, installed on the Manager Computer. The Manager Console contains the following SEE snap-ins:

„ Symantec Endpoint Encryption Management Password—allows you to change the Management Password.

„ Symantec Endpoint Encryption Software Setup—is used to create client installation packages.

„ Symantec Endpoint Encryption Native Policy Manager—escorts you through the process of creating a computer

policy for clients not managed by Active Directory, such as Novell and other clients.

„ Symantec Endpoint Encryption Users and Computers—displays the organizational structure of your Active

Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups; provides the ability to export computer-specific Recover DAT files necessary for Recover /B.

„ Symantec Endpoint Encryption Server Reports—includes Computer Status, Computers not Encrypting to RS,

Computers with Decrypted Drives, Computers with Specified Users, Computers without Full Disk Installed, Computers without Removable Storage Installed, and Non-Reporting Computers reports. Each report provides the ability to export computer-specific Recover DAT files necessary for Recover /B.

„ Symantec Endpoint Encryption One-Time Password Program (optional)—enables you to assist users who can’t

get into Windows because they forgot their credentials or have been locked out for a failure to communicate with the SEE Management Server.

It also contains the following Microsoft snap-ins to help you manage your Active Directory computers:

„ Active Directory Users and Computers—allows you to both view and modify your Active Directory

organizational hierarchy.

„ Group Policy Management—lets you manage group policy objects and launch the Group Policy Object Editor

(GPOE). Within the GPOE you will find SEE snap-in extensions that allow you to create and modify SEE user and computer policies for Active Directory–managed computers.

Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if any, will be effected as part of the privileges associated with your Windows account.

Your Windows account may have been provisioned with rights to access the SEE database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console.

Client Administrators

Client Administrators provide local support to SEE users and guarantee that SEE Full Disk–protected computers are always accessible even when all SEE users have been removed from those computers. Each Client Computer must have at least one Client Administrator account.

As Policy Administrator, you are responsible for creating and maintaining Client Administrator accounts using the SEE Manager. Because Client Administrator accounts are managed entirely by SEE and do not relate to Windows accounts, Client Administrators can support users who are not a part of the domain.

One of three privilege levels will be assigned to each Client Administrator account. At least one Client Administrator account with a privilege level of high must exist on each workstation.

Client Administrators should be trusted in accordance with their assigned level of privilege.

There must be at least one Client Administrator on each workstation to allow hard disk recovery. Client

Administrator passwords are managed by you and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers. If password(s) were local to each computer, then remembering multiple passwords would become unwieldy.

Client Administrator accounts have the following restrictions:

„ Client Administrators do not have either of the authentication assistance methods (Authenti-Check and One-Time Password) available.

„ Client Administrators cannot use Single Sign-On.

User

SEE Full Disk protects the data stored on the Client Computer by encrypting it and requiring valid credentials to be provided before allowing Windows to load. Only the credentials of registered users and Client Administrators will be accepted by SEE Full Disk. During the registration process, users set their SEE credentials, allowing them to power the machine on from an off state and gain access to Windows. At least one user is required to register with SEE on each Client Computer.

A wizard guides the user through the registration process, which involves a maximum of four screens. The registration process can also be configured to occur without user intervention.

Authentication to SEE Full Disk can be configured to occur in one of three ways:

„ Single Sign-On enabled—The user will be prompted to authenticate once each time they restart their computer.

„ Single Sign-On not enabled—The user must log on twice: once to SEE Full Disk and then separately to Windows.

„ Automatic authentication enabled—The user is not prompted to provide credentials to SEE Full Disk; the

authentication process is transparent. This option relies on Windows to validate the user’s credentials.

To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges.

Table 1.2—Client Administrator Levels of Privilege Level Can Unlock

Computer

Can Extend Next Communication Due Date

Can Run Recover Program Can Decrypt Hard Disk Can Unregister Users High • • • • • Medium • • • • Low • • •

2. Reporting

Overview

The SEE Manager features several tools to retrieve data stored in the SEE database. These reporting tools will allow you to:

„ Assess the success of a deployment,

„ Gauge the risk that your organization may face due to unsecured endpoints,

„ Locate individual computers for the purpose of exporting the computer-specific Recover DAT file necessary for Recover /B,

„ Identify computers that have not checked in within a certain number of elapsed days,

„ Find out all of the computers that a user has registered on, and

„ Determine the SEE policy currently being enforced by protected endpoints.

If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer names and directory service location of any computer located on your forest, domain, or tree—even if the computer has never checked in with the SEE Management Server. While only the computer and directory service location of these computers will be available, the absence of additional data will allow you to identify computers that are unprotected or have not checked in.

