
to - Secure Support


Contents

1. Eracom Technologies, ProtectDrive Administration Guide, Table of Contents
   Creating a Custom SYSBIN SKE for Use with RPADMIN.EXE
   Chapter 10 Disaster Recovery Tools
   BACKUP.EXE: Creating ProtectDrive Recovery Files
   DISPEFS.EXE: ProtectDrive Diagnostic Utility
   DECDISK.EXE: Disk Decryption Utility
   Using ProtectDrive Recovery Files
   RMBR.EXE: MBR Recovery Utility
   RMBR Initial Status Check
   RMBR Version Compatibility Check
   Restoring the ProtectDrive MBR (RMBR /P)
   Restoring the Original MBR (RMBR /O)
   PDUSERDB.EXE: Preboot User dB Administration Utility
   Chapter 11 Troubleshooting
   Disk Encryption Warning
   ProtectDrive User Authentication Activity Tracking
   Incorrect Preboot Username and/or Password
   Preboot Log On Fa
2. [Screenshot: Active Directory Users and Computers, domain PDHOST.com.au, View menu] Navigate to Program Data > Eracom > ProtectDrive > ProtectDrive Default Configuration and select Properties. [Screenshot: Active Directory Users and Computers showing the ProtectDrive Default Configuration object (eracomPdDefaultConfig), "Settings applied to newly created computer objects"] Use the PD Settings Tab to configure Default System Policy
3. [Figure 3: Smartcard/Token PIN or Username/Password/Domain Postboot Authentication (flowchart)]
   Appendix D System Debug and ACS Error Messages. Before proceeding, familiarize yourself with the contents of Chapter 10, Disaster Recovery Tools.
   System Debug
   Problem: Password type account user can not be authenticated by the ProtectDrive Preboot Authentication program.
   Fix: Run Dispefs.exe /u. This will display a list of all users and their account types. Password type account users are indicated with Token User False setting. If the user is shown to have a Password account type, then it is possible they are entering an invalid password. Passwords are case sensitive. Finally, if the user is positive they are entering the correct password and
4. Chapter 6 Configuring Default System and User Policy. ProtectDrive Default Configuration Properties: Use the PD Users Tab to assign users to the systems by default and also to configure these users' Device Access Permissions to COM/LPT ports and the FDD drive resources. Note following setting Permissions you need to press Neither nor will save the Permissions settings
   PD Settings Tab: Default System Policy. Client Configuration Policy Tab. [Screenshot: Client Configuration tab, Updates options: On Logon, On Shutdown, On Interval]
   This tab configures how the ProtectDrive client retrieves System and User Policy data from Active Directory. It also allows the client to be configured locally as well as store the local configuration changes in Active Directory.
   On Restart: The ProtectDrive client pulls policy data from the Active Directory service on system boot.
   On Logon: The ProtectDrive client pulls policy data from the Active Directory service on user login
5. Cryptographic Service Providers listed in this property.
   Chapter 5 Deploying ProtectDrive. Deploying Server Side Components: Installing the Active Directory Schema Extensions.
   Please note that ProtectDrive Server Side Components are used exclusively for System and User Policy management via the Windows Active Directory Service. If securing and/or encrypting the server resources is desired, please install the ProtectDrive Client Side components on the server, then manage ProtectDrive installed on the server as any other ProtectDrive client system on your network.
   Launching the PROTECTDRIVE.MSI will result in the display of the ProtectDrive installation wizard. The wizard automatically installs all ProtectDrive Server Side components with minimal user interaction as follows: [Screenshot: ProtectDrive InstallShield Wizard, License Agreement page showing the ERACOM Software License]
6. However, if RMBR detects any alteration to the ProtectDrive MBR, the following message will display:
   Current MBR is not the ProtectDrive MBR
   RMBR Version Compatibility Check: RMBR will attempt to verify that it is working with the correct version of the ProtectDrive system. If the version is incorrect, the following message will display:
   Incompatible versions
   ProtectDrive Version 7.1.0 (example)
   RMBR.EXE Version X.X.X (example)
   Note: Depending on the level of system data corruption, it is not always possible to determine the version of the currently installed ProtectDrive system.
   Restoring the ProtectDrive MBR (RMBR /P): RMBR will initially display the list of all ProtectDrive partitions. Select the partition you wish to recover the ProtectDrive MBR for.
   Disk  Start Sector  End Sector  Megabytes  Type
   1     63            16771859    8189       Primary Boot ProtectDrive
   Select partition to recovery Ctrl C to exit _
   Current MBR is not the ProtectDrive MBR
   Searching for super block from sector 63 to sector 20487599 99 99 and 3hrs 20mins remaining
   Press Ctrl C to stop
   RMBR.EXE will search the disk sector by sector looking for the ProtectDrive super block corresponding to the start of the ProtectDrive embedded file system. It is possible that remnants of previously installed ProtectDrive systems may exist on the disk. If a super block is fou
7. ProtectDrive Administration Guide, Revision A01, Eracom Technologies.
   Preface
   Copyright: All intellectual property is copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise, without the prior written permission of Eracom Technologies, 28 Greg Chappell Drive, Burleigh Heads, Queensland 4220, AUSTRALIA. National / International: Voice 07 5593 4911 / 61 7 5593 4911, Fax 07 5593 4388 / 61 7 5593 4388. Website: www eracom tech com. Copyright Eracom Technologies. All rights reserved.
   Disclaimer: Eracom makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Eracom reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon Eracom to notify any person or organization of any such revisions or changes.
   Publication Improvements: Eracom invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be dispatched
8. [Screenshot: Active Directory Users and Computers, Program Data > Eracom > ProtectDrive, context menu for the computer object DELL7000 with Properties selected]
   Select PD Users Tab. Add all Windows Domain users and groups you would like to give preboot access to on this client system. For each user or group use Set to set their device access permissions. Note that changes to device access permissions for any user or group apply across the entire Windows Domain. Changing permissions here will make the change for all client systems where this user or group is listed.
   Enabling "All users have password accounts" will allow all users listed here preboot access with the use of the password defined in the Default Password System Policy Tab. [Screenshot: DELL7000 Properties, PD Users tab]
   Chapter 7 System and User Management. Managing User Policy via the User Object
9. Copy SYSKEY.BIN to a floppy. 2. Copy the ProtectDrive Recovery Tools from the RECOVERY directory on the ProtectDrive distribution CD-ROM.
   Chapter 5 Deploying ProtectDrive. Creating Custom SYSKEY.BIN: Eracom provides the GENRKEYS.EXE utility for creating custom Recovery Keys. Recommended procedure is as follows: Make a backup copy of the Eracom provided floppy containing SYSKEY.BIN files. Run GENRKEYS.EXE. The system will proceed to collect entropy for the random number generator. Once completed press Generate. [Screenshot: Registration Disk dialog: "This program alters syskey.bin. If systems have been installed using this file ensure a copy has been made. Please move the mouse while entropy is collected."] Provide the system with a copy of the floppy made in step 1 above. The newly created SYSKEY.BIN will be saved. [Screenshot: Select Recovery Key File dialog, file name my_syskey.bin]
   ProtectDrive Install MSI Package: ProtectDrive is deployed using a Windows Installer MSI package. The following files will install both the ProtectDrive Server Side
10. On Shutdown: The ProtectDrive client pulls policy data from the Active Directory service on system shutdown. Note: if using Windows Certificate Auto Enrollment (Smartcard/Token users only), this option needs to be selected so a new entry in the ProtectDrive Preboot User dB can be created for the newly issued certificate.
   On Interval: The ProtectDrive client pulls policy data from the Active Directory service based on the specified period.
   Chapter 6 Configuring Default System and User Policy. Authentication Policy Tab. [Screenshot: Authentication tab. Authentication Methods: Allow Local User Access, Allow Password Domain User Access, Allow Token Domain User Access, Allow Password Fallback, Allow Windows Password Fallback, Single sign on. Pre-boot Access Management: Allow User Key Recovery, Allow Windows Logon Recovery, Allow New User Introduction, Add users to ProtectDrive on successful Windows logon. Indicator: Activated / Pending / Deactivated]
   Activate Preboot Authentication: This activates the Preboot Authentication. If disabled all aspects of ProtectDrive including disk encry
11. ProtectDrive device access permissions for individual Windows Domain users can be set using the ProtectDrive Privileges Tab in the MMC Active Directory Users and Computers Snap-in. Select Properties for a Windows Domain user. [Screenshot: Active Directory Users and Computers, Users container, context menu for a user with Properties selected] Click the ProtectDrive
12. Appendix E Additional Guidance Regarding Security
   Password Policy: The operating system password policy must be configured in accordance with organisational policies and be consistent with ProtectDrive requirements. The following minimum settings should be used:
   Enforce Password History: 7 passwords
   Maximum Password Age: In accordance with organisational policy
   Minimum Password Age: 1 day, or greater if required by organisational policy
   Minimum Password Length: 6 characters, or greater if required by organisational policy
   Passwords Must Meet Complexity Requirements: Enabled
   Store Password Using Reversible Encryption: Disabled
   Screen Lock Feature: The operating system screen lock feature must be enabled and configured in accordance with organisational requirements. If the screen lock feature is not enabled and configured correctly, ProtectDrive security features may be subverted.
   Information Relevant to Administrators of ProtectDrive
   Operating Systems: Evaluated versions of ProtectDrive are tested on specific versions of operating systems. For example:
   Microsoft Windows 2000 Professional 5.00.2195 Service Pack 4
   Microsoft Windows XP Professional 5.1.2600 Service Pack 2 Build 2600
   While the product will operate with a wider range of service packs and builds, if you wish to use it in its evaluated configu
13. [Screenshot: Update Status tab showing Last Configuration Update, Last Client Update, Client Update Code 0, Client Status Message "Update successful"]
   Use the [button image] button on the Encryption Status Tab to specify which partitions on the client will be encrypted.
   [Screenshots: DELL7000 Properties, Encryption Status tab, listing Configured Algorithm and Current Algorithm per partition; the algorithm drop-down offers None, AES256, AES192, AES128, IDEA, 3DES, DES]
14. DOS floppy or CD. ProtectDrive sees hard disks accessible via DOS drivers and TSRs if the appropriate drivers are loaded.
   Windows and 3rd Party Boot Managers: At system start-up ProtectDrive manipulates the Master Boot Record (MBR) while verifying its integrity. All software that needs to manipulate the MBR for its own purposes is incompatible with ProtectDrive. This also applies to the standard Windows boot manager.
   Windows Disk Manager Utility: Any post-installation disk repartitioning, resizing and mirroring configuration changes are prohibited by ProtectDrive. If any of the above operations are required, decrypt all disks and uninstall ProtectDrive before proceeding.
   Windows Folder Compression Utility: Windows folder compression is fully supported with one exception. The ProtectDrive system files directory C:\SECURDSK must not be compressed. Compressing this directory will interfere with the normal operation of ProtectDrive.
   Windows System Restore Utility: Windows System Restore points created prior to the ProtectDrive install are rendered useless. System can only be restored to any restore point created following the ProtectDrive install.
   Windows Fast User Switching Utility: ProtectDrive disables the standard Windows Welcome screen along with its fast user switching functionality.
   (Chapter 4, ProtectDrive Software Compatibility)
15. Privileges Tab and set the device access permissions as appropriate. Note that these settings will apply across the entire Windows Domain and will be picked up by all clients where this Windows Domain User is listed.
   [Screenshot: Administrator Properties, ProtectDrive Privileges tab: "Use this tab to configure the ProtectDrive privileges for this user. These privileges can only be enforced if ProtectDrive is installed on the workstation the user logs onto." Permissions: Serial Ports; Parallel Ports (Lpt1, Lpt2, Lpt3); Diskette (Read, Write)]
   Chapter 7 System and User Management. Managing User Policy via the Group Object: ProtectDrive device access permissions for groups of Windows Domain users can be set using the ProtectDrive Privileges Tab in the MMC Active Directory Users and Computers Snap-in. Select Properties for a Windows Domain Group. [Screenshot: Active Directory Users and Computers, Users container]
16. [ProtectDrive Error dialog] "Password logons are not permitted for domain users with the current ProtectDrive configuration."
   Invalid Password Format Error: If a user attempts to change their Windows Domain or Local Windows password by specifying a string that falls outside the ProtectDrive defined Password Policy limits, then the following error will display. Please note that, as an example, the following error was generated on a system where Password Policy requires password strength to be between 7 and 20 characters.
   [ProtectDrive Error dialog] "Invalid ProtectDrive password. Your password must be between 7 and 20 characters long, must not be the same as your Username, cannot contain more than 2 repeated characters, and cannot be the same as any of the last 7 passwords you have used."
   Error Saving Local Configuration Data to Active Directory: The following error may occur when the Local Machine Configuration utility has trouble saving System Policy data in the Active Directory. This may be due to connectivity problems or other reasons for which the Computer Object account can not be reached on the domain controller. This may also occur if the computer object does not have permissions to write ProtectDrive configuration data to the Active Directory. Follow the steps outlined in the section titled Enabling Clients to Store Pro
17. The system on which the product is installed must have features that detect physical tampering and provide a clear indication to users that tampering has occurred. Users must be able to regularly check the system for indications of tampering.
   Training: All users of ProtectDrive with administrator privileges must receive sufficient training to enable them to securely administer ProtectDrive. Users of ProtectDrive with administration privileges are responsible for implementing guidance that ensures ProtectDrive is installed, configured, administered and operated in a secure manner consistent with the evaluated configuration.
