
Symantec™ Drive Encryption for Windows

Technical Note


Released January 2014.

Legal Notice

Copyright (c) 2014 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo, Norton Zone, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Licensed Software does not alter any rights or obligations you may have under those open source or free software licenses. For more information on the Third Party Programs, please see the Third Party Notice document for this Symantec product that may be available at http://www.symantec.com/about/profile/policies/eulas/, the Third Party Legal Notice Appendix that may be included with this Documentation and/or Third Party Legal Notice ReadMe File that may accompany this Symantec product.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043


Contents

Introduction 1
Scenario 1: Troubleshooting common Windows issues 1
Scenario 2: Booting and accessing the server 1
System Requirements 3
Recommended Best Practices 5
Perform regular backups and back up the disk before you encrypt it 5
Ensure the health of the disk before you encrypt it 5
Know your RAID hardware and software 5
Maintain separate test and production servers, and production processes and procedures 6
Build and test recovery procedures 6
Be certain that you will have AC power throughout the encryption process 7
Follow installation procedures to install only the Symantec Drive Encryption drivers 8
Run a pilot test to ensure software compatibility 8
Understand how performance is affected 9
Perform disk recovery on decrypted disks 9
Remote rebooting of the Windows Server 9

1 Introduction

The purpose of this document is to define best practices for server system administrators before they install Symantec Drive Encryption on Microsoft Windows Servers.

Symantec Drive Encryption for Windows Servers is intended for servers that are located in risky locations, such as kiosks or remote offices where server theft is possible.

As an overall best practice, encrypt your Windows Server with Symantec Drive Encryption, to protect your operating system and file system.

An encrypted server requires changes to normal operational, maintenance, and recovery procedures. Two scenarios follow that highlight some of those changes, in the areas of fixing typical Windows issues and rebooting and accessing the server.

In the Recommended Best Practices (on page 5) chapter, specific tasks that are related to encrypted servers are described.

Scenario 1: Troubleshooting common Windows issues

On an unencrypted server:

1 Change a registry value or driver.
2 Make file system changes.

For an encrypted server:

1 Before encryption, create a customized Microsoft Windows Preinstallation Environment (Windows PE) disc with the Symantec Drive Encryption drivers loaded.
2 After encryption, use the customized Windows PE disc to authenticate to the disk. Authentication gives you access to the encrypted file system.
3 Modify the registry values or drivers.

Note: For information on how to create a Windows PE disc, go to the Symantec Knowledgebase (http://www.symantec.com/business/support/index?page=home) and search for TECH149060, “Windows Preinstallation Environment & BartPE Tools.”

Scenario 2: Booting and accessing the server

For an unencrypted server:

1 Install a service pack or updated driver.
2 Reboot.

For an encrypted server:

1 Authenticate at the PGP BootGuard login screen prior to starting the Windows Server OS.
2 Install a service pack or updated driver.
3 Reboot.

Note: For remote access, use the provided PGP WDE Command Line "Boot Bypass" feature. This feature lets you reboot a system one or more times without having to authenticate at the PGP BootGuard screen.

2 System Requirements

Symantec Drive Encryption is supported on the following Windows Server versions:

• Windows Server 2012 R2 64-bit Edition with internal RAID 1 and RAID 5
• Windows Server 2012 64-bit Edition with internal RAID 1 and RAID 5
• Windows Server 2008 R2 64-bit Edition with internal RAID 1 and RAID 5
• Windows Server 2008 64-bit Edition (Service Pack 1 and Service Pack 2) with internal RAID 1 and RAID 5

Note: Dynamic disks and software RAID are not supported.

A broad array of other hardware may work well with Symantec Drive Encryption. However, Symantec Drive Encryption has been tested and is compatible with the hardware that is listed in this table:

OS tested                           RAID version        Hardware tested
Windows Server 2012 R2              RAID 1 and RAID 5   LSI M1015 RAID controller on IBM X3650 M3 server
Windows Server 2012                 RAID 1 and RAID 5   LSI M1015 RAID controller on IBM X3650 M3 server
Windows Server 2008 R2              RAID 5              PERC 6i integrated RAID controller
Windows Server 2008 Service Pack 2

3 Recommended Best Practices

Symantec Corporation recommends the best practices described in this chapter. They are useful for reviewing your server management operational business practices and for preparing to encrypt your disk with Symantec Drive Encryption. Follow the recommendations to prepare your server environment before encrypting your disk, to protect your data during and after encryption, and then follow them for normal server operations.

Perform regular backups and back up the disk before you encrypt it

Before you install Symantec Drive Encryption and encrypt your disk, back up your disk. This backup ensures that you will not lose any data if your system is lost, stolen, or you cannot decrypt the disk.

Ensure the health of the disk before you encrypt it

Cyclic redundancy check (CRC) errors are not uncommon to encounter while you encrypt a hard disk. In standalone installations of Symantec Encryption Desktop, if Symantec Drive Encryption encounters a hard drive or partition with bad sectors, it pauses the encryption process. This pause lets you remedy the problem before you continue with the encryption process, thus avoiding potential disk corruption and lost data.

In a Symantec Encryption Management Server managed environment, Symantec Drive Encryption may encounter bad sectors on a hard drive or partition. If this situation happens, Symantec Drive Encryption logs an event in the server logs and the disk encryption continues.

Before you run Symantec Drive Encryption, use a third-party scan disk utility that performs a low-level integrity check and repairs any inconsistencies with the drive that can lead to CRC errors. Third-party software, such as SpinRite or Norton Disk Doctor, can correct errors that would disrupt the encryption of the disk.

Note: As a best practice, highly fragmented disks should be defragmented before you encrypt the disk.

Know your RAID hardware and software

Before rebuilding RAID, take a backup of the data using a backup utility.

Maintain separate test and production servers, and production processes and procedures

Maintain a separate test and production environment. Modification of a production server should be strictly limited. Ensure that you use the test system to test software updates, driver updates, and Windows service packs before updating the production server.

Build and test recovery procedures

Be aware that changes to the normal server operations and maintenance procedures are required, due to encryption of the server file system. You are advised to:

1 Create and test a customized Windows PE disc with Symantec Drive Encryption drivers installed.

2 Create a Symantec Drive Encryption recovery disc.

Create a customized Windows PE disc with the Symantec Drive Encryption drivers

The Symantec Knowledge Base contains articles with instructions for creating a Windows PE Disc for Symantec Drive Encryption recovery. Creating a customized Windows PE CD or USB flash drive provides a bootable recovery tool that you can use for rescue purposes. For example, you can use the DOS commands to copy, edit, back up, and delete files.

The Symantec Knowledge Base contains technical notes with instructions for creating a 32-bit Windows PE disc. While you can use the 32-bit Windows PE disc on a 64-bit system, you cannot create a 64-bit Windows PE disc.

For information on how to create and use a Windows PE disc, go to the Symantec Knowledgebase (http://www.symantec.com/business/support/index?page=home) and search for TECH149060, “Windows Preinstallation Environment & BartPE Tools.”

Note: The Technical Note includes instructions for customizing the BartPE or BartPE-based tools.

Create a recovery disc

While the chances are low that a master boot record can become corrupted on a boot disk or partition protected by Symantec Drive Encryption, corruption can happen. Before you encrypt a boot disk or partition using Symantec Drive Encryption, create a recovery disc.

For information on how to obtain the .iso images and create a recovery disc for Symantec Drive Encryption, go to the Symantec Knowledgebase and see the following articles:

KB article title, followed by the KB article link:

TECH199905: Symantec Drive Encryption 10.3.0 for Windows Recovery Disk Images
  http://www.symantec.com/docs/TECH199905

TECH199906: Symantec Drive Encryption 10.3.0 for Mac OS X Recovery Disk Images
  http://www.symantec.com/docs/TECH199906

TECH199903: PGP Desktop 10.2.1 for Windows Recovery Disk Images
  http://www.symantec.com/docs/TECH199903

TECH197687: PGP Whole Disk Encryption for Mac OS X (PGP Desktop 10.2.1) Recovery Disk Images
  http://www.symantec.com/docs/TECH197687

TECH176201: PGP Desktop 10.2.0 for Windows Recovery Disk Images
  http://www.symantec.com/docs/TECH176201

TECH176187: PGP Whole Disk Encryption for Mac OS X (PGP Desktop 10.2.0) Recovery Disk Images
  http://www.symantec.com/docs/TECH176187

TECH152604: PGP Desktop 10.0 and 10.1 for Windows Recovery Disk Images
  http://www.symantec.com/docs/TECH152604

TECH152610: Symantec Drive Encryption (formerly known as PGP Whole Disk Encryption) for Mac OS X Recovery Disk Images (versions 10.0.x - 10.1.x)
  http://www.symantec.com/docs/TECH152610

Be certain that you will have AC power throughout the encryption process

Follow installation procedures to install only the Symantec Drive Encryption drivers

Symantec Corporation offers a number of product suites that contain Symantec Drive Encryption, Symantec File Share Encryption, and Symantec Desktop Email. When you install Symantec Encryption client products on your server, ensure that you use the .msi installation switches so that you do not install the Symantec File Share Encryption and Symantec Desktop Email drivers. Instructions for utilizing the .msi switches are included in the Symantec Knowledgebase. Go to the Symantec Knowledgebase (http://www.symantec.com/business/support/index?page=home) and search for TECH149282, "PGP Desktop Installation (msi) Switches." An example of the .msi switch is:

    MsiExec /I pgpdesktop.msi PGP_INSTALL_WDE=1 PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_NETSHARE=0

Installing these drivers can impact the performance of the server and email functionality that is hosted on the server. Additionally, you cannot host Symantec File Share Encryption folders on a system that has Symantec File Share Encryption enabled. In a Symantec File Share Encryption environment, these servers are mainly used for hosting shared folders and installing the File Share drivers on the server.
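The .msi switch line above, worked into a small PowerShell wrapper as an added example (not code from the technical note or from Symantec): it runs the installer unattended with exactly those properties, writes a verbose Windows Installer log, and then reads the log back to confirm which drivers were enabled, so the "WDE only" decision is auditable after the fact. The installer path, the log path, and the exit-code handling are assumptions; the property names come from the command above, and the `PROPERTY CHANGE` line is Windows Installer's standard verbose property trace.

```powershell
# Added example, not part of the Symantec technical note. Installs the
# Symantec Encryption client with only the Drive Encryption (WDE) driver,
# as the note recommends for servers, and audits the result from the MSI log.
param(
    [string]$MsiPath = 'C:\Install\pgpdesktop.msi',          # assumed location
    [string]$LogPath = "$env:TEMP\pgpdesktop-install.log"     # assumed location
)

# Property values taken from the .msi switch example in the note:
# WDE on; the email (MAPI/Notes/LSP) and File Share (NETSHARE) drivers off.
$properties = [ordered]@{
    PGP_INSTALL_WDE      = 1
    PGP_INSTALL_MAPI     = 0
    PGP_INSTALL_NOTES    = 0
    PGP_INSTALL_LSP      = 0
    PGP_INSTALL_NETSHARE = 0
}

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "Installer not found: $MsiPath"
}

# Render PROPERTY=value pairs for the msiexec command line.
$propArgs = @($properties.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" })

# /qn  = unattended; /norestart = the administrator decides when the server reboots
# (the note's Scenario 2 applies to an encrypted server); /L*v = verbose log.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/L*v', "`"$LogPath`"") + $propArgs

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Host 'Install succeeded.' }
    3010    { Write-Host 'Install succeeded; a reboot is required (ERROR_SUCCESS_REBOOT_REQUIRED).' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
}

# Audit: the verbose log records every property value the installer used.
# Warn if any driver we meant to leave out cannot be confirmed as disabled.
$log = Get-Content -LiteralPath $LogPath -Raw
foreach ($p in $properties.GetEnumerator()) {
    $expected = "PROPERTY CHANGE: Adding $($p.Key) property. Its value is '$($p.Value)'"
    if ($log -notmatch [regex]::Escape($expected)) {
        Write-Warning "Could not confirm $($p.Key)=$($p.Value) from $LogPath; review before putting the server into production."
    }
}
```

Run it on the test server from the pilot-test section first; the warning branch is the signal that the installed feature set differs from what was requested.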

Run a pilot test to ensure software compatibility

As a security practice, test Symantec Drive Encryption on a test server to ensure that Symantec Drive Encryption does not conflict with other software. Run the test before rolling Symantec Drive Encryption out to a large number of servers. This pre-test is particularly useful in environments that use a standardized Corporate Operating Environment (COE) image.

The following software is not compatible with Symantec Drive Encryption:

• Symantec Endpoint Encryption Full Disk
• Faronics Deep Freeze (any edition)
• Utimaco Safeguard Easy 3.x
• Absolute Software's CompuTrace security and tracking product. Symantec Drive Encryption is compatible only with the BIOS configuration of CompuTrace. Using CompuTrace in MBR mode is not compatible.
• Hard disk encryption products from GuardianEdge Technologies: Encryption Anywhere Hard Disk and Encryption Plus Hard Disk products, formerly known as PC Guardian products.

The following programs co-exist with Symantec Drive Encryption on the same system, but will block the Symantec Drive Encryption feature:


Understand how performance is affected

Run performance testing as described in Run a pilot test to ensure software compatibility (on page 8). During testing, Symantec Corporation did not observe any major performance-related issues with RAID 1 or RAID 5. However, performance can vary depending on the processor, memory, drives, and so on. For example, a 500GB RAID 5 system with three disks can take 8-9 hours to encrypt.

After initial encryption, performance can be affected slightly. However, performance is dependent upon individual server configurations.

Perform disk recovery on decrypted disks

If you need to perform recovery activities on a disk that is protected with Symantec Drive Encryption, when possible, decrypt the disk first. Do this by selecting Disk > Decrypt in Symantec Encryption Desktop, using your prepared Symantec Drive Encryption Recovery Disk, or by connecting the hard disk using a USB cable to a second system and decrypting from that system's Symantec Drive Encryption software. Once the disk is decrypted, proceed with your recovery activities.

Remote rebooting of the Windows Server

WDE Command Line contains the Boot Bypass function. This function lets you configure Symantec Drive Encryption so that PGP BootGuard does not require a passphrase at the next boot. This boot bypass allows remote rebooting of the server without someone being physically present. For more information on Boot Bypass, see Booting and accessing the Server (see "Scenario 2: Booting and accessing the server" on page 1).

The Boot Bypass feature lets you reboot a system one or more times without having to authenticate at the PGP BootGuard screen. Boot Bypass can be set for boot disks only. You can configure Symantec Drive Encryption to authenticate automatically at the PGP BootGuard screen and boot the system.

Note: You must set up Boot Bypass in advance.

Boot Bypass is generally used for remote deployment or upgrade scenarios when a reboot is required; for example, for patch management.

Caution: Boot Bypass bypasses the security of a system. Use it sparingly and with caution.

The Boot Bypass commands are:

--add-bypass: Enables the specified disk for Boot Bypass.