The following table describes the data that will be available about Client Computers that have succeeded in checking in with the SEE Management Server.

Table 2.1—Data Available About Client Computers That Have Checked In

Column Heading Data Displayed Explanation

Computer name computer name Computer name

Group name* group name Location of the computer within SEE Users and Computers

Last Check-in time/date stamp The time and date of the last connection that the Client Computer made with

the SEE Management Server

Decrypted partition letter(s) The letter(s) of any decrypted partition(s) on this computer Decrypting partition letter(s) The letter(s) of any partition(s) on this computer in the process of

decrypting

Encrypted partition letter(s) The letter(s) of any encrypted partition(s) on this computer

Encrypting partition letter(s) The letter(s) of the partition(s) on this computer in the process of encrypting FR Version n.n.n The three digit version number of SEE Framework that is currently installed HD Version n.n.n The three digit version number of SEE Full Disk that is currently installed HD Installation Date time/date stamp The time and date on which SEE Full Disk was installed

Serial Number serial number|Not Available

The System Management BIOS (SMBIOS) serial number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will either be blank or Not Available will be displayed.

Asset Tag asset tag|No Asset Tag|No

Asset Information

The System Management BIOS (SMBIOS) asset tag from

WMI_SystemEnclosure class. If the data does not exist on the client, the value will either be blank or No Asset Tag/No Asset Information will be displayed.

Part Number part number

The System Management BIOS (SMBIOS) asset tag from

WMI_SystemEnclosure class. This data may not exist on the client, in which case it will be blank.

SEE Users and Computers

The SEE Users and Computers snap-in allows you to export data about a specific group into a comma-delimited format (CSV). This can be useful for generating reports on a per-group basis. You might also want to consider your reporting needs when you create your groups (“SEE Managed Computer Groups” on page 22).

SEE Server Reports

Computer Status Report

The Computer Status Report is used to retrieve the records of specific computers when you know their computer name. This can be useful under the following circumstances:

„ After deploying client installation packages using your third-party deployment tool of choice, run this report to ensure that the deployment was successful and that each client checks in. You should make sure that each client checks in at least once. During the check in process, the Client Computer sends data necessary for the online method of the One-Time Password Program and for the /B method of the Recover Program. Once you have identified Client Computers that have not checked in, you can target them using other tools such as Resultant Set of Policy (RSoP) reports and Windows system event logs to determine if there was a problem during installation.

„ Should a Client Computer fail to boot, you may need to export computer-specific recovery data necessary for Recover /B.

Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The % character can be used as a wildcard. Once you have entered the computer names that you want to retrieve the records of, click Run. To refresh the data, click Run again.

Computers not Encrypting to RS

The Computers not Encrypting to RS report will retrieve the records of the following computers on your network:

„ Did not have SEE Removable Storage installed as of the time of last check-in.

„ Was not protected by a SEE Removable Storage Encrypt all or Encrypt new policy as of the time of last check in.

„ Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices.

Computers with Decrypted Drives

The Computers with Decrypted Drives report will retrieve the records of the following computers on your network:

RS Encryption Policy N/A N/A

RS Encryption Method N/A N/A

RS Executables N/A N/A

RS Access Utility N/A N/A

RS Master Cert N/A N/A

RS Password Aging N/A N/A

RS Version N/A N/A

RS Installation Date N/A N/A

* This column is not shown in the SEE Users and Computers snap-in.

Table 2.1—Data Available About Client Computers That Have Checked In (Continued)

„ Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have a decrypted or decrypting partition.

Computers with Specified Users

The Computers with Specified Users report allows you to find out all of the computers that one or more users have registered on. Type the user names in the Enter User Names field. If you enter more than one user name, they should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters have been entered, click Run.

The records of the computers on which one or more of the specified users has registered will be retrieved and listed in the report results.

Computers without Full Disk Installed

The Computers without Full Disk Installed report will retrieve the records of the following computers on your network:

„ Did not have SEE Full Disk installed as of the time of last check-in.

„ Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Full Disk installed.

Computers without Removable Storage Installed

The Computers without Removable Storage Installed report will retrieve the records of the following computers on your network:

„ Did not have SEE Removable Storage installed as of the time of last check-in.

„ Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Removable Storage installed.

Non-Reporting Computers

The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the SEE Management Server within a specified number of elapsed days. This report will help you ensure that the data in the SEE database remains fresh. It is also an essential complement to a lockout policy.

Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the computers on your network that have not checked in with the SEE Management Server within the specified number of days will be retrieved and listed.

Resultant Set of Policy (RSoP)

The Group Policy Management snap-in features a reporting facility which allows you to verify that the Active Directory policies you assigned to Client Computers or users were actually processed as intended. This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report.

