Full Disk
Policy Administrator Guide
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. GuardianEdge and Authenti-Check are either trademarks or registered trademarks of GuardianEdge Technologies Inc. (now part of Symantec). Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 “Commercial Computer Software - Restricted Rights” and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 350 Ellis Street
Contents
1. Introduction . . . 1
Overview. . . 1
Directory Service Synchronization . . . 2
Active Directory and Native Policies . . . 2
Manager Console . . . 3
Basics . . . 3
Database Access . . . 3
Endpoint Containers . . . 4
Symantec Endpoint Encryption Roles . . . 5
Policy Administrators . . . 5
Client Administrators . . . 5
User . . . 6
2. Reporting . . . 7
Overview. . . 7
Basics . . . 7
Client Computers Data Available from Users and Computers and Basic Reports . . . 7
Directory Services Synchronization Data . . . 11
Admin Log Data . . . 12
Client Events Data . . . 14
Device Exemptions Report Data . . . 14
Symantec Endpoint Encryption Users and Computers. . . 14
Symantec Endpoint Encryption Reports. . . 14
Basics . . . 14
Active Directory Forests Synchronization Status . . . 15
Client Events . . . 15
Computer Status Report . . . 15
Computers not Encrypting to Removable Storage . . . 15
Computers with Decrypted Drives . . . 15
Computers with Expired Certificates . . . 15
Computers with Specified Users . . . 15
Computers without Full Disk Installed . . . 16
Computers without Removable Storage Installed . . . 16
Device Exemptions Report . . . 16
Percentage of Encrypted Endpoints . . . 16
Full Disk Client Deployment . . . 16
Framework Deployment . . . 16
Non-Reporting Computers . . . 16
Novell eDirectory Synchronization Status . . . 16
Custom Reports . . . 17
Resultant Set of Policy (RSoP) . . . 17
Windows System Events . . . 19
3. Policy Creation & Editing . . . 21
Overview. . . 21
Active Directory Policies . . . 21
Policy Administrator Guide Contents
Client Administrators . . . 22
Registered Users . . . 24
Password Authentication . . . 26
Token Authentication . . . 27
Authentication Message . . . 27
Communication . . . 27
Single Sign-On . . . 27
Authenti-Check . . . 27
One-Time Password . . . 28
Startup . . . 29
Logon History . . . 29
Autologon . . . 29
Remote Decryption . . . 33
Client Monitor . . . 33
Local Decryption . . . 34
4. Policy Deployment . . . 35
Overview. . . 35
Active Directory Policies . . . 35
Basics . . . 35
Order of Precedence . . . 35
Forcing a Policy Update . . . 35
Native Policies . . . 36
Basics . . . 36
Symantec Endpoint Encryption Managed Computer Groups . . . 36
Policy Assignment . . . 38
Order of Precedence . . . 40
Forcing a Policy Update . . . 40
5. Endpoint Support . . . 41
The Management Password . . . 41
Basics . . . 41
Changing the Management Password . . . 41
One-Time Password Program . . . 42
Basics . . . 42
Launch . . . 43
Management Password . . . 44
Method . . . 44
Error Messages . . . 49
Whole Disk Recovery Token (WDRT) . . . 50
Basics . . . 50
Launch . . . 51
Management Password . . . 52
User Identity . . . 52
Token . . . 53
Hard Disk Recovery for Windows Computers . . . 53
Basics . . . 53
Recover DAT File Generation . . . 54
Appendix A. System Event Logging . . . 57
Framework System Events List . . . 57
Full Disk System Events List . . . 73
Appendix B. Authentication Method Changes . . . 81
Overview. . . 81
User Experience . . . 81
Appendix C. Policy Settings Honored by Mac Clients . . . 82
Glossary . . . 83
Figures
Figure 1.1—Sample Network Configuration . . . 1
Figure 1.2—SQL Server Logon Prompt . . . 3
Figure 2.1—Group Policy Results Wizard, User Selection . . . 18
Figure 2.2—RSoP Report From a Symantec Endpoint Encryption Client . . . 19
Figure 3.1—Framework Computer Policy, Client Administrators Options . . . 22
Figure 3.2—Add New Client Administrator Dialog . . . 23
Figure 3.3—Framework Computer Policy, Registered Users Options . . . 24
Figure 3.4—Framework Computer Policy, Password Authentication Options . . . 26
Figure 3.5—Framework Computer/User Policy, Authenti-Check Options . . . 27
Figure 3.6—Framework Computer/User Policy, One-Time Password Options . . . 28
Figure 3.7—Full Disk Computer Policy, Startup Options . . . 29
Figure 3.8—Full Disk Computer Policy, Autologon Options . . . 31
Figure 3.9—Full Disk Computer Policy, Client Monitor Options . . . 33
Figure 4.1—Symantec Endpoint Encryption Managed Computers, Add New Group . . . 37
Figure 4.2—Name New Group Dialog . . . 37
Figure 4.3—SEE Unassigned, Computer Highlighted . . . 38
Figure 4.4—Symantec Endpoint Encryption Managed Computers Groups Dialog . . . 38
Figure 4.5—Symantec Endpoint Encryption Managed Computers Group Selected . . . 39
Figure 4.6—Policy Selection Dialog . . . 39
Figure 4.7—Native Policy Assignment Confirmation . . . 39
Figure 4.8—Symantec Endpoint Encryption Managed Computers Policy Assigned . . . 40
Figure 5.1—Management Password Snap-in . . . 41
Figure 5.2—Management Password Changed, Confirmation Message . . . 42
Figure 5.3—One-Time Password, Welcome . . . 43
Figure 5.4—One-Time Password, Management Password . . . 44
Figure 5.5—One-Time Password, Method Selection, Online . . . 45
Figure 5.6—One-Time Password, Online Method, Identifying Information . . . 45
Figure 5.7—One-Time Password, Online Method, Response Key . . . 46
Figure 5.8—One-Time Password, Method Selection, Offline . . . 47
Figure 5.9—One-Time Password, Offline Challenge Key . . . 47
Figure 5.10—One-Time Password, Offline Response Key . . . 48
Figure 5.11—One-Time Password, User Record Not Found . . . 49
Figure 5.12—One-Time Password, Invalid Code Synchronization . . . 49
Figure 5.13—Whole Disk Recovery Token, Welcome . . . 51
Figure 5.14—Whole Disk Recovery Token Program, Management Password . . . 52
Figure 5.15—Whole Disk Recovery Token Program, Identify User . . . 52
Figure 5.16—Whole Disk Recovery Token Program, Token Characters . . . 53
Figure 5.17—Manager Console, Computer in Need of Recovery Highlighted . . . 54
Figure 5.18—Management Password Prompt . . . 54
Figure 5.19—Recovery Password Prompt . . . 55
Figure 5.20—Recovery Data Export Dialog . . . 55
Tables
Table 1.1—Active Directory and Native Policies Compared . . . 2
Table 2.1—Client Computer Data Available from Main Window of Users and Computers and Basic Reports . . . 8
Table 2.2—Client Computer Data Available from Computer Info Tab . . . 8
Table 2.3—Client Computer Data Available from Framework Tab . . . 9
Table 2.4—Client Computer Data Available from Full Disk Tab . . . 9
Table 2.5—Client Computer Data Available from Removable Storage Tab . . . 10
Table 2.6—Client Computer Data Available from Associated Users Tab . . . 10
Table 2.7—Fixed Drives Data . . . 11
Table 2.8—Directory Services Synchronization Data . . . 11
Table 2.9—Admin Log Data . . . 12
Table 2.10—Client Log Data . . . 14
Table 2.11—Device Exemptions Report . . . 14
Table 2.12—Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers . . . 17
Table A.1—Framework System Events . . . 57
Table A.2—Full Disk System Events . . . 73
Table B.1—Effect of a Change in Authentication Method on Existing User Accounts . . . 81
1. Introduction
Overview
Symantec Endpoint Encryption Full Disk protects data on laptops and PCs from the threat of theft or loss with strong, centrally managed encryption, auditing, and policy controls for hard disks and partitions, ensuring that the loss of a machine and its data does not result in a disclosure required by corporate policy or government regulation. As part of Symantec Endpoint Encryption, Full Disk leverages existing IT infrastructures for seamless deployment, administration, and operation.
Symantec Endpoint Encryption is comprised of Full Disk, Removable Storage, and Framework. Framework includes all the functionality that is extensible across Symantec Endpoint Encryption. It allows behavior that is common to both Removable Storage and Full Disk to be defined in one place, thus avoiding potential inconsistencies.
The following diagram depicts a sample network configuration of Symantec Endpoint Encryption.
Figure 1.1—Sample Network Configuration
The Active Directory domain controller and Symantec Endpoint Encryption Management Server are required. Multiple domains, forests, trees, and Symantec Endpoint Encryption Management Servers are supported.
A database server is recommended, but the Symantec Endpoint Encryption database can also reside on the Symantec Endpoint Encryption Management Server. If a database server is chosen to host the Symantec Endpoint Encryption database, the database server can be located inside or outside of Active Directory.
The Manager Console can be installed on multiple Manager Computers. It can also be installed on the Symantec Endpoint Encryption Management Server. It must reside on a computer that is a member of Active Directory.
The Novell eDirectory tree, Active Directory group policy communications, and TLS/SSL encryption are optional.
Directory Service Synchronization
Synchronization with Active Directory and/or Novell eDirectory is an optional feature. If enabled, then the Symantec Endpoint Encryption Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this information in the Symantec Endpoint Encryption database. It also keeps this information up to date. This improves performance during Client Computer communications with the Management Server, as the Management Server will be able to identify the Client Computer without having to query the Active Directory domain controller and/or the Novell eDirectory server.
When you open the Manager Console, you will have your Active Directory and/or Novell endpoints organized just the way that they are in the directory service, easing your deployment activities.
In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any Symantec Endpoint Encryption products installed and/or have never checked in with the Management Server. This will allow you to run reports to assess the success of a given deployment and gauge the risk that your organization may face due to unprotected endpoints.
The timing of the synchronization event differs according to the directory service. Whereas Novell informs the Management Server of any changes that may occur, the Management Server needs to contact Active Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes.
Active Directory and Native Policies
Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not.
Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off.
The following table itemizes the differences between Active Directory and native policies.
Table 1.1—Active Directory and Native Policies Compared
| Active Directory Policies | Native Policies |
|---|---|
| Certain policies are deployed to users and others are deployed to computers. | Policies can only be applied to computers. |
| Policies are applied in Local, Site, Domain, OU (LSDOU) order of precedence. | Policies are applied in Computer, Subgroup, Group (CSG) order of precedence. |
| Single pane policy creation/deployment. | Each pane must be visited when creating the policy. |
| Policies are obtained from the domain controller and applied at each reboot. | Policies are applied when the client checks in with the Symantec Endpoint Encryption Management Server. |
| An immediate policy update can be forced using the gpupdate /force or secedit command. | An immediate policy update can be forced by clicking Check In Now from the User Client Console. |
Manager Console
Basics
The Manager Console contains the following Symantec Endpoint Encryption snap-ins:
Symantec Endpoint Encryption Management Password—allows you to change the Management Password. The Management Password controls administrator access to two Full Disk help desk functions: Recover /B and the Help Desk Program.
Symantec Endpoint Encryption Software Setup—is used to create client installation/migration packages.
Symantec Endpoint Encryption Native Policy Manager—escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients.
Symantec Endpoint Encryption Users and Computers—displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups; provides the ability to export computer-specific Recover DAT files necessary for Recover /B.
Symantec Endpoint Encryption Reports—includes reports to allow you to obtain endpoint data, Policy Administrator activity logs, and directory service synchronization configuration. In addition, you will be able to export computer-specific Recover DAT files and create your own custom reports.
SEE Help Desk Program (optional)—enables you to assist Windows or Mac users that forgot their credentials. You can also assist Windows users that have been locked out for a failure to communicate with the Management Server.
It also contains the following Microsoft snap-ins to help you manage your Active Directory computers:
Active Directory Users and Computers—allows you to both view and modify your Active Directory organizational hierarchy.
Group Policy Management—lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find Symantec Endpoint Encryption snap-in extensions that allow you to create and modify Symantec Endpoint Encryption user and computer policies for Active Directory–managed computers.
Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if any, are enforced through the privileges associated with your Windows account.
Database Access
Your Windows account may have been provisioned with rights to access the Symantec Endpoint Encryption database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console. If you are not logged on to Windows with read and write access to the Symantec Endpoint Encryption database at the time that you launch the Manager Console, you will be prompted for your SQL or Windows credentials.
The Server name and Initial catalog fields will contain the information that was provided when this Manager Console was installed. In general, you should not modify the default contents of these fields. Circumstances that require you to edit these entries would be unusual, such as the loss of your primary Symantec Endpoint Encryption database. In such a situation, you could edit the Server name and Initial catalog fields to connect to a disaster recovery site. The syntax used in the Server name field is as follows:
computer name,port number\instance name
While the NetBIOS name of the server hosting the Symantec Endpoint Encryption database will always be required, the TCP port number will only be necessary if you are using a custom port, and the instance name will only be needed if you are using a named instance. The custom port number would need to be preceded by a comma and the instance name by a backslash.
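As an added example (not Symantec's code), the following Python parses and validates a Server name value in the syntax above, rejecting a malformed port or instance before any connection is attempted; the host and instance character sets and the sample names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed illustration of the Server name field syntax:
#   computer name,port number\instance name
# The port is optional (custom port only) and the instance is optional
# (named instance only). NetBIOS names are at most 15 characters; the
# permitted character sets below are assumptions chosen to exclude the
# two separators and characters NetBIOS itself disallows.
_NETBIOS_HOST = re.compile(r"^[A-Za-z0-9\-_]{1,15}$")
_INSTANCE = re.compile(r"^[A-Za-z0-9_$#]{1,16}$")


@dataclass(frozen=True)
class ServerName:
    host: str
    port: Optional[int] = None      # None means the default SQL Server port
    instance: Optional[str] = None  # None means the default instance


def parse_server_name(value: str) -> ServerName:
    """Parse 'host', 'host,port', 'host\\instance' or 'host,port\\instance'."""
    text = value.strip()
    if not text:
        raise ValueError("Server name is empty")

    # The instance name, if present, follows the backslash.
    instance = None
    if "\\" in text:
        text, instance = text.split("\\", 1)
        if not _INSTANCE.match(instance):
            raise ValueError(f"invalid instance name: {instance!r}")

    # The custom port, if present, follows the comma and precedes the
    # backslash; a port written after the instance is therefore rejected.
    port = None
    if "," in text:
        text, port_text = text.split(",", 1)
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"invalid TCP port: {port_text!r}")
        port = int(port_text)

    if not _NETBIOS_HOST.match(text):
        raise ValueError(f"invalid NetBIOS computer name: {text!r}")
    return ServerName(host=text, port=port, instance=instance)


def format_server_name(server: ServerName) -> str:
    """Inverse of parse_server_name: emit the field's expected syntax."""
    out = server.host
    if server.port is not None:
        out += f",{server.port}"
    if server.instance is not None:
        out += f"\\{server.instance}"
    return out


def is_valid_server_name(value: str) -> bool:
    """True when the value parses; useful as a pre-connect sanity check."""
    try:
        parse_server_name(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not real server names.
    for sample in ("SEEDB01", "SEEDB01,1533", "SEEDB01\\SEEINST", "SEEDB01,1533\\SEEINST"):
        print(sample, "->", parse_server_name(sample))
```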
To use a SQL account, select SQL Authentication and type the SQL user name in the User name field. Otherwise, select Windows Authentication and type the Windows account name in NetBIOS format in the User name field. Type the account password in the Password field. Click Connect to authenticate.
If you don’t wish to authenticate to the Symantec Endpoint Encryption database at this time, click Cancel. You may receive one or more error messages following cancellation. You will receive additional prompts upon attempting to access the individual Symantec Endpoint Encryption snap-ins in the console.
Endpoint Containers
Basics
The Symantec Endpoint Encryption Manager will place each endpoint into one or more of the following containers:
Active Directory Computers,
Novell eDirectory Computers, or
Symantec Endpoint Encryption Managed Computers.
Active Directory/Novell eDirectory Computers
No computers will be placed in the Active Directory Computers or Novell eDirectory Computers containers unless synchronization with the directory service is enabled.
If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell eDirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory services is enabled and the computer is managed by both, it will appear in both containers. Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with Symantec Endpoint Encryption snap-ins.
Symantec Endpoint Encryption Managed Computers
Computers located within the Active Directory Computers and/or Novell eDirectory Computers containers will not be shown in the Symantec Endpoint Encryption Managed Computers container.
Only computers that have checked in with the Management Server will be shown in the Symantec Endpoint Encryption Managed Computers container. Whether a computer is placed in the Symantec Endpoint Encryption Managed Computers container or not following check in will vary depending on whether synchronization is enabled or not.
If synchronization is not enabled, all Client Computers that have checked in will be placed in the Symantec Endpoint Encryption Managed Computers container.
Computers located within the Symantec Endpoint Encryption Managed Computers container should be grouped into the organizational structure that you desire.
Deleted Computers
The Deleted Computers container stores Symantec Endpoint Encryption–managed computers that have been deleted, allowing you to restore the computer and revert its deletion.
Symantec Endpoint Encryption–managed computers will remain in the Manager Console even after the client-side software has been uninstalled. To complete the uninstallation of a Symantec Endpoint Encryption–managed computer, locate the computer within the Symantec Endpoint Encryption Managed Computers container. Right-click the computer and select Delete. The computer will be removed from the Symantec Endpoint Encryption Managed Computers container and placed in the Deleted Computers container.
Should you fail to delete the computer from the Symantec Endpoint Encryption Managed Computers container following uninstallation and then reinstall, you will find two computers with the same name in the Symantec Endpoint Encryption Managed Computers container. Locate the computer with the older last check-in date, right-click it, and select Delete.
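As an added example, not part of the original guide, the following Python applies the rule above to constructed records: for every computer name that appears more than once, it flags the entries with an older last check-in date for deletion and leaves ties for manual review. The record layout and sample names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


# Constructed record shape modelled on the Computer name and Last Check-In
# columns of the Managed Computers container; record_id is an assumed
# row identifier so the caller can act on the right entry.
@dataclass(frozen=True)
class ComputerRecord:
    computer_name: str
    last_check_in: datetime
    record_id: int


def find_stale_duplicates(records: List[ComputerRecord]) -> List[ComputerRecord]:
    """Return the records that the guide's rule says to delete.

    For each computer name seen more than once, every record whose
    Last Check-In is strictly older than the newest one is returned.
    Names are compared case-insensitively because Windows computer
    names are not case-sensitive.
    """
    by_name: Dict[str, List[ComputerRecord]] = {}
    for rec in records:
        by_name.setdefault(rec.computer_name.upper(), []).append(rec)

    stale: List[ComputerRecord] = []
    for group in by_name.values():
        if len(group) < 2:
            continue
        newest_time = max(r.last_check_in for r in group)
        # Records that share the newest timestamp cannot be told apart by
        # this rule, so none of them is flagged; only older ones are.
        stale.extend(r for r in group if r.last_check_in < newest_time)
    return sorted(stale, key=lambda r: (r.computer_name.upper(), r.last_check_in))


def stale_record_ids(records: List[ComputerRecord]) -> List[int]:
    """Convenience wrapper returning just the record ids to delete."""
    return [r.record_id for r in find_stale_duplicates(records)]


# Constructed sample: LAPTOP-017 was reinstalled without deleting the old
# entry first, so it appears twice; LAPTOP-022 is a normal single record.
SAMPLE = [
    ComputerRecord("LAPTOP-017", datetime(2011, 3, 2, 9, 15), 1),   # before reinstall
    ComputerRecord("laptop-017", datetime(2011, 3, 9, 14, 40), 2),  # after reinstall
    ComputerRecord("LAPTOP-022", datetime(2011, 3, 8, 8, 5), 3),
]

# Constructed tie: identical timestamps, so nothing can be chosen automatically.
TIED_SAMPLE = [
    ComputerRecord("PC-001", datetime(2011, 3, 1, 12, 0), 10),
    ComputerRecord("PC-001", datetime(2011, 3, 1, 12, 0), 11),
]


if __name__ == "__main__":
    for rec in find_stale_duplicates(SAMPLE):
        print(f"delete {rec.computer_name} (id {rec.record_id}), "
              f"last check-in {rec.last_check_in:%Y-%m-%d %H:%M}")
```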
Symantec Endpoint Encryption Roles
Policy Administrators
As the Policy Administrator, you perform centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, you perform one or more of the following tasks:
Update and set client policies.
Run reports.
Change the Management Password.
Run the Help Desk Program.
Create the computer-specific Recover DAT file necessary for Recover /B.
Client Administrators
Basics
Client Administrators provide local support to Symantec Endpoint Encryption users.
Client Administrator accounts are created and maintained from the Symantec Endpoint Encryption Manager. Client Administrator accounts are managed entirely by Symantec Endpoint Encryption, independent of operating system or directory service, allowing Client Administrators to support a wide range of users.
Client Administrator passwords are managed from the Manager Console and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers.
Mac Client
Each Mac client must have exactly one Client Administrator account. The Client Administrator account is specified within the client installation package or policy. It will be created on the client at the time that the encryption of the boot disk is manually initiated. The Client Administrator account cannot be deleted by the user, ensuring administrative access to the Client Computer. The Client Administrator authenticates with a password. Privilege level is ignored by the Mac client. The Client Administrator account cannot be used to initiate encryption.
Windows Client
Each Client Administrator account can be assigned any of the following individual administrative privileges:
Unregister users—allows Client Administrators to unregister registered users from the Administrator Client Console;
Decrypt drives—provides Client Administrators with the right to decrypt encrypted disks and partitions from the Administrator Client Console or through the use of Recover /D;
Extend lockout—permits Client Administrators to extend the Client Computer’s next communication date using the Administrator Client Console; and
Unlock—enables Client Administrators to unlock Client Computers that have been locked for failure to communicate with the Symantec Endpoint Encryption Management Server.
Client Administrators are always able to authenticate to Client Computers.
Client Administrators should be trusted in accordance with their assigned level of privilege.
Each Client Computer must have one default Client Administrator account. The default Client Administrator account has all administrative privileges and authenticates using a password. Only Client Administrators that authenticate with a password and have all administrative privileges can perform hard disk recovery. Up to 1024 total Client Administrator accounts can exist on each Client Computer.
Client Administrator accounts have the following restrictions:
Client Administrators do not have either of the authentication assistance methods (Authenti-Check and One-Time Password) available.
Client Administrators cannot use Single Sign-On.
User
Basics
Full Disk protects the data stored on the Client Computer by encrypting it and requiring valid credentials to be provided before allowing the operating system to load. Users set their own Symantec Endpoint Encryption credentials, which allow them to power the machine on from an off state and gain access to the operating system. Only the credentials of registered users and Client Administrators will be accepted by Full Disk.
Mac Client
Upon manual initiation of encryption, a user account must be created. Up to 119 users can be added.
Windows Client
At least one user is required to register with Symantec Endpoint Encryption on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of five screens. The registration process can also be configured to occur without user intervention.
Authentication to Full Disk can be configured to occur in one of three ways:
Single Sign-On enabled—The user will be prompted to authenticate once each time they restart their computer.
Single Sign-On not enabled—The user must log on twice: once to Full Disk and then separately to Windows.
Automatic authentication enabled—The user is not prompted to provide credentials to Full Disk; the authentication process is transparent. This option relies on Windows to validate the user’s credentials.
A maximum of 1024 users can be allowed during the creation of the installation package and can be changed by policy.
2. Reporting
Overview
Basics
The Manager Console reporting tools allow you to obtain information about:
Client Computers,
Policy Administrator activities, and
Directory service synchronization.
Client Computers Data Available from Users and Computers and Basic Reports
Basics
At the time that a Client Computer succeeds in checking in with the Symantec Endpoint Encryption Management Server, it sends information about itself that is stored in the Symantec Endpoint Encryption database. This section discusses the data available about Client Computers from the following snap-in and reports:
“Symantec Endpoint Encryption Users and Computers” on page 14;
“Computer Status Report” on page 15;
“Computers not Encrypting to Removable Storage” on page 15;
“Computers with Decrypted Drives” on page 15;
“Computers with Expired Certificates” on page 15;
“Computers with Specified Users” on page 15;
“Computers without Full Disk Installed” on page 16;
“Computers without Removable Storage Installed” on page 16;
“Non-Reporting Computers” on page 16; and
“Custom Reports” on page 17.
Basic data is shown in the main window and you can double-click a record of interest or right-click it and select Show Selection to obtain further details.
Main Window
The following table itemizes the data available about Client Computers from the main window. Columns that will be displayed but not populated by Full Disk are identified as not applicable (N/A).
Table 2.1—Client Computer Data Available from Main Window of Users and Computers and Basic Reports
| Column Heading | Data Displayed | Explanation |
|---|---|---|
| Computer name | computer name | Computer name |
| Group name* | group name | Location of the computer within Symantec Endpoint Encryption Users and Computers |
| Last Check-In | time/date stamp | The time and date of the last connection that the Client Computer made with the Management Server |
| Decrypted | drive letter(s) or disk ID(s) | The drive letter(s) or disk ID(s) of any decrypted drives and/or partitions on this computer |
| Decrypting | drive letter(s) or disk ID(s) | The drive letter(s) or disk ID(s) of any drives and/or partitions on this computer that are in the process of decrypting |
| Encrypted | drive letter(s) or disk ID(s) | The drive letter(s) or disk ID(s) of any encrypted drives and/or partitions on this computer |
| Encrypting | drive letter(s) or disk ID(s) | The drive letter(s) or disk ID(s) of any drives and/or partitions on this computer that are in the process of encrypting |
| Version | n.n.n | The three-digit version number of Full Disk that is currently installed |
| Installation Date | time/date stamp | The time and date on which Full Disk was installed |
| RS Device Access Control* | N/A | N/A |
| RS Encryption Policy | N/A | N/A |
| RS Encryption Method† | N/A | N/A |
| RS On-Demand Encryption* | N/A | N/A |
| RS Access Utility* | N/A | N/A |
| RS Self-Extracting Archives* | N/A | N/A |
* This column is not shown in the Symantec Endpoint Encryption Users and Computers snap-in.
† This column is not shown in the reports.
Computer Info Tab
After double-clicking the record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Computer Info tab.
Table 2.2—Client Computer Data Available from Computer Info Tab
| Column Heading | Data Displayed | Explanation |
|---|---|---|
| Group | group name | Location of the computer within Symantec Endpoint Encryption Users and Computers |
| OS | operating system name | The name of the installed operating system |
| OS Type | 32-bit / 64-bit | The number of bits of memory supported by the installed operating system |
| Serial Number | serial number | |
| Asset Tag | asset tag | The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. |
| Part Number | time/date stamp | The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. This data may not exist on the client, in which case it will be blank. |
Framework Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Framework tab.
Table 2.3—Client Computer Data Available from Framework Tab
| Column Heading | Data Displayed | Explanation |
|---|---|---|
| FR Version | n.n.n | The three-digit version number of Framework that is currently installed |
| FR Installation Date | time/date stamp | The time and date on which Framework was installed |
| Last Check-In Time | time/date stamp | The time and date of the last connection that the Client Computer made with the Management Server |
| SSL Certificate Expiration Date | time/date stamp | The time and date of the client-side TLS/SSL certificate’s expiration |
Full Disk Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Full Disk tab.
Table 2.4—Client Computer Data Available from Full Disk Tab
| Column Heading | Data Displayed | Explanation |
|---|---|---|
| FD Version | n.n.n | The three-digit version number of Full Disk that is currently installed |
| FD Installation Version | time/date stamp | The time and date on which Full Disk was installed |
| Last Check-in | time/date stamp | The time and date of the last connection that the Client Computer made with the Management Server |
| SSL Certificate Expiration Date | time/date stamp | The time and date of the client-side TLS/SSL certificate’s expiration |
| Partition | drive letter | The drive letter of the partition that is encrypted, encrypting, decrypted, or decrypting |
| Encryption start time | time/date stamp | The date and time that encryption was initiated |
| Encryption end time | time/date stamp | The date and time that encryption completed |
| Decryption start time | time/date stamp | The date and time that decryption was initiated |
| Decryption end time | time/date stamp | The date and time that decryption completed |
| Decryption initiated by | user name | The user name of the user or Client Administrator that initiated decryption |
Removable Storage Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Removable Storage tab.
Table 2.5—Client Computer Data Available from Removable Storage Tab
| Column Heading | Data Displayed | Explanation |
|---|---|---|
| RS Device Access Control | N/A | N/A |
| RS Encryption Policy | N/A | N/A |
| RS On-Demand Encryption | N/A | N/A |
| RS Encryption Method | N/A | N/A |
| RS Exempted File Type | N/A | N/A |
| RS Recovery Certificate | N/A | N/A |
| RS Workgroup Key | N/A | N/A |
| RS Device Exclusions | N/A | N/A |
| RS Passwords | N/A | N/A |
| RS Password Aging | N/A | N/A |
| RS Access Utility | N/A | N/A |
| RS Self-Extracting Archives | N/A | N/A |
| RS Version | N/A | N/A |
| RS Last Upgrade Date | N/A | N/A |
| RS Installation Version | N/A | N/A |
Associated Users Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Associated Users tab for Windows endpoints. The Associated Users tab will contain one row of data per registered user or Client Administrator on the Windows Client Computer. If this is a Mac record, no data will be available from the Associated Users tab.
Table 2.6—Client Computer Data Available from Associated Users Tab
| Column Heading | Data Displayed | Explanation |
|---|---|---|
| User Name | user name | The user name of the registered user or Client Administrator account |
| User Type | Reg User / Client Admin | If the account is that of a registered user, Reg User will be displayed. If the account is that of a Client Administrator, Client Admin will be displayed. |
| Authentication Method | Password / Token / Password and Token / Unauthenticated | If the user or Client Administrator uses a password to authenticate, Password will be displayed. If the user or Client Administrator uses a token to authenticate, Token will be displayed. If this is a user and the user has the option to register both a password and a token, Password and Token will be displayed. If the Client Computer has been configured to use automatic authentication, Unauthenticated will be displayed. |
| User Domain | name of domain or tree / computer name | |
Policy Administrator Guide Reporting
Table 2.6—Client Computer Data Available from Associated Users Tab (Continued)
Last Logon Time (time/date stamp): If a user, the time and date of the last User Client Console logon. If a Client Administrator, the time and date of the last Administrator Client Console logon.
Registration Time (time/date stamp): The time and date on which this user registered. If this is a Client Administrator account, the time and date on which the account was created either by MSI or policy update.
Fixed Drives Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the Fixed Drives tab will contain one row of data per physical disk drive on the Client Computer.
Table 2.7—Fixed Drives Data
Column Heading (Data Displayed): Explanation
Disk ID (digit): The number of the physical disk, as assigned by the operating system. The operating system will assign a number to each physical disk. The first physical disk will be assigned the number 0 and the rest of the assigned numbers will increment sequentially.
Volume(s) (drive letter): The alphabetical letter assigned by the operating system to the logical drive will be identified in this cell. If the drive has been divided into partitions, the letter of each partition will be displayed, separated by commas.
Serial Number (number): The serial number of the physical disk will be displayed. This information is obtained from the device properties. If this data could not be obtained from the device properties, the value will be blank.
Directory Services Synchronization Data
Your current synchronization parameters are stored in the Symantec Endpoint Encryption database and can be retrieved using the following Symantec Endpoint Encryption Reports:
“Active Directory Forests Synchronization Status” on page 15, and
“Novell eDirectory Synchronization Status” on page 16.
One row of data per forest or tree will be listed. The following table identifies the data that will be available from these reports.
Table 2.8—Directory Services Synchronization Data
Column Heading (Data Displayed): Explanation
Forest/Tree Name (forest or tree name): The name of the forest or tree that you are synchronizing with will be identified in this column.
Administrator Name (user name): The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account.
Administrator Domain* (domain): The Active Directory domain of the Active Directory synchronization account for this forest will be identified.
Last Synchronization (time/date stamp): The time and date of the last successful synchronization with this forest or tree will be supplied.
Total Computers (number): The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the Symantec Endpoint Encryption–protected endpoints.
* This column is not shown in the Novell eDirectory Synchronization Status report.
Admin Log Data
Each time the Policy Administrator makes a change using the Manager Console, the action will be logged.
The Admin Log provides a detailed log of all Policy Administrator activities. Log entries can be filtered according to inclusive date and time, user name, and computer name. The following table identifies the data that will be available in the Admin Log report.
Table 2.9—Admin Log Data
Column Heading (Data Displayed): Explanation
Date-Time (time/date stamp): The time and date on which the activity occurred.
User (user name): The Windows user name of the Policy Administrator that initiated the activity.
Computer (computer name): The computer name of the Manager Computer from which the activity was initiated.
Activity (description): One of the following activity descriptions:
  Changed Symantec Endpoint Encryption management password
  Created native policy ‘policy name’
  Renamed native policy ‘old policy name’ to ‘new policy name’
  Deleted native policy ‘policy name’
  Edited native policy ‘policy name’
  Created new Symantec Endpoint Encryption Managed computer group ‘group name’
  Renamed Symantec Endpoint Encryption Managed computer group ‘old group name’ to ‘new group name’
  Deleted Symantec Endpoint Encryption Managed computer group ‘group name’
  Assigned native policy ‘policy name’ to group ‘group name’
  Unassigned native policy ‘policy name’ from group ‘group name’
  Changed assigned native policy for group ‘group name’ from native policy ‘old policy name’ to native policy ‘new policy name’
  Deleted Symantec Endpoint Encryption Managed Computer ‘computer name’
  Moved Symantec Endpoint Encryption Managed Computer ‘computer name’ from group ‘old group name’ to ‘new group name’
  Restored Symantec Endpoint Encryption Managed Computer ‘computer name’
  Exported Recover DAT file for computer ‘computer name’
  Initiated One-Time Password online method for user ‘user name’ on computer ‘computer name’ Symantec Endpoint Encryption GUID ‘Symantec Endpoint Encryption GUID of computer’
  Initiated One-Time Password offline method for user ‘user name’
  Created Framework client installation package ‘MSI package name’
  Created Full Disk client installation package ‘MSI package name’
  Created Removable Storage client installation package ‘MSI package name’
  Created Autologon MSI package ‘MSI package name’
Client Events Data
A subset of the Windows system events from Windows Client Computers will be available from the Client Events report. The following table identifies the data that will be available in the Client Events report for Windows endpoints. No client events data for Mac clients will be available.
Table 2.10—Client Log Data
Column Heading (Data Displayed): Explanation
Date-Time (time/date stamp): The time and date on which the activity occurred.
User (user name): The Windows user name of the user that initiated the activity.
Computer Name (computer name): The computer name of the Windows Client Computer on which the event was logged.
Event Description (description text): Framework events 4, 6, 8, 11, 14, 15, 16, 18, 19, 21, 124, 183, 184, and 246. Full Disk events 1004, 1008, 1012, 1014, 1015, 1019, 1023, 1027, 1028, 1107, 1108, 1109, 1110, 1111, 1114, 1119, 1120, and 1123. Refer to Appendix A “System Event Logging” on page 57 for the text of each event.
Device Exemptions Report Data
The following table details the data available from the Device Exemptions report.
Table 2.11—Device Exemptions Report
Column Heading (Data Displayed): Explanation
Computer Name (N/A): N/A
Last Check-In (N/A): N/A
RS Exempted Product ID (N/A): N/A
RS Exempted Vendor ID (N/A): N/A
Symantec Endpoint Encryption Users and Computers
The Symantec Endpoint Encryption Users and Computers snap-in allows you to obtain data about a specific group. This data can be printed or exported into a comma-delimited format (CSV). This can be useful for generating reports on a per-group basis.
You might also want to consider your reporting needs when you create your groups (“Symantec Endpoint Encryption Managed Computer Groups” on page 36).
Symantec Endpoint Encryption Reports
Basics
The Symantec Endpoint Encryption Reports snap-in contains a number of reports that will assist you in managing your endpoints and your synchronization(s).
After obtaining the data, you can export it into comma-delimited format (CSV) for further manipulations in the tool of your choice. Alternatively, you can print the report directly from the Manager Console.
Should you choose to print the report, you can choose which columns to include by right-clicking the report in the console tree and selecting Configure Columns Displayed. Alternatively, select Configure Columns Displayed from the Action menu.
Active Directory Forests Synchronization Status
The Active Directory Forest Synchronization Status report provides the latest details of your Active Directory synchronization parameters and status (“Directory Services Synchronization Data” on page 11).
Client Events
The Client Events report provides you with a subset of the events logged on the endpoint (“Client Events Data” on page 14). Client events can be filtered according to inclusive date and time, user name, and computer name.
Computer Status Report
The Computer Status Report is used to retrieve the records of specific computers when you know their computer name. This can be useful for Windows clients under the following circumstances:
After deploying Windows client installation packages using your third-party deployment tool of choice, run this report to ensure that the deployment was successful and that each client checks in. You should make sure that each Windows client checks in at least once. During the check-in process, the Windows Client Computer sends data necessary for the online method of the One-Time Password Program and for the /B method of the Recover Program. Once you have identified Windows Client Computers that have not checked in, you can target them using other tools such as Resultant Set of Policy (RSoP) reports and Windows system event logs to determine if there was a problem during installation.
Should a Windows Client Computer fail to boot, you may need to export computer-specific recovery data necessary for Recover /B.
Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The % character can be used as a wildcard. Once you have entered the computer names that you want to retrieve the records of, click Run. To refresh the data, click Run again.
Computers not Encrypting to Removable Storage
The Computers not Encrypting to Removable Storage report will retrieve the records of the computers on your network that:
Did not have Removable Storage installed as of the time of last check-in.
Were not protected by a Removable Storage Encrypt all, Encrypt new, or Encrypt to CD/DVD policy as of the time of last check-in.
Reside on a forest or tree that is synchronized with the Symantec Endpoint Encryption Management Server and have not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices.
Computers with Decrypted Drives
The Computers with Decrypted Drives report will retrieve the records of the computers on your network that:
Had one or more decrypted or decrypting drives and/or partitions as of the time of last check-in.
Reside on a forest or tree that is synchronized with the Management Server and have not checked in. These clients may or may not have a decrypted or decrypting drive or partition.
Computers with Expired Certificates
The Computers with Expired Certificates report will retrieve the records of the clients with client-side TLS/SSL certificates due to expire within the specified number of days from the current day. Enter the number of days until expiration in the Days the Certificate Will Expire field and click Run. For example, to see all of the clients with certificates due to expire within the next ninety days, type 90 in the Days the Certificate Will Expire field and click Run.
Computers with Specified Users
should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters have been entered, click Run.
The records of the computers on which one or more of the specified users has registered will be retrieved and listed in the report results.
Computers without Full Disk Installed
The Computers without Full Disk Installed report will retrieve the records of the computers on your network that:
Did not have Full Disk installed as of the time of last check-in.
Reside on a forest or tree that is synchronized with the Management Server and have not checked in. These clients may or may not have Full Disk installed.
Computers without Removable Storage Installed
The Computers without Removable Storage Installed report will retrieve the records of the computers on your network that:
Did not have Removable Storage installed as of the time of last check-in.
Reside on a forest or tree that is synchronized with the Management Server and have not checked in. These clients may or may not have Removable Storage installed.
Device Exemptions Report
The Device Exemptions report allows you to obtain a list of the devices exempted from encryption on a given computer (“Device Exemptions Report Data” on page 14).
Percentage of Encrypted Endpoints
The Percentage of Encrypted Endpoints report provides you with a pie chart display of the percentage of computers that are encrypted versus the percentage that are not. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report.
Full Disk Client Deployment
The Full Disk Client Deployment report provides you with a pie chart comparison of the percentage of computers installed with Full Disk versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report.
Framework Deployment
The Framework Deployment report provides you with a pie chart comparison of the percentage of computers installed with Framework versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart.
Non-Reporting Computers
The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the Symantec Endpoint Encryption Management Server within a specified number of elapsed days. This report will help you ensure that the data in the Symantec Endpoint Encryption database remains fresh. It is also an essential complement to a lockout policy.
Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the computers on your network that have not checked in with the Symantec Endpoint Encryption Management Server within the specified number of days will be retrieved and listed.
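The Computer Status, Computers with Expired Certificates and Non-Reporting Computers reports above each answer one question about check-in and certificate data. The following PowerShell function is an added example, not part of the Symantec guide, that applies the same three tests to a report exported as CSV, so that deployment gaps (targeted computers with no record, or a record that has never checked in), stale check-ins and expiring certificates can be reviewed together. It assumes the export carries the column headings shown in Table 2.2 (Computer Name, Last Check-In, SSL Certificate Expiration Date) with timestamps in yyyy-MM-dd HH:mm:ss form; the CSV text and the list of deployed computers are constructed sample data.

```powershell
# Added example, not from the Symantec guide. Reproduces the deployed-but-not-
# checked-in, stale check-in and expiring-certificate checks over a CSV export.
# Assumptions: column headings as in Table 2.2; timestamps in
# yyyy-MM-dd HH:mm:ss form. $sampleCsv and $deployed are constructed data.

$sampleCsv = @'
"Computer Name","Last Check-In","SSL Certificate Expiration Date"
"WS-001","2011-09-20 08:15:00","2012-01-05 00:00:00"
"WS-002","2011-06-01 17:40:00","2012-06-01 00:00:00"
"WS-003","","2011-10-10 00:00:00"
'@

# Computers the third-party deployment tool reports as targeted (constructed).
$deployed = 'WS-001', 'WS-002', 'WS-003', 'WS-004'

function ConvertTo-SeeDate([string]$Text) {
    # A blank Last Check-In means the client has never reached the server.
    if (-not $Text -or -not $Text.Trim()) { return $null }
    [datetime]::ParseExact($Text, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
}

function Get-SeeClientStatus {
    param(
        [Parameter(Mandatory=$true)][string]$CsvText,
        [string[]]$DeployedComputers = @(),
        [datetime]$AsOf = (Get-Date),
        [int]$StaleDays = 14,      # same meaning as "Days Since Last Check-In"
        [int]$CertWarnDays = 90    # same meaning as "Days the Certificate Will Expire"
    )
    $never = @(); $stale = @(); $expiring = @(); $seen = @{}

    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $name = $row.'Computer Name'
        $seen[$name] = $true

        $exp = ConvertTo-SeeDate $row.'SSL Certificate Expiration Date'
        if ($exp -and ($exp - $AsOf).TotalDays -le $CertWarnDays) { $expiring += $name }

        $last = ConvertTo-SeeDate $row.'Last Check-In'
        if (-not $last) { $never += $name }
        elseif (($AsOf - $last).TotalDays -gt $StaleDays) { $stale += $name }
    }
    # Targeted by the deployment tool but absent from the database entirely:
    # the package never ran, or the client never reached the Management Server.
    $missing = @($DeployedComputers | Where-Object { -not $seen.ContainsKey($_) })

    New-Object PSObject -Property @{
        NeverCheckedIn = $never      # record exists, Last Check-In blank
        NotInDatabase  = $missing    # no record at all
        StaleCheckIn   = $stale      # last check-in older than $StaleDays
        CertExpiring   = $expiring   # certificate expires within $CertWarnDays
    }
}

# Fixed "today" so the sample run is reproducible:
# NeverCheckedIn WS-003, NotInDatabase WS-004, StaleCheckIn WS-002, CertExpiring WS-003.
Get-SeeClientStatus -CsvText $sampleCsv -DeployedComputers $deployed -AsOf (Get-Date '2011-09-30') |
    Format-List NeverCheckedIn, NotInDatabase, StaleCheckIn, CertExpiring
```

Replace the here-string with Get-Content on a real export and the constructed list with the output of your deployment tool. The certificate test runs before the check-in test on purpose: a client that has never checked in still has a certificate that can expire, and once it does expire the client will not be able to check in at all.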
Novell eDirectory Synchronization Status
Custom Reports
The custom reports feature allows you to create your own reports that you can run or edit at a later time. You can create subfolders to organize your custom reports. Right-click Custom Report and choose New Report to open the Query Editor. Click Save when you are done and type in a name for the new report.
Specify the filter criteria for your custom report in the three tabs of the Query Editor. For a list of all possible filter criteria, see Table 2.1 on page 8.
While only Symantec Endpoint Encryption version numbers will be available in the Client Version area, the selection of a Symantec Endpoint Encryption version number will result in the retrieval of not only the records of Client Computers installed with the selected Symantec Endpoint Encryption version, but also the Client Computers installed with the equivalent GuardianEdge Framework version. For example, if you select the 7.0.3 check box, the records of 7.0.3 clients will be retrieved—as well as the records of GuardianEdge Framework 9.3.0 and 9.3.1 clients. If you have GuardianEdge clients, consult the following table for the full mapping.
Table 2.12—Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers
Symantec Endpoint Encryption Version Number: Equivalent GuardianEdge Version Number(s)
7.0.0: 9.2.0
7.0.1: 9.2.1
7.0.2: 9.2.2
7.0.3: 9.3.0, 9.3.1
7.0.4: 9.4.0, 9.4.1
7.0.5: 9.5.0
7.0.6: 9.5.1, 9.5.1 Patch 1
7.0.7: (none)
7.0.8: 9.5.3
Resultant Set of Policy (RSoP)
The Group Policy Management snap-in features a reporting facility which allows you to verify that the Active Directory policies you assigned to Client Computers or users were actually processed as intended. This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report.
To generate an RSoP report, perform the following steps:
1. Open the Symantec Endpoint Encryption Manager, and in the left pane, expand Group Policy Management, then expand Group Policy Results.
2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard.
3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer.
4. Browse to or type the name of the computer for which you wish to generate a Group Policy Report.
5. Click Next.
Figure 2.1—Group Policy Results Wizard, User Selection
6. To view both user and computer policies, select the user that you want to see the user policies of. If you are only interested in computer policies, select Do not display user policy settings in the results.
7. Click Next.
8. Click Next at the summary screen, then click Finish.
9. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report, and displays the information in several tabs of the content pane on the right.
10. Click on the Settings tab of the Group Policy Results window in the pane on the right.
11. This window shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration.
12. Within the section named Computer Configuration, locate the subsection named Administrative Templates. Symantec Endpoint Encryption uses registry-based policies, and any Symantec Endpoint Encryption computer policies you create and apply will show up within the subsections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Full Disk. For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window.
13. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework
Figure 2.2—RSoP Report From a Symantec Endpoint Encryption Client
Figure 2.2 shows that a Client Administrator policy has been applied. The Client Administrator mbrown authenticates using a password and has a high level of privilege. The Client Administrator mwilliams authenticates using a password and has a high level of privilege.
Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in which to save the HTML report.
Some Symantec Endpoint Encryption Active Directory policies create other settings in the client registry that are shown in the RSoP as Extra Registry Settings. These represent internal registry values used by the particular Symantec Endpoint Encryption policy and can be ignored.
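The wizard steps above are interactive. The following PowerShell function is an added example, not part of the Symantec guide, that produces the same Group Policy Results report for a remote client with gpresult.exe and checks whether the two Symantec Endpoint Encryption Administrative Templates sections named in step 12 appear in it, which is the question an administrator usually wants answered for many computers at once. It assumes the computer name is a placeholder, that the caller has the rights gpresult needs to read RSoP data on that computer, and that the section names appear in the HTML report exactly as they do in the console tree.

```powershell
# Added example, not from the Symantec guide. Generates the RSoP report for a
# remote client from the command line and checks for the Symantec Endpoint
# Encryption sections. Assumptions: 'WS-001' is a placeholder; the caller can
# read RSoP data on the target; section names appear verbatim in the HTML.

function Test-SeePolicyApplied {
    param(
        [Parameter(Mandatory=$true)][string]$Computer,
        [string]$ReportPath = (Join-Path $env:TEMP ("rsop-" + $Computer + ".html"))
    )
    # /SCOPE COMPUTER is the command-line equivalent of "Do not display user
    # policy settings in the results"; /F overwrites an existing report file.
    & gpresult.exe /S $Computer /SCOPE COMPUTER /H $ReportPath /F | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw ("gpresult failed for " + $Computer + " with exit code " + $LASTEXITCODE)
    }

    # Read the whole report as one string (works on PowerShell 2.0 as well).
    $html = (Get-Content -Path $ReportPath) -join "`n"
    $sections = 'Symantec Endpoint Encryption/Framework',
                'Symantec Endpoint Encryption/Full Disk'
    foreach ($section in $sections) {
        New-Object PSObject -Property @{
            Computer = $Computer
            Section  = $section
            Applied  = $html.Contains($section)   # $true when the policy section was processed
            Report   = $ReportPath
        }
    }
}

Test-SeePolicyApplied -Computer 'WS-001' | Format-Table Computer, Section, Applied -AutoSize
```

A section reported as not applied is the same symptom the wizard would show as a missing Administrative Templates subsection; the saved HTML report is kept so it can be opened in a browser for the detail, including the Extra Registry Settings entries mentioned above.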
Windows System Events
All security-related system events are logged on the Symantec Endpoint Encryption Client Computer where they may be viewed remotely by an administrator using the Windows System Event viewer. To view Full Disk–specific system events logged on a specific Windows computer, perform the following steps:
1. Open a Run dialog from the Windows Start menu.
2. Type eventvwr.msc and click OK.
3. An Event Viewer console window opens showing the events on your local computer.
4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose Connect to another computer.
7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another computer.
8. Choose View and click Filter to open the Application Properties window.
9. From the Event Source drop-down list box, choose Symantec and click Apply.
10. This filters the event log for that computer to show Framework and Full Disk events. Drag the Application Properties window away from the Event Viewer window, but leave it open.
11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event Properties window for that event.
The Description field contains information about that particular Full Disk event. To inspect other events in the log, use the up and down arrow buttons in the upper right of the Event Properties window.
To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified.
For a complete list of all Symantec Endpoint Encryption–specific system events, their event code numbers, and descriptions of the events, refer to Appendix A “System Event Logging” on page 57.
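The Event Viewer filter above (Application log, source Symantec, optionally one event ID) can be applied from PowerShell, which is more practical when several clients must be checked. The following function is an added example, not part of the Symantec guide. It reads the remote Application log and keeps only the Framework and Full Disk event IDs listed in Table 2.10, labelling each event with the component the table assigns it to. It assumes the provider is registered under the name Symantec (the entry chosen from the Event Source list above; change the ProviderName parameter if the name on your clients differs), that the computer name is a placeholder, and that the caller can read the remote Application log; Get-WinEvent requires Windows Vista or Server 2008 or later on both ends.

```powershell
# Added example, not from the Symantec guide. Applies the Event Viewer filter
# from the procedure above over the network. Assumptions: provider name
# 'Symantec' (adjust if different); 'WS-001' is a placeholder computer name;
# caller has remote event log read rights.

$frameworkIds = 4, 6, 8, 11, 14, 15, 16, 18, 19, 21, 124, 183, 184, 246
$fullDiskIds  = 1004, 1008, 1012, 1014, 1015, 1019, 1023, 1027, 1028,
                1107, 1108, 1109, 1110, 1111, 1114, 1119, 1120, 1123

function Get-SeeClientEvent {
    param(
        [Parameter(Mandatory=$true)][string]$Computer,
        [int[]]$Id = ($frameworkIds + $fullDiskIds),   # default: every ID in Table 2.10
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ProviderName = 'Symantec'             # assumed provider name
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = $Id
        StartTime    = $Since
    }
    # Get-WinEvent raises an error, not an empty result, when nothing matches;
    # suppress it so callers simply get no objects back.
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName,
            @{ Name = 'Component'; Expression = {
                if ($fullDiskIds -contains $_.Id) { 'Full Disk' } else { 'Framework' } } },
            Message
}

# All listed events from the last week, then only event 1004, mirroring the
# Event ID filter step in the procedure above.
Get-SeeClientEvent -Computer 'WS-001' | Format-Table TimeCreated, Id, Component, Message -AutoSize -Wrap
Get-SeeClientEvent -Computer 'WS-001' -Id 1004 | Format-List
```

The Message property holds the same text as the Description field in the Event Properties window, so the event descriptions in Appendix A apply unchanged. For clients still running Windows XP, Get-WinEvent cannot read the log remotely; Get-EventLog -LogName Application -ComputerName with its -Source and -InstanceId parameters is the older equivalent.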
Policy Administrator Guide Policy Creation & Editing
3. Policy Creation & Editing
Overview
Each client will have installation settings in place. Installation settings are created at the time that the client is installed and modified each time an upgrade package is applied. Policy settings will always take precedence over any installation settings on the client.
Symantec Endpoint Encryption provides two different types of policies. While each contains identical options, Active Directory policies are created and edited in quite a different manner from native policies.
This chapter discusses the following:
How to create and/or edit Active Directory policies using Symantec Endpoint Encryption snap-in extensions in the Group Policy Object Editor (GPOE) (“Active Directory Policies” on page 21);
How to create and/or edit native policies using the Symantec Endpoint Encryption Native Policy Manager (“Native Policies” on page 22); and
The individual policy options themselves (“Policy Options” on page 22).
Active Directory Policies
To create or edit an Active Directory policy, expand the Group Policy Management snap-in, expand your forest, expand Domains, expand the domain, and expand Group Policy Objects.
To edit an existing GPO, right-click the GPO and select Edit.
To create a new GPO, right-click Group Policy Objects and select New. The Group Policy Object Editor (GPOE) will launch.
To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Full Disk, according to your needs.
To edit or create a user policy, expand User Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Full Disk, according to your needs.
Each Active Directory policy panel features three option buttons at the top:
Do not change these settings—this option is the default option. It specifies that no changes to existing policies or installation settings will be made.
Change these settings—click this option if you want to specify a policy update. When this option is selected, the fields below it will become available. These fields are not pre-filled with the policies currently in effect; they show generic defaults, so every field on the panel must be set to the value you intend before the policy is saved.
Restore the installation settings—click this option to apply a policy that instructs the client to disregard any existing policies and return to the settings that were specified in its installation package.
When the Change these settings option is selected, your entries are validated when you click away from the panel. Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary corrections before closing the GPOE window.
For a detailed discussion of the options that will become available when the Change these settings option is selected, refer to “Policy Options” on page 22.
Native Policies
To create a native policy, right-click the Symantec Endpoint Encryption Native Policy Manager and select Create New Policy. When naming a policy, observe the following:
Each name must be unique and cannot have been assigned to any other native policy.
Names are case-insensitive.
Leading and trailing spaces will be deleted.
To edit a native policy, expand the Symantec Endpoint Encryption Native Policy Manager. Locate the policy that you want to edit and highlight it.
For a detailed discussion of the options available for modification within the Symantec Endpoint Encryption Native Policy Manager, continue to the next section.
Policy Options
Client Administrators
When creating a Client Administrator policy, it must contain all Client Administrator accounts that are authorized to access the workstation. Any Client Administrator accounts not listed in this policy will not be able to authenticate to the Client Computer.
Figure 3.1—Framework Computer Policy, Client Administrators Options
At least one default Client Administrator account must be specified. Only the default Client Administrator account will be sent to Mac clients. No more than 1024 Client Administrator accounts can be added.
You can import a list of Client Administrators from a previously created installation settings package. Click Load client administrators from installation settings, select the previously created Framework client installer package,
Click Add to add a Client Administrator. Highlight an existing Client Administrator and click Edit to edit the account.
Figure 3.2—Add New Client Administrator Dialog
Only the names of the Add New Client Administrator and Edit Client Administrator dialogs differ. Each Client Administrator account must have credentials and a specified level of privilege.
Leave the Default admin check box selected to designate this Client Administrator as the default Client Administrator account; otherwise deselect the check box. If you deselect the Default admin check box, the Level, Authentication, and Admin Privileges controls become available.
The Default admin check box will be deselected and unavailable if you already added a default Client Administrator. The Admin Privileges section is only available if the Default admin check box is deselected. Select the Unregister users check box to allow the Client Administrator to unregister users. Select the Decrypt drives check box to allow the Client Administrator to decrypt encrypted disks and partitions, and to use the Recover /D option. Select the Extend lockout check box to allow the Client Administrator to extend the Client Computer’s next communication date. Select the Unlock check box to allow the Client Administrator to unlock Client Computers. Deselect all the check boxes to only allow the Client Administrator to authenticate to Client Computers and the Administrator Client Console.
The Level list box is only available if the Default admin check box is deselected. Click Level to set the desired privilege level for the Client Administrator. Note that the privileges you set in the Level list box will be ignored by Client Computers running Symantec Endpoint Encryption 8.0.0.
The Authentication list box is only available if the Default admin check box is deselected. Click Authentication to set the Client Administrator’s authentication method. If this is a native policy and you selected None (password authentication only) when installing the Framework Manager, the list box will display Password and be unavailable. If you selected one of the token types when installing the Framework Manager, the list box will have both Password and Token options available.
If you select the Password option, type the desired password for this Client Administrator account in the Password box. The password must be a minimum of two characters and no longer than 32. Type the password a second time in the Confirm password box. Two characters is only the product’s lower bound; the same Client Administrator credential is accepted on every Client Computer that receives this policy, so choose a password well above the minimum.
If you select the token option, you will be prompted to locate the P7B certificate file associated with that Client Administrator account. The selected P7B file will be validated, and you will be prompted to choose the desired certificate from the list of valid certificates found in the P7B file.
The Level settings are provided for compatibility with legacy clients, and are completely independent of the Admin Privileges settings. Use the Admin Privileges settings if your policy will apply exclusively to
Registered Users
Basics
The Registered Users panel can be used to change the way that users authenticate to, register with, or get unregistered from Symantec Endpoint Encryption.
Registered user policy settings will be ignored by Mac clients.
Figure 3.3—Framework Computer Policy, Registered Users Options
Authentication Method
In Authentication Method, select the authentication method you want Symantec Endpoint Encryption to effect.
Clicking Require registered users to authenticate with ensures that Full Disk authentication takes place before Windows loads. Select a password to have users authenticate with a password. Select a token to have users authenticate with a token. Select password or token to allow users to authenticate using either a password or a token.
Select Do not require registered users to authenticate to SEE to enable automatic authentication. This option is designed for kiosk environments. If it is selected, users will not need to provide valid credentials to Full Disk before Windows loads, and your organization will rely on Windows for user authentication. Because the computer then boots through to Windows without any Symantec Endpoint Encryption credential, someone holding the computer faces only Windows authentication rather than the pre-boot check; this reduces the security of the Client Computer while making the user experience more transparent. The registration process will be silent and automatic as well, unless a registration password is specified. Coupling automatic authentication with a registration password serves to avoid reaching the maximum registered user limit and to limit the number of users that can gain access to the User Client Console.
Once the policy has been processed and the Client Computer has rebooted, the user’s experience will vary. Refer to Appendix B “Authentication Method Changes” on page 81 for details of the user’s experience.
Registration
To allow any Windows user the ability to register, click the option Any Windows user can register for a SEE account. To allow only those users who know a special registration password to be able to register, click Users must know this password to register, and type the password in the adjacent field and again to confirm. Each user will be required to know the administrator-defined registration password before they can register for a Symantec Endpoint Encryption account.
Specify the maximum number of Symantec Endpoint Encryption registered user accounts that can be created on each computer. New users will not be permitted to register after the maximum number of accounts has been reached. Specify a custom message users will see when they are forced to register after grace restarts expire. The custom message can be from 0–900 characters in length, or you can use the default message. Note that the custom registration message field ignores any carriage returns you type or paste in.
Specify the number of grace restarts, i.e., the number of times, from 0–99, that the computer can restart before the first user who logs on will be forced to register for a Symantec Endpoint Encryption account and see the custom registration message. This setting can effectively allow users to defer registration. To force the first user to register immediately, set this value to zero.
Unregistration
Password Authentication
Use the Password Authentication panel to set or change the logon delay and/or to set the criteria that new passwords must meet, if Single Sign-On is not enabled. Only the settings in the Password Complexity area will be honored by the Mac client.
Figure 3.4—Framework Computer Policy, Password Authentication Options
Under Password Attempts, select the Limit password and Authenti-Check attempts check box to set the number of incorrect passwords or Authenti-Check answers a user can type in succession before the system will introduce a one-minute delay between further logon attempts. You can also specify the time in minutes that must elapse after the last incorrect attempt occurred, after which the one-minute delay behavior is lifted.
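As an added illustration of the attempt-limit behavior described above (example code, not part of this guide or the product), the following Python model treats the two settings as `max_attempts` and `reset_minutes`. Whether an attempt made inside the delay counts as a failure, and how the delay is measured from the last failure, are assumptions of this model, not documented product behavior.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DELAY_SECONDS = 60  # the one-minute delay the guide describes


@dataclass
class AttemptPolicy:
    """Hypothetical model of 'Limit password and Authenti-Check attempts'."""
    max_attempts: int    # consecutive failures allowed before the delay starts
    reset_minutes: int   # minutes since the last failure after which the delay is lifted


@dataclass
class AttemptState:
    failures: int = 0                    # consecutive failures counted so far
    last_failure: Optional[int] = None   # time (seconds) of the last failure
    delayed: bool = False                # is the one-minute delay in force?


def retry_time(policy: AttemptPolicy, state: AttemptState, now: int) -> int:
    """Earliest time (seconds) at which the next attempt is accepted."""
    if state.last_failure is not None and now - state.last_failure >= policy.reset_minutes * 60:
        state.failures, state.delayed = 0, False   # reset window elapsed: delay lifted
    if state.delayed and state.last_failure is not None:
        return max(now, state.last_failure + DELAY_SECONDS)
    return now


def record_attempt(policy: AttemptPolicy, state: AttemptState, now: int, success: bool) -> Tuple[bool, int]:
    """Apply one attempt. Returns (accepted, retry_at); a rejected attempt fell
    inside the delay and (assumption) neither counts nor extends the timer."""
    retry_at = retry_time(policy, state, now)
    if now < retry_at:
        return False, retry_at
    if success:
        state.failures, state.last_failure, state.delayed = 0, None, False
        return True, now
    state.failures += 1
    state.last_failure = now
    if state.failures >= policy.max_attempts:
        state.delayed = True
    return True, now


def simulate(policy: AttemptPolicy, attempts: List[Tuple[int, bool]]) -> List[Tuple[bool, int]]:
    """Run a constructed sequence of (time_seconds, success) attempts from a fresh state."""
    state = AttemptState()
    return [record_attempt(policy, state, t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed sample: three quick failures, a retry inside the delay, then one after the reset window.
    trace = [(0, False), (5, False), (10, False), (30, False), (70, False), (100, False), (670, False), (680, True)]
    for (t, ok), (accepted, retry) in zip(trace, simulate(AttemptPolicy(3, 10), trace)):
        print(f"t={t:4d}s success={ok!s:5} accepted={accepted!s:5} retry_at={retry}s")
```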
Password Complexity—These include the minimum number of characters users’ Symantec Endpoint Encryption passwords must contain, the set of non-alphanumeric characters users may have in their passwords, as well as the minimum number of non-alphanumeric characters, uppercase letters, lowercase letters, and digits users must have in their passwords.
Maximum Password Age—Leave this option at the default to not set an expiration date on user passwords. If you select the option to set an expiration date on user passwords, type the number of days after which users’ passwords will expire, and type the number of days in advance users will be prompted to change their expiring passwords.
Password History—Allow users to use any previously-used Symantec Endpoint Encryption password, or select the other option and type the number of different passwords users must use before reverting to old passwords.
Minimum Password Age—Leave this option at the default to allow users to change their Symantec Endpoint