
Symantec Endpoint Encryption

Full Disk

Policy Administrator Guide


Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Symantec Corporation.

©2008 Symantec Corporation. All rights reserved.

Authenti-Check is a registered trademark of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners.


Policy Administrator Guide Contents

Contents

1. Introduction . . . 1

Overview. . . 1

SEE Administrator Roles . . . 1

Policy Administrators . . . 1

Client Administrators . . . 1

SEE Architecture . . . 2

Architecture . . . 3

Services and Associated Ports/Protocols . . . 3

2. Client Monitor . . . 5

Overview. . . 5

Initial Encryption of the Hard Disk . . . 5

Client Monitor Watchlist Creation . . . 5

Auto Refresh Interval . . . 7

Watchlists Based on Group Membership . . . 7

Selecting All Members of the Domain Admins Group . . . 7

Client Computer Check-In Verification . . . 10

Ensuring That Recently Deployed Clients Check In . . . 10

Ensuring That Recently Recovered Clients Check In . . . 10

3. Client Policy Settings . . . 11

Overview. . . 11

Policy Only . . . 11

Policy Updates to Installation Settings . . . 11

Forcing a Policy Update . . . 12

Windows XP Clients . . . 12

Windows 2000 Clients . . . 12

4. SEE Framework . . . 13

Creating Client Administrator Accounts . . . 13

Users Upgraded to Client Administrators . . . 14

Authentication Methods . . . 15

Changing User Authentication Methods. . . 15

Full Disk Recovery CD Creation . . . 16

Full Disk Recovery Data File Generation. . . 17

Auditing and Logging . . . 18

Exporting Watchlist Data . . . 19

Windows System Event Viewer Monitoring . . . 21

The Management Password . . . 22

Setting the Management Password . . . 22

Changing the Management Password . . . 23

5. SEE Full Disk . . . 24

Remote Decryption . . . 24

Creating a Remote Decryption Policy . . . 24


Autologon . . . 25

Basics . . . 25

Policy Creation . . . 26

6. SEE Server . . . 28

Overview. . . 28

ADAM Account Password Changes. . . 28

SEE Server Backup and Restore. . . 28

SEE Server Backup and Restore Basics . . . 29

Authoritative Restore vs. Non-Authoritative Restore . . . 29

ADAM Components to be Backed up . . . 29

Example Scenarios for SEE Server Backup and Restore . . . 29

Backup and Restore of the OTP Keys . . . 31

OTP Key Backup . . . 31

OTP Key Restore . . . 32

Appendix A . . . 40

Framework System Events List . . . 40

Full Disk System Events List . . . 50

Glossary . . . 56


Figures

Figure 1.1—Architectural Overview . . . 3

Figure 2.1—Connecting to the Client Monitor . . . 6

Figure 2.2—Client Monitor Watchlists . . . 6

Figure 2.3—Creating a New Query . . . 7

Figure 2.4—Find Custom Search LDAP Query String . . . 8

Figure 2.5—Domain Admins Properties, Members . . . 9

Figure 2.6—SEE Manager, Watchlist Members Added . . . 9

Figure 4.1—Framework Computer Policy—Client Administrators . . . 14

Figure 4.2—Exporting HD Recovery Data from a Watchlist . . . 18

Figure 4.3—RSoP Report From an SEE Client . . . 20

Figure 4.4—SEE System Events . . . 22

Figure 4.5—The Management Password Snap-in . . . 23

Figure 5.1—Full Disk Computer Policy—Remote Decryption . . . 24

Figure 5.2—Full Disk Computer Policy—Autologon . . . 26

Figure 6.1—RecoverOTP Batch File, Usage . . . 31

Figure 6.2—RecoverOTP Batch File, Command Line for Export . . . 32

Figure 6.3—RecoverOTP Batch File, Export Completed . . . 32

Figure 6.4—Recover OTP Keys Utility . . . 33

Figure 6.5—Recover OTP Keys Utility, Connected to ADAM . . . 33

Figure 6.6—Recover OTP Keys Utility, Check OTP keys . . . 34

Figure 6.7—Recover OTP Keys Utility, OTP Key Pair Missing . . . 35

Figure 6.8—Confirm OTP Creation . . . 35

Figure 6.9—Recover OTP Keys Utility, OTP Key Pair Created . . . 36

Figure 6.10—RecoverOTP Batch File, Usage . . . 36

Figure 6.11—RecoverOTP Batch File, Command Line for Import . . . 37

Figure 6.12—RecoverOTP Batch File, Import Completed . . . 37

Figure 6.13—ADAM ADSI Edit, Bind to the ADAM Instance . . . 38


1. Introduction

Overview

The duties of configuring and maintaining Symantec Endpoint Encryption (SEE) are split between two roles that have progressively fewer privileges: the Policy Administrator role and the Client Administrator role.

As a pre-requisite to reading this Guide, it is assumed that the SEE Server, SEE Manager, and SEE Clients have already been deployed. For instructions on creating client installation packages, refer to the Installation Guide. For information relevant to help desk personnel, such as emergency recovery procedures or clearing a lockout condition on the client, refer to the Client Administrator Guide. For information documenting the user experience of the SEE Client, refer to the User Guide. This Guide provides you with:

Descriptions of the SEE administrator roles,

An overview of the SEE architecture,

A list of services used by the system, along with their associated ports and protocols.

SEE Administrator Roles

Policy Administrators

Policy Administrators are created by a domain or higher-level administrator who delegates the necessary privileges to allow Policy Administrators to define end-point encryption policies for one or more OUs. Symantec recommends that Policy Administrators be allowed to create, edit, and apply GPOs to the specific OUs they are responsible for supporting. Policy Administrators create Client Administrators by assigning domain user accounts to the Client Administrator role using a policy.

Access to SEE snap-ins can be restricted on a per snap-in basis, giving the domain or higher-level administrator flexibility when assigning specific Policy Administrator duties. A list of typical duties that a Policy Administrator might perform:

Create SEE installer packages for deployment to clients;

Create and apply software installation policies for deploying SEE installer packages;

Create, edit, and apply SEE policies to specific OUs;

Create or remove Client Administrator accounts;

Remotely decrypt all disk partitions of selected SEE Clients;

Track encryption status of selected SEE Clients and export the status information;

Create files used by Client Administrators to perform data recovery for SEE Clients; and

Change the SEE Client Management Password.

Client Administrators

Client Administrators are created when a Policy Administrator assigns domain user accounts to the Client Administrator role using a policy. Client Administrators provide local support to SEE users and guarantee that SEE–protected computers are always accessible even when all SEE users have been removed from those computers.


Unlock an SEE–protected computer which has been locked as a result of failing to check in with the SEE Server within a specified number of days.

Extend the client check-in due date so as to defer a scheduled lockout condition.

Decrypt a partition or partitions.

For details on how a Client Administrator can unregister users, extend the due date, unlock a computer, or decrypt partitions on the client, refer to the Client Administrator Guide.

Single Sign-On

Client Administrator accounts do not possess Single Sign-On (SSO). If an existing SEE user account that has Single Sign-On gets upgraded to a Client Administrator role, that account will no longer have Single Sign-On capability until the Client Administrator role is removed and the user registers again as a user.

Passwords

Client Administrators logging on to SEE–protected Client Computers using password authentication must first type their SEE passwords at the SEE logon screen, then type their Windows account passwords at the Windows logon screen. SEE maintains its own password for a Client Administrator separate from the Windows password, and these two passwords are never synchronized.

While it may seem convenient to set both passwords to the same value, default Windows policies will eventually cause the Windows password to expire, causing the Windows password to become out of sync with the SEE password. To mitigate potential confusion, we recommend that you avoid using the same Client Administrator password for logging on at both the SEE logon screen as well as the Windows logon screen.

Tokens

Client Administrators logging on to SEE–protected Client Computers using token authentication must insert their token and type their PIN once at the SEE logon screen, then re-insert their token and type their PIN again at the Windows logon screen.

SEE Architecture

SEE is based on a modular design that contains three functional components: SEE Framework, SEE Full Disk, and the SEE Server.

SEE Framework includes all the functionality that is extensible across the SEE suite. The Framework allows behavior that is common to SEE Full Disk and SEE Removable Storage to be defined in one place, thus avoiding potential inconsistencies.

SEE Full Disk secures a hard disk by encrypting it and requiring that users authenticate before allowing Windows to start. SEE Full Disk can lock out users if a required time-sensitive network connection (a check-in performed for security reasons) does not take place.

The SEE Server stores the status information, encrypted keying material, and hard disk recovery data transmitted by each SEE Client Computer. The status information is retrieved and displayed by the SEE Manager console.

SEE has four main user interfaces:

The SEE Manager console;

The SEE Client console;

The SEE Full Disk pre-Windows authentication process; and


SEE Full Disk is installed on and protects the Client Computers, where two kinds of SEE accounts exist: registered user accounts and Client Administrator accounts. The SEE Client software:

Is installed when a Policy Administrator pushes out the software and installation settings from the Manager and the Client Computer installs them;

Contains panels and behavior that reflect (are customized by) the installation settings and the policy updates chosen by Policy Administrators;

Provides the user interface (UI) to locally encrypt and decrypt hard disk partitions; and

Can optionally connect to the SEE Server over the network, thus checking in as well as reporting important data about user accounts and disk encryption.

Architecture

Refer to Figure 1.1 to view the SEE components, communications protocols between components, and their interrelationships. Included in this diagram are the protocols used for communication between SEE Client Computers, the SEE Server, and Active Directory. While the diagram shows all clients as members of the same domain, multi-domain configurations within a single Active Directory forest are supported.

Figure 1.1—Architectural Overview

[Figure 1.1 labels: Client (LDAP Client) in your-org.com; Manager Computer running the Client Monitor (LDAP Client); SEE Server; SEE Server Replica (LDAP Data Multimaster Replication); Domain Controller; Group Policy (RPC/SMB); LDAP; Firewall; VPN Tunnel]

Services and Associated Ports/Protocols

Refer to the following table to see a list of each service, and its associated default port(s) and protocol(s), as shown in Figure 1.1.

Table 1.1—Service Ports and Protocols (Continued)

Service                                              Port/Protocol
LDAP ping                                            389/UDP
RPC Endpoint Mapper                                  135/TCP, 135/UDP
Global Catalog LDAP                                  3268/TCP
Global Catalog LDAP over SSL                         3269/TCP
Kerberos*                                            88/TCP, 88/UDP
Domain Name Service (DNS)*                           53/TCP, 53/UDP
Windows Internet Naming Service (WINS) resolution*   1512/TCP, 1512/UDP
WINS replication*                                    42/TCP, 42/UDP

* Optional
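A firewall or VPN that drops one of these ports is the usual reason a client never checks in, so it is worth probing them from a client subnet before deployment. The script below is an added example, not Symantec's tooling: the service list is the part of Table 1.1 that survives on this page (add the rows from your own copy), the host name dc01.your-org.com is a placeholder, and the function names are the example's own. TCP ports are tested with a plain connect(); UDP ports are reported as not checked, because a UDP connect() proves nothing about a filter. The probe is injectable so the classification logic can be exercised without a network.

```python
"""Pre-deployment reachability check for the services in Table 1.1.

Added example, not Symantec's tooling. SERVICES is the surviving part of
Table 1.1; the default host below is a placeholder, not a real server.
"""
import socket

# (service, port, protocol, optional) -- rows marked * in Table 1.1 are optional.
SERVICES = [
    ("LDAP ping", 389, "UDP", False),
    ("RPC Endpoint Mapper", 135, "TCP", False),
    ("RPC Endpoint Mapper", 135, "UDP", False),
    ("Global Catalog LDAP", 3268, "TCP", False),
    ("Global Catalog LDAP over SSL", 3269, "TCP", False),
    ("Kerberos", 88, "TCP", True),
    ("Kerberos", 88, "UDP", True),
    ("DNS", 53, "TCP", True),
    ("DNS", 53, "UDP", True),
    ("WINS resolution", 1512, "TCP", True),
    ("WINS resolution", 1512, "UDP", True),
    ("WINS replication", 42, "TCP", True),
    ("WINS replication", 42, "UDP", True),
]


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_services(host, services=SERVICES, probe=tcp_open):
    """Probe every TCP row and classify it; UDP rows are reported, not probed.

    `probe(host, port)` is injectable so the logic can be tested offline.
    Returns a list of (service, port, protocol, status) where status is one of
    'open', 'blocked', 'blocked (optional)' or 'not checked (UDP)'.
    """
    results = []
    for service, port, proto, optional in services:
        if proto != "TCP":
            status = "not checked (UDP)"
        elif probe(host, port):
            status = "open"
        else:
            status = "blocked (optional)" if optional else "blocked"
        results.append((service, port, proto, status))
    return results


def required_blocked(results):
    """Mandatory TCP services that did not answer; any entry here breaks check-in."""
    return [f"{svc} {port}/{proto}"
            for svc, port, proto, status in results if status == "blocked"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.your-org.com"  # placeholder host
    for svc, port, proto, status in check_services(target):
        print(f"{svc:32} {port:>5}/{proto:<3} {status}")
    missing = required_blocked(check_services(target))
    print("required services blocked:", missing or "none")
```

Run it as `python check_ports.py <domain-controller-or-see-server>` from the client subnet; anything listed under "required services blocked" has to be opened before clients can check in.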


2. Client Monitor

Overview

The SEE Client Monitor snap-in retrieves encryption status and other information stored in the SEE Server by SEE Client Computers. The Client Monitor snap-in allows you to set up custom Watchlists to monitor the status of selected users and computers.

Initial Encryption of the Hard Disk

The initial encryption process is typically configured to begin immediately following installation. It begins with the first hard disk partition and other partitions are queued to encrypt one after the other automatically. Encryption occurs transparently in the background, allowing the user to continue using the computer normally during the process. If the user performs a normal shutdown of the computer before the initial encryption process has completed, initial encryption automatically resumes when the computer is powered on again.

Depending on the installation or policy settings, the SEE Client Computer can attempt to store important data in the SEE Server immediately upon installation and again at a specified interval. The SEE Client then attempts to store status updates at a specified interval in the SEE Server, again depending on the installation or policy settings.

The following information is transmitted by the SEE Client Computer in encrypted form to the SEE Server:

Computer name;

User name(s);

Account name (i.e., complete Windows domain or local account name);

Role (i.e., Client Administrator or registered user);

Last check-in date;

Encryption status for each partition (encrypting, encrypted, decrypting, decrypted);

One-Time Password and Recover /B information;

Version of SEE Framework installed; and

Version of SEE Full Disk installed.

The Client Monitor snap-in of the SEE Manager retrieves this information and displays the status in a Client Monitor Watchlist.

Client Monitor Watchlist Creation

1. Open the SEE Manager, expand the Active Directory Users and Computers container to your-org.com, and then Users. Click and drag to select, or hold the CTRL key down and click to highlight individual user and/or computer objects in their respective containers.

2. Drag the selected users and/or computers and drop them onto the SEE Client Monitor module in the console tree. The first time you drag a user or computer and drop them onto the SEE Client Monitor snap-in, the ADAM


Figure 2.1—Connecting to the Client Monitor

3. In the ADAM Administrator Account window, type the credentials of the ADAM Administrator account established when the SEE Server was installed, then click OK.

4. Open the File menu and select Save. This saves the SEE Manager with the Watchlist, along with any computer or user objects you added to the Watchlist. If you are a member of the ADAM Administrators group, you will not be prompted for the ADAM Administrator credentials when you open the SEE Manager.

To remove a user or computer object from the Watchlist, select the object or objects, right-click, and choose either Remove Selected Users from Watchlist or Remove Selected Computers from Watchlist.


Auto Refresh Interval

Each Watchlist can be set to periodically refresh at a preset interval. To do this, perform the following steps:

1. Select a Watchlist, right-click, and choose Auto Refresh Interval.

2. In the Auto Refresh Interval window, type the number of minutes at which you want the Watchlist contents to be refreshed, then click OK.

The Auto Refresh Interval only controls how often the Watchlist reads status data from the SEE Server, and not how often the SEE Client reports status data to the SEE Server. The interval at which the client reports its status data to the SEE Server is controlled by installation settings and policy updates.

Watchlists Based on Group Membership

Although you cannot create a Watchlist by dragging an Active Directory group object and dropping it onto the Client Monitor snap-in, you can achieve the same result by executing a custom LDAP query using the Active Directory Users and Computers snap-in. This section details how to specify and execute a query string based on group membership. Once the query has completed and returned the list of user accounts that meet the search criteria, you can drag those accounts to the Client Monitor snap-in and create a new Watchlist whose contents reflect the group membership. Note that a memberOf query returns only direct members: accounts that belong to the group through a nested group, or whose primary group is the group being queried, are not returned. The Watchlist is also a snapshot; when group membership changes, re-run the query and update the Watchlist.

Selecting All Members of the Domain Admins Group

1. Open the SEE Manager from the Windows Start menu.

2. In the navigation pane on the left, expand the Active Directory Users and Computers snap-in. Right-click on Saved Queries, point to New and select Query.

Figure 2.3—Creating a New Query


4. From the Find drop-down list, select the option Custom Search. The Find Common Queries window changes to the Find Custom Search window.

Figure 2.4—Find Custom Search LDAP Query String

5. Click the Advanced tab, and in the Enter LDAP Query field, type the following query string:

(&(objectCategory=user)(memberOf=CN=Domain Admins,CN=Users,DC=your-org,DC=com))

6. After verifying that you have entered the query string correctly, including the enclosing (& ... ) that joins the two conditions, click OK.

7. Click OK to save and execute your new query. The query results will display in the pane on the right.

Table 2.1—LDAP Query String Description

Query Term       Description                                                         Syntax Examples
objectCategory=  The category of the object you are searching for.                   objectCategory=user; objectCategory=computer
memberOf=CN=     The Active Directory group of which each user object is a member.   memberOf=CN=Domain Admins; memberOf=CN=Domain Users
CN=              The container or organizational unit in which the group resides.    CN=Computers; OU=Human Resources
DC=              The name of your domain and forest. Each


Figure 2.5—Domain Admins Properties, Members

Note that in this sample scenario, the Domain Admins Properties window indicates that all three selected accounts are located in the Users container.

8. You may execute a saved query again either by selecting the query and pressing F5, or by right-clicking the saved query and selecting Refresh.

9. Select the user objects returned by the query, then drag them and drop them onto the Client Monitor snap-in to create a new Watchlist, or drag them and drop them onto an existing Watchlist.

Figure 2.6—SEE Manager, Watchlist Members Added

Once the Watchlist has been populated with computers on which the SEE Client has been installed, the Watchlist will reflect encryption status and other information about the SEE Client Computers.
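The query string above, built and checked in code rather than typed by hand. This is an added example and not part of the Symantec guide: the function names are the example's own, only the Python standard library is used, and it runs offline. It escapes the characters that RFC 4515 reserves inside a filter value (a group called "Helpdesk (Tier 2)" would otherwise break the filter), wraps the two conditions in the conjunction that a multi-clause filter requires, rejects a filter such as (a)(b) that lacks that conjunction, and, as a generalization of the guide's direct-membership query, can also build the transitive form that follows nested groups through the Active Directory matching rule 1.2.840.113556.1.4.1941. Neither form returns users whose primary group is the target group.

```python
"""Build and sanity-check the LDAP filters used for group-based Watchlists.

Added example (not from the Symantec guide). Function names are the
example's own; only the Python standard library is used.
"""
import re

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory extensible-match rule for transitive (nested) membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_dn(group_cn, container, domain):
    """Assemble a group DN from its CN, its container or OU, and a DNS domain.

    ('Domain Admins', 'CN=Users', 'your-org.com') ->
    'CN=Domain Admins,CN=Users,DC=your-org,DC=com'
    """
    dc = ",".join(f"DC={label}" for label in domain.split("."))
    return f"CN={group_cn},{container},{dc}"


def members_filter(dn, object_category="user", nested=False):
    """Return the filter selecting objects that are members of the group `dn`.

    nested=False reproduces the guide's direct-membership query.
    nested=True follows group-in-group membership (AD-specific matching rule).
    Neither form matches users whose *primary* group is the target group.
    """
    attr = f"memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else "memberOf"
    return f"(&(objectCategory={object_category})({attr}={escape_filter_value(dn)}))"


def is_well_formed(ldap_filter):
    """Sanity check: balanced parentheses and exactly one top-level item.

    '(a)(b)' is rejected because two clauses need a conjunction: '(&(a)(b))'.
    Escaped parentheses (\\28, \\29) are data, not syntax, and are skipped.
    """
    text = re.sub(r"\\[0-9a-fA-F]{2}", "", ldap_filter)
    if not text.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(text) - 1:
                return False  # a second top-level clause follows
    return depth == 0


if __name__ == "__main__":
    dn = group_dn("Domain Admins", "CN=Users", "your-org.com")
    print(members_filter(dn))
    print(members_filter(dn, nested=True))
    # A group name containing parentheses must be escaped or the filter breaks.
    print(members_filter(group_dn("Helpdesk (Tier 2)", "OU=Groups", "your-org.com")))
    print(is_well_formed("(objectCategory=user)(memberOf=CN=x)"))  # missing conjunction
```

Paste the printed filter into the Enter LDAP Query field; the nested variant is the one to use when Client Administrators or other roles are granted through intermediate groups.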


Client Computer Check-In Verification

Watchlists can also be used to verify Client Computer check-ins. This is especially important if a lockout has been configured by installation settings or policy updates. At a minimum, Client Computers should check in at least once, and recently recovered Client Computers should check in immediately following recovery.

Ensuring That Recently Deployed Clients Check In

When deploying SEE Full Disk, it is important that all Client Computers to which SEE Full Disk has been deployed make contact with the SEE Server at least one time. During the initial contact with the SEE Server, a Client Computer stores its client-specific keying and other information. If the hard disk of the Client Computer needs to be recovered later on, this client-specific information is extracted from the SEE Server and used by support personnel when performing Recover /B. If the Client Computer has SEE Full Disk installed but has not made contact with the SEE Server, the client-specific recovery information will be unavailable from the SEE Server, and hard disk recovery operations will be limited to Recover /A and /D.

A Watchlist can be used to identify computers which may have not checked in. To check for these computers, create a Watchlist populated with the computers to which you have deployed SEE Full Disk. Because the SEE Server will contain no information from these computers, the Watchlist columns for these computers will be blank.

Having identified the computers that have failed to check in, you can target them using other tools such as Resultant Set of Policy (RSoP) reports and system event logs to help determine whether there were problems installing the SEE Client installer packages.

Ensuring That Recently Recovered Clients Check In

After a successful execution of Recover /D or /B on a Client Computer, make sure that the Client Computer checks in at least once so that the new data can be stored in the SEE Server.
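The check-in verification described in this section, done over an exported Watchlist instead of by reading the console. This is an added example, not Symantec's code: the CSV column names (Computer Name, Last Check-In, Partition Status, Full Disk Version) and the sample rows are constructed for the example and must be matched to the columns of your own export (see "Exporting Watchlist Data"); the date format and the 30-day lockout window are assumptions. It separates computers that have never contacted the SEE Server (blank rows, for which Recover /B data does not exist on the server) from computers that are overdue against the lockout window and from computers with a partition that is not yet fully encrypted.

```python
"""Triage a Client Monitor Watchlist export for check-in and encryption gaps.

Added example (not Symantec's code). The CSV column names, the date format
and the sample rows are constructed for this example.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample: what a Watchlist export might look like. A computer that
# has never contacted the SEE Server has every status column blank.
SAMPLE_EXPORT = """\
Computer Name,Last Check-In,Partition Status,Full Disk Version
WS-FIN-01,2008-05-20,C: encrypted; D: encrypted,7.0.0
WS-FIN-02,2008-04-02,C: encrypted; D: decrypted,7.0.0
WS-FIN-03,,,
WS-HR-07,2008-05-18,C: encrypting,7.0.0
"""


def parse_export(text):
    """Read the CSV export into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def partition_states(field):
    """'C: encrypted; D: decrypted' -> {'C:': 'encrypted', 'D:': 'decrypted'}."""
    states = {}
    for item in filter(None, (p.strip() for p in field.split(";"))):
        drive, _, state = item.partition(" ")
        states[drive] = state.strip().lower()
    return states


def triage(rows, today, lockout_days):
    """Sort computers into the buckets an administrator acts on.

    never_checked_in: blank rows; no recovery data for them is in the SEE
                      Server, so Recover /B is not possible for these computers.
    overdue:          last check-in is older than the lockout window.
    not_encrypted:    at least one partition is not in the 'encrypted' state.
    """
    result = {"never_checked_in": [], "overdue": [], "not_encrypted": []}
    for row in rows:
        name = row["Computer Name"]
        if not row["Last Check-In"]:
            result["never_checked_in"].append(name)
            continue
        last = datetime.strptime(row["Last Check-In"], "%Y-%m-%d").date()
        if (today - last).days > lockout_days:
            result["overdue"].append(name)
        bad = [drive for drive, state in partition_states(row["Partition Status"]).items()
               if state != "encrypted"]
        if bad:
            result["not_encrypted"].append((name, bad))
    return result


def sample_report():
    """Triage the constructed sample as of 2008-05-21 with an assumed 30-day lockout."""
    return triage(parse_export(SAMPLE_EXPORT), today=date(2008, 5, 21), lockout_days=30)


if __name__ == "__main__":
    for bucket, items in sample_report().items():
        print(f"{bucket}: {items}")
```

Computers in the never_checked_in bucket are the ones to chase with RSoP reports and event logs; computers in the overdue bucket are the ones a Client Administrator will shortly have to unlock or grant a due-date extension.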


3. Client Policy Settings

Overview

You can create a new SEE policy to override and completely replace any existing SEE policies or installation settings that are below it in the Local, Site, Domain, OU (LSDOU) order.

Two settings may only be defined by pushing out a policy update. The majority of the installation settings can be overridden with policy updates.

Policy Only

The following SEE Full Disk settings can only be defined using a policy:

The window of time during which the Autologon feature remains active; and

Whether to begin immediate decryption of all disk partitions of computers receiving this policy.

Policy Updates to Installation Settings

The following SEE Framework installation settings can be changed later by policy update:

The custom message shown to users who are having trouble with authentication;

Whether the One-Time Password and/or the Authenti-Check authentication assistance methods are available;

Pre-defined Authenti-Check questions that users may be required to answer when they register;

Client Administrator accounts;

How often the SEE Client Computer reports its status to the SEE Server;

The credentials used by the SEE Client Computer for accessing the SEE Server;

Whether users use Single Sign-On (SSO);

SEE password complexity, expiration, and reuse requirements (if SSO is disabled);

How many times in succession a user can enter an incorrect password before incurring a 60-second delay;

A password necessary to register as an SEE user;

Whether users authenticate with passwords or tokens;

The custom message shown to new users forced to register;

The maximum number of SEE users that can register on a given computer; and

Whether token users can use an expired certificate.

The following SEE Full Disk installation settings can be changed later on with policy updates:

Logon instructions and legal warning text shown to users who are logging on;

Whether Client Administrators and/or registered users can decrypt disk partitions;

Whether Client Computers are locked if they do not access the SEE Server within a specified number of days; and


Forcing a Policy Update

By default, Client Computers refresh Group Policy in the background every 90 minutes plus a random offset of up to 30 minutes, so an Active Directory policy change can take up to 120 minutes to reach every Client Computer. To accelerate this, you can force an immediate policy update.

Windows XP Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.

2. Type the following command at the command prompt:

gpupdate /force

and press ENTER.

3. A message will appear in the command prompt window after a few seconds indicating that the update has taken place. If the updated policy includes settings that can only be applied at startup, the message will prompt you to confirm a restart. Type Y and press ENTER to restart the Client Computer.

Windows 2000 Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.

2. Type the following command at the command prompt:

secedit /refreshpolicy machine_policy /enforce

and press ENTER.

3. The secedit command will not prompt you to restart. If the policy you are updating includes any computer policies, you will have to restart the computer manually to complete the update.


4. SEE Framework

Creating Client Administrator Accounts

The initial list of Client Administrators is specified as part of the SEE installation settings. These settings represent the persistent, baseline list of Client Administrators. If you wish to change or update this baseline list, you must create a GPO containing a new set of Client Administrator settings. When a new Client Administrator policy is applied, it completely overrides the baseline Client Administrator installation settings, as well as any other Client Administrator GPOs beneath it in order of GPO precedence. If you wish to update the password of a single Client Administrator out of a list of 20 Client Administrators, you can load the list of Client Administrators from a previously created installation settings package. This will populate the GPO panel with the list of all Client Administrators account information (including password hashes) specified when the installation settings package was created.

As with any SEE policy settings panel, you may, in the absence of other Client Administrator policies beneath it in the precedence chain, revert to the baseline Client Administrator installation settings by selecting the option Restore the installation settings.

To specify Client Administrator accounts as part of a policy setting, you will create a new Group Policy Object (GPO) or edit an existing GPO. Inside the navigation tree of the Group Policy Object Editor (GPOE) window, expand Computer Configuration, expand Software Settings, expand Symantec Endpoint Encryption, expand Symantec Endpoint Encryption Framework, click on Client Administrators, and select the Change these settings option.


Figure 4.1—Framework Computer Policy—Client Administrators

Either the NetBIOS name or the DNS domain name must be entered in the Account Domain box when specifying a Client Administrator account. All Client Administrator accounts you specify must be valid Windows domain accounts and must be in the same forest as the SEE Client Computers. Up to 50 Client Administrator accounts can be specified.

Your entries are validated when you click away from the Client Administrator Settings panel. If incorrect entries are found, the icon of the Client Administrator settings panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary corrections before closing the GPOE window.

Users Upgraded to Client Administrators

When an existing SEE user account is upgraded to Client Administrator status through a GPO, the existing SEE user account information is deleted from the local computer. Note that this only affects the SEE account on computers receiving the policy, and does not affect that user’s Windows domain account. However, because Client


different than the Windows password for that account. Additionally, the Authenti-Check and One-Time Password authentication assistance methods are not available to Client Administrators. When a registered user account is upgraded to Client Administrator status, any Authenti-Check questions and/or answers provided by that user are lost.

Authentication Methods

By default, all Client Administrator accounts use password authentication. When you specify each Client Administrator account, you must type and confirm the password for that account. If your SEE deployment has been designed to use token authentication, you may select the option to use a token for individual Client Administrator accounts in the Framework Installation Settings or policy settings panels. When you select the token option, you will be prompted to locate the P7B certificate file associated with that Client Administrator account. The selected P7B file will be validated, and you will be prompted to choose the desired certificate from the list of valid certificates found in the P7B file.

Changing User Authentication Methods

You can force existing users to change how they authenticate to SEE. Users must successfully switch authentication methods by a date you specify. For example, a user who registered using password authentication can be forced to re-register using token authentication. Users who have not completed the re-registration process before the deadline will be denied access to Windows until they re-register.

To force existing users to switch authentication methods, perform the following steps:

1. Create a new GPO. Right-click the GPO, and click Edit.

2. Inside the navigation tree of the Group Policy Object Editor (GPOE) window, expand Computer Configuration, expand Software Settings, expand Symantec Endpoint Encryption, expand Symantec Endpoint Encryption Framework, click on Registered Users, and select the Change these settings option.

3. In Authentication Method, select the authentication method you want to force users to switch to, either a password or a token.

4. Select the Enforce this choice on existing SEE accounts check box.

5. Select a date (Month, Day, Year) from the drop-down lists. This date will be the deadline after which users will be forced to re-register using the new authentication method.

6. Close the GPOE window. In the GPMC inside the SEE Manager, link the GPO to the appropriate location in the Active Directory hierarchy.

Once the policy has been processed by the client and the client has rebooted, users will be prompted to re-register when logging on to Windows. Re-registration is optional until the deadline has elapsed. After the deadline, users are forced to re-register using the new authentication method.

All passwords, user names, and domain names typed into the recover.exe and SEEHD_Access_Utility.exe utilities must consist solely of US English characters. If non-US English characters are used, Client Administrators will not be able to use these utilities successfully.

Single-Sign On will be unavailable to users not using the same authentication method for both Windows and SEE. Single-Sign On works normally when the authentication methods used in both environments are identical.


Full Disk Recovery CD Creation

If a Client Computer running SEE Full Disk encounters a serious error and cannot load Windows, a Recover CD allows a Client Administrator to boot the computer and attempt recovery.

The Recovery CD is a bootable medium that contains two recovery programs: Access.exe and Recover.exe, plus related files.

Access.exe is a 16-bit version of the Access Utility that addresses possible Windows problems. If a Client Administrator succeeds in booting with the Access Utility, it indicates that the problem with the Client Computer is with its Windows installation.

Recover.exe is a program that tries to regain access to the hard disk and runs with three options:

The /A option attempts to repair damaged client database files.

The /D option attempts to repair damaged client database files and then to decrypt the hard disk.

The /B option is performed only if all other previous steps have failed and requires the assistance of Symantec Technical Support. This option reads from a computer-specific recovery file that contains an important cryptographic key. You create this data file for a particular Client Computer, usually when requested to do so by a Client Administrator. You add this DAT file to a Recover CD, but unlike the recovery programs on the CD, the data file is applicable only to the specific computer. See “Full Disk Recovery Data File Generation” on page 17 for details in creating the DAT file.

You should create a Recover CD immediately after SEE Full Disk installation.

The 16-bit Access Utility is included in the SEE Full Disk download package. However, due to Microsoft licensing requirements, Symantec separately mails you a CD that contains a 32-bit version of the utility. The 16-bit version runs in DOS and the 32-bit version runs in Windows PE (WinPE). The 32-bit version is recommended.


To create the Recover CD:

1. Make sure that you have CD-ROM burning software that supports the creation of bootable CDs. Some examples of this kind of software are Nero and Easy CD Creator.

2. Create a bootable CD.

3. Copy the following files from this directory C:\Program Files\Symantec\Symantec Endpoint Encryption Manager\Symantec Endpoint Encryption Full Disk\DOS to the bootable CD:

access.exe

ephdxlat.bin

ephdxlat.ovl

RECOVER.EXE

4. Label the CD as being the SEE Full Disk Recover CD and include the version number and the date. Any Client Administrator can use this Recover CD on any Client Computer (that is running that same version) and that fails to boot.
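The following Windows PowerShell script is an added example, not part of the Symantec guide, that stages the four Recover CD files from the DOS directory named in step 3 into a folder for your CD-burning software and then verifies that all four arrived. It exists because ephdxlat.bin carries the hidden attribute and is easy to miss when copying by hand. The staging folder under %TEMP% is an assumed location; the source path is the one the guide gives.

```powershell
# Added example (not from the Symantec guide): stage and verify the Recover CD files.
# Source path: the SEE Manager DOS directory named in the guide.
# Staging folder: assumed; point it at the folder your burning software reads from.

$SourceDir     = 'C:\Program Files\Symantec\Symantec Endpoint Encryption Manager\Symantec Endpoint Encryption Full Disk\DOS'
$StagingDir    = Join-Path $env:TEMP 'SEE-RecoverCD'
$RequiredFiles = @('access.exe', 'ephdxlat.bin', 'ephdxlat.ovl', 'RECOVER.EXE')

function Copy-RecoverCdFiles {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($name in $RequiredFiles) {
        # -Force is needed so Get-Item returns ephdxlat.bin, which is a hidden file
        # and would otherwise be reported as not found.
        $item = Get-Item -Path (Join-Path $Source $name) -Force -ErrorAction Stop
        Copy-Item -Path $item.FullName -Destination $Destination -Force
    }
}

function Test-RecoverCdStaging {
    param([Parameter(Mandatory)][string]$Destination)
    # Returns the names of required files that are missing; an empty result means OK.
    # -Force again, because the copied .bin keeps its hidden attribute.
    $present = Get-ChildItem -Path $Destination -Force -File | ForEach-Object { $_.Name.ToLower() }
    $RequiredFiles | Where-Object { $present -notcontains $_.ToLower() }
}

Copy-RecoverCdFiles -Source $SourceDir -Destination $StagingDir
$missing = Test-RecoverCdStaging -Destination $StagingDir
if ($missing) {
    Write-Warning ('Missing from staging folder: ' + ($missing -join ', '))
} else {
    Write-Host "All four Recover CD files are staged in $StagingDir. Burn them as a bootable CD and label it with the SEE Full Disk version and date."
}
```

Run this on the Manager Computer where SEE Full Disk was installed; if the warning names ephdxlat.bin, the most likely cause is a copy made without hidden files visible, which is exactly the case the script guards against.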

Full Disk Recovery Data File Generation

Prior to using the /B option of the recover.exe utility (Recover /B), you must first select the specific computer needing recovery from a Client Monitor Watchlist, authenticate using the Management Password, export the computer-specific Full Disk Recovery Data files, and finally transfer the recovery data files to removable media for use at the Client Computer. Typically, a Policy Administrator or other support person who has access to the Client Monitor snap-in and knows the credentials of the ADAM Administrator account can export the client-specific recovery data.

If you have not yet created a Client Monitor Watchlist containing the computer that needs to be recovered, do so now, using the following steps:

1. Open the SEE Manager, and in the navigation pane on the left, click on and expand the Active Directory Users and Computers snap-in.

2. Within your Active Directory hierarchy, select the computer object needing recovery, and drag and drop it on top of the SEE Client Monitor snap-in to create a new Watchlist.

3. Select the new Watchlist.

4. In the Watchlist window on the right (see Figure 4.2 for an example):

Figure 4.2—Exporting HD Recovery Data from a Watchlist

a) Select the computer of interest, right-click it, and choose Export HD Recovery Data. A window opens prompting you to enter the Management Password.

b) Type the Management Password into the field.

c) Click OK.

5. After successfully authenticating, a second window opens. At the prompt:

a) Enter a Recovery Password containing only US English characters. If you specify a recovery password containing non-English characters, an error message will be displayed. This password is used for protecting the recovery files you are about to export. The Client Administrator must enter this password before they can run Recover /B on that computer. The recover.exe utility only provides support for passwords containing US English characters.

b) At the next prompt, select a destination location for the recovery files. Navigate to the desired location and click OK. A success dialog displays after the files have been successfully saved.

c) Click OK to continue.

The recovery data consists of the following files: EPHDXLAT.BIN, recover.dat, recover.exe, ephdxlat.ovl, and access.exe.

The recovery data files are always exported using these same filenames. To avoid confusion when exporting hard disk recovery data for multiple computers, be sure to save them to separate folders with unique names that are identifiable with their associated computers.

Copy these files to bootable media, such as a bootable CD or a floppy formatted as a startup disk. The boot CD or floppy may now be given to the Client Administrator to perform the Recover /B operation at the Client Computer.

The BIN file will not be visible unless you change your settings in Windows Explorer so you can view hidden files.

Immediately after SEE Full Disk is installed on a Client Computer, the Client Computer tries to contact the SEE Server to store the client-specific files necessary for hard disk recovery. If this contact does not occur, the only recovery options available will be Recover /A and /D, which do not require the client-specific recovery files stored in the SEE Server. For this reason, it is critical to make sure, using Client Monitor Watchlists, that each Client Computer succeeds in checking in at least once.

Auditing and Logging

Auditing and logging facilities allow you to verify that intended policy changes were actually received and successfully processed on Client Computers. You can also check for the occurrence of individual SEE events on a given Client Computer. This information is spread across three separate sources:

Data exported from a Client Monitor Watchlist;


The Windows System Event viewer.

Exporting Watchlist Data

In the SEE Manager, create a new Client Monitor Watchlist by selecting the user and /or computer objects of interest, then dragging and releasing them on top of the Client Monitor snap-in.

1. Select New Watchlist, right-click, and choose Export.

A window appears prompting you for a name and location for the exported text file. By default, it uses the name of the Watchlist as the name of the file.

2. Navigate to the desired location and click OK to save the file with the default name New Watchlist.txt.

The export operation creates two files at the target location you selected: New Watchlist.txt and New Watchlist statistics.txt.

The file New Watchlist.txt is a semicolon-delimited text version of the contents of the Watchlist. The same column headings visible in the Watchlist appear on the first line, with data for each user and computer object appearing on subsequent lines. The order in which the user and computer data appear reflect the sort order at the time the Watchlist data was exported. The default column headings exported are Computer, Name, Account, Role, Last Check-In (date and time), and HD Encryption (status).

The file New Watchlist statistics.txt contains the following statistics about the user and computer objects in the Watchlist:

Number of computers;

Number of distinct SEE user accounts, including Client Administrators;

Number of computers with SEE Full Disk installed;

Number of computers with encrypted hard drives; and

Number of computers with non-encrypted hard drives.

You may import the exported Watchlist data text files into other applications for further processing, customized report generation, and output.
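As an added example, not part of the Symantec guide, the following Windows PowerShell script reads an exported Watchlist file of the kind described above (semicolon-delimited, default column headings) and flags computers that have never checked in or whose hard disk is not fully encrypted. The never-checked-in test matters because, as the recovery section notes, only Recover /A and /D are available for a machine whose recovery files were never stored in the SEE Server. The rows in $sample are constructed, and the Last Check-In date format is assumed since the guide does not specify it.

```powershell
# Added example (not from the Symantec guide): parse an exported Client Monitor
# Watchlist and report computers needing attention.
# $sample is constructed input; the date format in Last Check-In is assumed.

$sample = @'
Computer;Name;Account;Role;Last Check-In;HD Encryption
WS-001;Mary Brown;mbrown;Client Administrator;2008-05-01 09:12;Encrypted
WS-002;;;;;Decrypted
WS-003;Mike Williams;mwilliams;Client Administrator;2008-05-02 14:30;Mixed
WS-004;John Doe;jdoe;User;2008-05-02 15:01;Encrypting
WS-004;Jane Roe;jroe;User;2008-05-02 15:01;Encrypting
'@

$exportPath = Join-Path $env:TEMP 'New Watchlist.txt'   # constructed input file
Set-Content -Path $exportPath -Value $sample

function Get-WatchlistFindings {
    param([Parameter(Mandatory)][string]$Path)
    # The first line of the export carries the Watchlist column headings.
    $rows = Import-Csv -Path $Path -Delimiter ';'
    # Several user rows can share one computer; report each computer once.
    foreach ($group in ($rows | Group-Object -Property Computer)) {
        $row       = $group.Group[0]
        $checkedIn = -not [string]::IsNullOrWhiteSpace($row.'Last Check-In')
        $status    = $row.'HD Encryption'
        [pscustomobject]@{
            Computer          = $group.Name
            Users             = (($group.Group | Where-Object { $_.Account } | ForEach-Object { $_.Account }) -join ',')
            CheckedIn         = $checkedIn
            HDEncryption      = $status
            FullyEncrypted    = ($status -eq 'Encrypted')
            # Without a first check-in the client-specific recovery files were never
            # stored in the SEE Server, so Recover /B cannot be prepared for this machine.
            RecoverBAvailable = $checkedIn
        }
    }
}

function Get-WatchlistExceptions {
    param([Parameter(Mandatory)][string]$Path)
    Get-WatchlistFindings -Path $Path |
        Where-Object { -not $_.CheckedIn -or -not $_.FullyEncrypted }
}

Get-WatchlistExceptions -Path $exportPath | Format-Table -AutoSize
```

With the constructed rows, WS-002 (never checked in), WS-003 (Mixed) and WS-004 (Encrypting) are reported and WS-001 is not. Replace $exportPath with the path of a real New Watchlist.txt export to run it against your own data.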

Using the Group Policy Results Wizard

The Group Policy Management snap-in features a reporting facility which allows you to verify that the SEE policies you assigned to Client Computers or users were actually processed as intended. This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report.

The initial SEE installation settings as deployed using the Framework and Full Disk client MSI packages will not appear in the RSoP report, and only those settings deployed using SEE GPOs will be shown in the RSoP.

To generate an RSoP report, perform the following steps:

1. Open the SEE Manager, and in the left pane, expand Group Policy Management, then expand Group Policy Results.

2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard.

3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer.

4. Type the name of the computer for which you wish to generate a Group Policy Report, then click Next.


8. Click on the Settings tab of the Group Policy Results window in the pane on the right.

9. This window shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration.

10. Within the section named Computer Configuration, locate the sub-section named Administrative Templates.

SEE uses registry-based policies, and any SEE computer policies you create and apply will show up within the sub-sections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Full Disk.

For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window.

11. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework section by clicking on the Show link on the right. That sub-section will expand to reveal all Framework policies currently in effect.

Figure 4.3—RSoP Report From an SEE Client

Figure 4.3 shows that a Client Administrator policy has been applied, and that both Client Administrators, mbrown and mwilliams, use password authentication and can unregister SEE accounts.

Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in which to


Some SEE policies create other settings in the client registry which show up in the RSoP as Extra Registry Settings. These represent internal registry values used by the particular SEE policy and can be ignored.

Windows System Event Viewer Monitoring

All security-related system events are logged on the SEE Client where they may be viewed remotely by an administrator using the Windows System Event viewer. To view SEE–specific system events logged on a specific computer, perform the following steps:

1. Open a Run dialog from the Windows Start menu.

2. Type eventvwr.msc and click OK.

3. An Event Viewer console window opens showing the events on your local computer.

4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose Connect to another computer.

5. In the Select Computer dialog, make sure that the Another computer option is selected, then click Browse.

6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK.

7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another computer.

8. Choose View and click Filter to open the Application Properties window.

9. From the Event Source drop-down list box, choose Encryption Anywhere and click Apply.

10. This filters the event log for that computer to show only SEE events. Drag the Application Properties window away from the Event Viewer window, but leave it open.

11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Events Properties window for that event.

The Description field contains information about that particular SEE event. To inspect other events in the log, use the up and down arrow buttons in the upper right of the Events Properties window.

To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified.


Figure 4.4—SEE System Events

For a complete list of all SEE–specific system events, their event code numbers, and descriptions of the events, refer to “Framework System Events List” on page 40 and “Full Disk System Events List” on page 50.
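The same filtering can be done from Windows PowerShell instead of clicking through the Event Viewer. The script below is an added example, not part of the Symantec guide: it queries the Application log of a remote Client Computer for events from the Encryption Anywhere source (the source named in step 9 above), optionally narrowed to one Event ID, and summarises how often each Event ID occurs. The computer name and any Event ID you pass are your own values; the SEE event codes themselves are in the lists referenced above, not in this example.

```powershell
# Added example (not from the Symantec guide): query SEE client events remotely.
# Uses Get-EventLog from Windows PowerShell; requires the same remote Event Log
# access the Event Viewer "Connect to another computer" step needs.

function Get-SeeClientEvents {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$EventId,                 # optional; omit to return every SEE event
        [int]$Newest = 100
    )
    $query = @{
        LogName      = 'Application'
        Source       = 'Encryption Anywhere'   # the event source the guide filters on
        ComputerName = $ComputerName
        Newest       = $Newest
        ErrorAction  = 'Stop'
    }
    $events = Get-EventLog @query
    if ($PSBoundParameters.ContainsKey('EventId')) {
        # Equivalent of typing the number into the Event ID field of the filter.
        $events = $events | Where-Object { $_.EventID -eq $EventId }
    }
    # These are the fields you would otherwise read in the Events Properties window.
    $events | Select-Object TimeGenerated, EventID, EntryType, Message
}

function Get-SeeEventSummary {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Newest = 1000
    )
    # Count of events per Event ID: shows at a glance which SEE events a machine
    # has logged, before stepping through individual descriptions.
    Get-SeeClientEvents -ComputerName $ComputerName -Newest $Newest |
        Group-Object -Property EventID |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count
}

# Usage (replace WS-001 with a real Client Computer name):
# Get-SeeClientEvents -ComputerName 'WS-001' | Format-Table -AutoSize
# Get-SeeClientEvents -ComputerName 'WS-001' -EventId 1234   # 1234 is a placeholder
# Get-SeeEventSummary -ComputerName 'WS-001'
```

Get-EventLog is available in Windows PowerShell only; on PowerShell 7 use Get-WinEvent with a FilterHashtable of LogName and ProviderName instead.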

The Management Password

The Management Password is used by SEE to control administrator access to two help desk functions: Recover /B and the One-Time Password Program. These two functions use the Management Password in the following ways:

SEE Policy Administrators or other support personnel who have access to the Management Password snap-in must type the Management Password before they can export computer-specific hard disk recovery files (see “Full Disk Recovery Data File Generation” on page 17).

SEE Client Administrators must type the Management Password before they are allowed to run the One-Time Password Program.

Because the Management Password is shared among support personnel, you should establish a protocol for all Management Password changes. This will avoid the situation of one administrator changing the Management Password and preventing other administrators from performing help desk functions which require the Management Password. The Management Password should be backed up in safe location, as there is no mechanism available for recovering a lost Management Password.

Setting the Management Password

During the initial installation of the SEE Manager, you will be prompted to type the Management Password. Thereafter, and for subsequent installations of the SEE Manager, the fact that the Management Password has already been set will be detected by the installer, and you will not be prompted to set the Management Password again.

When the Management Password is first set, a hash of the password is stored in the SEE Server. Therefore, the sequence of SEE Manager installation screens will be different depending on whether or not the SEE Manager has already been installed and the Management Password has already been set.


Changing the Management Password

To change the Management Password, perform the following steps:

1. Open the SEE Manager.

Figure 4.5—The Management Password Snap-in

2. In the navigation pane on the left, click on the Management Password snap-in.

3. In the pane on the right, type the existing Management Password, type a new Management Password between 16–32 characters in length, and type the new Management Password again to confirm.

4. Click OK. A dialog will appear confirming that the new password was accepted. Click OK.

If you are not a member of the ADAM Admins group, you will be prompted to authenticate to the SEE Server.


5. SEE Full Disk

Remote Decryption

The remote decryption policy is used by Policy Administrators to decrypt all encrypted disk partitions on computers protected by SEE Full Disk without having to physically send a Client Administrator to the location(s) of the computers.

Client computers receiving this policy will commence decryption once the policy has been processed. Processing of the policy takes approximately five minutes.

Creating a Remote Decryption Policy

To create a remote decryption policy, perform the following steps:

1. Right-click Group Policy Objects on the navigation tree.

2. Click New. The New GPO (Group Policy Object Editor) window displays.

3. Type the name of the Group Policy Object you wish to create.

4. Click OK. The new Group Policy Object you created will be displayed in the navigation tree.

5. Right-click the new Group Policy Object on the navigation tree.

6. Click Edit. The Group Policy Object Editor (GPOE) displays.

7. Click Software Settings, expand Symantec Endpoint Encryption, expand Symantec Endpoint Encryption - Full Disk Edition, then click Remote Decryption.

Figure 5.1—Full Disk Computer Policy—Remote Decryption

8. Choose the Change this Setting radio button.


10. Click Save.

11. Close the GPOE window.

12. Drag and drop to link the policy to the target location containing the computers you wish to decrypt.

13. Monitor decryption progress using the Client Monitor.

Monitoring Encryption Status

After you have deployed a remote decryption policy, you can monitor decryption progress of the computers in your Watchlist by examining the HD Encryption column of the Watchlist. The hard drive encryption status of a computer may be Decrypted, Mixed, Encrypted, Encrypting, or Decrypting. These states are defined in the following table.

Table 5.1—Partition Encryption States

Status        Definition
Decrypted     The partitions are in a decrypted state.
Mixed         The partitions are in a mixture of states, neither fully encrypted nor fully decrypted.
Encrypted     The partitions are in an encrypted state.
Encrypting    The partitions are in the process of being encrypted.
Decrypting    The partitions are in the process of being decrypted.

Autologon

Basics

Autologon is used by Policy Administrators for remotely deploying software to computers protected by SEE Full Disk. Many software installation packages require one or more restarts of the target computer, and Autologon will automatically authenticate without user or administrator intervention. The Policy Administrator defines a window of time during which Autologon remains active, along with the total number of restarts that may occur within the defined period.

When either the total number of restarts has been reached, the defined time window has elapsed, or the computer shuts down for more than five minutes, the Autologon feature terminates. Once Autologon initiated by a given Full Disk Computer Policy Autologon GPO has terminated, subsequent invocations of the Autologon feature require that you either update the existing GPO and select new Autologon settings or create a new Full Disk Computer Policy Autologon GPO with the desired settings.

The Autologon policy will take effect approximately five minutes after receipt.

Because this policy temporarily bypasses the normal logon process for SEE Full Disk, computers receiving this policy will be in a state of heightened vulnerability while Autologon remains active. To minimize the associated risks, make certain that you carefully review the number of reboots allowed and the inclusive dates and times that Autologon will remain active before linking a GPO containing this policy.


Policy Creation

This section explains the options found on the Full Disk Computer Policy - Autologon panel shown in Figure 5.2.

Figure 5.2—Full Disk Computer Policy—Autologon

When the default option Boot only after user authentication to SEE is selected, the Autologon feature is deactivated, and Client Computers receiving the policy will only boot after user authentication. To activate the Autologon feature, select the Boot up to radio button and type the maximum number of Autologon restarts you wish to occur, from 1–999, in the text box.

Autologon will deactivate itself if either the specified number of restarts has been reached or the specified active period has elapsed. Autologon will also automatically deactivate itself five minutes after the computer has been shut down, thus limiting exposure should the computer be stolen while an Autologon policy is in effect.

When the Autologon feature is activated, use the eight controls provided to define the inclusive starting and ending period during which the Autologon feature will be active. The start and end dates and times must be within a valid range in order for the Autologon feature to function as intended.

Indefinite Autologon

Autologon can also be used to suppress SEE Full Disk authentication indefinitely. To turn on this indefinite Autologon mode, choose an ending year of --- in the drop-down list box. In this mode, it is recommended that good security practices to secure the computer be followed, such as setting a Windows administrator password and requiring token-based Windows authentication. Remove this policy to restore the secure authentication provided by SEE Full Disk. Note that the five minute self-deactivation behavior is suppressed when indefinite Autologon mode is used.

If a Client Computer has a pending lock out condition due to a failure to communicate within the period of time specified in either the Full Disk Installation Settings Client Monitor or Full Disk Computer Policy Client Monitor panels, an Autologon policy applied will pre-empt the lockout condition for as long as the Autologon policy is in effect. This is to ensure that a communication lockout condition does not disrupt the completion of the Autologon process.


6. SEE Server

Overview

This chapter discusses various aspects of administration of the SEE Server instance(s), including details about the ADAM client account and ADAM Administrator account, instructions on how to back up and restore the SEE Server instance(s), as well as use of the Recover OTP Keys Utility and batch file.

ADAM Account Password Changes

The two domain user accounts created during the installation of the SEE Server are:

An ADAM Administrator domain user account which is used by the SEE snap-ins for communication with the SEE Server, and

An ADAM client domain user account which is used by the SEE Client Computers for communication with the SEE Server.

Additionally, when the SEE Server is installed on a domain controller, a domain account is created for use by the SEE Server instance.

Good security practice dictates that account passwords be changed regularly. For regular Windows user accounts, users are typically prompted to change their passwords in response to a Windows password policy. Because the ADAM accounts are not associated with specific users but instead are used by the SEE snap-ins and the SEE Client application, changing the passwords for these accounts could interrupt the administrative functions of SEE, cause a communication failure between the SEE Server and the SEE Client Computers, or both.

To prevent such failures from taking place while allowing for regular password changes for the ADAM accounts, you should observe the following if you plan to change the password or expire the account of the ADAM client account. Create a new GPO, enter the new ADAM client credentials in the Framework Computer Policy - Client Monitor settings panel, and apply this GPO containing the updated ADAM client information to all SEE Client Computers. This will ensure that the SEE Client Computers will have uninterrupted communication with the SEE Server.

SEE Server Backup and Restore

The need for a comprehensive back-up strategy goes beyond the obvious immediate goal of maintaining a high availability system. Making frequent backups provides the ability to quickly restore previously deleted objects or to roll back a set of modifications to a previous version with minimum impact on users. Although the scenarios presented here use the Windows backup utility, you may use any backup utility capable of doing a System State back-up.

The various data comprising the SEE system is stored in two places:

Active Directory holds the user, group, and policy information.

The SEE Server is the repository for all keying material, Full Disk recovery data, status, and other information generated by client workstations.

A full backup or restore of an SEE installation requires that all data files associated with both the Active Directory and the SEE Server environments be backed up or restored separately. Because most organizations already perform a regular backup of Active Directory, backing up the SEE Server is the only additional task necessary. This section shows the individual steps necessary for accomplishing a back-up and restore of the SEE data stored in the SEE Server.


SEE Server Backup and Restore Basics

Both Active Directory and the SEE Server may be backed up in place while they are running; however, they may be restored only when they are offline. Taking Active Directory offline entails restarting in Directory Restore Mode. Because ADAM runs as a system service, taking the SEE Server offline only requires stopping the ADAM instance while the back-up is executing. The SEE Server instance may be restarted at the end of the back-up or restore operation. Back-ups made while the SEE Server or Active Directory is running may not reflect any changes written to them while the back-up operation is executing.

Authoritative Restore vs. Non-Authoritative Restore

Multiple Windows Server 2003 servers used together offer built-in load balancing and fault tolerance by replicating any directory changes between domain controllers. A server containing a current copy of data is said to be authoritative, while a non-authoritative domain controller would be one containing older data, such as one that has just been restored from a back-up and has not yet been updated.

It’s a good idea to run multiple domain controllers to take advantage of this fault-tolerant behavior, but if you are only operating a single domain controller and thus cannot update a restored server from a second one via replication, you will instead need to perform a partial or full authoritative restore using the ntdsutil command line utility.

A partial or full authoritative restore may also be necessary in cases where objects or subtrees have been deleted or corrupted, or if you wish to roll back object modifications to a previous version.

ADAM Components to be Backed up

Database and log files specific to the SEE Server instance reside in the path:

\%ProgramFiles%\Microsoft ADAM\Instance Name

where Instance Name is the SEE Server instance name.

ADAM application files and administration tools reside in the path:

\%windir%\ADAM

Example Scenarios for SEE Server Backup and Restore

The following scenario demonstrates a backup followed by an authoritative restore and verify.

Backing up an ADAM Instance

1. Click Start, point to All Programs, point to Accessories, point to System Tools, then click Backup.

2. In the Backup or Restore Wizard, click the link for Advanced Mode.

3. Click the Backup tab, and then, on the Job menu, click New.

4. From the Tools menu, click Options. In the Restore tab of Options, click Always replace the file on my computer.

5. To select an instance of ADAM folders to back up, select the check box to the left of the folders. The following table lists default ADAM file directories:

Directory                                       Contents
\%ProgramFiles%\Microsoft ADAM\Instance Name    Database files and log files (Instance Name indicates the ADAM instance name)
\%windir%\ADAM                                  Application files and administration tools


If a tape drive is not connected to the computer, the Backup destination option is unavailable and is automatically set to File.

2. In Backup media or file name:

When backing up files and folders to a file, type a path and file name for the backup (BKF) file, or click Browse to find a file.

If backing up files and folders to a tape, select the tape to use.

3. To select another backup option, such as the backup type and the backup log type, on the Tools menu, click Options.

4. Click Start Backup, and then make any changes in the Backup Job Information dialog box.

5. To set advanced backup options, such as data verification or hardware compression, click Advanced.

6. Click Start Backup to start the backup operation.
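The guide notes that any backup utility may be used in place of Windows Backup. The following Windows PowerShell script is an added example, not part of the Symantec guide, showing a file-level alternative: it stops the SEE Server ADAM instance service, copies the instance directory (the database and log files path given above) to a timestamped backup folder, restarts the service, and lists what was captured. The service name pattern ADAM_<InstanceName> and the backup root are assumed values; check the actual service name in the Services tool before relying on it.

```powershell
# Added example (not from the Symantec guide): offline copy of an ADAM instance.
# Assumptions: the ADAM service is named ADAM_<InstanceName>; $BackupRoot is a
# location of your choosing with restrictive permissions.

function Backup-SeeAdamInstance {
    param(
        [Parameter(Mandatory)][string]$InstanceName,
        [Parameter(Mandatory)][string]$BackupRoot
    )
    $serviceName = "ADAM_$InstanceName"                      # assumed service naming
    $instanceDir = Join-Path $env:ProgramFiles "Microsoft ADAM\$InstanceName"
    $stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target      = Join-Path $BackupRoot "$InstanceName-$stamp"

    if (-not (Test-Path -Path $instanceDir)) {
        throw "Instance directory not found: $instanceDir"
    }
    $svc        = Get-Service -Name $serviceName -ErrorAction Stop
    $wasRunning = ($svc.Status -eq 'Running')
    try {
        if ($wasRunning) {
            # A copy taken while the instance is stopped cannot miss writes made
            # during the copy, which the guide warns a live backup may do.
            Stop-Service -Name $serviceName -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
        }
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        Copy-Item -Path (Join-Path $instanceDir '*') -Destination $target -Recurse -Force
    } finally {
        # Always bring the SEE Server back, even if the copy failed.
        if ($wasRunning) { Start-Service -Name $serviceName }
    }
    # Report the captured files so the operator can confirm the database and
    # log files are present before trusting this copy for a restore.
    Get-ChildItem -Path $target -Recurse -File |
        Select-Object @{ n = 'File'; e = { $_.FullName.Substring($target.Length + 1) } }, Length
}

# Usage (replace the instance name and backup root with your own values):
# Backup-SeeAdamInstance -InstanceName 'SEEServer' -BackupRoot 'D:\Backups\SEE'
```

Because the copied directory holds all keying material and Full Disk recovery data, store it with the same access controls you would apply to the Management Password backup.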

Restoring an ADAM Instance

To restore a backup of an ADAM instance, stop the ADAM instance using the Services Administrative Tool and then use the Windows interface of Backup to perform the restore operation. If objects in the directory are inadvertently deleted or modified and if those objects are replicated in a configuration set, you must authoritatively restore those objects so that the correct version of the objects are replicated.

Non-Authoritative Restore of an ADAM Instance

1. After stopping the ADAM instance, open Backup. Click Start, point to All Programs, point to Accessories, point to System Tools, then click Backup.

2. In the Backup or Restore Wizard, click the link for Advanced Mode.

3. In Advanced Mode, click the Restore and Manage Media tab.

4. Select the backup file for the instance to restore by clicking its checkbox.

5. In Restore files to, click Original location.

6. From the Tools menu, click Options. In the Restore tab of Options, click Always replace the file on my computer. Click OK.

7. Click Start Restore.

8. When the Confirm Restore dialog appears, click OK.

9. When the restore is done, click Close in the Restore Progress dialog.

After restoring a backup of an ADAM instance, perform the authoritative restore of the ADAM instance.

Authoritative Restore of an ADAM Instance

Open an ADAM tools command prompt.

1. Click Start, point to All Programs, point to ADAM, then click ADAM Tools Command Prompt.

2. At the command prompt, type dsdbutil.

3. At the dsdbutil prompt, type authoritative restore.

If data has been backed up from an NTFS volume, it is recommended that you restore the data to an NTFS volume which uses the same version of NTFS in order to prevent loss of data.


4. At the authoritative restore prompt, type one of the commands listed in the following table.

Table 6.1—Authoritative Restore Commands

Command                 Description
restore database        Performs authoritative restore of the entire directory database
restore object [dn]     Performs authoritative restore of the directory object whose distinguished name is represented by [dn]
restore subtree [dn]    Performs authoritative restore of the directory subtree whose

The ADAM instance has now been restored.

Backup and Restore of the OTP Keys

The OTP keys are critical key material used for various SEE tasks. These keys are created the very first time the SEE Framework is installed on a Manager Computer. The ability to restore an existing set of OTP keys from a backup is crucial to SEE Server recovery.

OTP Key Backup

When the OTP keys are created during the SEE Framework installation process, you are prompted to save a backup of the OTP keys. This backup, known as the random string backup, is encrypted using the Management Password.

You can also perform a backup of the OTP keys after they have been created. Using a batch file, RecoverOTP.bat, you can extract the OTP key data from the SEE Server and save it in standard LDF format.

Using the RecoverOTP Batch File

Note that the RecoverOTP batch file uses the ldifde.exe utility installed as part of ADAM and must be run from the SEE Server.

1. Launch the RecoverOTP batch file to see the command syntax.


2. Invoke the RecoverOTP batch file with the following command-line parameters:

RecoverOTP /export "[path]\filename.ldf" port username domain password

where [path] is the actual path on the SEE Server where you want to save the exported key file filename.ldf, port is the port used by the SEE Server, and username, domain, and password are the credentials of the ADAM administrator account.

Figure 6.2—RecoverOTP Batch File, Command Line for Export

The export process is shown in the following screen shot.

Figure 6.3—RecoverOTP Batch File, Export Completed

3. Once completed, press any key to exit the batch file. The OTP keys have now been exported and saved.

OTP Key Restore

Two methods are available for restoring OTP key data:

Recover OTP Keys Utility, and

RecoverOTP batch file.

The Recover OTP Keys Utility is a stand alone application that restores the OTP Key data from a random string backup file. The RecoverOTP batch file restores a previously saved LDF format backup to the SEE Server.

These tools are designed to be used in the following situations:

You are restoring to a freshly prepared SEE Server, the SEE Framework has not been installed, and the OTP keys have not been generated.

Any existing OTP keys have been manually deleted using ADAM ADSI Edit (see “Remove Existing OTP Keys” on page 37).

Whether restoring using either the Recover OTP Keys Utility or the batch file, the target SEE Server you are restoring to should not contain OTP keys.


Using the Recover OTP Keys Utility

1. Launch the Recover OTP Keys Utility, RecoverOTPKeys.exe.

Figure 6.4—Recover OTP Keys Utility

2. In the ADAM admin username and ADAM admin password boxes, type the credentials of the ADAM administrator account. Click Connect to ADAM. The status window shows a list of discovered ADAM instances.


3. Click Check OTP keys. This searches ADAM for an existing set of OTP keys. The status window shows the results of the search.

Figure 6.6—Recover OTP Keys Utility, Check OTP keys

In Figure 6.6, the status window indicates that existing OTP keys have been found and that they must be removed before continuing. If your ADAM instance contains existing OTP keys, see “Remove Existing OTP Keys” on page 37. If you are restoring to a fresh installation of the SEE Server that has not yet been populated with OTP keys, the status window indicates that the OTP key pair was not found in ADAM (see Figure 6.7).


Figure 6.7—Recover OTP Keys Utility, OTP Key Pair Missing

You are now ready to restore the OTP key pair from the random string backup you saved as part of the SEE Framework installation process.

4. Click Browse, navigate to the random string backup file and select it, then click OK.

5. In Management Password, type the 16–32 character Management Password you established when saving the random string backup. Type the password again in Confirm Password.

6. Click Create new OTP keys. The Confirm OTP creation dialog displays showing the LDAP address of the AdminsStore object being created in ADAM. Click Yes.


7. The status window of the Recover OTP Keys Utility indicates that the OTP key pair was successfully restored.

Figure 6.9—Recover OTP Keys Utility, OTP Key Pair Created

8. Click Close. The OTP keys have now been restored.

If you are running multiple SEE Servers, you should initiate a manual replication operation to make sure that all SEE Servers in the system will use the OTP keys you have just restored.

Using the RecoverOTP Batch File

Note that the RecoverOTP batch file uses the ldifde.exe utility installed as part of ADAM and must be run from the SEE Server.

1. Launch the RecoverOTP batch file to see the command syntax.


In this example, we are importing a backup of the OTP keys that we exported previously using the same batch file.

2. Invoke the RecoverOTP batch file with the following command-line parameters:

RecoverOTP /import "[path]\filename.ldf" port username domain password

where [path] is the actual path on the SEE Server where the previously exported file filename.ldf was saved, port is the port used by the SEE Server, and username, domain, and password are the credentials of the ADAM administrator account.

Figure 6.11—RecoverOTP Batch File, Command Line for Import

3. The import process is shown in the following screen.

Figure 6.12—RecoverOTP Batch File, Import Completed

4. Once completed, press any key to exit the batch file. The OTP keys have now been restored.

If you are running multiple SEE Servers, you should initiate a manual replication operation to make sure that all SEE Servers in the system will use the OTP keys you have just restored.
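Because the import step above only works from an LDF file written by the export step, it is worth checking the backup before you depend on it. The following check is an added example, not part of the Symantec guide: it assumes the export is a standard LDIF file as produced by ldifde.exe and that the OTP key material sits under a DN that names the AdminsStore object; the sample file contents are constructed, not a real export.

```python
"""Pre-flight check for an OTP key backup before 'RecoverOTP /import'.

Assumptions (added example, not Symantec code): the backup is ldifde-style
LDIF and the key material lives in an entry whose DN contains 'AdminsStore'.
"""
import hashlib
from typing import Dict, List

# Constructed sample of a small export; the attribute values are made up.
SAMPLE_LDF = """dn: CN=AdminsStore,CN=Symantec,DC=seeserver,DC=local
changetype: add
objectClass: top
description:: Y29uc3RydWN0ZWQgc2FtcGxl

dn: CN=Other,CN=Symantec,DC=seeserver,DC=local
changetype: add
objectClass: top
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF text into records (attribute name -> list of values).
    Unfolds continuation lines (leading space) and drops the '::' base64
    marker, keeping the raw encoded value."""
    lines: List[str] = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continued line
            continue
        lines.append(raw)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():                # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.lstrip(": "))
    return records


def check_otp_backup(text: str) -> Dict[str, object]:
    """Count AdminsStore entries and hash the file so the digest can be
    recorded with the backup; a usable backup has exactly one such entry."""
    recs = parse_ldif(text)
    stores = [r for r in recs
              if any("adminsstore" in d.lower() for d in r.get("dn", []))]
    return {"records": len(recs), "adminsstore_entries": len(stores),
            "usable": len(stores) == 1,
            "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest()}
```

Run the check against the exported file (read it with `open(path, encoding="utf-8")`) and keep the printed digest with the backup so the file can be verified again before the restore.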

Remove Existing OTP Keys

Use the following steps to manually remove the OTP keys from the SEE Server by binding to the ADAM instance and deleting the AdminsStore object.

1. Click Start, point to All Programs, point to ADAM, then click ADAM ADSI Edit. The ADAM ADSI Edit snap-in opens.

Exercise extreme caution when performing this procedure, as objects deleted from ADAM can only be restored from a valid backup. Deleting other objects from the SEE Server can cause serious problems, such as loss of client connectivity and the ability to recover client data.