The initial SEE installation settings as deployed using the Framework and Full Disk client MSI packages (even if the MSI packages were deployed as GPOs) will not appear in the RSoP report. Only the results of Active Directory policy updates will be shown in the RSoP report.

To generate an RSoP report, perform the following steps:

1. Open the SEE Manager, and in the left pane, expand Group Policy Management, then expand Group Policy

Results.

2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard. 3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer. 4. Browse to or type the name of the computer for which you wish to generate a Group Policy Report.

5. Click Next.

Figure 2.1—Group Policy Results Wizard, User Selection

6. To view both user and computer policies, select the user that you want to see the user policies of. If you are only interested in computer policies, select Do not display user policy settings in the results.

7. Click Next.

8. Click Next at the summary screen, then click Finish.

9. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report, and displays the information in several tabs of the content pane on the right.

10. Click on the Settings tab of the Group Policy Results window in the pane on the right.

11. This windows shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration.

12. Within the section named Computer Configuration, locate the subsection named Administrative Templates. SEE uses registry based policies, and any SEE computer policies you create and apply will show up within the subsections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/

Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/ Full Disk.

For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window. 13. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework

section by clicking on the Show link on the right. That subsection will expand to reveal all Framework policies currently in effect.

Figure 2.2—RSoP Report From an SEE Client

Figure 2.2 shows that a Client Administrator policy has been applied. The Client Administrator mbrown

authenticates using a password and has a high level of privilege. The Client Administrator mwilliams authenticates using a password and has a high level of privilege.

Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, SEE/

Framework), choosing Save Report, and selecting a target location in which to save the HTML report.

Some SEE Active Directory policies create other settings in the client registry that are shown in the RSoP as Extra

Registry Settings. These represent internal registry values used by the particular SEE policy and can be ignored.

Windows System Events

All security-related system events are logged on the SEE Client Computer where they may be viewed remotely by an administrator using the Windows System Event viewer. To view SEE Full Disk–specific system events logged on a specific computer, perform the following steps:

1. Open a Run dialog from the Windows Start menu. 2. Type eventvwr.msc and click OK.

3. An Event Viewer console window opens showing the events on your local computer.

4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose

Connect to another computer.

6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK. 7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another

computer.

8. Choose View and click Filter to open the Application Properties window. 9. From the Event Source drop-down list box, choose Symantec and click Apply.

10. This filters the event log for that computer to show SEE Framework and SEE Full Disk events. Drag the Application Properties window away from the Event Viewer window, but leave it open.

11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event Properties window for that event.

The Description field contains information about that particular SEE Full Disk event. To inspect other events in the log, use the up and down arrow buttons in the upper right of the Event Properties window.

To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified.

For a complete list of all SEE–specific system events, their event code numbers, and descriptions of the events, refer to “Framework System Events List” on page 43 and “Full Disk System Events List” on page 56.

SEE Full Disk System Events generated in Windows log the user account information associated with that event in the User field of the Event Properties window, while SEE Full Disk Events generated in the Pre-Windows environment log the user account information in the Description field of the Event Properties window.

3. Policy Creation

Overview

Before creating a policy, you will need to know whether the recipient computers are managed by Active Directory or not. While the individual policy options are the same regardless of the deployment mechanism, the process of creating the policies is quite different.

This chapter discusses the following:

„ How to create Active Directory policies using SEE snap-in extensions in the Group Policy Object Editor (GPOE);

„ Creation of native policies using the SEE Native Policy Manager; and

„ The individual policy options themselves.

Active Directory Policies

To create an Active Directory policy, expand the Group Policy Management snap-in, expand your forest, expand

Domains, expand the domain, and expand Group Policy Objects.

„ To edit an existing GPO, right-click the GPO and select Edit.

„ To create a new GPO, right-click Group Policy Objects and select New. The Group Policy Object Editor (GPOE) will launch.

„ To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and expand

Symantec Endpoint Encryption. Then expand Symantec Endpoint Encryption Framework and/or Symantec Endpoint Encryption Full Disk Edition, according to your needs.

„ To edit or create a user policy, expand User Configuration, expand Software Settings, and expand Symantec

Endpoint Encryption. Then expand Symantec Endpoint Encryption Framework and/or Symantec Endpoint Encryption Full Disk Edition, according to your needs.

Each Active Directory policy panel features three radio buttons at the top:

„ Do not change these settings—this option is the default option. It specifies that no changes to existing policies or

installation settings will be made.

„ Change these settings—click this option if you want to specify a policy update. When this option is selected, the

fields below it will become available. These fields will not be defaulted to the policies currently in effect, they will just display generic defaults.