   Tokens: Smartcards or Tokens used with ProtectDrive for authentication must provide an adequate level of security to protect authentication information and perform the functions required by ProtectDrive. This security may be gained through assurance of the Smartcard or Token, or a combination of Smartcard or Token assurance combined with organizational procedures.
   Users: Users of ProtectDrive must receive sufficient guidance and training to be able to fulfill their duties.
   Appendix E Additional Guidance Regarding Security. USB and other I/O Devices: I/O devices, such as USB and Firewire ports for example, may pose the risk that protected information could be accidentally sent to a device without adequate protection. If the risk posed by I/O devices is c
18. Users of ProtectDrive
   Further Reading Relevant to the CC Certification: The following documents should be read in conjunction with this manual:
   Security Target
   Certification Report
   Release Notes included on the distribution CD
   README.TXT included with the distribution CD
   Users are reminded that evaluated versions of ProtectDrive are based on assumptions contained in the evaluation Security Target. In particular, the following chapters should be read: Chapter 3, Assumptions, and Chapter 4, Security Objectives for the Environment. These chapters describe the responsibility of users and detail requirements needed to ensure that ProtectDrive product is used and administered securely.
   Delivery Procedures: Standard commercial practice is used for the packaging and delivery of ProtectDrive. Registered copies of ProtectDrive are distributed in a shrink wrapped package that comprises: a CD-ROM containing the ProtectDrive software, user manual, Release Notes and a README.TXT notice; a diagnostic floppy disk holding licence information; a licence certificate; a support agreement certificate (if a support agreement has been purchased); and a packing list.
   On receipt of a delivery you should:
   Check the delivery for any signs of tampering (e.g. shrink wrap package open or damaged).
   Check the packing list to ensure all items are correct and that the customer purchase order number and the Eracom Technologies sales order number a
19. [Screenshot: PD Users tab. Permissions: Serial Ports (Com1, Com2, Com3, Com4), Parallel Ports (Lpt1, Lpt2, Lpt3), Diskette (Read, Write); Set; "2 users with 2 ProtectDrive certificates"]
   Users and Groups: Lists individual domain users and groups of users which will be automatically assigned to all newly created computer objects in the given domain. Press or Remove to populate this column from Active Directory.
   Certificates: Lists the number of Smartcard/Token certificates each user possesses in the given domain. Users with certificates are able to log into ProtectDrive using their Smartcard/Token. Note that the total number of assigned certificates is also listed at the bottom of this tab. A ProtectDrive User account is created for each Smartcard/Token certificate. Including any accounts created for password users, the total number of accounts on each client system can not exceed 200.
   Chapter 6 Configuring Default System and User Policy
   Password Account: Indicates whether a user or group of users possess password accounts for login into ProtectDrive. Press [button image] to configure individual user or group wide password accounts. The number of password users and Smartcard/Token certificate users should not exceed 200.
   All users have password accounts: Selecting this will create a password account for all
20. and ACS Error Messages. The following flowchart represents the system debug information listed above. It is included for additional information.
   [Flowchart, box text only:
   SYSTEM BOOT.
   BOOT TO MS-DOS; RUN RMBR /P TO RESTORE PROTECTDRIVE MBR; REBOOT.
   BOOT TO MS-DOS; RUN DECDISK.EXE TO DECRYPT ALL DRIVES; RUN FDISK /MBR OR RMBR /O TO RESTORE THE ORIGINAL WINDOWS MBR; REBOOT TO WINDOWS; REINSTALL PROTECTDRIVE; RECREATE PREBOOT USER ACCOUNTS.
   Decision: PASSWORD USER IS ABLE TO AUTHENTICATE AT PREBOOT.
   BOOT TO MS-DOS; RUN DISPEFS.EXE /U TO LIST ALL VALID USERS; VERIFY THAT USER'S PREBOOT ACCOUNT EXISTS (TOKEN USER FALSE INDICATES PASSWORD TYPE USER); RECREATE USER ACCOUNT IF NEEDED; REBOOT.
   BOOT TO MS-DOS; RUN DISPEFS.EXE /U TO LIST ALL VALID USERS; VERIFY THAT USER'S PREBOOT ACCOUNT EXISTS (TOKEN USER TRUE INDICATES TOKEN TYPE USER); RECREATE USER ACCOUNT IF NEEDED; REBOOT.
   BOOT TO MS-DOS; RUN DECDISK.EXE TO DECRYPT DRIVE C; REBOOT.]
   Appendix D System Debug and ACS Error Messages
   ACS Error Messages: The ProtectDrive Access Control System (ACS) becomes active when a computer with ProtectDrive installed boots up. If an error occurs during its initialization, the system will display an error message compo
21. for Windows Domain authentication can be configured to automatically lock the system when the token is removed. This behavior is controlled by the "Smart card removal behavior" policy in the MMC Local Security Settings Snap-in. By default this policy is set to "No action" or "Not defined". Eracom recommends setting this policy to "Lock Workstation". This setting will require the user to re-insert their token and enter their PIN upon returning to the workstation.
   Authenticating with Username, Password and Domain Name: Preboot Authentication
   Please refer to Appendix B for a detailed diagram of the Username/Password/Domain Name preboot authentication logic flow. If either the Allow Local User Access or the Allow Password Domain User Access Authentication Policy option is set, the ProtectDrive preboot authentication screen will be as shown below. The Domain field lists all the relevant Windows Domains available on the system. Assuming the Allow Local User Access Authentication Policy option is enabled, then the Local System Name will also be listed in the Domain field of the following ProtectDrive preboot authentication screen. UP ARROW and DOWN ARROW are used to navigate the list of available domain names.
   [Screenshot: ProtectDrive preboot authentication screen. F1 for Help; fields User ID and Password; Help text: "User Name and correct ProtectDrive Password must be entered for startup to continue"; F2 to toggle token]
22. known hard disks. The output will be similar to that below:
   Partition Information
   Disk  Start Sector  End Sector  Megabytes  Type
   1     63            16771859    8189       Primary Boot
   1     16771923      78140159    29964      Logical
   2     63            417689      203        Primary
   2     417690        10217339    4784       Primary
   2     10217403      12498569    1113       Logical

   Area  Disk  Start Sector  End Sector  Algorithm  Megabytes  Enc'ed  Type
   1     1     63            16771859    3DES CBC   8189       100.00  Primary
   2     1     16771923      78140159    3DES CBC   29964      100.00  Logical
   3     2     63            417689      3DES CBC   203        100.00  Primary
   4     2     417690        10217339    3DES CBC   4784       100.00  Primary
   5     2     10217403      12498569    3DES CBC   1113       100.00  Logical
   Select encrypted area to decrypt Ctrl C to exit _

   In the above example DECDISK displays information regarding all known hard disk partitions. Disk is the physical disk number. Start Sector and End Sector are relative to the start of the physical disk. DECDISK also displays information regarding encryption status of the above partitions. Start Sector and End Sector show the extent of the encryption. The value in Area is used to select which area to decrypt.
   The information above portrays two physical disks. First disk has primary and extended partitions containing one logical drive. The second disk contains two primary partitions and an extended partition containing one logical drive. All partitions on these disks are fully
23. no other user is able to log on, then the ProtectDrive files have become corrupt. See below for "ProtectDrive appears to be corrupt".
   Problem: Smartcard/Token type account user can not be authenticated by the ProtectDrive Preboot Authentication program.
   Fix: Run Dispefs.exe /u to list all existing users and their account types. Smartcard/Token type account users are designated with Token User True setting. Although a user may have one or more token accounts, it is possible that the Certificate contained by the token does not match the Certificate originally used for this user's record creation in the ProtectDrive Preboot User dB. Note that users may have multiple records in the preboot user dB. The Hash field displayed by Dispefs.exe /u is the same as the Thumbprint field displayed when certificate details are viewed in Windows. Finally, if the user is positive they are using a valid token and no other user is able to log on, then the ProtectDrive files have become corrupt. See below for "ProtectDrive appears to be corrupt".
   Appendix D System Debug and ACS Error Messages
   Problem: User successfully authenticates at Preboot but Windows does not boot. (Further problem rows: ProtectDrive Preboot Authentication Program does not run; ProtectDrive appears to be corrupt.)
   Fix: It's possible that one of the Windows system files is corrupt. If Drive C is not encrypted, proceed with normal Wind
24. occurred. This warning is displayed immediately preceding the loading of the Windows Explorer Shell.
   Unsuccessful Logon message: An optional custom unsuccessful preboot warning message can be specified for display purposes.
   Show Certificate Expiry: Smartcard/Token users will see a warning the specified number of days before their certificate expires.
   Show Task Bar Icon: By default a small key icon is placed in the task bar tray. The system can be locked by double-clicking on this icon.
   Chapter 6 Configuring Default System and User Policy. Encryption Settings Policy Tab. [Screenshot: Encryption Settings tab: "Select which algorithms you would like to have available for disk encryption": AES 256 bit, AES 192 bit, AES 128 bit, IDEA 128 bit, Triple DES CBC 112 bit, DES CBC 56 bit; Allow addition of floppy and removable disks]
   Selecting the Encryption Algorithm(s)
   Allow Addition of floppy and removable disks
   Show Disk Not Fully Encrypted Warning: Enabled by default, this option displays a warning message to all users informing them of an incomplete disk encryption status. This ProtectDrive warning message i
25. operating system boot. These keys are used for decrypting the operating system files as well as the rest of the encrypted hard drive(s). For this purpose ProtectDrive introduces the Preboot User Authentication. The decryption key is encrypted by a unique data key derived from the user authentication credentials. After user authentication the disk key can be decrypted and the operating system can be loaded. In support of this functionality ProtectDrive maintains its own Preboot User Database (dB). The ProtectDrive Preboot User dB has the following characteristics:
- Maximum Number of Users Certificates: 200
- Username Length Syntax: 1 to 20 characters
- Password Length Syntax: 6 to 20 case sensitive characters
ProtectDrive is capable of preboot authenticating users on stand-alone (Local Windows only) as well as Windows Domains systems. The following user authentication credentials are supported by ProtectDrive. Smartcard Token and PIN: This requires the presence of a Public Key Infrastructure including Active Directory Service, Token Runtime Environment and the Certification Authority Service. ProtectDrive supports the following Token Runtime Environments: eToken Base Cryptographic Service Provider, Schlumberger Cryptographic Service Provider, Siemens Card API CSP. Username Password Domain Name: This method of user authentication is used on both Windows Domains and Local Windows systems. On Local Windows systems the Domain Name represents the Local Syste
26. Table of Contents: Product Identification; Before Installation; After Installation; Organizational Requirements; Connections to Outside Systems; USB and other I/O Devices; Guidance for the Operating System Configuration; Password Policy; Screen Lock Feature; Information Relevant to Administrators of ProtectDrive; Evaluated items; Encryption Algorithm; Show Disk Not Fully Encrypted Warning; Automatic Preboot Authentication
27. users can not be added to the client system's Preboot user dB from the server. This option is permanently enabled. It allows the Windows Domain users to authenticate into the system at preboot using their Windows Domain Username, Password and Domain Name. Enabled by default on Windows Domains systems with Token Runtime Environment(s), this option enables Windows Domain users to employ Smartcard Token PIN for preboot authentication. This option is disabled by default. If enabled, Smartcard Token users who have misplaced their tokens or forgotten their PIN are permitted to invoke the Token User Preboot Password Fallback Procedure. This procedure allows for a one time only preboot access to the system using the user's Windows Domain Password. Allow Windows Password Fallback; Single Sign On; Allow User Key Recovery; Allow Windows Logon Recovery; Allow New User Introduction. This feature is disabled by default. If enabled, the user who has successfully exercised the Token User Preboot Password Fallback Procedure will be automatically authenticated into Windows. By necessity this will override all authentication restrictions imposed by the potentially disabled setting of the Allow Local User Access and/or the Allow Password Domain Access options. Please note that enabling this option will permanently force Prote
28. users listed in this tab. The password will be set to the Default Password configured in the Password Policy Tab described earlier in this chapter. The number of password users and certificate users should not exceed 200. Default Access Permissions to the client COM LPT ports as well as the FDD are configured here for each user or group listed in this tab. Please note that you need to press eet in order for these settings to be saved in the Active Directory. Pressing or Remove will not save these settings in the Active Directory. Chapter 7 System and User Management. Note: ProtectDrive clients are managed centrally from the server, with the System and User Policy data stored in and replicated from Active Directory. MMC Active Directory Users and Computers Snap-in is amended with the PD Settings and PD Users Tabs. Alternatively, Local Machine Configuration Utility may be used to manage clients locally. Local configuration may be saved in the Active Directory. Finally, each client reports policy data update status back to the server. In the current release of ProtectDrive the Local Machine Configuration Utility is read only. Configuration data may be viewed but not changed. Before You Begi
29. Table of Contents: Unattended Reboot Followed by Automatic Preboot Authentication; Windows User Authentication; Manual Windows Authentication; Hard Drive Encryption and Decryption; Configuring ProtectDrive System and User Policy; ProtectDrive Disaster Recovery; Chapter 3 System Requirements; Minimum Hardware Requirements; Supported Storage Hardware; Floppy CD DVD Devices and COM LPT Ports; Supported Operating Systems; Supported Networks; Chapter 4 ProtectDrive Software Compatibility; DOS Drivers and US RS; Windows and 3rd Party Boot Managers; Windows Disk Manager; Windows Folder Compression Utility; Windows System Res
