Version 8.5
Information in this document is subject to change without notice. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written
permission of GuardianEdge Technologies Inc.
©2006 GuardianEdge Technologies Inc. All rights reserved.
475 Brannan St., Suite 400
San Francisco, CA 94107
415.683.2200
GuardianEdge, Encryption Anywhere, and Authenti-Check are either trademarks or registered trademarks of
GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered
trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their
respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the
trademarks of their respective owners.
Printed in the United States of America.
Client Administrator Guide
Contents
1. Introduction, page 1
  Overview, page 1
  GuardianEdge Roles, page 1
    Policy Administrator, page 1
    Client Administrator, page 1
    Registered User, page 2
    Client Administrator/Registered User Comparison, page 2
  Best Practices, page 2
    Partition Changes, page 2
    Boot-Time Defragmenters, page 3
    System Restore Tools, page 3
    Trusted Software, page 3
    Restricted Users, page 3
    Computer Shutdown, page 3
    Password Security, page 3
    Frequent Information Backup, page 3
2. Pre-Windows Authentication, page 4
  Overview, page 4
    Basics, page 4
    Password/Token Authentication, page 4
    Automatic Authentication, page 4
  The Startup Screen, page 4
  Password Logons, page 5
    Keyboard Selection, page 5
    Credential Entry and Verification, page 6
  Token Logons, page 7
    Keyboard Selection, page 7
    Token Preparation, page 7
    First Logon, page 7
    Subsequent Logons, page 7
    PIN Verification, page 8
  Computer Lockout, page 8
    About Lockouts, page 8
    Lockout Prevention, page 8
    Lockout Recovery, page 9
3. The Client Console, page 10
  Overview, page 10
  Logon, page 10
    Password Logons, page 10
    Token Logons, page 11
  Welcome, page 13
  Navigation, page 14
    User Interface Elements, page 14
    Mouse Navigation, page 14
    Keyboard Navigation, page 15
Figures
Figure 2.1—Pre-Windows Startup, Default, page 5
Figure 2.2—Pre-Windows Password Logon, page 6
Figure 2.3—Pre-Windows Logon, One-Minute Delay for Incorrect Logon, page 6
Figure 2.4—Pre-Windows Token Logon, Initial Logon, page 7
Figure 2.5—Pre-Windows Token Logon, Subsequent Logons, page 8
Figure 2.6—Pre-Windows Logon, Lockout Warning, page 8
Figure 2.7—Computer Lockout, page 9
Figure 2.8—Pre-Windows Logon, Client Administrator Logon to Unlock Computer, page 9
Figure 3.1—Client Console Logon, Password, page 10
Figure 3.2—Client Console Logon, Token, page 11
Figure 3.3—Select Certificate, page 12
Figure 3.4—Client Console Welcome, page 13
Figure 3.5—Client Console User Interface Elements, page 14
Figure 3.6—Client Console User Interface, Focus on Password Link, page 15
Figure 3.7—Client Console Encryption Panel, page 16
Figure 3.8—Client Console Decryption Panel, page 17
Figure 3.9—Client Console Check-In Panel, Check-In With No Enforcement, page 18
Figure 3.10—Client Console Users Panel, page 20
Figure 3.11—Client Console Password Panel, page 21
Figure 3.12—Client Console Authenti-Check Panel, page 21
Figure 3.13—Client Console About Panel, page 22
Figure A.1—Canadian French Keyboard, page 28
Figure A.2—French Keyboard, page 28
Figure A.3—German Keyboard, page 28
Figure A.4—Spanish Keyboard, page 28
Figure A.5—United Kingdom Keyboard, page 28
Figure A.6—US English Keyboard, page 28
Figure A.7—Regional and Language Options, page 29
Figure A.8—Languages Tab, page 30
Figure A.9—Text Services and Input Languages, Before New Keyboard Added, page 30
Figure A.10—Add Input Language, page 31
Figure A.11—Text Services and Input Languages, After Keyboard Added, page 31
Figure A.12—Regional and Language Options Advanced Tab, page 32
Figure A.13—Change Default User Settings Warning, page 32
1. Introduction
Overview
GuardianEdge Hard Disk Encryption ensures that only authorized users can access data stored on hard disks. This
safeguards enterprises from the accidental loss or theft of a laptop or PC and eliminates the legal need for public
disclosure. As a key component of the GuardianEdge Data Protection Platform, GuardianEdge Hard Disk offers
seamless deployment and operation across increasingly diverse IT infrastructures and environments.
This Guide explains how to authenticate to GuardianEdge Hard Disk; use the Client console to support users and
computers; provide support to users who have forgotten their password or PIN; and recover a hard disk’s data, if
necessary.
This chapter defines the GuardianEdge roles and discusses best practices. The sections are as follows:
“GuardianEdge Roles” on page 1
“Best Practices” on page 2
GuardianEdge Roles
Policy Administrator
An organization’s centralized point of control for the GuardianEdge Platform is one or more Policy Administrators. A
Policy Administrator defines installation settings and policy updates that are pushed out to Client Computers through
Active Directory. Policy Administrators create Client Administrator accounts. Installation settings and policy updates
may differ from computer to computer, and from user to user. Once policies are pushed out, they affect computer
behavior and user interface displays. Policy Administrators also assist registered users who have the One-Time
Password (OTP) recovery method available. The Policy Administrator runs the help-desk side of the OTP utility,
which requires the availability of the GuardianEdge Manager console.
Client Administrator
While the GuardianEdge Policy Administrator sets policies from a centralized location, Client Administrators
support the distributed Client Computers and their users.
As a Client Administrator, you may have one or more of the following rights and responsibilities:
To unregister user accounts;
To extend the next date by which a Client Computer is required to check in with the GuardianEdge Server to
prevent a lockout condition;
To unlock a Client Computer;
To encrypt partitions;
To run the GuardianEdge Hard Disk Recover Program if an unexpected error prevents a Client Computer from
booting;
To decrypt partitions.
A Policy Administrator uses the GuardianEdge Manager console to create and manage passwords for Client
Administrators not using tokens, by pushing out installation settings and policy updates from a centralized server.
This single-source password management allows Client Administrators to remember only one password as they
move among many Client Computers. If password(s) were local to each computer, then remembering multiple
passwords would become unwieldy.
Registered User
GuardianEdge Hard Disk protects the data stored on a user’s hard disk by requiring users to authenticate before it
allows Windows to load. This can be configured in one of three ways:
Single Sign-On (SSO) enabled—If Single Sign-On is enabled, registered users will be prompted to authenticate
once, each time they restart their computer.
Single Sign-On not enabled—If the user is an authenticating user and Single Sign-On is not enabled, the user will
need to log on in pre-Windows to GuardianEdge Hard Disk and then separately to Windows.
Automatic authentication—Users are not prompted to provide credentials to GuardianEdge Hard Disk and the
process is completely transparent to them.
Best Practices
Partition Changes
Once partitions have been encrypted, they must not be repartitioned, reformatted, or resized with any third-party
utility that is not a part of Windows. In addition, the drive letters of encrypted partitions must not be changed.
Boot-Time Defragmenters
GuardianEdge Hard Disk relies on its client database files. Boot-time defragmenters can scramble the client database
files. If used, they will cause the Client Computer to fail to boot.
Trusted Software
Firewalls and anti-virus software should be installed on Client Computers to protect against viruses and secure
computers against invasive software that arrives over the network, such as a Trojan horse. File sharing, peer-to-peer
networks, and FTP servers are not recommended. Network logon scripts must be approved scripts. If remote access to
stored data is allowed, users with remote access must be required to authenticate.
Restricted Users
Only administrators should have software installation privileges. Users should not have the ability to edit the
GuardianEdge Registry settings or the system date and time.
Computer Shutdown
It is best not to leave a computer unattended, particularly in an insecure location, such as a cafe. If you must step
away, you should invoke the Windows screensaver that requires Windows credentials before it allows you to get back
into Windows.
Password Security
Client Administrators and registered users should not share passwords and should avoid writing them down.
Client Administrators and registered users should be alert to anyone watching over their shoulder as they type. If
this has happened, the password should be changed.
2. Pre-Windows Authentication
Overview
Basics
Pre-boot authentication prevents unauthorized users from accessing encrypted data. This important feature takes full
effect after the first user registers in Windows to GuardianEdge Hard Disk. The first user is forced to register after
any grace restarts expire.
Once the first user has registered, a Client Computer’s behavior upon restart is based on the GuardianEdge policy.
Password/Token Authentication
If a policy is enabled that requires all users on a Client Computer to authenticate, upon restart the computer will first
display the GuardianEdge Startup screen. This screen begins the GuardianEdge Hard Disk pre-Windows logon
process.
As a Client Administrator, you gain access to the computer by authenticating to GuardianEdge Hard Disk at the
pre-Windows logon prompt using your GuardianEdge password or PIN. You then log on at the Windows prompt
using your Windows credentials.
The exception to the pre-Windows logon process is when an Autologon policy is in place. This process bypasses
pre-Windows authentication so that administrators can run software installations and upgrades that require system
reboots. Should an Autologon policy be in effect, you and other users authenticate only at the Windows prompt.
Automatic Authentication
If a policy is enabled that allows all GuardianEdge users on a Client Computer to be automatically authenticated, no
pre-Windows authentication is required. You and all other users authenticate only at the Windows prompt. If
automatic authentication is enabled, you can skip to “Computer Lockout” on page 8.
The Startup Screen
The default image with both changed instructions and changed legal notice, or
A custom image.
If you are authenticating with a token and the token is already inserted, you may not see this Startup screen, or you
may see it flash briefly. Go directly to “Token Logons” on page 7. If you authenticate with a token and have not yet
inserted it, insert it now, then go to “Token Logons” on page 7.
If you authenticate with a password, press CTRL+ALT+DEL and proceed to the next section.
Password Logons
Once you have pressed CTRL+ALT+DEL, the pre-Windows password Logon screen appears.
Keyboard Selection
GuardianEdge Hard Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your
Token Logons
Keyboard Selection
GuardianEdge Hard Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your
Token Preparation
If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension
cable attached to your computer.
If you are using a smart card, when you insert it, hold the card so that the side containing the gold chip is on top and
the card end containing the chip is closest to the reader.
If your token or the reader has a light, the light blinks when information from your token is being read. Wait until the
blinking stops before taking the next action, such as clicking OK from the Logon screen. Do not remove your token
until authentication is complete.
First Logon
Figure 2.4 shows an example of the token Logon screen that displays the first time you log on to the Client Computer.
To authenticate, type your PIN into the PIN field then click OK. Do not remove your token until processing
completes.
The first time this Logon screen appears, it displays only the PIN field. Once you enter your PIN and
click OK, this message appears, “Unrecognized token. Please wait. This will take a few moments.” This
short delay occurs because the system is recording the token ID and certificate information.
Subsequent Logons
Once you log on the first time, the next time you reboot, the screen will display User name and Domain fields in
addition to the PIN field (Figure 2.5), and the “unrecognized token” message will not appear.
Type your PIN into the PIN field and click OK. Do not remove your token until processing completes.
PIN Verification
If your PIN is correct, you advance to the Windows logon prompt once the credentials are verified.
If your PIN is not correct, the logon fails. Check your PIN and re-enter the information, then click OK to resubmit. If
it fails again, contact the appropriate administrator.
You can also reference Appendix B “Token Error Messages” and check the section “Pre-Windows Logon” on
page 33.
Tip: If you are using an RSA SID800 token and your authentication fails, remove the token, then re-insert
it and re-enter your credentials. Click OK.
Computer Lockout
About Lockouts
If lockouts are used to force a Client Computer to check in with the GuardianEdge Server on a prescribed
schedule, then when the computer fails to check in by the due date, users cannot boot to Windows.
Lockout Prevention
If a Client Computer is about to be locked, a Server Communication Required warning message appears before the
Startup screen loads (Figure 2.6).
The message identifies the number of days left before the lockout and advises the user to contact a Client
Administrator. After the user clicks OK, the Startup screen will be displayed.
If a user contacts you about this warning, prevent the lockout in one or more of the following ways:
Resolve the problem that is preventing the Client Computer from connecting to the GuardianEdge Server.
Log on to the Client Computer at the pre-Windows logon prompt, which automatically extends the next
communication due date.
Use the Client console Check-In panel to extend the due date further.
Lockout Recovery
If the Client Computer is already locked, an Access Denied error message appears immediately upon reboot as shown
in Figure 2.7.
Click OK. The Client Administrator Logon screen for lockouts appears (Figure 2.8).
Only you can log on to the computer; users cannot proceed to Windows. Your action will unlock the computer and
extend the next communication due date.
If Autologon is activated while a computer is in a lockout state, the Autologon policy preempts the
lockout condition for as long as the Autologon policy is in effect. This functionality ensures that a
communication lockout condition does not disrupt the completion of the Autologon process, which is
used to allow software installations and upgrades to run without users authenticating in pre-Windows.
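The lockout rules above (warning before the due date, lockout once it passes, Client Administrator logon or check-in extending the date, Autologon preempting the lockout) are easier to reason about as a small model. The following Python is an added example written for this guide, not GuardianEdge code: the warning window (WARNING_DAYS), the length of an extension (EXTENSION_DAYS), and the assumption that the computer locks from the due date itself are all assumptions, since the guide does not state these values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class BootOutcome(Enum):
    """What appears when the Client Computer restarts."""
    STARTUP = "Startup screen"
    WARNING = "Server Communication Required warning, then Startup screen"
    LOCKED = "Access Denied, then Client Administrator Logon screen for lockouts"
    AUTOLOGON = "pre-Windows authentication bypassed by Autologon policy"


# Assumed policy values for this example; the guide does not state either number.
WARNING_DAYS = 7      # the warning starts this many days before the due date
EXTENSION_DAYS = 30   # a check-in or administrator logon pushes the due date out this far


@dataclass
class ClientComputer:
    next_checkin_due: date   # date by which the computer must reach the GuardianEdge Server
    autologon: bool = False  # an Autologon policy preempts the lockout condition


def days_left(pc: ClientComputer, today: date) -> int:
    """Days remaining before lockout, as shown in the warning (negative once overdue)."""
    return (pc.next_checkin_due - today).days


def boot_outcome(pc: ClientComputer, today: date) -> BootOutcome:
    """Apply the Computer Lockout rules to one restart."""
    if pc.autologon:
        # Autologon bypasses pre-Windows authentication, and with it the lockout,
        # for as long as the policy is in effect.
        return BootOutcome.AUTOLOGON
    remaining = days_left(pc, today)
    if remaining <= 0:
        # Assumption: the computer is locked from the due date itself onwards.
        return BootOutcome.LOCKED
    if remaining <= WARNING_DAYS:
        return BootOutcome.WARNING
    return BootOutcome.STARTUP


def registered_user_can_boot(pc: ClientComputer, today: date) -> bool:
    """A registered user reaches Windows unless the computer is locked."""
    return boot_outcome(pc, today) is not BootOutcome.LOCKED


def server_checkin(pc: ClientComputer, today: date) -> date:
    """Prevention method 1: the connectivity problem is fixed and the computer checks in."""
    pc.next_checkin_due = today + timedelta(days=EXTENSION_DAYS)
    return pc.next_checkin_due


def client_admin_prewindows_logon(pc: ClientComputer, today: date) -> date:
    """Prevention method 2 and the recovery path: a Client Administrator logon at the
    pre-Windows prompt unlocks the computer and extends the due date automatically."""
    pc.next_checkin_due = max(pc.next_checkin_due, today + timedelta(days=EXTENSION_DAYS))
    return pc.next_checkin_due


def extend_via_checkin_panel(pc: ClientComputer, new_due: date) -> date:
    """Prevention method 3: the Check-In panel extends the due date further.
    Assumption: the date can only move later, never earlier."""
    if new_due > pc.next_checkin_due:
        pc.next_checkin_due = new_due
    return pc.next_checkin_due


if __name__ == "__main__":
    # Constructed scenario: a computer due to check in on 10 June 2006.
    pc = ClientComputer(next_checkin_due=date(2006, 6, 10))
    for day in (date(2006, 6, 1), date(2006, 6, 5), date(2006, 6, 12)):
        print(day, "->", boot_outcome(pc, day).value, "| days left:", days_left(pc, day))
    client_admin_prewindows_logon(pc, date(2006, 6, 12))
    print("after administrator logon on 12 June ->", boot_outcome(pc, date(2006, 6, 12)).value)
```

The point the model makes explicit is that an administrator logon on a locked computer is itself the extension: it moves the due date forward rather than merely bypassing the check once, whereas Autologon only suppresses the check and leaves the overdue date in place.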
3. The Client Console
Overview
The Client console allows you to perform the following tasks:
Encrypt one or more partitions on the hard disk, if they are not already encrypted or have been decrypted.
Decrypt one or more partitions on the hard disk, if decryption is necessary and allowed by policy.
View and extend the date the computer must next check in with the GuardianEdge Server, if check-in is required.
Logon
When the Client console launches, it prompts you for your credentials. If you log on with a token, see “Token
Logons” on page 11. If you log on with a password, see the next section.
Password Logons
If your account uses a password to authenticate, the Logon screen prompts you for your password (Figure 3.1).
To log on to the Client console with a password, in the Password field type your GuardianEdge Client Administrator
password, then click Log On.
If your password is not correct, the logon will fail. Check your password and re-enter the information.
Your Policy Administrator may have configured a logon delay that takes effect after one or more incorrect logon
attempts. This delay helps protect the computer against password-guessing attacks. If such a setting or policy is in
place and you trigger that restriction, a message appears informing you that the number of allowed logon attempts
has been exceeded and that you can try again in 60 seconds.
If your authentication succeeds, you will be given access to the Client console. Skip to the section “Welcome” on
page 13.
Token Logons
Token Insertion
The Logon panel prompts you to insert your token.
If your token is already inserted, skip to the next section; otherwise, insert your token.
If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension
cable attached to your computer. Make sure that the RSA token software recognizes your token: wait until the RSA
icon in your system tray changes to include a plus sign.
If you are using a smart card, when you insert your token, hold the card so that the side containing the gold chip is on
top and the card end containing the chip is closest to the reader.
If your token or the reader has a light, it blinks when information from your token is being read. If you are using an
Axalto smart card, the icon’s computer screen changes from black to blue while the icon’s golden token blinks, then
returns to black when the blinking stops. Wait until all blinking stops before taking the next action, such as
clicking Next. Do not remove the token until authentication is complete.
PIN Entry
In the PIN field, type your PIN, then click Log On. Do not remove the token until authentication completes.
If your authentication succeeds, you are given access to the Client console. Skip to the section “Welcome” on
page 13.
If your authentication fails or if you encounter token, certificate, or PIN errors during logon, please refer to Appendix
B “Token Error Messages” and check the section “Client Console Logon” on page 56 for possible causes and
resolution.
Your Policy Administrator may have configured a logon delay that takes effect after one or more incorrect logon
attempts. This delay helps protect the computer against guessing attacks. If such a setting or policy is in place and
you trigger that restriction, a message appears informing you that the number of allowed logon attempts has been
exceeded and that you can try again in 60 seconds.
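The logon delay described here and in “Password Logons” above is a throttle: after the allowed number of incorrect attempts, every further attempt is refused until the delay expires. The following Python is an added example written for this guide, not GuardianEdge code. The number of allowed attempts (max_attempts) is an assumption, since the guide only states the 60-second delay; the salted PBKDF2 password record is illustrative and says nothing about how the product actually stores Client Administrator passwords.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password as (salt, PBKDF2-HMAC-SHA256 digest). Illustrative only:
    the guide does not describe how GuardianEdge stores administrator passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_matches(record: Tuple[bytes, bytes], supplied: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the digest."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class LogonThrottle:
    """Logon delay as described in the guide: once the allowed number of incorrect
    attempts is exceeded, every attempt is refused until the delay has elapsed."""
    max_attempts: int = 3          # assumed policy value; the guide does not state it
    delay_seconds: int = 60        # the guide states a 60-second delay
    failures: int = 0
    blocked_until: Optional[float] = None

    def delay_remaining(self, now: float) -> int:
        """Seconds still to wait (0 when attempts are allowed), rounded up for display."""
        if self.blocked_until is None or now >= self.blocked_until:
            return 0
        return math.ceil(self.blocked_until - now)

    def attempt(self, record: Tuple[bytes, bytes], supplied: str, now: float) -> str:
        """Returns 'succeeded', 'incorrect' or 'delayed'. `now` is a timestamp in seconds."""
        if self.delay_remaining(now) > 0:
            # Refused without checking the password, so a correct guess made
            # during the delay gives the caller no signal either.
            return "delayed"
        if password_matches(record, supplied):
            self.failures = 0
            self.blocked_until = None
            return "succeeded"
        self.failures += 1
        if self.failures >= self.max_attempts:
            # The triggering attempt shows the "try again in 60 seconds" message.
            self.failures = 0
            self.blocked_until = now + self.delay_seconds
            return "delayed"
        return "incorrect"


if __name__ == "__main__":
    record = make_record("correct horse battery")   # constructed credential
    throttle = LogonThrottle()
    trial = ((0.0, "letmein"), (1.0, "password"), (2.0, "hunter2"), (30.0, "correct horse battery"))
    for t, guess in trial:
        result = throttle.attempt(record, guess, t)
        print(f"t={t:5.1f}s {guess!r:25} -> {result}, wait {throttle.delay_remaining(t)} s")
    print("t= 62.0s correct password ->", throttle.attempt(record, "correct horse battery", 62.0))
```

Note that the throttle refuses an attempt during the delay before touching the password at all; checking the password first and then refusing would let the response time reveal whether the guess was right.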
Certificate Selection
If the Select Certificate dialog (Figure 3.3) appears, continue reading; otherwise, skip to the next section “Welcome”
on page 13.
Your administrator may have set up your GuardianEdge certificate with the values listed immediately below. These
are the values that the GuardianEdge software uses to identify your certificate automatically for authentication.
For RSA SID800:
DATA_ENCIPHERMENT and KEY_ENCIPHERMENT (Key Usage)
Welcome
The Client console opens to the Welcome panel, which appears with an enabled navigation pane (Figure 3.4).
Navigation
User Interface Elements
The Client console is divided into several sections (Figure 3.5): the Banner, the Navigation pane, the Quick Help
pane, and the Main pane.
The Quick Help pane provides context-sensitive help based on the location of your mouse. See the next section
for how to display Quick Help.
Mouse Navigation
You may navigate the Client console using a mouse or using the keyboard.
If you are using a mouse:
To load a panel, click the desired hyperlink in the navigation pane; the panel loads into the main pane.
To display Quick Help, click the help icon. The Quick Help pane appears. To close the Quick Help pane, click
the help icon again.
Keyboard Navigation
If you are using the keyboard:
Press the TAB key to move among the screen elements. A dotted line surrounds the link, input field, button, or
icon, indicating which element has the focus.
To load a panel, press the TAB key to the desired link in the navigation pane, then press ENTER. The panel loads
into the main pane (Figure 3.6).
To display Quick Help, press the TAB key until the focus is on the help icon, then press ENTER or the
SPACEBAR. To close the Quick Help pane, press ENTER or the SPACEBAR again. Note that Quick Help
applies at the panel level; context-sensitive Quick Help is available only when using a mouse.
To select a check box, press the TAB key to place focus on the box, then press the SPACEBAR. To toggle off the
selection, press the SPACEBAR again.
To activate a button, press the TAB key to place focus on the button, then press ENTER or the SPACEBAR.
The TAB key follows standard user-interface behavior:
Tabbing order within each panel is top to bottom, left to right.
To move down, press the TAB key; to move up, press Shift-TAB.
To scroll, use the UP ARROW key and the DOWN ARROW key.
When you use the TAB key to navigate, you may need to press the key more than once to place the focus
on the next desired link, input field, button, or icon, depending on the location of the current focus.
Encryption
Use the Encryption panel to view the encryption status of the hard disk partitions or manually begin the encryption of
a hard disk partition. To open the Encryption panel, click Encryption. The Encryption panel appears. Figure 3.7
shows an example.
The Status field next to each partition shows which state a partition is in. The states are: Encryption Pending,
Encrypting, Encrypted, Decryption Pending, Decrypting, and Decrypted.
If partitions are listed with a status of Decrypted, Decrypting, or Decryption Pending you can check the check box
beside them to select them for encryption. A check box beside a partition will not be available if the partition has a
status of Encrypted, Encrypting, or Encryption Pending. This unavailability could also occur if a remote
decryption policy prevents encryption.
Should you need to encrypt the disk, you should first connect to an uninterruptible power source, since an
interruption of power could cause data corruption. For example, if you are encrypting a laptop, fully charge the
battery or plug in the laptop before you start.
Once you select one or more partitions, the Encrypt Selected Partitions button becomes available. Click Encrypt
Selected Partitions. A partition’s status changes to Encryption Pending, then to Encrypting.
While encryption is running, the panel shows the percentage (0-99) of the partition that has been encrypted, such as
Encrypting (80 %). When encryption completes, no percentage is shown; a lock icon accompanies the Encrypted state
for easy visual confirmation that the partition is fully encrypted.
Users can continue to work while partitions are encrypting.
Decryption
Use the Decryption panel to view the decryption status of the hard disk partitions or manually begin the decryption of
a hard disk partition. To open the Decryption panel, click Decryption. The Decryption panel appears. Figure 3.8
shows an example.
The Status field next to each partition shows which state a partition is in. The states are: Encryption Pending,
Encrypting, Encrypted, Decryption Pending, Decrypting, and Decrypted.
While decryption is running, the panel shows the percentage (0-99) of the partition that has been decrypted, such as
Decrypting (20 %). When decryption completes, no percentage is shown; an unlock icon accompanies the Decrypted state
for easy visual confirmation that the partition is fully decrypted.
The Encryption panel also shows encryption and decryption status information.
If you have decryption rights, you may need to use them for the following reasons:
The operating system is about to be upgraded.
A major physical change in the core hardware is about to occur. For example, an upgraded processor or
motherboard is going to be installed. Changes to the partition table are not possible on an encrypted computer and
the hard disk must be decrypted prior to the repartitioning.
You are uninstalling GuardianEdge Hard Disk.
If you need to decrypt the disk, first connect the computer to an uninterruptible power source, since an interruption
of power could cause data corruption. For example, if you are decrypting a laptop, plug in the laptop before you start.
If partitions are listed with a status of Encrypted, Encrypting, or Encryption Pending, you can select the check box
beside them to select them for decryption. Once you select one or more partitions, the Decrypt Selected Partitions
button becomes available. Click Decrypt Selected Partitions. The partition’s status changes to Decryption
Pending, then to Decrypting.
A check box beside a partition is not available if the partition has a status of Decrypted, Decrypting, or
Decryption Pending, if you do not have the right to decrypt, or if a remote decryption policy is active.
Users can continue to work while partitions are decrypting.
Check-In
Client Computers may be configured to connect with the GuardianEdge Server. At designated intervals, they attempt
to send important recovery, status, and account information, including:
The date and time of the connection;
To extend the next communication date, if check-in is enforced by lockout and a network problem or a user’s or
computer’s known circumstance is preventing communication.
To access the panel, from the navigation pane click Check-In. The Check-In panel appears.
Figure 3.9 shows an example of a computer that has checked in and is not subject to a lockout enforcement policy.
The information displayed in the Check-In panel varies as described in the following table.
The Extend Due Date button is only available under the following circumstances:
If you are logged in as a Client Administrator,
You may have the right to unregister users. When you unregister a user, the user’s GuardianEdge account is deleted
and that user can no longer log on in pre-Windows.
Reasons for unregistering a user include:
Employee departure;
Logon assistance methods (Authenti-Check and/or OTP) do not succeed or are not available.
Select the check box next to the user account(s) that you want to unregister. The Unregister Selected Users button
becomes available. Click Unregister Selected Users. The account is removed and the Number of registered users
is decremented.
If you unregister the only user—or the last user of many users—either leave the computer at the Windows
logon prompt or usher the next user of that computer past the pre-Windows logon prompt. As soon as
they try to access Windows, they will be prompted to register for their own GuardianEdge account. Once
they register, they will be able to log on in pre-Windows.
A policy may exist that mandates unregistering of users who do not log on for a specified number of days. Inactive
users will be automatically unregistered and will no longer be visible on the Users list.
Password
Your password is set by installation setting or policy. Therefore, your password panel will display as follows:
Authenti-Check
You do not have Logon Assistance methods available. Therefore, your Authenti-Check panel will display as follows:
About
Use the About panel to find out which version of GuardianEdge Framework and GuardianEdge Hard Disk the Client
Computer is running. To open the About panel, click About.
The build number is accessible as a Tool Tip when you hover your mouse over the version number. The build number
can be used to see whether patches have been applied.
Overview
GuardianEdge provides utilities and a Recover Program to assist you in the event that a GuardianEdge Hard Disk
Client Computer fails to boot. While the Recover Program can be run by a qualified Client Administrator, we
recommend that you contact GuardianEdge Technical Support for assistance with the process.
ephdxlat.bin
ephdxlat.ovl
RECOVER.EXE
Readme.txt
These files can be used on any Client Computer, as long as the Client Computer and the Manager Computer are
running the same version of GuardianEdge Hard Disk.
Recovery Steps
Basics
The following steps should be performed in sequence:
1. Recover /A
2. Access Utility
Recover /A
If your computer has encountered a serious error and you cannot load Windows, first run the Recover Program with
the /A option. The /A option attempts to repair damaged client database files.
After Recover /A runs, the Audit Trail is reset and all events logged in pre-Windows that have not been moved to the
Windows Event Log are lost.
To run Recover with the /A option, you will need the bootable Recover floppy or CD that the Policy Administrator
created.
To run Recover with the /A option:
1. Remove any bootable media.
2. Insert the Recover floppy or CD (see “The Recover Floppy or CD” on page 23) into the appropriate drive.
3. Restart the computer, booting from the Recover floppy or CD. You may need to modify the BIOS to boot from
CD.
4. At the A:> prompt, type Recover.exe /A.
5. You will be asked to authenticate with a Client Administrator name and password, after which you follow the
program prompts.
If the /A option succeeds in repairing the client database files and you are able to boot, you once again have access to
the computer. If the /A option does not succeed, proceed to the next step: Access Utility.
Access Utility
Two versions of the Access Utility are available: 32-bit and 16-bit. Both versions contain text-based instructions in an
accompanying Readme file. The 32-bit version is preferred and is delivered separately from GuardianEdge; the 16-bit
version is included with GuardianEdge Hard Disk. If you do not have the 32-bit version, request it from your Policy
Administrator.
Both versions of the Access Utility address possible Windows problems. If you succeed in booting with the Access
Utility, it indicates that the problem is with your Windows installation. The Access Utility will allow you to pull off
the critical files before you attempt to work on the Windows operating system.
The 32-bit Access Utility contains an NTFS reader and brings up a plug-and-play environment, allowing you to boot
from a CD using a Windows Preinstallation Environment (Windows PE). This allows you to map to a network drive
and copy your data to a safe location.
The 16-bit Access Utility ships with GuardianEdge Hard Disk. The Policy Administrator provides you with a copy.
This version runs in DOS and can be handy if you are off site and do not have disk access. Its smaller size is more
suited to being distributed by email. If you use the 16-bit Access Utility, you also need:
The Recover floppy or CD (see “The Recover Floppy or CD” on page 23).
An NTFS reader. This reader is a freeware tool that provides read access to NTFS partitions within the MS-DOS
environment. You can preview files on NTFS and copy files from NTFS to File Allocation Table (FAT) volumes
or network drives. The reader can be run from a DOS bootable floppy. Many sources provide the reader. The
http://www.sysinternals.com/Utilities/NtfsDosProfessional.html site is recommended.
A shareware program to view the data.
If neither version of the Access Utility succeeds, proceed to the next step: Hard Disk Consistency Check.
Recover /D
If your disk passed the consistency check, run the Recover Program with the /D option once, to attempt to regain
access to the data on your hard disk. The /D option attempts to repair the GuardianEdge Hard Disk client database
files, then tries to decrypt the hard disk. After Recover /D runs, the Audit Trail is reset and all events logged in pre-
Windows that have not been moved to the Windows Event Log are lost.
Never run this option more than once, whether it succeeds or fails. Running Recover /D twice will cause
double decryption and permanent loss of data.
When the program ends, if you see a success message, you will have a fully or partially decrypted disk, depending on
the extent of damage.
Until you see a final message indicating success or failure, let the program run.
If you see a failure message, proceed to the next step.
Recover /B
Recover /B should be performed only with the assistance of GuardianEdge Technical Support.
If all previous steps failed, it may mean that a very important cryptographic key cannot be found. The Recover
Program using the /B option reads from a computer-specific recovery file that contains that key, allowing you to
decrypt your data.
While you already should have a Recover floppy or CD that can be used to perform Recover /A and /D, to perform
Recover /B you will need computer-specific data and a special Recover floppy or CD from your Policy
Administrator. The Administrator creates the DAT file by exporting a Client Computer’s data from the GuardianEdge
Server. For this reason, Recover /B is not available for silent clients. The administrator stores the data and other
recovery files on the Recover floppy or CD that is formatted as a boot disk (see “The Recover Floppy or CD” on
page 23).
When the Policy Administrator creates the medium, the Administrator defines a Recovery Password to protect the
DAT file. When the Administrator gives you the Recover floppy or CD, they tell you the password. Typically the
Administrator gives the DAT file a meaningful name, perhaps containing a computer-specific identifier and date,
such as Laptop4849_112907.dat.
Make sure that you execute the Recover /B option on the intended computer by checking the filename on
the medium. Since the data in the DAT file is computer-specific, running /B using a recovery data file
intended for another computer will corrupt your hard disk files.
Also make sure that the computer is connected to an uninterruptible power supply; otherwise, data loss
can occur if the process stops.
Boot from the Recover floppy or CD and enter Recover.exe /B. You will be prompted for the Recovery Password
associated with this file. Enter the password. The Recover Program will generate several information and warning
messages and/or prompts, depending on what the program encounters. The most severe warning message occurs if
something goes wrong when the Recover Program attempts to compare values in the DAT file with the client
database files, as described below.
If the Recover Program detects a mismatch between the DAT file and the client database files, the program halts and
issues a warning that the data on the hard disk will be destroyed if you continue the recovery process. Cancel the
process.
If the Recover Program is unable to compare the backup file and the client database files due to file corruption of
client database files, the program halts and issues the same warning message as stated in the previous paragraph.
Only if you are absolutely certain that the DAT file is the correct file should you continue the process; otherwise,
cancel the process.
If the Recover Program detects that the DAT file is corrupted, the Recover Program halts.
Appendix A. Keyboards
Overview
For computers that require pre-boot authentication, GuardianEdge offers a means of selecting different keyboard
layouts in pre-Windows.
Keyboard List
The keyboards that GuardianEdge Hard Disk supports are:
Canadian French,
French,
German,
Spanish,
US English.
Keyboard Use
Active Keyboard Layout Identification
After a computer reboot, when you press CTRL-ALT-DEL or insert a token at the Startup screen, the GuardianEdge
pre-Windows Logon screen appears. The active keyboard layout is identified in a bar displayed in the lower right-
Keyboard Toggling
If the keyboard you require is not displayed in the bar and your administrator has defined multiple keyboards, you can
toggle to another keyboard in pre-Windows. The default key sequences for switching among keyboard layouts are
Left ALT+SHIFT or CTRL+SHIFT, depending on how the key sequence was defined in Windows.
Advantages
Having an alternate keyboard layout to toggle to may be useful to you if you find yourself in a situation where you are
supporting a registered user whose physical keyboard is unfamiliar to you. For example, you may be assisting a user
who is in France and your user name and password are US English. If you are logging on in pre-Windows and you are
about to enter your Client Administrator password, you can toggle to your familiar keyboard layout. The section
“Keyboard Layouts: Default View” on page 27 shows the default-state view of each of the six supported keyboards.
Even though you actually will be typing on an unfamiliar physical keyboard, the computer will interpret the incoming
characters as if they were entered from the keyboard that you have selected to be the active keyboard.
Canadian French
French
German
Spanish
United Kingdom
US English
Keyboard Definition
Multiple keyboard layouts may already be defined in your organization. However, if you need to add a keyboard
layout, use the Windows standard method, as described in the steps in the following sections.
Initial Steps
This section describes the first steps to take to configure the additional keyboard, on both Windows XP and Windows
2000.
1. From the Start menu click Control Panel, then double-click Regional and Language Options. The window
opens.
3. From the Languages window, click Details. The Text Services and Input Languages window appears.
Figure A.9—Text Services and Input Languages, Before New Keyboard Added
5. For each keyboard layout you wish to add, select an Input language from the drop-down menu and click OK.
The new keyboard appears in the Text Services and Input Languages dialog (Figure A.11).
6. Click Apply.
Windows XP
If you are running Windows 2000, skip to the section “Windows 2000” on page 32 to complete the process. If you are
running Windows XP, follow the steps in this section.
1. From the Regional and Language Options window (Figure A.7), click the Advanced tab. A new window
appears (Figure A.12).
2. Select the check box for Default user account settings. The following warning appears:
Windows 2000
In Windows 2000, once you complete “Initial Steps” on page 29, use the Registry editor, RegEdit, to update the
Default User Profile as follows:
1. Copy the values from “HKEY_CURRENT_USER\Keyboard Layout\Preload” to
“HKEY_USERS\.DEFAULT\Keyboard Layout\Preload”.
2. Copy the values from “HKEY_CURRENT_USER\Keyboard Layout\Substitutes” to
“HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes”.
3. Reboot.
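The same Default User profile update, written as a script rather than as RegEdit steps. This is an added example; it is not GuardianEdge tooling or a procedure from this guide. It assumes a host on which PowerShell is available (Windows 2000 itself predates PowerShell, so there the RegEdit steps remain the method) and it touches only the two keys the steps name. The sample value shown in a comment (00000409, US English) is an illustration of what a Preload entry looks like, not something read from this guide.

```powershell
# Added example (not from the guide): copy the current user's keyboard layout
# values into the Default User profile, which is the change the RegEdit steps
# describe. Run from an elevated PowerShell prompt on the Client Computer.
# Assumption: PowerShell is available on this host.

# HKEY_USERS is not exposed as a drive by default, so map it first.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Registry metadata properties that Get-ItemProperty attaches; never copy these.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($subKey in @('Preload', 'Substitutes')) {
    $source = "HKCU:\Keyboard Layout\$subKey"
    $target = "HKU:\.DEFAULT\Keyboard Layout\$subKey"

    # Substitutes only exists when a layout substitution has been defined,
    # so skip a missing source key instead of failing.
    if (-not (Test-Path $source)) {
        Write-Output "Skipping ${subKey}: no values defined for the current user."
        continue
    }
    if (-not (Test-Path $target)) {
        New-Item -Path $target -Force | Out-Null
    }

    # Copy every value (a Preload entry looks like "1" = "00000409") from the
    # current user's key to the Default User key.
    $values = Get-ItemProperty -Path $source
    foreach ($prop in $values.PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }
        Set-ItemProperty -Path $target -Name $prop.Name -Value $prop.Value
        Write-Output "Copied ${subKey}\$($prop.Name) = $($prop.Value)"
    }
}

# Show the result so the copied layout identifiers can be checked before the
# reboot that the steps require.
Get-ItemProperty -Path 'HKU:\.DEFAULT\Keyboard Layout\Preload'
```

The final Get-ItemProperty prints the Default User Preload values so you can confirm that the layout identifiers match the current user's before rebooting; the reboot is still required for pre-Windows to pick up the change.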
Overview
This appendix lists the error messages that you may encounter while using your token to:
Authenticate in pre-Windows, or
In some cases, the message itself contains the default instruction: Please call the help desk for assistance.
This instruction appears in the Message column in italics. The instruction can be customized by your
Policy Administrator, so your instruction may differ from the default shown.
Pre-Windows Logon
Table B.1 lists the error messages that may be generated when you attempt to log on to GuardianEdge Hard Disk in
pre-Windows.
Glossary
Active Directory: Active Directory is a directory service that provides the means to manage the identities and relationships that make up network environments. Active Directory provides network administrators with a hierarchical view of the network and a single point of administration for all network objects.
Active Directory Application Mode (ADAM): Active Directory Application Mode (ADAM) is a Lightweight Directory Access Protocol (LDAP) directory service that runs as a user service on top of Windows, as opposed to a system service such as Active Directory. The GuardianEdge Manager stores data in ADAM rather than in Active Directory, allowing organizations to avoid changing the Active Directory schema.
Active Directory Users and Computers Snap-in: The Users and Computers snap-in from Microsoft allows an administrator to find and organize the user and computer objects within an Active Directory structure.
Authenti-Check: A self-help password recovery method for authenticating registered users who forget their GuardianEdge passwords in pre-Windows. Policy Administrators can choose whether to enable or disable this feature. The Authenti-Check method involves up to three question-answer pairs, established during GuardianEdge registration. If a user forgets his or her password, the questions are displayed and the user is prompted to enter the answers. Correct answers authenticate the user. Then the user is prompted to change his or her GuardianEdge password. Authenti-Check is not available to Client Administrators or to token-based users.
Autologon: Autologon is a policy used by Policy Administrators for remotely deploying software to computers protected by GuardianEdge Hard Disk. Software installations typically require several restarts of Client Computers, and Autologon automatically authenticates without user or administrator intervention. The Policy Administrator defines a window of time during which Autologon remains active, along with the total number of restarts that may occur within the defined period. Autologon does not decrement the number of available grace restarts.
Automatically Authenticated User: An automatically authenticated user is a registered user who does not authenticate to the GuardianEdge Platform. Registration of this user’s account takes place after successful Windows authentication in one of two ways, as dictated by policy: the user is registered silently, or the user registers interactively, by entering a Registration Password. After being registered, this user can gain access to the Client console without authenticating. Also, after computer restart, the computer boots to Windows. The user does not encounter a pre-Windows logon process nor require use of the pre-Windows logon-assistance recovery methods.
Client Administrator: The Client Administrator supports GuardianEdge registered users. Main functions include: unregistering users (if allowed by policy), extending a computer’s check-in due date with the GuardianEdge Server, and unlocking a locked computer that has failed to check in at the appointed time with the GuardianEdge Server, if applicable. All Client Administrators may encrypt hard disk partitions, and the default policy allows Client Administrators to decrypt partitions.
A Policy Administrator establishes Client Administrator accounts using an installation setting or a policy that is pushed out from the GuardianEdge Manager. The account can be password-based or token-based, although at least one Client Administrator account per computer must be password-based to allow the administrator to run recovery programs. The Policy Administrator creates and manages a Client Administrator’s password. A Policy Administrator can remove a Client Administrator account by pushing out a policy in which the account is not present. Client Administrators cannot change their own passwords or use any password-recovery methods.
Between 1 and 50 Client Administrator accounts may exist on each Client Computer, as defined by installation setting and policy. A Client Administrator may have an account on more than one computer.
Client Database: The client database consists of a series of volume files and is part of the GuardianEdge file system. Once the location of the client database files has been specified during the creation of the Client Computer installation packages and the installation has completed, these files must never be moved or disturbed. See “Best Practices” on page 2.
Federal Information Processing Standards (FIPS): Federal Information Processing Standards (FIPS) are issued by the National Bureau of Standards. Several standards (140-1, 140-2, 140-3) provide guidelines for implementing cryptographic software. The validation process is administered by the National Institute of Standards and Technology’s (NIST) Cryptographic Module Validation (CMV) Program.
Group Policy Management, Group Policy Management Console Snap-in: A snap-in from Microsoft that a GuardianEdge Policy Administrator can use to assign GuardianEdge software and policies to users and computers.
Group Policy Object (GPO): An object in Active Directory that contains user and/or computer policies.
GuardianEdge Password: If the Client Computer is configured to have authenticating users, this password is used by registered users and by Client Administrators to authenticate to GuardianEdge Hard Disk during pre-boot authentication. Registered users who do not have SSO enabled, as well as all Client Administrators, also use this password to authenticate to the Client console once Windows has loaded. The Client Administrator also uses their password to authenticate to Recover /A and Recover /D.
A Client Administrator’s password must be between 16 and 32 characters and is defined by the Policy Administrator through installation settings and policies.
An authenticating user defines their GuardianEdge password during registration. If SSO is off, the user can change this password using the Client console. If SSO is on, the user’s Windows password is used as the GuardianEdge password and Windows manages password requirements and changes.
GuardianEdge Software Setup Snap-in: The snap-in runs on the GuardianEdge Manager, allowing GuardianEdge Policy Administrators to customize GuardianEdge software before deployment, both for GuardianEdge Framework and for GuardianEdge Hard Disk.
Master Boot Record (MBR): A master boot record (MBR) is the first sector (sector zero) of a data storage device, such as a hard disk. It is sometimes used for bootstrapping operating systems, sometimes used for holding a disk’s partition table, and sometimes used for identifying disk media. On some computers it also can be unused or ignored.
Microsoft Installer Package (MSI): The Microsoft Installer package provides a format for self-contained database files containing the requirements and instructions that the Windows Installer uses when installing applications. MSI packages can be installed using Group Policy Objects (GPOs).
One-Time Password (OTP): The One-Time Password (OTP) Program allows authenticating users to recover from a forgotten password, PIN, or token with help desk assistance. This assistance provides the user with a one-time password or response key, which allows the user to temporarily authenticate. A password-based user is then prompted to enter a new password. The help-desk side of the OTP Program is typically run by a Policy Administrator, since the GuardianEdge Manager must be installed on the same computer where the OTP Program runs. If a Client Computer never checks in with the GuardianEdge Server, the OTP recovery method is not available.
Partition: A logical division on a hard disk that allows the application of operating system-specific logical formatting to that division only and not to the entire hard disk.
Password Management: The ability of a Policy Administrator to define attributes to which a registered user’s password must adhere, such as age, reusability, and complexity, if Single Sign-On (SSO) is not enabled. This password management applies during the registration process when an authenticating user defines a password, during password-recovery methods when an authenticating user is prompted to change their password, and in the Client console Password panel, where authenticating registered users without SSO may change their GuardianEdge passwords. This feature is both a Framework installation setting and a computer policy.
Policy Administrator: An organization’s centralized point of control for the GuardianEdge Platform is one or more Policy Administrators. A Policy Administrator defines installation settings and policy updates that are pushed out to Client Computers through Active Directory. Policy Administrators create Client Administrator accounts. Installation settings and policy updates may differ from computer to computer, and from user to user. The user accounts to which policies are directly applied are not stored on the Client Computer or in the GuardianEdge Platform; these are the Active Directory accounts. Once policies are pushed out, however, the policy requirements display on user interface screens. Policy Administrators also typically run the help-desk side of the One-Time Password (OTP) Program.
Pre-Windows: The GuardianEdge Hard Disk environment that loads upon reboot, before the Windows operating system loads, if the Client Computer is configured to have authenticating users. This environment helps protect the Client Computer’s primary hard disk by requiring authentication before a user gains access to Windows and thus to the computer’s file system.
Recover Program: The Recover Program can be used if a Client Computer encounters a serious error and cannot load Windows. The program attempts to regain access to data on the hard disk by repairing the GuardianEdge client database files or by performing an emergency decryption of the entire hard disk.
Registered User: A registered user of a Client Computer has a GuardianEdge account and can power the GuardianEdge Hard Disk-protected computer from an off state as well as access those functions of the Client console which have been provided to them by policy.
A Policy Administrator defines registered user rights and the number of allowed user accounts through installation settings and policies. (1–50 user accounts can exist on any given computer.) Registered users are supported by Client Administrators and help desk technicians.
Client Administrators and registered users can view a list of the users registered on a computer by using the Client console Account Settings — Users panel. An authorized Client Administrator can use that panel to unregister registered users, thus deleting a user’s GuardianEdge account. If a policy is pushed out to make a registered user a Client Administrator, then the registered user account is deleted. The user cannot hold both roles.
Policy Administrators can view the registered user accounts on a specified Client Computer by using a GuardianEdge Manager snap-in, the Client Monitor.
Registration: When authenticating users register to the GuardianEdge Platform, they set a PIN or a password, possibly along with important information that allows them to recover their password, should they forget it. Once the first authenticating user has registered, the Client Computer is in a much more secure state. For this reason, users are forced to register after an optional, configurable number of grace restarts expires.
The GuardianEdge registration wizard walks users through a series of screens to define and activate their GuardianEdge account. A user may register on more than one computer.
Users who are automatically authenticated may be silently registered and do not need to follow the interactive registration process. Automatically authenticated users who register interactively need only enter the Registration Password.
Re-Registration: Existing GuardianEdge registered users who authenticate are prompted to re-register if a Policy Administrator issues a computer policy requiring them to change their authentication method—from password to token, or from token to password—by a certain date. Refer to the User Guide for details.
Silent Client: A silent client is a Client Computer that does not check in with the GuardianEdge Server, as prescribed by installation setting or policy. If the silent client option is enabled and the computer has never checked in, the One-Time Password recovery method and the Recover /B hard disk recovery option—which requires computer-specific data stored in ADAM during check-in—are not available. Silent clients are also produced when Framework Client packages are created from a GuardianEdge Manager whose installation mode does not require connection to a GuardianEdge Server.
Single Sign-On (SSO): A feature that allows GuardianEdge registered users to use their Windows password as their GuardianEdge password. If SSO is enabled, the user logs on once in pre-Windows and is automatically authenticated to Windows and to the Client console. If SSO is not enabled, the user logs on in pre-Windows using their GuardianEdge password, logs on to Windows using their Windows password, and logs on a third time to the Client console, if they need to, using their GuardianEdge password.
Windows manages password changes, imposing Windows password criteria. GuardianEdge Framework synchronizes the GuardianEdge password with the Windows password if the passwords get out of sync, if a new policy is pushed out invoking SSO, or if the Windows password expires and must be changed.
The Client Computer must reboot to activate an SSO policy, which installs the GuardianEdge GINA into the (Windows) GINA chain, allowing password synchronization to take place.
SSO is not relevant to automatically authenticated users.
Index
A
About panel, description 21
Access Utility
  16-bit version 23
  32-bit version 23
  using 24
Account Settings
  Authenti-Check 21
  Password 21
  Users 19
Active Directory, pushing out policies 1
Authenti-Check panel, description 21
B
best practices, list 2
build number, viewing 22
C
Check-In panel, description 18
Client Administrator
  compared to registered user 2
  role 1
Client console
  description 10
  Hard Disk tasks 15
  logging on 10
  navigating 14
consistency check, when to run 25
D
Decryption panel, description 16
E
Encryption panel, description 15
H
Hard Disk
  Check-In 18
  Decryption 16
  Encryption 15
hard disk recovery
  overview 23
  steps 23
K
keyboards
  defining 29
  identifying active 27
  list 27
  toggling among 5, 27
L
lockout
  Check-In panel settings 19
  description 8, 18
  extending next communication due date 19
  preempted by Autologon 9
  preventing 8
  recovering from 9
logging on
  Client console using password 10
  Client console using token 11
  pre-Windows using password 5
  pre-Windows using token 7
O
One-Time Password (OTP) Program, responsibility 1
P
Password panel, description 21
Policy Administrator, role 1
Q
Quick Help, use 14
R
Recover floppy or CD
  DAT file creation 26
  description 23
Recover Program
  /A option 24
  /B option 26
  /D option 25
Recovery Password, description 26
recovery, see hard disk recovery
registered user
  compared with Client Administrator 2
  unregistering 20
  viewing 19
T
token error messages
  Client console logon 36
  pre-Windows logon 33
token logon
  certificate key usage 12
  Client console 11
  multiple certificates 12
  pre-Windows 7
U
unregistering users
  description 20
  effects 20
  how to 20
Users panel, description 20
V
version information, viewing 21