„ Restore the installation settings—click this option to apply a policy that instructs the client to disregard any

existing policies and return to the settings that were specified in its installation package.

When the Change these settings option is selected, your entries are validated when you click away from the panel. Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary corrections before closing the GPOE window.

For a detailed discussion of the options that will become available when the Change these settings option is selected, refer to “Policy Options” on page 13.

Native Policies

To create a native policy, right-click the SEE Native Policy Manager and select Create New Policy. When naming a policy, observe the following:

„ Each name must be unique and cannot have been assigned to any other native policy.

„ Names are case-insensitive.

„ Leading and trailing spaces will be deleted.

To edit a native policy, expand the SEE Native Policy Manager. Locate the policy that you want to edit and highlight it.

For a detailed discussion of the options available for modification within the SEE Native Policy Manager, continue to the next section.

Policy Options

Client Administrators

When creating a Client Administrator policy, it must contain all Client Administrator accounts that are authorized to access the workstation. Any Client Administrator accounts not listed in this policy will not be able to authenticate to the Client Computer.

Figure 3.1—Framework Computer Policy, Client Administrators Options

At least one Client Administrator account must be specified.

You can import a list of Client Administrators from a previously created installation settings package. Click Load

from installation settings, select the previously created SEE Framework client installer package, then click Open.

The GPO panel will populate with the Client Administrator account information specified when the installation settings package was created.

Registered Users

Basics

The Registered Users pane can be used to change the way that users authenticate to, register with, or get unregistered from SEE.

Figure 3.2—Framework Computer Policy, Registered Users Options

Authentication Method

In Authentication Method, select the authentication method you want SEE to effect.

„ Click on Require registered users to authenticate with a password.

„ Select Do not require registered users to authenticate to the SEE to enable automatic authentication. This option is designed for kiosk environments. If it is selected, users will not need to provide valid credentials to SEE Full Disk before Windows loads and your organization will rely on Windows for user authentication. It will reduce the security of the Client Computer but increase the transparency of the user experience. The registration process will be silent and automatic as well—unless a registration password is specified. Coupling automatic authentication with a registration password serves to avoid reaching the maximum registered user limit and to limit the number of users that can gain access to the User Client Console.

Registration

To allow any Windows user the ability to register, click the option Any Windows user can register for a SEE

account. To allow only those users who know a special registration password to be able to register, click Users must know this password to register, and type the password in the adjacent field and again to confirm. Each user will be

required to know the administrator-defined registration password before they can register for an SEE account. Specify the maximum number of SEE registered user accounts which can be created on each computer. New users will not be permitted to register after the maximum number of accounts has been reached.

Specify a custom message users will see when they are forced to register after grace restarts expire. The custom message can be from 0–900 characters in length, or you can use the default message. Note that the custom registration message field ignores any carriage returns you type or paste in.

Specify the number of grace restarts, i.e., the number of times, from 0–99, that the computer can restart before the first user who logs on will be forced to register for an SEE account and see the custom registration message. This setting can effectively allow users to defer registration. To force the first user to register immediately, set this value to zero.

Unregistration

Unregistration selects whether to allow users to only be unregistered manually by Client Administrators, or whether to also automatically unregister users who do not log on after a specified period, from 1–365 days. This setting is useful in a kiosk environment where many infrequent users can fill up the maximum number of available SEE accounts on a given computer. Use caution with this setting so that users do not have their accounts deleted unexpectedly.

Password Authentication

Use the Password Authentication panel to set or change the logon delay and/or to set the criteria that new passwords must meet, if Single Sign-On is not enabled.

Figure 3.3—Framework Computer Policy, Password Authentication Options

Under Password Attempts, select the Limit password and Authenti-Check attempts check box to set the number of incorrect passwords or Authenti-Check answers a user can type in succession before the system will introduce a one minute delay between further logon attempts. You can also specify the time in minutes that must elapse after the last incorrect attempt occurred, after which the one minute delay behavior is lifted.

„ Password Complexity—These include the minimum number of characters users’ SEE passwords must contain,

the set of non-alphanumeric characters users may have in their passwords, as well as the minimum number of non-alphanumeric characters, uppercase letters, lowercase letters, and digits users must have in their passwords.

„ Maximum Password Age—Leave this option at the default to not set an expiration date on user passwords. If

you select the option to set an expiration date on user passwords, type the number of days after which users’ passwords will expire, and type the number of days in advance users will be prompted to change their expiring passwords.

„ Password History—allow users to use any previously-used SEE password, or select the other option and type the

number of different passwords users must use before reverting to old passwords.