30. Access settings. An entry will be created for the user in the ProtectDrive Preboot User dB only if the setting that corresponds with the type of Windows Logon being performed is set. Note: Caution needs to be taken if Allow Token Domain Access is the only enabled authentication policy option. If the Allow Local User Access, Allow Password Domain User Access, Allow Password Fallback and Allow New User Introduction are all disabled, then Smartcards Tokens are the only means of authentication into the system at preboot. If any problems with the Smartcards Tokens are encountered, the system may be rendered inaccessible. For this reason it may be a good idea to temporarily enable the Allow Local User Access and/or the Allow Password Fallback and/or the Allow New User Introduction. This will allow for at least one alternative method of preboot authentication until the Smartcards Tokens are proven to be reliable and properly set up for use with ProtectDrive. Lockout Policy Tab. [Screenshot: ProtectDrive Default Configuration Properties, Lockout Configuration tab.] Lock out individual users. Allowed invalid logon attempts befor
31. Access Control: ProtectDrive offers a number of access control options: User ID and Password, Token and PIN, and password recovery and fallback options, as well as new user introduction. Evaluated versions of ProtectDrive may not include all access control options. When using an evaluated version of ProtectDrive, users should refer to the evaluation Security Target to determine which options form part of the evaluated version. Only those access control options that form a part of the evaluated version of ProtectDrive should be enabled. END OF DOCUMENT
32. Chapter 5 Deploying ProtectDrive. Before You Begin. Storage System Preparation: Before deploying ProtectDrive, ensure that your data storage system is well planned and that no further rearranging of any of the partitions will occur. Use Windows Disk Management as needed to repartition, set up disk mirroring, resize partitions, etc. Run CHKDSK /f to ensure file system health on all drives intended for encryption. Backup all important data in case of a power failure during the ProtectDrive install. This may render the storage system inaccessible. Registration Disk Preparation: When you purchase a copy of ProtectDrive, Eracom will provide a floppy diskette containing Recovery Keys (SYSKEY.BIN) issued by Eracom. Should this diskette be misplaced or damaged, Eracom will replace it based on your original registration Serial Number. This disk is required during each install and uninstall of ProtectDrive. It is also required in preparation for the ProtectDrive Network Roll Out installation. Recovery Disk Preparation: Eracom recommends the creation of a Recovery Disk (floppy or CD) containing the ProtectDrive Recovery Tools and Recovery Keys. This disk is required by the:
- ProtectDrive Disaster Recovery Tools
- Preboot Password Recovery Procedure
- New User Preboot Introduction Procedure
Follow these steps to create a Recovery Disk: 1
33. Code Challenge. Please note the code shown below is just an example. Recovery Code: Irx2cn lecito lgf2. In return the Administrator will communicate to you the Response Code. Enter this code into the "Enter response below" field. At this point Windows will proceed to load normally and will either log the user on automatically or manually, depending on how the System Administrator configured ProtectDrive. System Administrator Instruction: For user administration purposes the Preboot Password Fallback Procedure is as follows. Run RPADMIN.EXE located in Program Files\ProtectDrive on the server. This will result in the display of the ProtectDrive Remote Recovery Administration window. [Screenshot: Remote Recovery Administration window with the fields System Key File, Serial Number, Save As, Client Data, New User Introduction, Token Password Fallback, Unlock client, User Key Recovery, User Name, Recovery Code and Response ("Spaces are for display purposes only"), and the buttons Generate Response and Close.] Provide the system with the Registration Disk originally used during the ProtectDrive install. The SYSKEY.BIN file will be used for this procedure. Alternatively, if you created a custom SYSKEY.SKE as described in Creating a C
34. Device Access Permissions Policy Tab. Encryption Status Policy Tab. [Screenshot: Encryption Status tab listing drive letters with the columns Configured Algorithm and Current Algorithm, all shown as None, and an Algorithm button.] This tab allows for default configuration and automatic execution of disk encryption on the remote client system. Any partitions configured for encryption here will be automatically encrypted by default on all systems newly added to the Windows Domain. Drive: Lists all possible partitions for the client system. Note that this list does not accurately portray the partition allocation table on the client system. Since this information is not readily available in Active Directory, ProtectDrive lists all possible partitions between A and Z. The number of actual partitions allocated on the client may be lower. Configuring default encryption on a partition letter that does not actually exist on a parti
35. Drive installation package are electronically signed. The file PD_x_yy_zz.sig contains the signatures of all files contained in the installation package. To verify the integrity of the installation package, download and use the File Verify utility from Eracom Technologies Internet site http www eracom tech com resources fileverify. Instruction for using the File Verify utility may be found in the File Verify Technical Bulletin, which is available from the same location as the File Verify utility. The File Verify utility may also be obtained by contacting the Eracom Technologies support section. After Installation: Verify the version number of ProtectDrive after installation by starting the ProtectDrive About application. Navigate to Start, Programs, ProtectDrive, About ProtectDrive. Verify that the version number displayed matches the expected version number of the installed software. Organizational Requirements. Connections to Outside Systems: Those responsible for management of the systems in which ProtectDrive is used must ensure that no connections are provided to outside systems that would undermine the security features of ProtectDrive. Guidance: Guidance should be provided that details the delivery, installation, configuration, administration and operation of ProtectDrive within an organization. Tampering
36. Drive user dB. Usage: PDUSEDB.EXE options. Options (as extracted): usage 1 list x remove a adq fe change a domain i file n name p password. Descriptions, in order: Displays usage help. Displays a list of all existing pre-boot users. Removes a user from pre-boot dB. Adds a user to the pre-boot dB. Change Password for a ProtectDrive user. Windows Domain the newly added user is a member of; this defaults to the Local System Name. Specifies filename of a file containing user certificate. Username to add to the pre-boot dB. Password of the newly added user. Chapter 11 Troubleshooting. Disk Encryption Warning: If the Show Disk Not Fully Encrypted Warning option on the Disk Encryption System Policy Tab is set and any of the drives are found to be unencrypted or partially encrypted, then the following warning message will display right after the loading of the Windows Explorer Shell: "ProtectDrive Warning: All hard drives must be fully encrypted to ensure your system is secure. The following drives have not been fully encrypted." ProtectDrive Us
37. [Screenshot: preboot logon screen, Domain ERACOM.] Please note that in the case of consecutive failed preboot authentication attempts the Lockout Policy will be enforced to prevent password guessing. Windows Authentication. Note: Every time a user successfully logs into Windows, their most current Windows Password propagates to the ProtectDrive preboot user dB. ProtectDrive Single Sign On Mode is ON: Assuming the ProtectDrive Single Sign On mode is ON, the user is then automatically authenticated into their relevant Windows Domain following successful preboot authentication. ProtectDrive Single Sign On Mode is OFF: In the case of no Single Sign On, the following standard Windows Domain authentication screen will display. [Screenshot: Welcome to Windows, "Press Ctrl Alt Delete to begin".] The following standard Windows Domain authentication screen will display upon the pressing of CTRL ALT DEL. The relevant Windows Domain Usernames and Passwords apply. [Screenshot: Windows 2000 logon dialog with User name, Password and Log on to fields.]
38. [Screenshot: Active Directory Users and Computers listing of domain users and security groups.] Click the ProtectDrive Privileges Tab and set the device access permissions as appropriate. Note that these settings will apply across the entire Windows Domain and will be picked up by all clients where this Windows Domain User Group is listed. Also note that settings that differ for various members of the group will be grayed out, indicating conflicting data. Check these settings and set as app
39. Appendix E Additional Guidance Regarding Security. Evaluated Versions of ProtectDrive: This chapter provides important guidance to users of evaluated versions of ProtectDrive. Evaluation of ProtectDrive is based on assumptions contained in a Security Target for the evaluation. The Security Target describes the basis of the evaluation including:
- Threats that the security claims of ProtectDrive are designed to counter
- Environmental and organizational assumptions required to support the security claims
- Constraints to the configuration of the ProtectDrive required to support the security claims
When relying on an evaluated version of ProtectDrive, users should follow the recommendations in this chapter, refer to the evaluation Security Target and refer to the Certification Report for guidance on use of the evaluated version of ProtectDrive. The Security Target and the Certification Report can be found at the Common Criteria Evaluated Products List (EPL). Both the Security Target and Evaluation Technical Report are available on line on completion of an evaluation. This list for ProtectDrive may be found at http www dsd gov au infosec evaluation_ services epl epl html. Guidance for
40. Appendix B Username Password Domain Authentication. [Flowchart, Figure 2: Username Password Domain Name Preboot Authentication. Nodes include SYSTEM BOOT, Allow Password Domain Access, Allow Local User Access, Allow Token User Access, SHIFT F10 Preboot Password Recovery, SHIFT F9 New User Preboot Introduction, Single Sign On, and To Windows Shell, with a connector to Figure 1: Smartcard Token PIN Authentication.] Appendix C Postboot User Authentication into Windows. [Flowchart continuing from Figure 1: Smartcard Token PIN Authentication, starting at the Welcome to Windows screen ("Insert card or press Ctrl Alt Delete to begin").]
41. ab. User Policy defines individual user access permissions to the floppy drive(s), COM and LPT ports. User Policy is automatically replicated from/to the Active Directory. ProtectDrive Disaster Recovery: Disaster recovery preparation begins with periodic ProtectDrive system data backups. The ProtectDrive backup utility creates Recovery Files which can be used to later decrypt a failed system. These files must be stored off the client system. ProtectDrive also provides a set of command line Recovery Tools used to perform disaster recovery tasks such as data decryption and Preboot User dB management. These Recovery Tools are included on the ProtectDrive distribution CD. Chapter 3 System Requirements. Minimum Hardware Requirements:
- 32 bit Intel compatible CPU computer system
- 32 MB of RAM
- CDROM drive or access to a server based installation directory
- 10 MB of free disk space on drive C
Supported Storage Hardware: ProtectDrive encrypts/decrypts all fixed (non removable) system HDD partitions with a drive letter assigned (no hidden partition support). This includes all IDE, EIDE, SATA, SCSI drives and RAID arrays. ProtectDrive does not in any way interfere with the normal operation of the
42. and communicate to them the displayed Recovery Code Challenge along with your Username. Please note the code displayed below is just an example. Recovery Code: la4 ng lozt07 q0. The Administrator in turn will communicate to you the appropriate Response Code. Enter the Response Code into the "Enter response below" field. At this point Windows will proceed to load normally and will either log you on automatically or manually, depending on how the System Administrator configured ProtectDrive. System Administrator Instruction: For System Administration purposes the Preboot Password Fallback Procedure is as follows. Run RPADMIN.EXE located in Program Files\ProtectDrive on the server. This will result in the display of the ProtectDrive Remote Recovery Administration window. [Screenshot: Remote Recovery Administration window with the fields System Key File, Serial Number, Save As, Client Data, New User Introduction, Token Password Fallback, Unlock client, User Key Recovery, User Name, Recovery Code and Response ("Spaces are for display purposes only"), and the buttons Generate Response and Close.] Provide the system with the Registration Disk originally used during the ProtectDrive install. The SYSKEY.BIN file will be used for this procedure. Alt
43. and Client Side components. Configuring the Active Directory Group Policy Object responsible for automatically launching the PROTECTDRIVE.MSI will result in the Network Roll Out of ProtectDrive to multiple client systems. [File listing with columns Name, Size, Type, Date Modified: 1031.mst, 83KB, MST File, 9/08/2005 2:32 PM; 1033.mst, 4KB, MST File, 9/08/2005 2:32 PM; 1041.mst, 82KB, MST File, 9/08/2005 2:33 PM; ProtectDrive, 7 869 D, Windows Installer P, 9/08/2005 2:33 PM.] Customizing the MSI Package: If silent installation is desired (e.g. Group Policy Object deployment), the System Administrator needs to set all the required parameters of the Property to require no user interaction during installation. This may be achieved by modifying the MSI package. MSI is a database table and System Administrators can tune the PROTECTDRIVE.MSI. There are a number of tools publicly available for this task. Microsoft provides a free database tool called Orca, for example: http support microsoft com kb 255905 EN US. The following Properties affecting the installation are modifiable. ERA_CIDKY_PATH: The absolute path that contains CIDKEY.CID. ProtectDrive installation looks for this file in the current folder where PROTECTDRIVE.MSI is located. However, you can modify this path to the desired location, e.g. SERVER SHARE. ERA_INSTALL_TYPE: Client (default) for client installa
44. anges to the client(s) will take place in accordance with the Updates settings located on the Client Configuration Tab. In the Authentication Tab pay attention to the Activated / Pending / Deactivated Indicator. Note that this indicates the current status of the client's ProtectDrive Preboot Authentication. ProtectDrive client Activated / Deactivated state gets updated in accordance with the settings of the Update Interval Tab. When the setting of the Activate Preboot Authentication checkbox changes, the ProtectDrive client goes through a delayed transitionary period, indicated by Pending, before the actual Activated or Deactivated state takes effect. [Screenshot: Activate Preboot Authentication checkbox, indicator showing Pending.] In the above example the indicator tells us that although the preboot authentication is activated (check box is checked), no preboot users have replicated to the client yet. Therefore, for the time being, all ProtectDrive features are disabled on DELL7000. This may be the case when ProtectDrive is first installed on DELL7000 and the System Policy has not yet propagated to it from Active Directory. Alternatively, the same effect will be achieved if no users have been assigned to DELL7000. In shor
45. assword Fallback, Password Recovery and New User Introduction: Smartcard Token user password fallback and Windows Domain user preboot password recovery procedures, including new user introduction at preboot.