„ Minimum Password Age—Leave this option at the default to allow users to change their SEE passwords as

frequently as they wish, or select the other option and type the minimum number of days that must pass before users can change their passwords. Note that leaving this option at the default will effectively override the password history feature, since a user could quickly cycle through the required number of new passwords in order to keep an old, favorite password.

Authentication Message

To change the message shown to users who are having trouble authenticating, edit the text within the Instructions

for users who are having trouble with authentication field. For example, the phone number of your help desk may

have been provided in the message and you may need to update it.

Communication

Use the Communication panel to modify the interval at which the recipient computers will attempt to make contact with the SEE Management Server.

Single Sign-On

Select or deselect the Enable Single Sign-On check box for the desired effect.

Authenti-Check

Use the Authenti-Check panel to enable or disable Authenti-Check and/or to change the question-answer pair requirements.

Figure 3.4—Framework Computer/User Policy, Authenti-Check Options

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

Select or deselect the Enable Authenti-Check check box according to the policy that you wish to effect. You can also adjust the other settings to your needs.

Authenti-Check is a self-help password recovery method for SEE Full Disk passwords. It does not recover SEE Removable Storage passwords.

One-Time Password

Use the One-Time Password panel to modify the availability of One-Time Password assistance, change the default message, update the personal identifier explanatory text, or adjust the availability of the OTP Communication Unlock feature.

Figure 3.5—Framework Computer/User Policy, One-Time Password Options

Select the Enable One-Time Password check box to make this Pre-Windows authentication assistance method available to SEE Full Disk users.

Within the Default method area, select the default method that the Client Computers will begin with when initiating a One-Time Password recovery attempt. Select Online if the clients are configured to connect to the SEE

Management Server. Select Offline if the clients are silent.

Type the instructions to be displayed to users when prompted to enter their One-Time Password personal identifier. Select the OTP Communication Unlock check box to allow users who have been locked out of their computers for a failure to communicate to regain access using the One-Time Password Program.

One-Time Password is a help-desk-assisted means for SEE Full Disk users to regain access to Windows. It is not relevant to SEE Removable Storage.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

Startup

Use the Startup panel to revert to the Symantec startup image, change the logon instructions, or change the legal notice shown on the Startup screen.

Figure 3.6—Full Disk Computer Policy, Startup Options

Select The SEE logo to replace a custom image with the default image from SEE.

You can also use the Logon instructions and Legal notice fields to customize the text displayed on the Startup screen.

Logon History

Use the Logon History panel to change whether the SEE logon is prefilled with the user name and/or domain of the last successfully authenticated user.

Selecting the User name check box allows users to see the name and domain of the last user who logged on at the SEE pre-Windows logon screen. This will reduce the security of your Client Computers, so Symantec recommends deselecting both the User name and Domain check boxes.

Autologon

Autologon is used by Policy Administrators for remotely deploying software to computers protected by SEE Full Disk. Many software installation packages require one or more restarts of the target computer, and Autologon will automatically authenticate without user or administrator intervention. The Policy Administrator defines a window of time during which Autologon remains active, along with the total number of restarts that may occur within the defined period.

When either the total number of restarts has been reached, the defined time window has elapsed, or the computer shuts down for more than ten minutes, the Autologon feature terminates.

The Autologon policy will take effect approximately five minutes after receipt.

Because this policy temporarily bypasses the normal logon process for SEE Full Disk, computers receiving this policy will be in a state of heightened vulnerability while Autologon remains active. To minimize the associated risks, make certain that you carefully review the number of reboots allowed and the inclusive dates and times that Autologon will remain active before deploying this policy.

This panel cannot be used to change a custom image. To change a custom image, push out a new installation package.

If this policy will be effected on a computer operated by a visually impaired user who will be using audio cues in pre-Windows, ensure that the User name check box is deselected and that the Domain box is selected. This will allow the user to log on using the audio cues.

Figure 3.7—Full Disk Computer Policy, Autologon Options

When the default option Boot only after user authentication to SEE is selected, the Autologon feature is deactivated, and Client Computers receiving the policy will only boot after user authentication. To activate the Autologon feature, select the Boot up to option button and type the maximum number of Autologon restarts you wish to occur, from 1–999, in the text box.

Autologon will deactivate itself if either the specified number of restarts has been reached or the specified active period has elapsed. Autologon will also automatically deactivate itself five minutes after the computer has been shut down, thus limiting exposure should the computer be stolen while an Autologon policy is in effect.

When the Autologon feature is activated, use the eight controls provided to define the inclusive starting and ending period during which the Autologon feature will be active. The start and end dates and times must be within a valid range in order for the Autologon feature to function as intended.

Indefinite Autologon

Autologon can also be used to suppress SEE Full Disk authentication indefinitely. To turn on this indefinite Autologon mode, choose an ending year of --- in the drop-down list box. As computers will be in a heightened state of vulnerability for the duration of the Autologon, it is recommended that good security practices to secure the computer be followed, such as setting a Windows administrator password and requiring token-based Windows authentication. Remove this policy to restore the secure authentication provided by SEE Full Disk. Note that the five minute self-deactivation behavior is suppressed when indefinite Autologon mode is used.

Remote Decryption

Create a remote decryption policy to decrypt all encrypted disk partitions on one or more computers protected by SEE Full Disk. Client Computers receiving this policy will commence decryption once the policy has been processed. Processing of the policy takes approximately five minutes.

If a Client Computer has a pending lock out condition due to a failure to communicate within the period of time specified in either the Full Disk Installation Settings—Client Monitor or Full Disk Computer Policy— Client Monitor panels, an Autologon policy applied will pre-empt the lockout condition for as long as the Autologon policy is in effect. This is to ensure that a communication lockout condition does not disrupt the completion of the Autologon process.

When multiple Active Directory policies are in effect, their precedence on a Client Computer is defined according to the following order, from highest to lowest:

„ Indefinite Autologon GPO (highest precedence)

„ Autologon GPO

Client Monitor

Use the Client Monitor panel to modify the enforcement of client communication with the SEE Management Server.

Figure 3.8—Full Disk Computer Policy, Client Monitor Options

Click Do not enforce a minimum contact period with the SEE Server if you do not want to enforce regular contact with the SEE Management Server.

Click Lock computer after to force a computer lockout after a specified number of days without network contact. If you select this option, you can specify the number of days a computer may remain without network contact, from 0– 365. You can also specify how many days in advance, from 0–365, that users will be warned to connect to the network and avoid a lockout.

Note that the values you type in these two box are validated to ensure that users will always be warned prior to a lockout. For example, you will be prevented from specifying that the computer should be locked after five days without contact, and that the users should be warned 15 days before being locked out. If this case were allowed, the user could run the risk of being locked out 10 days before the warning is displayed.

Local Decryption

Select the Registered users can decrypt disk check box if you want to permit registered users to use the User Client Console to decrypt encrypted partitions.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

4. Policy Deployment

Overview

Policy deployment differs according to the type of policy that you are deploying.

„ Deployment of Active Directory policies is discussed in the next section.

„ Deployment of native policies is discussed in “Native Policies” on page 22.

Active Directory Policies

Basics

Active Directory policies are deployed using the Group Policy Management Console (GPMC) snap-in of the SEE Manager.

Order of Precedence

When a single computer or user object has two or more policies assigned to it, the Local, Site, Domain, OU (LSDOU) order of precedence and link order will be considered. Policies specific to a single computer or user object are considered local and have the highest order of precedence in the LSDOU chain.

If the policies are at the same LSDOU level, they will then be applied according to their link order. Those lowest in the link order will have the highest order of precedence.

Forcing a Policy Update

Basics

Active Directory policy changes take approximately 90 minutes and no more than 120 minutes to push out to Client Computers. To accelerate this, you can force an immediate policy update.

Windows XP Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.

2. Type the following command at the command prompt:

gpupdate /force

and press ENTER.

3. A message will appear in the command prompt window after a few seconds indicating that the update has taken place. The message will prompt you to confirm a restart. Type Y and press ENTER to restart the Client Computer.

Windows 2000 Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.

2. Type the following command at the command prompt:

secedit /refreshpolicy machine_policy /enforce

and press ENTER.

3. The secedit command will not prompt you to restart. If the policy you are updating includes any computer policies, you will have to restart the computer manually to complete the update.

Native Policies

Basics

Native policies are applied at the computer level: they cannot be assigned on a per user basis. Each policy will be comprehensive and contain all of the possible configurable settings.

Only one policy can be applied to a computer at a time. If no policy is assigned to a computer, it will revert to the settings specified in its original installation package.

Native policies are applied at the time that the Client Computer checks in with the SEE Management Server. If synchronization with Novell is enabled, the Novell computers will already be organized within the Novell eDirectory Computers container, just as they are organized within the Novell eDirectory tree. Native policies can be assigned to Novell computers, even if they have not checked in.

Clients in the SEE Managed Computers container cannot be assigned policies until:

„ They have checked in with the SEE Management Server.

„ They have been placed in a group other than SEE Unassigned.

The following section discusses the process of creating groups and placing Client Computers inside of them.

SEE Managed Computer Groups

Basics

Before you can assign policies to your SEE-managed computers, they need to be organized into groups. This can be done from any Manager Computer. The structure will be saved in the SEE database and available to all other Manager Computers.