- Single Sign On or Manual Windows Authentication: ProtectDrive provides Automatic Windows Domain user authentication following successful preboot authentication. Manual authentication is also available as an alternative.
- Configurable System and User Policy: FDD COM LPT device access control Policy management using the MMC Snap-ins. Automatic System and User Policy data replication from the server.
- Hard Drive Encryption: Strong data encryption made completely transparent to the user.
- Disaster Recovery Tools: MS DOS utilities used to recover corrupt and/or inoperable systems.
Who should read this document: This document is intended for System Administrators planning to deploy ProtectDrive on stand-alone as well as networked multi-user computer systems with either single boot or multi boot configurations. Chapter 2 ProtectDrive Functional Description. Supported Preboot User Authentication Credentials: In order to boot an encrypted operating system partition, ProtectDrive needs to get access to the Decryption Keys prior to the
46. ctDrive into the Single Sign On mode. Enabled by default, this option turns the Single Sign On mode ON. This option is disabled by default. If enabled, this option allows the user to invoke the User Preboot Password Recovery Procedure. It is used in cases where the user has forgotten their Windows Domain Password. It allows for one time only preboot access to the system. This option is disabled by default. If enabled, this option allows the user to automatically authenticate postboot into Windows immediately following successful exercise of the User Preboot Password Recovery Procedure. This option is disabled by default. This option is only used in conjunction with the ProtectDrive Allow Local User Access and/or the Allow Password Domain User Access authentication options. If enabled, newly created Windows Domain or Local Windows users may invoke the New User Preboot Introduction Procedure. This allows for one time only preboot access to the system for all users who do not yet have a ProtectDrive Preboot user account. Add users to ProtectDrive on successful Windows logon: This will create a new ProtectDrive pre-boot user account, if it does not exist, for the user currently attempting to log onto Windows. This functionality is dependent on Allow Local User Access or Allow Domain User Access or Allow Token User
47. ctDrive tabs and set DELL7000 System Policy accordingly. Pay particular attention to the settings outlined below. [Screenshot: computer Properties dialog, PD Settings, Authentication tab, status Activated. Authentication Methods: Allow Local User Access, Allow Password Domain User Access, Allow Token Domain User Access, Allow Password Fallback, Allow Windows Password Fallback, Single sign on. Pre-boot Access Management: Allow User Key Recovery, Allow Windows Logon Recovery, Allow New User Introduction, Add users to ProtectDrive on successful Windows logon. Buttons: Load Defaults, OK, Cancel, Apply.] Load Defaults: If ProtectDrive System and User Policy Defaults have been previously defined for this particular Windows Domain as outlined in Chapter 6, then pressing this button will apply these defaults to all the members of this computer group. Apply: Pressing these buttons will store the System and User Policy data in Active Directory and time stamp it in preparation for eventual replication to the client system(s). Replication of the configuration ch
48. ctor failure or partition table recover the stack corruption ProtectDrive MBR
ACS 0314 (MBL): Disk i/o error reading VXBIOS. Possible cause: Disk IO error. Hard disk failure or partition table corruption. Recovery action: Run RMBR.EXE to recover the ProtectDrive MBR.
ACS 1100 (VXBIOS): System Not Initialised. Possible cause: System could not load the disk encryption key or the DTE EFS is missing or corrupted. Recovery action: Standard Recovery Procedure.
ACS 1204 (VXBIOS): VROM load Error. Possible cause: VROM file is missing, has an incorrect size or a read error occurred. Recovery action: Standard Recovery Procedure.
ACS 1205 (VXBIOS): VROM Status Error. Possible cause: VROM signature verification failed or the program loader reported an error. Recovery action: Standard Recovery Procedure.
ACS 1300 (VXBIOS): Insufficient memory. Possible cause: Failed to allocate memory for the VROM. Insufficient memory available. Recovery action: Try to free up resources.
ACS 1301 (VXBIOS): GDA file load error. Possible cause: GDA file is missing or a read error occurred when trying to initialize encryption information. Recovery action: Standard Recovery Procedure.
ACS 1310 (VXBIOS): Cannot Init EFS. Possible cause: EFS corruption. Recovery action: Standard Recovery Procedure.
ACS 1311 (VXBIOS): VROM load Error. Possible cause: VROM file is missing, has an incorrect size or a read error occurred. Displayed after a ACS1204 error.
ACS 1312 (VXBIOS): VXVECT save Failed to store original disk Standard Recovery fail interrupt se
49. cular client will result in no negative consequence. Configured Algorithm: This column lists the algorithm selected for the encryption of the given partition. If None is shown, then the partition is either not configured for encryption or, if already encrypted (see the Current Algorithm column), it is slotted for decryption. Press Algorithm and select the desired algorithms for each partition that you wish to encrypt by default. Current Algorithm: This has no effect on the default configuration. In general, this column represents the encryption status of the partition. If None is shown, then the partition is not currently encrypted. PD Users Tab: Default User Policy. Using this tab, certain Windows Domain users can be automatically assigned to newly created computer objects. These users' access permissions to the COM and LPT ports and the FDD drives can be configured here as well. [Screenshot: ProtectDrive Default Configuration Properties dialog, PD Users tab, Users and Groups list.] All users have password
50. d Windows authentication screens, allowing the user to manually authenticate into their respective Windows Domain account. Hard Drive Encryption and Decryption. All data encryption is invisible (transparent) to the user. ProtectDrive automatically encrypts and decrypts multiple HDD partitions. When encrypted data is being read from the HDD, ProtectDrive decrypts it on the fly, ready for display to the user or for use by other applications and software processes. All data written back to the HDD is automatically re-encrypted. Consequently, normal system operation remains unaffected. Configuring ProtectDrive System and User Policy. Windows Domain client ProtectDrive System Policy can be managed remotely using the Microsoft Management Console (MMC) Active Directory Users and Computers Snap-in. ProtectDrive automatically applies System Policy to individual systems from the Domain Controller. Active Directory Schema Extensions implementing the PD Settings are automatically deployed during installation of the ProtectDrive Server Side Components. System Policy can be managed locally using the ProtectDrive Local Machine Configuration Utility, deployed as part of the installation of the ProtectDrive Client Side Components. Users are assigned to client systems as well as user device access permissions are configured using the PD Users T
51. d disks, disk0 must be the drive where ProtectDrive is installed. Furthermore, ProtectDrive requires that the partition on disk0 where the Client Side components will be installed is designated as drive letter C within the operating system. Preparing the SYSKEY.CID File. This file is required by the ProtectDrive Client Side installer. It is created from the SYSKEY.BIN file located either on the Eracom-provided Registration Floppy or the custom-created floppy described in Creating a Custom SYSKEY.BIN earlier in this chapter. Run the CIDKEY.EXE utility located in the DIAGS directory on the ProtectDrive distribution CD or ZIP file. Usage: CIDKEY EXE s SOURCE DIR t TARGET DIR. SOURCE_DIR: Directory containing the SYSKEY.BIN file. Typically this is the A floppy drive directory. TARGET_DIR: Location where the newly created SYSKEY.CID will reside. Installing the ProtectDrive Client Side Components. Launching PROTECTDRIVE.MSI will result in the ProtectDrive installation wizard. The wizard automatically installs all of the ProtectDrive Client Side components with minimal user interaction, as follows. Please note that in addition to the installer files listed below, Eracom may also place a custom graphics file named ACSGIF in the below installer directory. This is a custom graphics file created by Eracom and includes the customer-specific artwork that will appear as part of the various ProtectDrive preboot authentication and/or s
52. The PD Settings Tab is identical to the one used on the server, with minor modifications as follows. [Screenshots: Local Management Console, PD Settings tab, Encryption Status sub-tab, with the columns Configured Algorithm, Current Algorithm, Size MB, Percent Encrypted and Time Remaining.] The Encryption Status Tab lists three (3) additional columns. Size MB: Indicates the size of the hard drive partition. Percent Encrypted: Indicates the encryption status of the hard drive partition. Time Remaining: Indicates the time remaining to completion while encryption is in progress. Use the PD Users Tab to add Windows Domain users and groups to the client. Note that all existing preboot user accounts are listed here. To add Windows D
53. [Screenshot: Lockout Configuration tab, showing the Lockout Period setting (Hours or Days) and the note "Maximum lock out period is 365 days".] Lockout All Users / Individual Users: By default all users are locked out for the specified Lockout Period after the specified Allowed Invalid Logon Attempts Before Lockout. Allowed Invalid Logon Attempts Before Lockout: By default three (3) unsuccessful preboot authentication attempts lead to system lockout. Lockout Period: By default the system is locked out for three (3) minutes. Please note that the maximum Lockout Period is 365 days. User Shell Policy Tab. [Screenshot: User Shell tab, with the Logon Messages options (Show Unsuccessful Logon Warnings, Unsuccessful Logon Message, Show Certificate Expiry warning) and the User Interface option Show ProtectDrive Task Bar Icon.] Show Logon Information: By default the ProtectDrive Authentication Information Dialog is displayed immediately preceding the loading of the Windows Explorer Shell. Show Unsuccessful Logon Warnings: By default a warning message is displayed if previous unsuccessful preboot authentication attempts have
54. e requires 113KB on your hard drive. [Screenshot: ProtectDrive InstallShield Wizard, Custom Setup.] Key Recovery Application: this installs RPADMIN.EXE. See Chapter 9, Extraordinary Authentication Scenarios, for additional information. Active Directory Schema Extensions: This applies the AD Schema Extensions. Active Directory MMC Snap-ins: This installs all the MMC snap-ins required to manage ProtectDrive System and User policy from the server. Administration Guide: This installs this document. [Screenshot: ProtectDrive InstallShield Wizard, Custom Setup, with the Client feature Local Machine Configuration Application selected; the feature description states that this feature requires 188KB on your hard drive.] Removing ProtectDrive. Make sure that all partitions are decrypted. Navigate to Add or Remove Programs in the Windows Control Panel. Select ProtectDrive and click Remove. [Screenshot: Windows Control Panel.]