The SEE Managed Computers container will only have two groups in by default: SEE Unassigned and Deleted Computers.

Clients located within the SEE Unassigned group do not have any policies assigned to them. Clients will be placed in the SEE Unassigned group if:

„ Synchronization with its directory service is not enabled.

„ The computer does not reside within the Active Directory forest/domain or Novell tree that you are synchronizing with.

In general, the Client Computer will appear in SEE Unassigned at the time that it checks in. However, if the Client Computer is manually deleted from the Active Directory domain or Novell tree, it will not appear in SEE Unassigned until the time of the next synchronization.

Client Computers within the SEE Unassigned group do not have any policies assigned to them. Such Client Computers are enforcing the settings specified within their original installation package.

Group Creation

The first step in organizing your SEE-managed computers is to create the groups that they will reside in. To add a group, right-click Symantec Endpoint Encryption Managed Computers.

Figure 4.1—SEE Managed Computers, Add New Group

Select Add New Group.

Figure 4.2—Name New Group Dialog

Enter the name of the new group. This name must be unique within its group. For example, the Finance group can have two subgroups named Laptops and Desktops and the Human Resources group can also have two subgroups named Laptops and Desktops. But there cannot be two top-level groups just below SEE Managed Computers named Human Resources.

Each name must be at least one character. Leading and trailing spaces will be deleted. Enter the desired name of the group and click OK.

Continue to add groups and subgroups until you have the desired structure.

Move Computers

Highlight SEE Unassigned. Locate the computer that you want to move and highlight it.

Figure 4.3—SEE Unassigned, Computer Highlighted

Click Move.

Figure 4.4—SEE Managed Computers Groups Dialog

Navigate to the desired destination group of the Client Computer. Highlight it and click OK. Each Client Computer can only reside in one group at a time.

Policy Assignment

Native policies can be assigned to individual computers, subgroups, or groups located within either the SEE Managed Computers container or the Novell eDirectory Computers container.

This section describes how to assign a policy to a group within the SEE Managed Computers container, but the instructions are fully extensible to your individual circumstance.

Begin by locating the recipient computer, subgroup, or group of the policy. Highlight the name of the recipient.

Figure 4.5—SEE Managed Computers Group Selected

Click Policy.

Figure 4.6—Policy Selection Dialog

Locate the native policy to be assigned to this group within the dialog and highlight it. Click OK.

Figure 4.8—SEE Managed Computers Policy Assigned

Following the successful assignment of the policy, the Manager Console will display the name of the policy now assigned to the group. The next time the Client Computers in this group check in with the SEE Management Server, they will download this policy and apply it.

Order of Precedence

Each computer can only have one policy assigned to it at any given time. Policies can be assigned to individual computers, subgroups, or entire groups. The rules of precedence are as follows: (1) Computer, (2) Subgroup, and (3) Group. Computer policies have the highest precedence.

For example, if a policy is applied to computer D9HCPD3, and another policy is applied to the Laptops subgroup in which it resides, the policy applied to the computer will take precedence over the policy that was applied to the Laptops subgroup.

Forcing a Policy Update

Registered users can force an immediate policy update by launching the User Client Console, opening the Check-In panel, and clicking Check in Now.

5. Endpoint Support

The Management Password

Basics

The Management Password is used by SEE to control administrator access to two help desk functions: Recover /B and the One-Time Password Program.

SEE Policy Administrators or other support personnel who have access to the Management Password snap-in must type the Management Password before they can export computer-specific hard disk recovery files (see “Recover DAT File Generation” on page 36), or run the One-Time Password Program.

The Management Password snap-in is not applicable if your SEE Manager was installed in serverless mode. Because the Management Password is shared among support personnel, you should establish a protocol for all Management Password changes. This will avoid the situation of one administrator changing the Management Password and preventing other administrators from performing help desk functions which require the Management Password. The Management Password should be backed up and stored in a safe location, as there is no mechanism available for recovering a lost Management Password.

Setting the Management Password

The Management Password is set during the initial installation of the SEE Manager. During subsequent installations of the SEE Manager, the fact that the Management Password has already been set will be detected by the installer, and it will not be necessary to set the Management Password again.

Changing the Management Password

To change the Management Password, perform the following steps: 1. Open the SEE Manager.

2. In the navigation pane on the left, click on Symantec Endpoint Encryption Management Password.

3. In the pane on the right, type the existing Management Password, type a new Management Password between 16– 32 characters in length, and type the new Management Password again to confirm.

4. Click OK. A confirmation message will be displayed.

Figure 5.2—Management Password Changed, Confirmation Message

5. Click OK.

One-Time Password Program

Basics

The One-Time Password (OTP) Program allows users to recover from a forgotten password with help desk

assistance. It also allows users to regain access to their computer after it has been locked for a failure to communicate with the SEE Management Server.