55. ect the required token type. [Screenshot: token type selection showing eToken Base Cryptographic Provider.] Custom Installation. In addition to the above-mentioned Server and Client components install, ProtectDrive provides the ability to custom select the install components. Select Custom Installation. [Screenshot: ProtectDrive InstallShield Wizard, Setup Type, with the options Typical Client Installation (All ProtectDrive Client features will be installed), Typical Server Installation (All ProtectDrive Server features will be installed) and Custom Installation (Choose which Client and Server features you want installed).] Select the Server and/or Client components that you wish to install. [Screenshot: ProtectDrive InstallShield Wizard, Custom Setup, feature tree: Server (Key Recovery Application, Active Directory Schema Extensions, Active Directory MMC Snap-Ins with Computer Object Snap-In and User Object Snap-In, Administration Guide) and Client.] Key Recovery Application This featur
56. ector addresses change (e.g. updating the BIOS), this error message is still displayed. The Interrupt Vector Address Update Policy Tab provides a mechanism to accept a legitimate change by updating ProtectDrive's copy of the disk, keyboard and clock tick interrupt vector address. Default Devices Access Permissions Policy Tab. [Screenshot: Default Permissions tab, with check boxes for Serial Ports, Parallel Ports and Diskette Permissions (Read, Write, Boot).] The Default Device Access Permissions only apply to users whose individual User Policy has not yet been defined explicitly (see PD Users Tab). In fact, individual User Policy settings, once defined in the PD Users Tab, will override these defaults. For example, a user may be added to the ProtectDrive preboot user dB following a successful Windows log in (see Add users to ProtectDrive on successful Windows logon in Authentication Policy Tab). If this user was not explicitly added to the system using the PD Users Tab, then their device access permissions to the system's resources will be governed by the settings of the Default
57. [Screenshot: ProtectDrive InstallShield Wizard, Setup Type, with the options Typical Client Installation (All ProtectDrive Client features will be installed), a server installation option (All ProtectDrive Server features will be installed) and Custom Installation (Choose which Client and Server features you want installed).] [Screenshot: console output of the ProtectDrive Schema Extension Utility: Binding to the Schema Master ok, Locating the RootDSE ok, Enabling schema modifications ok, Making modifications ok, Successfully applied the schema extensions.] At this point the Schema has been amended to include features used for management of ProtectDrive client System and User Policies. Deploying Client Side Components. Note: ProtectDrive Client Side components are used for management and encryption of ProtectDrive stand-alone and/or networked systems (members of a Windows Domain). When deploying ProtectDrive Client Side components on systems containing multiple har
58. encrypted with triple DES. The user is required to select one of the encrypted areas to decrypt. As the decryption progresses, the user is informed of the percentage of the encrypted area still to be decrypted and approximately how long the decryption will take, as follows:
75 10 3hrs 15mins remaining Press Ctrl C to stop
Once the decryption is complete, the list of encrypted areas will be refreshed. When there are no more encrypted areas, the following message will display:
No encrypted areas found
Using Recovery Files. In case of serious system corruption, the ProtectDrive system files may not be accessible. In this case DECDISK.EXE requires the backed-up Recovery Files. These files are produced using BACKUP.EXE during normal ProtectDrive operation. The following command line syntax example allows the user to select partitions for decryption:
decdisk kp 1 pd key r rp 1 pd recover
Manually Specifying Decryption Area e est option. DECDISK decrypts disk areas selectable by sector number. The user manually provides the Start and End Disk Sectors and the Algorithm, as follows:
Partition Information Disk Start Sector End Sector Megabytes Type L 63 16771859 8183 Primary Boot Enter disk number i Enter start sector 63 Enter end sector 16771859 Enter Alg 1 DES Z 3DES 3 Idea 3 rea Disk Start Sector End Sector Algorithm Megabytes Enc ed ES l 63 16771859 3DES CBC 8189 100 00 Select encrypted area t
59. er Authentication Activity Tracking. If the Show Logon Information and/or the Show Unsuccessful Logon Warnings options on the User Shell System Policy Tab are set, then after successful Windows authentication and right before the loading of the Windows Explorer Shell, the following two (2) ProtectDrive information dialogs will display, alerting the user to all of their ProtectDrive preboot authentication activity to date. [Screenshot: ProtectDrive Information dialog: Current User Administrator; Domain ERACOM; Last logon Tuesday March 15 2005 09:54:53; Password last changed never; Logons since last password change 5; Total logons 5.] [Screenshot: warning dialog: "Since your last logon there has been 3 unsuccessful logon attempt(s) with your user name. Since the last system logon there has been 3 unsuccessful logon attempt(s). The last unsuccessful logon attempt was made on Tuesday March 15 2005 09:56:02."] Incorrect Preboot Username and/or Password. Lockout Policy defines the maximum number of failed preboot authentication attempts along with the lockout period. If this condition occurs, ProtectDrive will display the following User Lockout Screen. A count down period will commence for a period defined by Lockout Policy. The system will be inoperable during this time. Preboot Log On Failure Due to System Inoperability. If any of the ProtectDrive
60. ernatively, if you created a custom SYSKEY.SKE as described in Creating a Custom SYSKEY.SKE later in this chapter, then point the system to that file. Select User Key Recovery in the above window. Enter the user-provided Username and Recovery Code (a.k.a. Challenge) and press Generate Response. Instruct the user to enter the automatically generated Response into their respective ProtectDrive User Key Recovery Challenge Response Screen. At this point the user will be granted one-time preboot access to the system. For security purposes, instruct the user to change their Windows Domain Password as soon as they log on to Windows. New User Preboot Introduction Procedure. This procedure does not apply to the Smartcard Token PIN users. End User Instruction. Place the cursor into the User ID field of the Username Password Domain Name Log On Screen below. Note: ERACOM domain is just an example. Press SHIFT and the F9 function key while the cursor is placed into the User ID field. [Screenshot: ProtectDrive preboot Log On Screen with UserID, Password and Domain (ERACOM) fields.] The New User Introduction Challenge Response Screen displays. [Screenshot: ProtectDrive New User Introduction Challenge Response Screen.] Contact your System Administrator either in person or phone and communicate to them the displayed Recove
61. guration Tab. [Screenshot: DELL7000 Properties dialog, PD Settings tab, Client Configuration sub-tab, with Configured Algorithm and Current Algorithm columns and an algorithm drop-down list.] Managing User Policy from the Server. Assigning Users to Clients and Managing User Policy via the Computer Object. Before configuring User Policy, review the contents of Chapter 6, Configuring Default System and User Policy. This will familiarize you with the fields contained in the PD Users Tab. This tab is used to configure ProtectDrive User Policy. Let's, for example, take a client system named DELL7000. In the MMC Active Directory Users and Computers Snap-in, select Properties for the DELL7000. [Screenshot: Active Directory Users and Computers, Computers container.]
62. h any unique Username and Password. One way to do this is to use the PDUSERDB.EXE (see Chapter 10). Amend the Windows Registry as shown below:
HKLM SOFTWARE ERACOM TECHNOLOGIES AUSTRALIA PTY LTD PROTECTDRIVE
APB_COUNT (REG_DWORD): 0: Set to zero (0) by default; it allows no automatic preboot authentication. > 0: Maximum number of automatic preboot authentications allowed. If any one of the automatic preboot authentication attempts fails, this value is reset back to zero (0). If set to a value greater than 0 (N > 0), then N number of automatic preboot authentications is allowed.
APB USERNAME (REG_SZ): Username.
APB PASSWORD (REG_SZ): User Preboot Password.
APB DOMAIN (REG_SZ): Domain Name for the User.
APB_RESETINTV (REG_DWORD): The default value is 0, causing no change in the normal ProtectDrive operation. When set to one (1), this option will suppress the standard ProtectDrive warning message displayed when any system tampering is detected. This can be useful when performing a BIOS upgrade, which potentially changes the interrupt vector addresses, as part of automated system maintenance.
Creating a Custom SYSBIN.SKE for Use with RPADMIN.EXE. When using RPADMIN.EXE, it is possible to create an encrypted SYSKEY.SKE file to be used in place of the SYSKEY.BIN originally used during ProtectDrive dep
63. he system to that file. Select New User Introduction in the Remote Recovery Administration window shown above. Enter the user-provided Recovery Code (a.k.a. Challenge) and press Generate Response. Instruct the user to enter the automatically generated Response into their respective ProtectDrive New User Introduction Challenge Response Screen. At this point the user will be granted one-time preboot access to the system. Once the user successfully completes their postboot Windows authentication, a new preboot user account is created for them in the local system's ProtectDrive Preboot User dB. Unattended Reboot and Automatic Preboot Authentication. Certain system administration tasks require unattended system reboots and automatic loading of the operating system. For these purposes, ProtectDrive is provisioned for creation of the Dummy Preboot User account. Creation of this account, combined with the following additions to the Windows Registry, allows for the automatic unattended preboot system authentication. Note that the unattended preboot will disable Single Sign On, independent of the System Policy setting. The system will automatically log in at preboot, load Windows and stop at the Windows Domain Log On screen. The Unattended Preboot Authentication setup procedure is as follows. Create a new preboot user account wit
64. ilure Due to System Inoperability
Disallowed Floppy Device Access
Disallowed COM and LPT Port Access Error
Disallowed Local Windows Authentication Error
Disallowed Postboot Windows Domain Authentication Error
Invalid Password Format
Error Saving Local Configuration Data to Active Directory
Appendix A Smartcard Token PIN User Authentication
Appendix B Username Password Domain Authentication
Appendix C Postboot User Authentication into Windows
Appendix D System Debug and ACS Error Messages
System EIS DOS
ACS Error Messages
Appendix E Additional Guidance Regarding Security
Evaluated Versions of ProtectDrive
Guidance for Users of ProtectDrive
Further Reading Relevant to the CC Certification
DE E VET PCCM Secs SR ne
65. in the Log on to field and specify the new password. [Screenshot: Windows Change Password dialog; User name administrator, Log on to DELL7000 (this computer).] For local Windows (see "this computer" above), the new password change immediately propagates to the Preboot User dB. For Windows Domain (below), the user will need to log out of Windows and log back in. This will propagate the new password to the ProtectDrive Preboot User dB. If the user does not follow this procedure, they would have to use their old password at preboot. Once they log into Windows Domain with their new password, this new password is immediately available for use during preboot authentication. [Screenshot: Windows Change Password dialog; User name administrator, Log on to VIRTUAL.] Chapter 8 User Authentication. Note: If System Policy has been configured to disable preboot authentication see Acti
66. isplay the following message. In these instances the user is advised to contact their respective system administrator for further assistance. [Screenshot: Device Manager message: "You do not have sufficient security privileges to uninstall devices or to change device properties or device drivers. Please contact your site administrator or logout and log in again as an administrator and try again."] Disallowed Local Windows Authentication Error. If the Allow Local User Access authentication System Policy option is disabled and the user attempts to authenticate postboot into the Local Windows by specifying Local System Name in the Domain field of the Windows Log On Screen, then the following error will display. [Screenshot: ProtectDrive Error: "Local user logons are not permitted with the current ProtectDrive configuration."] Note that if Allow Local Password Access and Allow Domain Password Access are both disabled, then pressing CTRL+ALT+DEL will have no effect. Similarly, if Allow Domain Token Access is disabled, inserting a Smartcard Token will have no effect. Disallowed Postboot Windows Domain Authentication Error. If the user attempts to authenticate into the Windows Domain using the Windows Log On Screen but the Allow Password Domain User Access authentication System Policy option is disabled, then the following error will display
67. ive Server Component is supported
- Windows XP Pro Build 2600 SP1 and later
ProtectDrive supports the use of FAT, FAT32, NTFS4 and NTFS5 file systems. Please note that MS-DOS can be used during ProtectDrive Disaster Recovery. Inaccessible or corrupt ProtectDrive systems can be booted to MS-DOS from a floppy disk or CD-ROM. Drives that require special DOS drivers (e.g. SCSI) or TSRs are only accessible to the ProtectDrive Recovery Tools if the respective drivers are loaded. Supported Networks. ProtectDrive is Active Directory aware and fully supports Windows Domains. It does not interfere with normal operation of any of the Windows network services, including Remote Desktop connections. Windows Domain as well as Local Windows users are able to authenticate successfully into systems secured by ProtectDrive. All hard disk partitions encrypted with ProtectDrive are configurable as shared volumes at the discretion of the System Administrator. ProtectDrive will not interfere with user authentication via the Novell Netware client. Chapter 4 ProtectDrive Software Compatibility. ProtectDrive has been tested and does not interfere with normal operation of most MS Windows compliant software applications, services and utilities. Some care needs to be taken, however, when using the following. DOS Drivers and TSRs. When booted from a
68. loyment. This will provide protection for the sensitive key files if they are not kept physically secure. Follow this procedure to achieve this. [Screenshot: Remote Recovery Administration window, with System Key File and Serial Number fields, a Save As button, the options New User Introduction, Token Password Fallback, Unlock client and User Key Recovery, User Name and Recovery Code fields, and a Response field with Generate Response and Close buttons.] Click on Save As and point to a location for saving the SYSKEY.SKE. [Screenshot: Select Encrypted System Key File dialog, Save as type "Encrypted system key files".] Provide RPADMIN with a Pass Phrase. Use this Pass Phrase every time you use RPADMIN with this SYSKEY.SKE file. [Screenshot: passphrase prompt with Enter passphrase and Re-enter passphrase fields.] Chapter 10 Disaster Recovery Tools. BACKUP.EXE: Creating ProtectDrive Recovery Files. In prepara
69. Chapter 9 Extraordinary Authentication Scenarios. Note: If System Policy has been configured to disable preboot authentication (see Activate Preboot Authentication in the Authentication Tab), then none of the material in this chapter applies. In this case the user will be presented with a standard Windows Domain authentication dialog and normal Windows logon applies. In addition to normal preboot user authentication, System Policy can be configured to accommodate the following extraordinary circumstances:
- Token User Preboot Password Fallback Procedure: this is used when a Token User misplaces their Smartcard Token or forgets their PIN. This procedure allows for one-time preboot access to the system with some help from the System Administrator.
- User Preboot Password Recovery Procedure: this is used to accommodate a Windows Domain or Local Windows user who has forgotten his/her Windows Password. Preboot access to the system can be achieved with some help from the System Administrator.
- New User Preboot Introduction Procedure: this is used to introduce newly added Windows Domain or Local Windows users to the client system's Preboot User dB. For example, this method of new user introduction would be appropriate in situations where the Active Directory User Policy has not yet replicated to the client system
70. m Name. Total number of domains, including the Local System Name, cannot exceed 150. Misplaced/Forgotten User Authentication Credentials. ProtectDrive will accommodate users who have misplaced their authentication credentials. This refers to such instances where a user has misplaced their Smartcard Token or forgotten their Windows Domain Password, for example. ProtectDrive System Policy provides automated procedures for handling these preboot authentication scenarios. Unattended Reboot Followed by Automatic Preboot Authentication. Various system administration functions not related to ProtectDrive may at times require an unattended reboot followed by automatic preboot authentication. ProtectDrive provides this functionality with the use of a special User Account. System Registry amendments are required to implement this functionality. Windows User Authentication. Single Sign On. ProtectDrive System Policy can be configured to automatically authenticate users to Windows. Users are automatically logged on to their respective Windows Domain or Local Windows accounts following their successful preboot authentication. This method of automatic Windows authentication is referred to as Single Sign On. Manual Windows Authentication. As an alternative to the Single Sign On mode, ProtectDrive System Policy can be configured to provide standar
71. ms with the use of the ProtectDrive Local Machine Configuration utility. System Policy can be configured to allow local system management with the use of this utility. Any local System Policy changes made inside the Local Machine Configuration utility can be (this is also configurable) stored in the Active Directory and made available for view and/or change on the server. Let's, for example, take a client system named DELL7000. In the MMC Active Directory Users and Computers Snap-in, select Properties for the DELL7000. [Screenshot: Active Directory Users and Computers, Computers container, with the context menu for a computer object open on Properties.] Select PD Settings Tab and use all the displayed tabs to set the desired ProtectDrive System Policy. Go through all the Prote
72. n Enabling Clients to Store ProtectDrive Policy Data in the Active Directory. In order to enable client systems to save data in Active Directory and to report policy data update status back to the server, it is important to configure each client computer object security configuration to allow writing ProtectDrive policy data to Active Directory. To do this for a system called DELL7000, for example: Select Properties for the DELL7000 system. [Screenshot: Active Directory Users and Computers, Computers container, with the context menu for a computer object open on Properties.] Click Security Tab. [Screenshot: DELL7000 Properties dialog.]
73. nd, but it does not correspond to the current ProtectDrive installation, the following message will display: "Found super block at sector 1893443 Incorrect super block Continuing search". If a valid super block is located, RMBR will display the version and ask the user for verification, as shown below: "Found super block at sector 1893443 ProtectDrive v7 1 0 Is this the correct version of ProtectDrive Y N". If the version is not correct, enter N and RMBR will continue. If the version is correct, enter Y and the following will be displayed: "ProtectDrive MBR restored Current MBR is the ProtectDrive MBR". Restoring the Original MBR (RMBR o): This option replaces the current MBR with the original system MBR, which ProtectDrive saved during installation. This is only supported if there are no currently encrypted drives present on the system. Otherwise, decrypt before proceeding. PDUSERDB.EXE, Preboot User dB Administration Utility: This command-line MS-DOS tool manipulates the ProtectDrive pre-boot user dB, allowing the ProtectDrive Administrator to: • List the names of users authorized to perform ProtectDrive pre-boot authentication. • Remove Local and Domain (including Token PIN user account) user accounts from the ProtectDrive pre-boot user dB. • Add Local and Domain user (including Token PIN user account) accounts to the Protect
74. Table of Contents (continued): Adding Local Windows Users to the ProtectDrive Preboot User dB; Changing Preboot Passwords; Chapter 8 User Authentication; Authenticating with Smartcard Token and PIN; Preboot Authentication; Authentication into Windows; Token Removal Policy; Authenticating with Username Password and Domain Name; Preboot Authentication; Windows Authentication; Chapter 9 Extraordinary Authentication Scenarios; Token User Preboot Password Fallback Procedure; End User Instruction; System Administrator Instruction; Domain User Preboot Password Recovery Procedure; End User Instruction; System Administrator Instruction; New User Preboot Introduction Procedure; End User Instruction; System Administrator Instruction; Unattended Reboot and Automatic Preboot Authentication
75. o decrypt Ctrl C to exit. RMBR.EXE, MBR Recovery Utility: The ProtectDrive Boot Manager (Master Boot Loader) is the very first utility that runs after the system BIOS is loaded. ProtectDrive modifies part of the MBR during installation. This is done to enable ProtectDrive to locate its embedded file system upon system boot and prior to all other disk access. If the MBR is altered, replaced or corrupt after the ProtectDrive install, RMBR.EXE is used to recover it. Restoring the ProtectDrive MBR requires a sector-by-sector search of the embedded file system located on the boot partition. Once the embedded file system is located, the ProtectDrive MBR can be restored. Reverting to the original system MBR (in existence prior to the ProtectDrive install) is done using the fdisk /mbr command. Usage: PDUSEDB EXE options. Options Description: is usage Displays usage help v ver Displays utility version p pd Recover the ProtectDrive MBR Sr Recover the original system MBR This is same as fdisk O original mbr Use the ProtectDrive Recovery Files to perform any of the x recovery above operations. RMBR Initial Status Check: Prior to performing any MBR recovery, RMBR will display the current MBR status. If the ProtectDrive MBR has been unaltered since the install, the following message is displayed: "Current MBR is the ProtectDrive MBR"
76. omain users. [Screenshot: Local Management Console, PD Users tab, listing user accounts with Add, Remove and Password buttons and the Serial Ports, Parallel Ports and Diskette permissions.] Adding Local Windows Users to the ProtectDrive Preboot User dB: To add local Windows users to the ProtectDrive Preboot User dB, log out of your Windows Administrator session on the client PC and have each user log into the local Windows. Once they successfully log in, their preboot user accounts will be automatically created, assuming "Add users to ProtectDrive on successful Windows logon" in the Authentication Policy Tab is enabled. Changing Preboot Passwords: Press CTRL+ALT+DEL and select Windows Security. [Screenshot: Windows Security dialog with the Lock Computer, Log Off, Shut Down, Change Password and Task Manager buttons.] Select the appropriate domain
77. onsidered unacceptable, then an organization policy should be used to specify and restrict the use of these I/O devices. If the risk is considered unacceptable even through procedural policy, then the I/O devices should be disabled at the operating system as a part of the system configuration. General users should not have system privileges that would enable them to change the status of an I/O Device. ProtectDrive currently manages secure use of Floppy Disk, Serial Ports (COM) and Parallel Port (LPT). Future releases of ProtectDrive will provide secure operation of other I/O devices. Guidance for the Operating System Configuration. General: ProtectDrive provides protection of information through pre-boot authentication and access control of peripheral devices, combined with hard disk encryption. Once access is gained to a computer by correct user authentication, the user is then responsible for ensuring that the computer is treated in accordance with organizational security policies for the level of information available. Administrators of ProtectDrive are responsible for ensuring that the underlying operating system is correctly configured and complies with organizational security policies. If the computer on which ProtectDrive is installed is a part of a network domain, then the domain security policies must be correctly configured and comply with organizational security policies.
78. ows recovery. If Drive C is encrypted, run Decdisk.exe to decrypt the system drive and enable Windows Recovery tools to access the system drive. If fdisk /mbr or another utility has replaced the ProtectDrive MBR, the Preboot Authentication program will not be run. If the system drive is encrypted, the operating system will also fail to load. If the system drive is not encrypted but other drives are, the operating system will load, but access to the encrypted drives will be prevented by the ProtectDrive driver. To recover from this situation, run rmbr p. If ProtectDrive is corrupt, then one of the following is possible: (1) Preboot Authentication Program will not run or behaves strangely; (2) valid users cannot be authenticated at preboot; (3) operating system fails to load. If none of the above sections apply, or you failed to restore ProtectDrive to normal working order, then all the encrypted drives will need to be decrypted using Decdisk.exe. If Decdisk.exe is unable to access the ProtectDrive Embedded File System (EFS), then use the Recovery Files originally created by Backup.exe. Once all the drives have been decrypted, run fdisk /mbr or rmbr o to restore the ProtectDrive MBR. It is possible to boot the operating system once the system drive has been decrypted. It is not possible to uninstall ProtectDrive until all drives are decrypted.
79. prior to the user's initial preboot authentication. Once the user executes this procedure and then authenticates into Windows, an account is created for him/her in the local system's Preboot User dB. • Unattended Reboot with Automatic Preboot Authentication: if an unattended reboot followed by an automatic preboot authentication is needed by the System Administrator, then a special Preboot User account needs to be created. This function is not controlled by System Policy. Instead, the System Registry must be amended as described later in this chapter. Token User Preboot Password Fallback Procedure. End User Instruction: If a Smartcard Token PIN user misplaces their Smartcard Token or forgets their PIN, access to the system may be achieved by exercising the ProtectDrive Preboot Password Fallback Procedure as follows. [Screenshot: Smartcard Token PIN Preboot Log On Screen.] Press SHIFT+F9 while the cursor is placed into the PIN field of the Smartcard Token PIN Preboot Log On Screen shown above. The ProtectDrive Password Fallback Challenge Response Screen displays. [Screenshot: ProtectDrive, Serial no 37, Username <Password Fallback>, Domain ERACOM, Recovery Code rxZcn cito qf2, Enter response below.] Contact your System Administrator, either in person or by phone, and communicate to them the displayed Recovery
80. ption will be disabled. [Screenshot: Activate Preboot Authentication checkbox in the Activated, Pending and Deactivated states.] The Activated/Pending/Deactivated Indicator indicates whether the Preboot Authentication is currently Active (ON), Pending (the server is waiting for the client to update to the state currently set on the server) or Deactivated (OFF). Options: Allow Local User Access; Allow Password Domain User Access; Allow Token Domain Access; Allow Password Fallback. Note that deactivating Preboot Authentication will remove all users from the client system's ProtectDrive Preboot User dB. The Windows Domain users will be re-added automatically when Preboot Authentication is reactivated. Local Windows users, however, will not be automatically re-added and will not be able to perform preboot authentication. Add Local Windows users manually once the Preboot Authentication is reactivated. Allow Local User Access: Enabled by default, this option allows the Local Windows users to authenticate into the system at preboot using their Local Windows Username, Password and Local System Name. Local Windows users can only be added using the Local Machine Configuration Utility or via a Windows Logon when "Add users to ProtectDrive on successful Windows Logon" is set in the Authentication Tab. Local Windows
81. [Screenshot: Control Panel, Add or Remove Programs, with ProtectDrive selected: "To remove this program from your computer, click Remove."] Chapter 6 Configuring Default System and User Policy. ProtectDrive will store an instance of a Default System and User Policy in the Active Directory. Every time a new computer account is created in the Windows Domain, these stored default settings will automatically apply. Display Advanced Features in the MMC Active Directory Users and Computers Snap-in.
82. ration you should only use it on those specified above. Evaluated items: Note that the Server Edition of ProtectDrive has not been evaluated, and nor has the Multiple Boot Manager functionality. Furthermore, only the Registered Product has been evaluated. The evaluation does allow for the installation of ProtectDrive over a network, so this manual should be read in conjunction with the network installation manual by those administrators that will be performing the installation in that way. Encryption Algorithm: To comply with Government advice, only the AES and Triple DES encryption algorithms have been evaluated, and one of these algorithms should be selected during installation. This will ensure that the correct components are installed, and the choice of algorithms available for initial encryption will be limited to AES and 3DES. Show Disk Not Fully Encrypted Warning: It is strongly recommended that this option be set ON in the evaluated configuration so that users are advised if the disk they are working on is not completely encrypted. If this is set to ON, the warnings will be displayed for all users. Automatic Pre-boot Authentication: This option must be used with caution and strictly as directed in the relevant chapter of this user guide. Show Unsuccessful Logon Warnings: This should be set on in the evaluated configuration so that the user is warned of unsuccessful logons.
83. re consistent with the delivery. On opening the package, you should verify the product identification by checking the product version number, which is printed on the CD-ROM and on the packaging. If there are any signs of tampering or any inconsistencies with the delivery or the product version, then you should immediately notify Eracom Technologies. Product Identification: To ensure that the copy of ProtectDrive you have is authentic and the correct version, you should do the following. Before Installation: • As noted above under Delivery Procedures, if the product or its packaging shows signs of tampering when it is received, you should notify Eracom Technologies for advice before using the product. • Check the product version number on the CD volume label. You should ensure that the volume label identifies the version as PD x yy zz, where x yy zz is the ProtectDrive version number (e.g. PD 7 02 02). If you are using an evaluated version of ProtectDrive, ensure that the version you are installing matches the version listed in the Evaluated Products List. • If installing ProtectDrive from an electronic archive, then ensure that the file name is pd_x_yy_zz, where x_yy_zz is the version number. • Ensure that the files README.TXT and Release Note on the distribution CD-ROM refer to the product version being used. • All files in the Protect
84. rname. Note that if Enable Password Strength Checks is set, users given a password of their user name will fail to be added to the ProtectDrive dB. Default Password: Newly added Windows Domain users may be instructed to use this default password for their initial (first time ever) preboot authentication. Once the user authenticates into Windows using their Actual Windows Domain Password, the user's Actual Windows Domain Password replaces the Default Password in the ProtectDrive Preboot User dB. The default password is pre-set to "password" by ProtectDrive. Interrupt Vector Address Update Policy Tab. [Screenshot: ProtectDrive Default Configuration Properties, Interrupt Vector Update tab, with the options "Update keyboard interrupt vector address" and "Update clock tick interrupt vector address".] Interrupt Vector Update: ProtectDrive maintains a store of the BIOS interrupt vector addresses. This allows ProtectDrive to detect potential attacks mounted by the changing of the interrupt vector address. When ProtectDrive detects a difference between the BIOS interrupt vector address and the copy held by ProtectDrive, an error message is displayed. When interrupt v
85. ropriate. [Screenshot: PD Users tab, ProtectDrive Privileges: "Use this tab to configure the ProtectDrive privileges for this user. These privileges can only be enforced if ProtectDrive is installed on the workstation the user logs onto." Permissions are listed for Serial Ports, Parallel Ports and Diskette (Read, Write).] Managing System and User Policy Locally: Please note that in the current release of ProtectDrive the Local Machine Configuration Utility operates in read-only mode. All System and User policy changes need to be made on the server. The Local Machine Configuration Utility is used for display only of the configured System and User policy. Run the Local Machine Configuration Utility. [Screenshot: Windows Start menu, Programs, ProtectDrive, Local Machine Configuration.]
86. rvice routine Procedure ISR address in the EFS super block EFS corruption
    1313 VXBIOS, SBLK get fail. Possible cause: Failed to locate the EFS Super Block. Recovery action: Run RMBR.EXE to attempt to restore the ProtectDrive MBR.
    1314 VXBIOS, Info open fail. Possible cause: Missing VDX EFS file; EFS corruption. Recovery action: Standard Recovery Procedure.
    1315 VXBIOS, Info write fail. Possible cause: EFS corruption. Recovery action: Standard Recovery Procedure.
    1316 VXBIOS, VROM EXEC fail. Possible cause: Failed to execute the VROM. Displayed after a ACS1205 error.
    1317 VXBIOS, Info read fail. Possible cause: EFS corruption. Recovery action: Standard Recovery Procedure.
    1318 VXBIOS, Diskette boot fail. Possible cause: Master Boot Loader signature verification failed; Missing operating system on floppy disk. Recovery action: Use bootable floppy diskette; Eject floppy diskette from drive and boot from hard disk.
    1319 VXBIOS, GDA open fail. Possible cause: GDA file is missing when trying to load and execute the original MBL. Recovery action: Standard Recovery Procedure.