This assistance provides the user with a one-time password—called a response key—which allows the user to temporarily authenticate. The user is then prompted to enter a new password.

To run the help desk side of the utility, you must:

„ Use a Manager Computer that has the OTP snap-in installed.

„ Log on to that computer using a Windows account that has been provisioned with read access to the SEE database, or have SQL database credentials that will allow you to read the SEE database.

„ Know the Management Password.

Be certain of a user’s identity prior to assisting the user with OTP. If the user requesting help is contacting you from their desk, a simple way to help establish their identity is to call them back at the phone number listed in the organization’s phone directory.

Launch

When a user calls for One-Time Password recovery, open the SEE Manager and click on the One-Time Password snap-in.

Figure 5.3—One-Time Password, Welcome

Click Next to begin.

SQL Server Logon Information

If you are currently logged on to Windows as a user that does not have sufficient privileges to read the SEE database, you will be prompted to provide SQL Server database credentials.

Figure 5.4—SQL Server Logon Prompt

Management Password

Following successful authentication to the SEE database, the One-Time Password Program will request the Management Password.

Figure 5.5—One-Time Password, Management Password

Enter the Management Password and click Next.

Method

Basics

Two methods are available for assisting users: online and offline.

The online method is easier and more secure, but will not succeed unless the Client Computer has made contact with the SEE Management Server at least once following the registration of the user requiring assistance.

Ask the user what method is displayed on their screen. If it is online, continue to the next section. If it is offline, skip to “Offline” on page 33.

Online

After entering the Management Password, you will be prompted to select the method.

Figure 5.6—One-Time Password, Method Selection, Online

Select the Online option. Click Next.

The One-Time Password Program will confirm that the information you have entered corresponds to that stored in the SEE database.

Figure 5.8—One-Time Password, Online Method, Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user’s screen.

Under each box is a checksum. Once the user has typed in the entire response key, ask the user to read back to you the checksums. If the user’s checksums agree with your checksums, the user has correctly entered the data. If a checksum is not in agreement, the user entered one or more response key digits incorrectly. Read the response key to the user again and determine the incorrect portion.

Once the user has entered the response key and the checksums agree, ask the user to click Next. Remain in contact with the user.

If the user gains access to Windows, click Yes.

If the user fails to gain access to Windows, click No. The wizard will initiate the offline method if you have not already tried it. Skip to “Offline” on page 33.

If the user correctly entered the response key, when the user clicks Next, they will gain access to Windows. Remain in contact with the user to make sure they change their password. They should be prompted to do so either before or after Windows loads.

If they don’t get prompted and SSO is enabled, they are not connecting to the domain and this is a Windows issue. If they don’t get prompted and SSO is not enabled, have them open the User Client Console and change their password.

Offline

The offline method can be used if the online method fails or if the Client Computer has never checked in with the SEE Management Server.

Figure 5.9—One-Time Password, Method Selection, Offline

Ask the user to provide their OTP personal identifier, which should be displayed on their screen. Ensure that the personal identifier provided corresponds to the person requesting the One-Time Password. If the identifiers do not match, it could indicate that this person is not authorized to access the workstation. Symantec recommends that you halt the process and send a Client Administrator out to help the user in person.

Once you have verified the personal identifier, ask the user to provide you with the challenge key displayed on their screen. Type the digits into the fields on your screen from left to right.

Under each field is a checksum. It is internally generated and uniquely represents in shorter form the digits entered in each field. As you enter the challenge key, checksums appear under their fields. To verify that you have entered the correct challenge key, ask the user to read back to you the checksums. If the checksums agree with your checksums, you have correctly entered the data. If a checksum is not in agreement, ask the user to provide you with the challenge key again and check it against what you have typed.

Under each box is a checksum. Once you have typed in the entire challenge key, ask the user to read back to you the checksums. If the user’s checksums agree with your checksums, you have correctly entered the data. If a checksum is not in agreement, you entered one or more challenge key digits incorrectly. Ask the user to read you the challenge key again and determine the incorrect portion. Most likely, the first mismatching checksum will be below the incorrect portion of the challenge key.

Once you have verified and entered the correct challenge key, click Next.

Figure 5.11—One-Time Password, Offline Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user’s screen.

Under each box is a checksum. Once the user has typed in the entire response key, ask the user to read back to you the checksums. If the user’s checksums agree with your checksums, the user has correctly entered the data. If a checksum is not in agreement, the user entered one or more response key digits incorrectly. Read the response key to the user again and determine the incorrect portion.