    1320 VXBIOS, GDA read fail. Possible cause: A read error occurred on the GDA file when trying to load and execute the original MBL. Recovery action: Standard Recovery Procedure.
    1321 VXBIOS, Boot fail. Possible cause: Master Boot Loader signature verification failed. Recovery action: Standard Recovery Procedure.
    3301 VROM, Too many logon attempts. Possible cause: Forgotten password; Corrupted user database. Recovery action: Log on as other user; Exercise user key recovery; Run DISPEFS.EXE.
87. ry Code (Challenge). Note: the code listed below is just an example. Recovery Code: rxZen cito qf2. In turn, the System Administrator will communicate to you the appropriate Response Code. Enter the Response Code into the "Enter response below" field, and one-time-only preboot access to the system is granted. The user then proceeds to normal Windows log in. System Administrator Instruction: For System Administration purposes, the New User Introduction Preboot Procedure is as follows. Run RPADMIN.EXE, located in Program Files\ProtectDrive on the server. This will result in the display of the ProtectDrive Remote Recovery Administration window shown below. [Screenshot: Remote Recovery Administration window with the System Key File, Serial Number, User Name, Recovery Code and Response fields, the New User Introduction, Token Password Fallback, Unlock client and User Key Recovery options, and the Generate Response button. Spaces are for display purposes only.] Provide the system with the Registration Disk originally used during the ProtectDrive install. The SYSKEY.BIN file will be used for this procedure. Alternatively, if you created a custom SYSKEY.SKE as described in Creating a Custom SYSKEY.SKE later in this chapter, then point t
88. ry time a user successfully logs into Windows, their most current Windows Password propagates to the ProtectDrive preboot user dB. Please refer to Appendix C for a detailed diagram of the Windows Domain authentication logic flow. Automatic (Single Sign On Mode is ON): Assuming the ProtectDrive Single Sign On mode is ON, the user is then automatically authenticated into their relevant Windows Domain. Manual (Single Sign On Mode is OFF): In the case of no Single Sign On, the following standard Windows Domain authentication screen will display. [Screenshot: Welcome to Windows, "Insert card or press Ctrl-Alt-Delete to begin".] Inserting the Smartcard Token into the reader will result in the following standard Windows Domain PIN authentication screen. At this point the user enters their PIN. [Screenshot: Log On to Windows PIN prompt.] Alternatively, assuming that either the Allow Local User Access or the Allow Password Domain User Access Authentication Policy option is set, then the user may press CTRL+ALT+DEL to invoke the standard Windows Domain Log On Screen. Token Removal Policy: Computers using Smartcards Tokens
89. s displayed immediately following the loading of the Windows Explorer Shell. All encryption algorithms selected here will be made available to users during ProtectDrive encryption operation. Only addition/removal of floppy disk drives is supported at this point. Changes to this setting will apply only after a reboot. Password Policy Tab. [Screenshot: Password Policy tab with the Minimum Password Length field and the "Default password equals username" option.] Enable Password Strength Checks: If enabled, ProtectDrive will monitor the specified Minimum Password Length for all Windows Domain Passwords. ProtectDrive will also ensure that the password is not the same as the username and that there are no more than two (2) consecutive repeating characters. Minimum Password Length: ProtectDrive will impose this restriction on all Windows Domain Passwords. Windows Password Policy may impose more stringent limits, which will override this setting. Default password equals username: This is an alternative to specifying the Default Password. Please note that in this case the users still need to type in their password, which is their Windows Use
90. sed of an error number and a brief description. Error numbers are composed of three components, CTXX, where C is the module the error occurred in, T identifies the type of error, and XX is the actual error number. Module identifiers are: 0 Master Boot Loader (MBL); 1 VXBIOS; 2 Not used; 3 VROM. Type identifiers are: 0 Not used; 1 Warning; 2 Error; 3 Fatal. The following table lists all ACS errors together with their possible causes and recommended recovery action. Note: The Standard Recovery Procedure referred to in the table is described at the end of this chapter.
    Table columns: ACS Error, Component, Description, Possible cause, Recovery action.
    0301 MBL, Invalid master boot code checksum. Possible cause: MBR corruption; MBR Trojan attack. Recovery action: Run RMBR.EXE to recover the ProtectDrive MBR.
    0305 MBL, Invalid VXBIOS. Possible cause: Signature, checksum or size verification of the VXBIOS failed, possibly caused by disk corruption. Recovery action: Contact Eracom Support.
    0306 MBL, Invalid master boot record signature. Possible cause: MBR corruption; MBR Trojan attack. Recovery action: Run RMBR.EXE to recover the ProtectDrive MBR.
    0307 MBL, No ERACOM partition info. Possible cause: Partition table corruption or change; Addition of fixed disk after ProtectDrive installation. Recovery action: Run RMBR.EXE to recover the ProtectDrive MBR.
    0313 MBL Disk i o error Disk IO error Hard disk Run RMBR EXE to reading se
91. Table of Contents (continued): Show Unsuccessful Logon Warnings; Access Control. Chapter 1 Introduction. Product overview: In today's computing environment, hard drives (HDD) have become mass repositories of proprietary information. The widely used Windows operating systems provide adequate system privacy, whether on a stand-alone machine or a networked computer. However, insufficient data security protection exists in a case of system or HDD loss due to malicious intent. Unless appropriate data protection measures are taken, any HDD can be removed from the system and data on it can be read. Furthermore, the system can be accessed via its Floppy Disk Drive (FDD), Serial (COM) and/or Parallel (LPT) ports. To bridge these data security gaps, Eracom has developed the ProtectDrive (PD) system security and data encryption application. Eracom ProtectDrive is a multi-user, Windows Active Directory aware computer security application that provides the following functionality (listed in order of appearance during normal ProtectDrive operation). Preboot User Authentication: Used to derive unique decryption keys for decrypting the operating system files and the rest of the encrypted hard drive(s). Support for Smartcards and Tokens as well as Windows Domains, Usernames and Passwords. Preboot P
92. Table of Contents (continued): PD Settings Tab, Default System Policy; Client Configuration Policy Tab; Authentication Policy Tab; Lockout Policy Tab; User Shell Policy Tab; Encryption Settings Policy Tab; Password Policy Tab; Interrupt Vector Address Update Policy Tab; Default Devices Access Permissions Policy Tab; Encryption Status Policy Tab; PD Users Tab, Default User Policy; Chapter 7 System and User Management; ISG FOTE LOU ESC SIN; Enabling Clients to Store ProtectDrive Policy Data in the Active Directory; Managing System Policy from the Server; Managing User Policy from the Server; Assigning Users to Clients and Managing User Policy via the Computer Object; Managing User Policy via the User Object; Managing User Policy via the Group Object; Managing System and User Policy Locally
93. storage sub-system with the following exceptions: • It is not possible to format any partition on the system HDD. • ProtectDrive does not support post-installation addition, removal or substitution of hard drive(s). • During installation, ProtectDrive accounts for all partitions present on the system. Post-installation partition resizing, converting, masking active or re-partitioning is not supported. This includes the Master Boot Record manipulation. Floppy, CD/DVD Devices and COM/LPT Ports: 3.5" FDD are excluded from encryption/decryption. However, ProtectDrive controls configurable user Read/Write privileges to these devices. Post-install addition, removal or substitution of FDD is fully supported. ProtectDrive accounts for the total number of FDD in the system and does not interfere with their normal operation. All removable devices or media devices such as CD-RW, DVD-RW and Iomega Zip Drive are excluded from encryption/decryption. ProtectDrive does not interfere with the normal operation of these devices. ProtectDrive System Policy and User Policy provide configurable default and individual user access rights to all Floppy Drive(s), COM and LPT ports. Chapter 3 System Requirements. Supported Operating Systems: ProtectDrive has been tested and works with the following Operating Systems: • Windows 2000 Pro Service Pack 4 (SP4) • Windows 2003 SP1 only the ProtectDr
94. sult this support plan for further information about your entitlements, including the hours when telephone support is available to you. Contact details: Within Australia 1800 63 4796; International 61 7 5593 4796 (see your support certificate for toll-free numbers); email support eracom tech com. Revision History (Release, Date, Description): A00, August 2005: A14 User Manual was restructured into ProtectDrive Administration Guide Rev A00 and ProtectDrive User Manual Rev B00. Implemented new installer, updated disaster recovery and troubleshooting. A01, October 2005. Table of Contents: Technical Support; Chapter 1 Introduction; Product Overview; Who should read this document; Chapter 2 ProtectDrive Functional Description; Supported Preboot User Authentication Credentials; Misplaced Forgotten User Authentication Credentials
95. system files and/or encrypted hard drive partitions experience corruption, the user may not be able to authenticate into the system at preboot. In these isolated instances, an error screen similar to the one shown below will display. The screen will list an ACS Error Code, which the user needs to communicate to the System Administrator. Please note that ACS0301 is just an example. See Appendix D for a complete listing of ACS Error Codes. [Screenshot: "Error ACS0301".] Disallowed Floppy Device Access Error: If System Policy and/or User Policy disables floppy drive access and the user attempts to access the floppy drive, then the following error will display: "A:\ is not accessible. Access is denied." Disallowed COM and LPT Port Access Error: If a user whose ProtectDrive Device Access Permissions are disabled attempts to access any of the devices, including the COM and LPT ports, then an error will occur. This error may be displayed by the actual software application the user is running, through which the device is being accessed. For example, while using the Windows HyperTerminal, the user may try to use the COM port(s), permissions for which are currently disabled by ProtectDrive. In this case HyperTerminal will display some sort of device access or read/write error. In isolated instances ProtectDrive itself will d
96. t the Pending status will prevail until DELL7000 is properly configured and the policy data successfully replicates from the server. Monitor the Update Status Tab for indication of the time of the most recent policy data change and client update. If the Last Client Update is chronologically later than the Last Configuration Update, then the policy data has successfully replicated to the client. In the following example, DELL7000 has successfully updated policy data from the server (snapshot on the left). In the snapshot on the right, the client is still awaiting the next update. [Screenshots: Update Status tab showing Last Configuration Update 15 09 2005 10 59 21 AM, Last Client Update 9 09 2005 11 12 22 AM, Client Update Code 0 and Client Status Message "Update successful".]
97. tDrive Administration Guide Chapter 7 System and User Management Ongoing encryption progress will be indicated in half shaded disk drive icons as follows drive F on the left and drive G on the right DELL 7000 Properties 2 x DELL 7000 Properties 2 xi General Operating System Member Of Location General Operating System Member Of Location ManagedBy Object Securty Diskin PD Settings PD Users ManagedBy Object Security Dian PD Settings PD Users Encryption Settings Password Policy Interrupt Vector Update Encryption Settings Password Policy Interrupt Vector Update Lockout Configuration User Shell Authentication Default Permissions Lockout Configuration User Shell Authentication Default Permissions Client Configuration Update Status Encryption Status Client Configuration Update Status Encryption Status Configured Algorithm Current Algorithm Drive Configured Algorithm Current Algorithm None None a C None None IDEA IDEA SE IDEA IDEA IDEA IDEA ar IDEA IDEA DES None tes DES DES 4 2I Algorthn Algorithm Load Defauts OK Cra Ep Load Defaults Cancel Apply If you wish to decrypt any of the encrypted partitions set the Configured Algorithm to None In the following example drives E and F are configured for decryption which will take place as soon as the policy data replicates to the client in accordance with the Updates settings in the Client Confi
98. tectDrive Policy Data in the Active Directory Finally this may also happen if the client s Computer Account has been removed from the domain controller To fix this un join the Windows Domain on the client system and then rejoin it LocalMC 4 There was an error sending the settings to the server they have been saved locally and may be overridden at the next update 84 Eracom Technologies ProtectDrive Administration Guide Appendix A Smartcard Token PIN User Authentication Appendix A Smartcard Token PIN User Authentication SYSTEM BOOT ProtectDrive Allow Token Domain Access F2 Press AND Allow Local User Access OR Domain Password Acce Ye SHIFT F9 Pressed in PIN field Token User Preboot Password Fallback Requested Username Password Fallback H ac Yes Tecovery Code frxZoa fcita ft Single Sign On No To Figure 2 Username Password Domain Name Authentication No Allow Windows Passwor Fallback is ON s j Microsoft 3 Windows 20 Professional Built on NT Technology Yes 2 GE Press Ctrl Alt Delete to begin Ctri Alt Del helps keep your password secure Click Help for mors information Help To Windows Shell To Windows Shell Figure 1 Smartcard Token PIN Preboot Authentication Eracom Technologies 85 ProtectDrive Administration Guide Appendix A Smartcard Token PIN User Authentication THIS PAGE IN
99. ticated Users Cert Publishers PDHOST Cert Publishers DELL7000 PDHOST DELL7000 Domain Admins PDHOST Domain Admins sii Enterprise Admins PDHOS T Enterprise Admins PR ENTERPRISE NOMAIN CONTROLLERS z Permissions for DELL7000 Allow Deny nte Account Restrictions Read DNS Host Name Attributes Write DNS Host Name Attributes Read Personal Information Write Personal Information Read ProtectDrive Configuration Write ProtectDrive Configuration Read Public Information Write Public Information oooooo0o00 E For special permissions or for advanced settings A click Advanced amp anced co ey Eracom Technologies 43 ProtectDrive Administration Guide Chapter 7 System and User Management 44 Managing System Policy from the Server Before configuring System and User Policy review the contents of Chapter 6 Configuring Default System and User Policy This will familiarize you with the fields contained in the PD Settings Tab This tab is used to configure ProtectDrive System Policy All systems in a Windows Domain can be managed remotely with the use of the PD Settings and PD Users tabs in the MMC Active Directory Users and Computers Snap in All the configuration settings in these tabs are stored in Active Directory and are replicated this is configurable to the client systems System Policy settings applied on the server can also be viewed and modified locally on the client syste
100. tin PD Settings PD Users Group or user names ount Oper Administrators PDHOST Administrators sii Authenticated Users Cert Publishers PDHOST Cert Publishers sii Domain Admins PDHOST Domain Admins Enterprise Admins PDHOST Enterprise Admins sii ENTERPRISE DOMAIN CONTROLLERS PB E uanana z Add Bemove Permissions for Account Operators Allow Deny Full Control o Read o Write o Create All Child Objects oO Delete All Child Objects oO Allowed to Authenticate oO Change Password oO Receive As oO mn 1m ea zi For special permissions or for advanced settings click Advanced name Select Users Computers or Groups HEI Select this object type Users Groups or Built in security principals Object Types Erom this location POHOST com au Locations Enter the object names to select examples dell7000 Check Names Advanced Cancel y Click and add the DELL7000 computer object press Eracom Technologies ProtectDrive Administration Guide Chapter 7 System and User Management Click on DELL7000 and select Write ProtectDrive Configuration under the Allow column Press DELL7000 Properties 20x General Operating System Member Of Location Managed By Object Security Dial in PD Settings PD Users Group or user names lt 8 Account Operators PDHOST Account Operators Administrators PDHOST Administrators sii Authen
101. tion Server for server installation and Serverl for server installation without the schema extensions.
ERA_INSTALL_AD_COMPOBJ_SNAPIN: Set to 0 by default. Set it to 1 to install the Active Directory Computer Object Snap-in.
ERA_INSTALL_AD_USEROBJ_SNAPIN: Set to 0 by default. Set it to 1 to install the Active Directory User Object Snap-in.
ERA_INSTALL_ADMIN_GUIDE: Set to 0 by default. Set it to 1 if you wish to install the ProtectDrive Administration Guide.
ERA_INSTALL_CLIENT: Set to 1 by default. Set it to 0 not to install the Client component. This is also set to 1 automatically if ERA_INSTALL_LOCAL_MC is set to 1.
Eracom Technologies ProtectDrive Administration Guide Chapter 5 Deploying ProtectDrive
ERA_INSTALL_KEY_RECOVERY: Set to 0 by default. Set it to 1 to install RPADMIN.EXE. See Chapter 9, Extraordinary Authentication Scenarios, for additional information.
ERA_INSTALL_LOCAL_MC: Set to 1 by default. Set it to 0 not to install the Local Machine Configuration utility.
ERA_INSTALL_USER_MANUAL: Set to 1 by default. Set it to 0 not to install the ProtectDrive User Manual.
ERA_SELECTED_CSP: The desired and installed Cryptographic Service Provider for this installation. If you use Smartcards or Tokens, you need to set this. This value must be one of those listed in ERA_SUPPORTED_CSPS (see below).
ERA_SUPPORTED_CSPS: ProtectDrive will only support
102. tion for disaster recovery, the command prompt utility BACKUP.EXE must be used following each disk encryption status change. Note that you can also run this utility as a scheduled administrative task.
Usage: BACKUP.EXE options
Options and descriptions:
usage: Displays usage help.
v, ver: Displays utility version.
t, tgt: Specifies target directory for backed up Recovery Files. Default: Current directory.
n, noverchk: No ProtectDrive version compatibility check is performed.
Note that it may be good practice to store the Recovery Files off the client system. This will ensure their availability in cases when the client system is rendered inoperable. Eracom Technologies 71 ProtectDrive Administration Guide Chapter 10 Disaster Recovery Tools. If for some reason the ProtectDrive secured system becomes inaccessible (due to data corruption, for example), the System Administrator can use the following disaster recovery tools to perform system diagnosis, decrypt the hard disk(s), manipulate the MBR and administer the Preboot User dB. The following tools are included in the RECOVERY directory of the ProtectDrive distribution CD. These tools, along with the original Registration Disk and the Recovery Files, provide enough functionality to recover any inoperable ProtectDrive system. DISPEFS.EXE ProtectDrive Diagnostic Utility: This diagnostic tool displays contents of the ProtectDrive system files. ProtectDri
103. to the above address. Eracom Technologies i ProtectDrive Administration Guide Preface ii. Technical Support: If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation, consisting of the following two (2) documents: ProtectDrive User Manual; ProtectDrive Administration Guide. ProtectDrive User Manual: This document represents a subset of the ProtectDrive Administration Guide. All end user functionality of ProtectDrive is covered in this document. This does not include any of the System or User Management, Hard Drive Decryption or Disaster Recovery functionality, as these topics were reserved for the Administration Guide. Topics such as the User Authentication, User Password Management, Hard Drive Encryption and ProtectDrive Data Backups are covered in this document. This document allows End Users to understand how to operate ProtectDrive. It allows System Administrators to better prepare users for the everyday operations of ProtectDrive. ProtectDrive Administration Guide: This document concentrates on all aspects of deploying and operating ProtectDrive in networked and stand-alone Windows environments. If you encounter a technical issue that you cannot solve, please contact your supplier or Eracom Support. Eracom Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Eracom and your organization. Please con
104. tore U tity ciccsccscsccdsensecsseisavsccvevsavesdeseseancevsavecsisaseadeddsseaceense caseapavadeaseenacseens 9 Windows Fast User Switching Utility So csi ie MR Re M Se ane 9 Chapter 5 Deploying Protect Drive siscvessssccscsssccracecssevccssssncccecessscdesnscecsbsassvcssetsavaceuabnssdsensesseassintsas 11 Betore You Besimtar RARE cr URE CPEDESR age Ret ce PERCE OT AE RAT CRT PERE IRE AT at AU aE 11 Storage System PCPA AION sit csi daa eh nied ci Sel de ae SEM Ca as 11 Registration Disk Pr parafion iss ds tendresse ins avin Mandats Miss 11 Recovery Disk Preparation cade ane din dasa Stich ate fade li diese aide tats cela 11 Creating Custom SYSKEY BIN eos nas then ee aan es ceed AS air 12 Pr rotectDrive Install MSI Pa RASE ic fossa ue sais aanne EE A a a aa 13 Cust mizing the MSI Packa be nn nnee nena a a i aao aee aea aahi aaan 14 Deploying Server Side Components 22e oe ee enh ede Bedard edonnts 16 Installing the Active Directory Schema Extensions ss 16 Deploying Client Side Components dant miennes ee tee esta 18 Preparing the SYSKEY CID Fue ss aaa eal aetna os Gaede heed natant 18 Installing the ProtectDrive Client Side Components ss 18 Custom Instalati Assien st et LS et ee ne ET D n 20 Removing ProtectDrive inner saspanaaaesdaaeanusbenva oeae uaea 22 Eracom Technologies v ProtectDrive Administration Guide Table of Contents Chapter 6 Configuring Default System and User Policy cscccsssssssssscssssccssssccssssc
105. use Recovery action Error
3302 VROM: I/O error reading disk. Cause: Corrupted EFS; hard disk failure. Recovery action: Standard Recovery Procedure.
3304 VROM: An unknown error has occurred. Cause: Internal program error. Recovery action: Standard Recovery Procedure.
3305 VROM: Configuration file has been corrupted. Cause: MAC check of configuration file failed; corrupted EFS. Recovery action: Standard Recovery Procedure.
3306 VROM: User information has been corrupted. Cause: MAC check of user database entry failed; corrupted EFS. Recovery action: Log on as different user at preboot and let failed user log on to Windows. User database entry will be regenerated. Alternatively, exercise user key recovery mechanism.
3308 VROM: ProtectDrive Administrator information has been corrupted. Cause: MAC check of ProtectDrive Administrator failed; corrupted EFS. Recovery action: Log on as different user at preboot and let failed user log on to Windows. User database entry will be regenerated. Alternatively, exercise user key recovery mechanism.
3309 VROM: Configuration file has been fatally corrupted. Cause: EFS corruption; hard disk failure. Recovery action: Standard Recovery Procedure.
3310 VROM: Error occurred initialising the token. Cause: The token module could not be initialised and password logons are not allowed. Recovery action: To diagnose this error further, contact Eracom. To get access to the system, exercise the token password fallback function.
Eracom Technologies 97 ProtectDrive Administration Guide Appendix D System Debug and ACS Error Messages THIS PAGE INTENTIONALLY LEFT B
106. ustom SYSKEY SKE later in this chapter), then point the system to that file. Select Token Password Fallback in the Remote Recovery Administration window. Enter the user-provided Recovery Code (a.k.a. Challenge) and press Generate Response. Provide the user with the automatically generated Response and instruct them to enter it into their ProtectDrive Token User Challenge Response Screen. At this point the user will be granted one-time preboot access to the system. Eracom Technologies 63 ProtectDrive Administration Guide Chapter 9 Extraordinary Authentication Scenarios 64. Domain User Preboot Password Recovery Procedure: This procedure does not create new preboot user accounts for newly added Windows Domain users. New User Preboot Introduction Procedure should be used instead. End User Instruction: If a Username/Password/Domain Name user forgets their Password, the Preboot Password Recovery Procedure can be used to gain access to the system as follows. [Screen: ProtectDrive; User ID, Password, Domain ERACOM] Enter your Username into the User ID field shown above. Next, place the cursor into the Password field and press SHIFT+F10. The Password Recovery Challenge Response Screen displays. [Screen: ProtectDrive Serial no 37 Username Administrator Domain E RACOM Recovery Code a4 ngq lozt07 q0 Enter response below] Contact your System Administrator either in person or on the phone
107. vate Preboot Authentication in the Authentication Tab, then none of the material in this chapter applies. In this case the user will be presented with a standard Windows Domain authentication dialog and normal Windows logon applies. Authenticating with Smartcard/Token and PIN Preboot Authentication: Please refer to Appendix A for a detailed diagram of the Smartcard/Token PIN Preboot Authentication logic flow. If the ProtectDrive Allow Token Domain User Access Authentication Policy option is set, then the preboot authentication screen will be as shown below. Furthermore, if either or both of the Allow Local User Access or the Allow Password Domain User Access Authentication Policy options is set, then pressing F2 in the below screen will cause it to toggle with the Domain Password Preboot Authentication Screen. At this point the user can authenticate into the system by using either their Smartcard/Token PIN or their Windows Username/Password/Domain Name. Please note that in the case of consecutive failed preboot authentication attempts, the Lockout Policy will be enforced to prevent PIN guessing. [Screen: ProtectDrive token preboot authentication. Insert token, enter your PIN and hit Enter; F2 to toggle. Copyright Eracom Technologies 2003] Eracom Technologies 57 ProtectDrive Administration Guide Chapter 8 User Authentication 58. Authentication into Windows Note Eve
108. ve stores system data in a number of files contained in the embedded file system Usage DISPEFS EXE options gt output_text_file Options Description We usage Displays usage help a all Displays contents of all ProtectDrive system files d dtes Displays drive table entries c Ed Displays configuration data k dky Displays key data fx ex Displays exchange data u user Displays the Preboot User dB VE rec Displays data from Recovery Files rp recpath Specifies the path to the Recovery Files No Arguments Displays all system files J2 Eracom Technologies ProtectDrive Administration Guide Chapter 10 Disaster Recovery Tools DECDISK EXE Disk Decryption Utility This is a 16 bit MS DOS command prompt disk decryption utility It should be used only when access to the GUI based decryption mechanism is not available for use Usage Options v kp t v a e usage ver keypath Pecover recpath all est DECDISK EXE options Description Default Displays usage help Displays utility version Specifies the Recovery Disk path Current directory Uses Recovery Files for the decryption operation Specifies the path to the Recovery Files Current directory Decrypts all encrypted partitions User specified Specifies the hard disk sectors corresponding to the region intended for decryption DECDISK will initially display partition information for all
109. ystem recovery display screens If this file is there the ProtectDrive installer will automatically include this file as part of the Client Side Component installation Eracom Technologies ProtectDrive Administration Guide Chapter 5 Deploying ProtectDrive 83KB MST File 9 08 2005 2 32 PM 1033 mst 4KB MST File 9 08 2005 2 32 PM 1041 mst 82KB MST File 9 08 2005 2 33 PM J ProtectDrive 7 869 aes Windows Installer P 9 08 2005 2 33 PM Launch the PROTECTDRIVE MSI Select Client in the wizard and follow the prompts 1 ProtectDrive InstallShield Wizard Setup Type Choose the setup type that best suits your needs InstallSnield ProtectDrive will require a SYSKEY CID file prepared prior to the install Specify the location of this file for the installer fe ProtectDrive InstallShield Wizard Select path to Cidkey Select the path to the System key file that comes with the ProtectDrive package as E 3 Floppy A fz INSEE IG Eracom Technologies 19 ProtectDrive Administration Guide Chapter 5 Deploying ProtectDrive ProtectDrive will automatically detect all installed Token Runtime Environments and will prompt the installer to select the one that will be associated with ProtectDrive ig ProtectDrive InstallShield Wizard Preboot Logon Method Selection The Following token or smart card CSPs supported by ProtectDriveare installed on this system Please sel
