SafeBoot N.V.
Edisonbaan 15, Nieuwegein, 3439 MN, The Netherlands

Tel: +31 (0)30 6348800
Fax: +31 (0)30 6348899
Email: [email protected]

For more information regarding local SafeBoot representatives please take a look at: www.safeboot.com

Document: SafeBoot 5 Device Encryption Administrators Guide
Version: 2007/05
Last updated: Friday, 25 May 2007
For Version: 5.1.0.0 B5100

Copyright © 2007 SafeBoot N.V. All rights reserved. Printed in The Netherlands.

No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from SafeBoot N.V.

The information furnished herein is believed to be accurate and reliable. However, no responsibility or liability is assumed by SafeBoot N.V., including its subsidiaries, for its use, nor for any infringements of patents or other rights of third parties resulting from its use.

Microsoft® and Windows® NT are registered trademarks of Microsoft Corporation. Novell® is a trademark of Novell Inc. SafeBoot® is a registered trademark of SafeBoot N.V. All other trademarks and registered trademarks are the property of their respective holders.

Welcome

The team at SafeBoot is dedicated to providing you with the best in security for protecting data on personal computers. By applying the latest technology, SafeBoot enhances the deployment and management of users through simple and structured administration controls.

SafeBoot 5 Device Encryption represents the latest addition to the SafeBoot family and incorporates functionality not found in earlier versions. This new edition of SafeBoot features a new dimension in IT security incorporating many new enterprise level options, including automated upgrades, file deployment, flexible grouping of users and centralized user management. In addition, users' credentials can be imported and synchronized with other deployment systems.

Through the continued investment in technology and the inclusion of industry standards we are confident that our goal of keeping SafeBoot at the forefront of data security will be achieved.

About This Guide

This Administrators Guide is designed to aid corporate security administrators in the correct implementation and deployment of SafeBoot 5 Device Encryption. Although this guide is complete in terms of setting up and managing SafeBoot systems, it does not attempt to teach the topic of "Enterprise Security" as a whole.

Readers unfamiliar with SafeBoot should follow the appropriate sections of the “SafeBoot Device Encryption 5 QuickStart Guide” which walks through setting up a SafeBoot enterprise before tackling any of the topics in this guide.

Audience

This guide was designed to be used by qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, are required.

SafeBoot can only contribute to information security within your organisation as part of a coherent and well-implemented organisational security policy.

For information about cryptography topics, readers are advised to consult the following publications:

• Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Bruce Schneier, Pub. John Wiley & Sons; ISBN: 0471128457

• Computer Security, Dieter Gollmann, Pub. John Wiley and Sons; ISBN: 0471978442

• Security in Computing, Charles P. Pfleeger, Pub. Prentice Hall PTR; 3rd edition; ISBN: 0130355488

Document Conventions

The following conventions are used in this guide:

Convention: Bold font
Use: Indicates a user entry - a command, menu, option, button or key - or the name of a file, directory, or utility.
Example: Click the option to set it.

Convention: Italic font
Use: Identifies a chapter or sub-chapter of this guide.
Example: See Creating Users for more information.

Convention: Square Brackets ( [] )
Use: Enclose optional keywords and values in command syntax.
Example: SBServer [username] [password]

Convention: Vertical Bar ( | )
Use: Separates two or more possible options in command syntax.
Example: SBServer start | stop

Related Documentation

The following materials are available from our web site, http://www.safeboot.com, and from your SafeBoot Distributor:

• Device Encryption 5 PC Administrators Guide (this document)

• Management Center 5 Administrators Guide

• Device Encryption 5 PC QuickStart Guide

• SafeBoot Enterprise Technical Overview

• SafeTech Engineers Guide


Contacting Technical Support

To obtain technical support on this product please use one of the following methods. Remember to have your maintenance agreement number, your license number, and details of the problem you are experiencing to hand when calling for support.

If you purchased SafeBoot from one of our distribution channels, you can call them direct for support. Alternatively, you can contact SafeBoot direct at one of our office locations:

You can find a complete list of SafeBoot’s office locations, and the Technical Support telephone numbers on our web site at:

http://www.safeboot.com/support/contact.html

Acknowledgements

SafeBoot’s Novell NDS Connector and LDAP Connectors make use of OpenLDAP (www.openldap.org) and OpenSSL (www.openssl.org). Due credit is given to these organisations for their free APIs.


Table of Contents

SafeBoot N.V.
WELCOME
  ABOUT THIS GUIDE
  AUDIENCE
  DOCUMENT CONVENTIONS
  RELATED DOCUMENTATION
  CONTACTING TECHNICAL SUPPORT
  ACKNOWLEDGEMENTS
TABLE OF CONTENTS
FIGURES

1. INTRODUCTION
  1.1 WHY SAFEBOOT DEVICE ENCRYPTION?
  1.2 DESIGN PHILOSOPHY
  1.3 HOW SAFEBOOT WORKS
    1.3.1 Protection
    1.3.2 Management
    1.3.3 Objects, Entities, and Attributes explained
  1.4 THE SAFEBOOT COMPONENTS
    1.4.1 SafeBoot Administration Center (SBAdmin)
    1.4.2 SafeBoot Server (SBServer)
    1.4.3 SafeBoot Object Directory
    1.4.4 SafeBoot Device Encryption PC Client
    1.4.5 SafeBoot File Encryptor
    1.4.6 SafeBoot Connector Manager
  1.5 COMPONENT DESIGN
    1.5.1 SafeBoot Device Encryption Client
    1.5.2 SafeBoot Administration
    1.5.3 SafeBoot Connection Manager
  1.6 INSTALL AND DEPLOYMENT

2. INSTALLING SAFEBOOT ADMINISTRATION

3. DEVICE ENCRYPTION USER POLICIES
  3.1 USER ADMINISTRATION FUNCTIONS
    3.1.1 Create Token
    3.1.2 Reset Token
    3.1.3 Set SSO Details
    3.1.4 Force Password Change at Next Logon
    3.1.5 View Audit
    3.1.6 Reset (All) to Group Configuration
    3.1.7 Create Copy
    3.1.8 Properties
  3.2 USER CONFIGURATION OPTIONS
    3.2.1 General
    3.2.2 Devices
    3.2.3 Application Control


4. USING TOKENS WITH DEVICE ENCRYPTION
  4.1 GENERAL TOKEN OPERATION
  4.2 STORED VALUE TOKENS
  4.3 CERTIFICATE, OR “CRYPT ONLY” TOKENS
    4.3.1 How Certificate Tokens Work
    4.3.2 Certificate Connectors
  4.4 OTHER TYPES OF TOKEN
  4.5 TOKEN COMPATIBILITY
    4.5.1 Smart Card / Smart Card Reader Compatibility
    4.5.2 USB Key / Reader Driver Requirements
  4.6 SPECIFIC TOKEN NOTES
    4.6.1 RSA SID800 USB Token
    4.6.2 ActivIdentity Smart Cards and USB Keys
    4.6.3 Infineon Embedded TPM Chip
    4.6.4 Sony Puppy Fingerprint Reader
    4.6.5 Aladdin eToken 64KB
    4.6.6 SafeNet IKEY 2032
    4.6.7 SafeBoot Phantom USB Biometric Key

5. CREATING AND CONFIGURING MACHINES
  5.1 MACHINE ADMINISTRATION FUNCTIONS
    5.1.1 Create Machine
    5.1.2 Rename Machine
    5.1.3 Delete
    5.1.4 Import Machines
    5.1.5 Export Configuration
    5.1.6 Create Install Set
    5.1.7 Force Synchronization
    5.1.8 Reboot Machine
    5.1.9 Lock Machine
    5.1.10 Add Users
    5.1.11 View Audit
    5.1.12 Reset to Group Configuration
    5.1.13 Create Copy
    5.1.14 Properties
  5.2 MACHINE CONFIGURATION OPTIONS
    5.2.1 Machine Groups
    5.2.2 General
    5.2.3 Encryption
    5.2.4 Users
    5.2.5 Warning Text
    5.2.6 Synchronization Settings
    5.2.7 Files
    5.2.8 Screen Saver
    5.2.9 Boot

6. FILE GROUPS AND MANAGEMENT
  6.1 SETTING FILE GROUP FUNCTIONS
  6.2 IMPORTING NEW FILES
  6.3 EXPORTING FILES
  6.4 DELETING FILES
  6.5 SETTING FILE PROPERTIES

7. ADDING COMPONENTS TO A MACHINE

8. USING SAFEBOOT AS A FILE DEPLOY SYSTEM


  8.1 EXAMPLE - COPYING A NEW FILE TO THE DESKTOP

9. CREATING AN INSTALL PACKAGE
  9.1 SELECTING THE GROUP / MACHINE
  9.2 SELECT THE INSTALL SET TYPE
  9.3 ONLINE INSTALLS
  9.4 OFFLINE INSTALLS
  9.5 IMPORTING A TRANSPORT DIRECTORY
  9.6 SUMMARY OF OFFLINE INSTALL SET CONTENTS
  9.7 SELECT THE MASTER DIRECTORY
  9.8 SET INSTALL OPTIONS AND CREATE THE SET

10. INSTALLING, UPGRADING, AND REMOVING DEVICE ENCRYPTION
  10.1 OFFLINE PACKAGE INSTALLS
  10.2 ONLINE PACKAGE INSTALLS
  10.3 REMOVING / UNINSTALLING SAFEBOOT CLIENT
  10.4 UPGRADING SAFEBOOT FROM PREVIOUS VERSIONS.
    10.4.1 Upgrading SafeBoot 4.x Clients to 5.x
    10.4.2 Upgrading existing 5.x clients to a later service pack or patch version
    10.4.3 Removing SafeBoot 5.x from a machine

11. CLIENT SOFTWARE
  11.1 THE TOOL TRAY ICON
  11.2 CLIENT AUDITING
  11.3 BOOT AND LOGON PROCESS
  11.4 SAFEBOOT SCREEN SAVER
  11.5 WINDOWS SIGN-ON AND LOGON MECHANISMS.
  11.6 CHANGING THE PASSWORD

12. WINDOWS SIGN-ON AND SSO
  12.1 WINDOWS LOGON FEATURES
  12.2 HOW WINDOWS LOGON WORKS
    12.2.1 First Boot
    12.2.2 Second Boot
    12.2.3 Failed Windows Password
    12.2.4 Re Logon
    12.2.5 Setting and Changing a users SSO details

13. AUDITING
  13.1 INTRODUCTION
  13.2 COMMON AUDIT EVENTS
    13.2.1 Information Events
  13.3 TRY EVENTS
  13.4 SUCCEED EVENTS
  13.5 FAILURE EVENTS

14. RECOVERING USERS AND MACHINES
  14.1 OFFLINE RECOVERY
  14.2 ONLINE RECOVERY

15. TRUSTED APPLICATIONS
  15.1 HASH SETS
  15.2 HASH SET PROPERTIES
    15.2.1 General
    15.2.2 File Hashes
  15.3 USING HASH SETS


16. HASH GENERATOR
  16.1 INTRODUCTION
  16.2 USING HASH GENERATOR

17. COMMON CRITERIA EAL4 MODE OPERATION
    17.1.1 Common Criteria EAL4 Certificate
  17.2 ALGORITHM CERTIFICATE NUMBERS
    17.2.1 AES
    17.2.2 SHA1
    17.2.3 DSA/DSS
    17.2.4 RNG
    17.2.5 DES

18. SAFEBOOT CONFIGURATION FILES
  18.1 SBGINA.INI
  18.2 SBERRORS.INI
  18.3 SBHELP.INI
  18.4 SBFEATUR.INI
  18.5 SCM.INI
  18.6 DEFSCM.INI
  18.7 SDMCFG.INI
  18.8 TRIVIALPWDS.DAT
  18.9 BOOTCODE.INI
  18.10 BOOTMANAGER.INI
  18.11 SBERRORS.XML
  18.12 AUTOBOOT.INI

19. SAFEBOOT PROGRAM AND DRIVER FILES
  19.1 EXE FILES
    19.1.1 SafeTech
    19.1.2 Setup
  19.2 DLL FILES
    19.2.1 sbalgxx
    19.2.2 sbgina
  19.3 SYS FILES
    19.3.1 SafeBoot.SYS
    19.3.2 SBALG.SYS
    19.3.3 SafeBoot.CSC/RSV
    19.3.4 SafeBoot.FS
  19.4 OTHER FILES
    19.4.1 srg files

20. SAFETECH

21. THEMES & LOCALIZATION
  21.1 THEMES
  21.2 KEYBOARDS
    21.2.1 Physical Keyboard Layouts
    21.2.2 Creating your own Keyboard Layout
    21.2.3 On Screen Keyboards
  21.3 PRE-BOOT LANGUAGE
    21.3.1 Creating your own Language file
  21.4 PRE BOOT TOKEN DESCRIPTIONS
  21.5 WINDOWS LANGUAGES

22. TROUBLESHOOTING PCS


23. ERROR MESSAGES
  23.1 MODULE CODES
  23.2 1C000 IPC ERRORS
  23.3 5C00 COMMUNICATIONS PROTOCOL
  23.4 5C02 COMMUNICATIONS CRYPTOGRAPHIC
  23.5 A100 ALGORITHM ERRORS
  23.6 DB00 DATABASE ERRORS
  23.7 DB01 DATABASE OBJECTS
  23.8 DB02 DATABASE ATTRIBUTES
  23.9 E000 SAFEBOOT GENERAL
  23.10 E001 TOKENS
  23.11 E002 SAFEBOOT DISK
  23.12 E003 SAFEBOOT SBFS
  23.13 E004 BOOT CODE IMAGE
  23.14 E005 CLIENT
  23.15 E006 ALGORITHMS
  23.16 E007 READERS
  23.17 E008 USERS
  23.18 E010 KEYS
  23.19 E011 FILES
  23.20 E012 LICENCES
  23.21 E013 INSTALLER
  23.22 E014 HASHES
  23.23 E015 APPLICATION CONTROL
  23.24 E016 ADMINISTRATION CENTER
  23.25 XXH: BIOS

24. TECHNICAL SPECIFICATIONS AND OPTIONS
  24.1 ENCRYPTION ALGORITHMS
    24.1.1 RC5-12 (FASTEST)
    24.1.2 RC5-18
    24.1.3 AES 256
    24.1.4 AES-FIPS (FIPS 140-2 Approved) - RECOMMENDED
    24.1.5 DES (FIPS 140-1 Approved)
    24.1.6 Blowfish
  24.2 SMART CARD READERS
    24.2.1 PCMCIA Smart Card Readers
    24.2.2 Generic USB CCID Smart Card Reader and compatibles
    24.2.3 PCI Smart Card Readers
  24.3 TOKENS
    24.3.1 Smart Cards
    24.3.2 USB Tokens
    24.3.3 Other Authentication Tokens
  24.4 LANGUAGE SUPPORT
    24.4.1 Client
  24.5 SYSTEM REQUIREMENTS
    24.5.1 Client

25. INDEX


Figures

FIGURE 1-1. SAFEBOOT ADMINISTRATOR INTERFACE
FIGURE 1-2. SAFEBOOT SERVER
FIGURE 1-3. OBJECT DIRECTORY IN DBHELPER
FIGURE 1-4. SAFEBOOT CLIENT
FIGURE 1-5. SAFEBOOT FILE ENCRYPTION UTILITY
FIGURE 1-6. SAFEBOOT CONNECTOR MANAGER
FIGURE 2-1. INSTALLING SBADMIN
FIGURE 2-2. SBADMIN START MENU
FIGURE 3-1. USER RIGHT-CLICK MENU
FIGURE 3-2. USER OPTIONS - GENERAL
FIGURE 3-3. USER CONFIGURATION - DEVICES
FIGURE 3-4. USER CONFIGURATION - APPLICATION CONTROL
FIGURE 4-1. TRAINING A SONY PUPPY
FIGURE 5-1. MACHINE ADMINISTRATION FUNCTIONS
FIGURE 5-2. MACHINE GROUP DESCRIPTION
FIGURE 5-3. BOOT PROTECTION AND GENERAL OPTIONS
FIGURE 5-4. SETTING DRIVE ENCRYPTION
FIGURE 5-5. ALLOWED USERS
FIGURE 5-6. CLIENT WARNING TEXT
FIGURE 5-7. SYNCHRONIZATION SETTINGS
FIGURE 5-8. CLIENT FILE GROUPS
FIGURE 5-9. SCREEN SAVER PROPERTIES
FIGURE 6-1. SAFEBOOT FILE GROUPS
FIGURE 6-2. FILE GROUP CONTENT
FIGURE 6-3. ADDING FILES TO THE OBJECT DIRECTORY
FIGURE 6-4. FILE PROPERTIES, FILE INFORMATION
FIGURE 6-5. FILE PROPERTIES, ADVANCED
FIGURE 8-1. SETTING THE NEW TEXT FILE PERMISSIONS
FIGURE 8-2. DOWNLOADING THE MESSAGE.TXT FILE
FIGURE 9-1. CREATING A GROUP INSTALLATION SET
FIGURE 9-2. CREATING INSTALLATION SETS, PAGE 1
FIGURE 9-3. SELECTING THE MASTER OBJECT DIRECTORY
FIGURE 9-4. CREATING THE INSTALL SET
FIGURE 11-1. SAFEBOOT RIGHT-CLICK TOOL TRAY MENU
FIGURE 11-2. SAFEBOOT CLIENT STATUS WINDOW
FIGURE 11-3. SAFEBOOT SCREEN SAVER
FIGURE 11-4. CHANGING THE PASSWORD PRE-BOOT
FIGURE 12-1. WINDOWS LOGON SETTINGS
FIGURE 12-2. LOGON TO WINDOWS REPLACEMENT DIALOG
FIGURE 13-1. VIEWING A USERS AUDIT LOG
FIGURE 14-1. SELECT USER OR MACHINE RECOVERY
FIGURE 14-2. STARTING THE RECOVERY PROCESS
FIGURE 14-3. STARTING RECOVERY
FIGURE 14-4. VALIDATING A USER
FIGURE 14-5. SELECTING THE RECOVERY OPTION
FIGURE 14-6. USER’S RECOVERY CODE
FIGURE 15-1. HASH GROUP
FIGURE 16-1. HASH GENERATOR MAIN SCREEN
FIGURE 16-2. HASH PROGRESS SCREEN
FIGURE 20-1. SAFETECH 5 MAIN WINDOW
FIGURE 22-1. SAFEBOOT WEBSITE

TABLE 4-1. LIST OF SUPPORTED TOKENS
TABLE 4-2. SAFEBOOT SMART CARD / READER COMPATIBILITY
TABLE 4-3. USB KEY / READER DRIVER REQUIREMENTS
TABLE 13-1. INFORMATION AUDIT EVENTS
TABLE 13-2. TRY AUDIT EVENTS
TABLE 13-3. SUCCEED AUDIT EVENTS
TABLE 13-4. FAILURE AUDIT EVENTS
TABLE 15-1. TRUSTED APPLICATION LOGIC
TABLE 21-1. THEME OVERVIEW
TABLE 21-2. KEYBOARD DEFINITION IN LOCAL.INI
TABLE 21-3. KEYBOARD MAP SOURCE FILE
TABLE 21-4. ON SCREEN KEYBOARD SOURCE
TABLE 21-5. ON SCREEN KEYBOARD DEFINITION
TABLE 21-6. PRE-BOOT LANGUAGE DEFINITION
TABLE 21-7. TOKEN TRANSLATION FILE
TABLE 23-1. MODULE ERROR CODES
TABLE 23-2. IPC ERRORS
TABLE 23-3. PROTOCOL ERRORS
TABLE 23-4. CRYPTO ERRORS
TABLE 23-5. ALGORITHM ERRORS
TABLE 23-6. DATABASE ERRORS
TABLE 23-7. DATABASE OBJECT ERRORS
TABLE 23-8. ATTRIBUTE ERRORS
TABLE 23-9. GENERAL ERRORS
TABLE 23-10. TOKEN ERRORS
TABLE 23-11. DISK ERRORS
TABLE 23-12. SBFS ERRORS
TABLE 23-13. SBFS ERRORS
TABLE 23-14. CLIENT ERRORS
TABLE 23-15. ALGORITHM ERRORS
TABLE 23-16. READER ERRORS
TABLE 23-17. USER ERRORS
TABLE 23-18. KEYS ERRORS
TABLE 23-19. FILES ERRORS
TABLE 23-20. LICENCES ERRORS
TABLE 23-21. INSTALLER ERRORS
TABLE 23-22. HASHES ERRORS
TABLE 23-23. APPLICATION CONTROL ERRORS
TABLE 23-24. MANAGEMENT CENTER ERRORS
TABLE 23-25. BIOS HARD ERRORS
TABLE 24-1. PRE BOOT LANGUAGES
TABLE 24-2. PRE BOOT KEYBOARD LAYOUTS
TABLE 24-3. WINDOWS SUPPORTED LANGUAGES


1. Introduction

1.1 Why SafeBoot Device Encryption?

Around 1,000,000 laptops go missing each year, causing an estimated 4 billion USD worth of lost data. Is your data safely stored? Ever thought about the risks you run for your company and your clients? SafeBoot was developed with the understanding that often the data stored on a computer is much more valuable than the hardware itself.

1.2 Design Philosophy

Unlike other security systems, SafeBoot Device Encryption does not prevent access to specific files, or in any way alter the way the PCs and PDAs are used.

SafeBoot’s product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a Smart Card via a USB, PCMCIA, serial or parallel reader. SafeBoot also has optional File and Media encryption programs (SafeBoot VDisk, SafeBoot File Encryptor and SafeBoot Content Encryption). SafeBoot supports all current Microsoft Operating Systems, and also common PDA platforms:

• Microsoft Windows 2000 through SP4

• Microsoft Windows XP through SP2

• Microsoft Windows 2003

• Microsoft Vista 32bit and 64bit (all versions)

• Microsoft Pocket Windows 2002 and 2003

• Microsoft Windows Mobile 5.0/6.0

• PalmOS 3.5 through 5.4

• Symbian UIQ

NOTE - For end users, SafeBoot allows users to work as usual, including the security and network services. Apart from the initial Logon, SafeBoot offers completely transparent security.


1.3 How SafeBoot Works

1.3.1 Protection

On PCs, the client side of SafeBoot, in simple terms, takes control of the user’s hard disk away from the operating system. SafeBoot’s driver encrypts every piece of data written to the disk, and decrypts every piece of information read off the disk. If any application managed to break through the SafeBoot barrier and read the disk directly, it would find only encrypted data, even in the Windows swap file and temporary file areas.

NOTE - Even if a Data Recovery agency tries to retrieve information from a SafeBoot-protected hard drive, without access to the SafeBoot System via the passwords or recovery information there is no way of accessing this data – total security.

SafeBoot installs a mini-operating system on the user’s hard drive; this is what the user sees when they boot the PC. SafeBoot looks and feels like Microsoft Windows, with mouse and keyboard support, moveable windows etc. This SafeBoot OS is completely contained and does not need to access any other files or programs on the hard disk, and is responsible for allowing the user to authenticate (with a password, or token such as a smart card).

Once the user has entered the correct authentication information, the SafeBoot operating system starts the crypt driver in memory, and boots the protected machine’s original operating system. From this point on the machine will look and behave as if SafeBoot was not installed. The security is invisible to the user, and because the only readable data on the hard disk is the SafeBoot operating system, and the encryption key for the hard drive is itself protected with the user’s authentication key, the only possible way to defeat SafeBoot is either to guess the hard disk encryption key (a one in 2^256 chance with the AES256 algorithm), or to guess the user’s password.

On PDAs such as Pocket Windows and PalmOS, SafeBoot installs applications and drivers to provide authentication and encryption services. SafeBoot can protect memory cards, internal databases (such as e-mail and contact lists), and provides secure, manageable authentication services.


1.3.2 Management

Every time a SafeBoot protected device boots, and optionally every time the user initiates a dial-up connection or after a set period of time, SafeBoot tries to contact its "Object Directory". This is a central store of configuration information for both machines and users, and is managed by SafeBoot Administrators. The Object Directory could be on the user’s local hard disk (if the user is working completely stand-alone), or could be in some remote location and accessed over TCP/IP via a secure SafeBoot Server (in the case of a centrally managed enterprise).

The SafeBoot protected machine queries the directory for any updates to its configuration, and if needed downloads and applies them. Typical updates could be a new user assigned to the machine by an administrator, a change in password policy, or an upgrade to the SafeBoot operating system or a new file specified by the administrator. At the same time SafeBoot uploads details like the latest audit information, any user password changes, and security breaches to the Object Directory. In this way, transparent synchronization of the enterprise becomes possible.

1.3.3 Objects, Entities, and Attributes explained.

SafeBoot 5 Device Encryption stores information about users, machines, servers, PDAs etc in collections called "objects" - from an internal point of view it does not matter to SafeBoot what an "object" represents, only the information it contains. So an object representing a user, say "John Smith", and an object representing a machine, for example "Johns Laptop" both contain information about encryption keys, account status and administration level.

Within the object are collections of configuration data called "attributes". Again, the same type of attribute may exist across many object types. To take our previous example of John and his laptop, the details of the encryption keys, user status and administration level would all be stored as separate attributes.

Entities are applications within the SafeBoot system. Because of the generality of the "object" design, all SafeBoot applications also have some generality about them. For instance, the "Entity" representing the SafeBoot client and the "Entity" representing the SafeBoot Server both authenticate to the Object Directory in the same way: as an "object" which could be a machine or a user; which of the two it is does not matter. This generality is mainly hidden from users and administrators, but because of this core design, you will find that many SafeBoot related functions and tasks are common between users, machines and entities.


1.4 The SafeBoot Components

1.4.1 SafeBoot Administration Center (SBAdmin)

Figure 1-1. SafeBoot Administrator Interface

The most important component of the SafeBoot enterprise is SBAdmin, the administrator interface. This utility allows privileged users to manage the enterprise from any workstation that can establish a TCP/IP link or file link to the Object Directory. Typical procedures that the SafeBoot Administrator handles are:

• Adding users to machines

• Configuring SafeBoot protected machines

• Creating and configuring users

• Revoking users logon privileges


• Updating file information on remote machines

• Recovering users who have forgotten their passwords

• Creating logon tokens such as smart cards for users

1.4.2 SafeBoot Server (SBServer)

Figure 1-2. SafeBoot Server

The SBServer facilitates connections between SafeBoot entities such as SBClient and SBAdmin, and the central Object Directory over an IP connection (rather than the file based "local" connection). The server performs authentication of the entity using DSA signatures, and link encryption using Diffie-Hellman key exchange and bulk algorithm line encryption. This ensures that "snooping" the connection cannot result in any secure key information being disclosed.

The server exposes the Object Directory via fully routed TCP/IP, meaning that access to the Object Directory can be safely exposed to the Internet / Intranet, allowing clients to connect wherever they are. As all communications between the Server and client are encrypted and authenticated there is no security risk in exposing it in this way.

There is a unique PDA Server which provides similar services to PDAs such as Microsoft Pocket Windows and PalmOS devices. More information about this can be found in later chapters.


1.4.3 SafeBoot Object Directory

Figure 1-3. Object Directory in DBHelper

The SafeBoot Object Directory is the central configuration store for SafeBoot 5 Device Encryption and is used as a repository of information for all the SafeBoot entities. The default directory uses the operating system’s file system driver to provide a high performance scalable system which mirrors an X500 design. Alternative stores such as LDAP are possible – contact your SafeBoot representative for details. The standard store has a capacity of over 4 billion users and machines.

Typical information stored in the Object Directory includes:

• User Configuration information

• Machine Configuration information

• Client and administration file lists

• Encryption key and recovery information

• Audit trails

• Secure Server Key information


1.4.4 SafeBoot Device Encryption PC Client

Figure 1-4. SafeBoot Client

The SafeBoot Device Encryption (DE) client software is largely invisible to the end user. The only visible part is an entry in the user’s tool tray (the SafeBoot icon).

Clicking on this icon allows the user to lock the PC with the screen saver (if one is selected). Right clicking on the monitor allows them to perform a manual synchronization with their Object Directory, or monitor the progress of any active synchronization.

Normally the SafeBoot client attempts to connect to its home server or directory every time the machine boots or establishes a new dial-up connection. During this process, any configuration changes made by the SafeBoot administrator are collected and implemented by the SafeBoot client. In addition, information such as the last audit logs are uploaded to the directory.


1.4.5 SafeBoot File Encryptor

Figure 1-5. SafeBoot file encryption utility

By right clicking on a file, users can elect to encrypt it using various keys. Files can be encrypted with other SafeBoot users’ keys, and/or passwords.

Once protected in this way the file can be sent elsewhere, for example via e-mail, or on a floppy disk, without the risk of disclosure.

When the file needs to be used, it just needs to be double clicked. A password or login prompt will be presented for authentication and, if the details are correct, the file will be decrypted.

The File Encryptor also has an option to create an RSA key pair for recovery – if the password to a file is lost, then the file can still be recovered using the correct recovery key.


1.4.6 SafeBoot Connector Manager

Figure 1-6. SafeBoot Connector Manager

SafeBoot’s directory, which keeps track of security information, is designed so that synchronization of details between SafeBoot and other systems is possible. The "Connector Manager" is a customizable module which enables data from systems such as X500 directories (commonly used in PKI infrastructures) to propagate to the SafeBoot Object Directory. Using this mechanism, it's possible to replicate details such as a user’s account status between SafeBoot 5 Device Encryption and other "directories". Current connector options include LDAP, Active Directory, and an NT Domain Connector. For information on these components, see your SafeBoot representative, or see the “Management Centre 5 Administrators Guide”.

1.5 Component Design

SafeBoot uses a suite of reusable components to handle the synchronization of security data between the users and administration systems.


1.5.1 SafeBoot Device Encryption Client

SafeBoot Configuration Manager (SCM)
        |
SafeBoot Directory Manager ---- SafeBoot Communication Manager (Client Side)
        |                                   |
        |                                   | Remote Link
        |                                   |
Local Object Directory          SafeBoot Communication Manager (Server Side)
                                            |
                                SafeBoot Directory Manager
                                            |
                                Local Object Directory

1.5.2 SafeBoot Administration

SafeBoot Administration (SBAdmin)
        |
SafeBoot Directory Manager ---- SafeBoot Communication Manager (Client Side)
        |                                   |
        |                                   | Remote Link
        |                                   |
Local Object Directory          SafeBoot Communication Manager (Server Side)
                                            |
                                SafeBoot Directory Manager
                                            |
                                Local Object Directory

1.5.3 SafeBoot Connection Manager

Alternate Information Database (e.g. LDAP)
        |
SafeBoot Directory Synchronizer (SDS)
        |
SafeBoot Directory Manager ---- SafeBoot Communication Manager (Client Side)
        |                                   |
        |                                   | Remote Link
        |                                   |
Local Object Directory          SafeBoot Communication Manager (Server Side)
                                            |
                                SafeBoot Directory Manager
                                            |
                                Local Object Directory

From the above diagrams, you can see that all SafeBoot components share a common communication backbone. This design has the benefit that the security information source is transparent to the driving application, and the end store can be changed with no modifications to the administration, client, or synchronization engines.

1.6 Install and Deployment

SafeBoot is installed on users’ PCs by running small deploy sets created by the SafeBoot Administration Center (SBAdmin). A deploy set is an executable file which contains the core components and drivers needed to enable SafeBoot on a user’s machine.


With the increasing necessity of install mechanisms which do not involve end users, and the software industry’s drive to make the cost of ownership and implementation of products as small as possible, SafeBoot 5 Device Encryption utilizes "smart-update" type technology. With this mechanism, only a small amount of code needs to be placed on the client machine to facilitate installation. The remaining code modules are downloaded on demand from either central SafeBoot Servers (in the case of a network install), or from a local compressed directory (in the case of a stand-alone PC). With network connected machines, this gives the additional benefit of being able to update SafeBoot files simply by updating the data stored in the Object Directory.

SafeBoot’s file deploy mechanism can also be used to "push" other files to SafeBoot protected machines. For instance, virus databases can be stored in the central SafeBoot directory; when one needs updating, a SafeBoot administrator upgrades the central copy. All SafeBoot protected machines notice the change and automatically download the new file. This deploy mechanism can also be used to make registry changes on remote machines, and can even execute files.


2. Installing SafeBoot Administration

NOTE - Readers unfamiliar with SafeBoot should follow the “Device Encryption 5 PC QuickStart Guide”, which walks through setting up a SafeBoot enterprise, before tackling any of the topics in this guide.

SBAdmin is the Administration part of SafeBoot and is the core tool for managing all SafeBoot aware applications. If this is the first time you have installed a SafeBoot application, you should read the SafeBoot QuickStart Guide. You will find this either in your SafeBoot box, or on your SafeBoot CD in the “DOCS” directory.

Install SBAdmin by running the appropriate “setup.exe” from the “SafeBoot5…” directory on your SafeBoot CD. You should run this first on the machine which you want to be the “master” or administrator’s machine. If you have a multi-language CD, select the language (for example “English”) you want to install.

Figure 2-1. Installing SBAdmin

The SafeBoot administration system will now be installed on your machine. Follow the on-screen prompts to install the software. You may be prompted to select a language, smart card reader, and encryption algorithm. For more information on these options please see the “Management Centre 5 Administrators Guide”. Once completed you may need to restart your system.


The SafeBoot management suite adds some items to your start menu. “SafeBoot Administration” starts the SafeBoot management console; “SafeBoot Database Server” starts the communication server which provides encrypted links between clients and the configuration.

Figure 2-2. SBAdmin Start Menu

After rebooting, run the SafeBoot Administration program. A wizard will walk you through the creation of a new SafeBoot directory. If you have an existing Object Directory in your network, you can connect to it by canceling the wizard and manually configuring a connection.

For more information on the SafeBoot Administration Center please see the “Management Center 5 Administrators Guide”.


3. Device Encryption User Policies

For information on SafeBoot users in general, please see the “Management Center 5 Administrators Guide”. The following sections detail the SafeBoot Device Encryption specific parameters.

3.1 User Administration Functions

Figure 3-1. User Right-click menu

3.1.1 Create Token

Creates a new Token for the selected user - this could be a soft (password) token, or a hard token such as a smart card or eToken. See Chapter 4 for more information.

NOTE: In the case of hard tokens, creating the token does not necessarily set the user to actually use that token. This must be accomplished separately from the user’s “Token” properties page.


3.1.2 Reset Token

Resets the token authentication to the default. In the case of the soft (password) token, this resets the password to 12345.

NOTE: Some hard tokens may not be able to be reset using SafeBoot - for example Datakey Smart Cards. In this case contact the manufacturer of your token to determine the correct re-use procedure.

3.1.3 Set SSO Details

Sets the Single-Sign-On details for the user. For more information on SSO see Chapter 12.

3.1.4 Force Password Change at Next Logon

Forces the user to change their password at their next logon.

3.1.5 View Audit

Displays the audit for the user - for more information see Chapter 13.

3.1.6 Reset (All) to Group Configuration

Resets the configuration of the user, or all the users in the group, to the group’s configuration.

3.1.7 Create Copy

Creates a new object based on the selected object.

3.1.8 Properties

Displays the properties of the selected object.


3.2 User Configuration Options

3.2.1 General

Figure 3-2. User Options - General

Auto-boot users

The special user id “$autoboot$” with a password of “12345” can be used to auto-boot a SafeBoot protected machine. This option is useful if an auto-boot of a machine is needed, for example when updating software using a distribution package such as SMS or Zenworks. This ID should be used with caution though, as it effectively bypasses the security of SafeBoot.

Enabled

Shows whether the user account is enabled or not. The enabled status is always user selectable.


When a SafeBoot Device Encryption system synchronizes with the SafeBoot Management Center, it checks the user account list to ensure that the currently logged on user is still valid (because they logged on at boot time, before the network and Object Directory were available). Users with disabled accounts (or users who have been removed from the user list) will find that the workstation locks and that they are unable to log in.

NOTE - If you want to force a SafeBoot machine to synchronize (and hence immediately stop the user from accessing the machine), you can use the "force sync" option to force an update. For more information see the SafeBoot DE Administrators Guide, Chapter 0.

3.2.2 Devices

Figure 3-3. User Configuration - Devices

Floppy Disk Access


Users can be prevented from accessing the floppy disk, or prevented only from writing to it. You can also elect to allow only Encrypted floppy disks - in this case users must format their own disks, which can then only be used by themselves (the disk is encrypted with the user’s personal key).

Ports

SafeBoot can attempt to block access to the serial and/or parallel ports. This blocking is implemented after the operating system has booted, so if the machine has a serial mouse, it will still function, as will a printer connected to the parallel port. This option is designed to stop users adding serial and parallel devices AFTER the machine has booted.

NOTE: If you need to take detailed control of the devices which are available to your users, please see SafeBoot’s Port Control product which provides granular device access.

3.2.3 Application Control

Figure 3-4. User Configuration - Application Control


SafeBoot includes an innovative application blocking system which can be used to restrict what code can actually be run by a user. For more information on this feature see Chapter 15.

List Contains Untrusted Applications (Blacklist)

Files specified in the listed file hash sets will be blocked (untrusted). All unlisted executable files will be permitted to execute code (trusted).

List Contains Trusted Applications (White list)

Files specified in the listed file hash sets will be permitted to execute code (trusted). All unlisted executable files will be blocked (untrusted).

Enable Blocking of Untrusted Applications

Blocks code from executing from untrusted applications. If this option is not set, then any code can run. This is a debugging option.

Enable Logging of Executed Applications

Logs files which try to execute code, with status messages indicating whether the file is trusted or not - this feature is useful for debugging trusted application file sets.
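The interaction of the four settings above, as an added example in Go that is not SafeBoot's own code. The SHA-256 digest, the type and function names, and the sample files are assumptions constructed for illustration, since the guide does not name the hash algorithm; `WouldBlock` is the dry run that logging without blocking provides when a trusted file set is being debugged.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ListMode says how the configured hash sets are interpreted.
type ListMode int

const (
	Blacklist ListMode = iota // "List Contains Untrusted Applications"
	Whitelist                 // "List Contains Trusted Applications"
)

// Policy mirrors the four Application Control settings in the guide.
type Policy struct {
	Mode           ListMode
	HashSet        map[string]bool // hex digests; SHA-256 is an assumption
	EnableBlocking bool            // "Enable Blocking of Untrusted Applications"
	EnableLogging  bool            // "Enable Logging of Executed Applications"
}

// Verdict is the outcome for one execution attempt.
type Verdict struct {
	Trusted bool
	Allowed bool
	Log     string // empty when logging is disabled
}

// File is a constructed stand-in for an executable on disk.
type File struct {
	Name    string
	Content []byte
}

// Constructed sample inputs (not real binaries or real product file names).
var sample = []File{
	{"winword.exe", []byte("constructed bytes: word processor")},
	{"sms-agent.exe", []byte("constructed bytes: distribution agent")},
	{"game.exe", []byte("constructed bytes: unapproved game")},
}

// Digest returns the hex SHA-256 of a file's bytes.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Evaluate applies the policy to one execution attempt.
func (p Policy) Evaluate(name string, content []byte) Verdict {
	listed := p.HashSet[Digest(content)]
	// Whitelist: listed means trusted. Blacklist: listed means untrusted,
	// so every file that is NOT listed is trusted by default.
	trusted := listed == (p.Mode == Whitelist)
	// With blocking off, trust is still computed but nothing is stopped.
	v := Verdict{Trusted: trusted, Allowed: trusted || !p.EnableBlocking}
	if p.EnableLogging {
		v.Log = fmt.Sprintf("%s trusted=%t allowed=%t", name, v.Trusted, v.Allowed)
	}
	return v
}

// WouldBlock lists the files that are untrusted under p, whether or not
// blocking is currently enabled. Run it before switching enforcement on.
func WouldBlock(p Policy, files []File) []string {
	var names []string
	for _, f := range files {
		if !p.Evaluate(f.Name, f.Content).Trusted {
			names = append(names, f.Name)
		}
	}
	return names
}

func main() {
	// Whitelist of two approved binaries, logging on, blocking still off.
	p := Policy{
		Mode: Whitelist,
		HashSet: map[string]bool{
			Digest(sample[0].Content): true,
			Digest(sample[1].Content): true,
		},
		EnableLogging: true,
	}
	for _, f := range sample {
		fmt.Println(p.Evaluate(f.Name, f.Content).Log)
	}
	fmt.Println("would block once enforcement is enabled:", WouldBlock(p, sample))
}
```

The same hash set read as a blacklist inverts every verdict, which is why an unlisted file is blocked in one mode and runs in the other.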


4. Using Tokens with Device Encryption

SafeBoot supports many different types of logon token, for example passwords, smart cards, Aladdin eToken, and others. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared.

A summary of the supported tokens:

Token Name | Token Type
ActivIdentity Smart Card | Stored Value, Certificate
ActivIdentity USB Key | Stored Value, Certificate
Aladdin eToken USB Key | Stored Value
Charismathics USB Key | Stored Value
DataKey Smart Card | Stored Value
DOD CAC Smart Card | Certificate, Storage, All versions
Datev PKI Smartcard | Certificate
Embedded Infineon TPM Chip | Stored Value
Estonian National ID Smart Card | Certificate
HP ProtectTools Smart Card (Branded ActivIdentity smart card) | Stored Value / Certificate
IZN Certificate Smart Card | Certificate
Passfaces | Stored Value
Password Only | Stored Value
RSA SecurID RSA5100 Smart Card | Stored Value
RSA SecurID SID800 | Stored Value
PToken Identity Card | Certificate
SafeBoot Black Smart Card | Stored Value
SafeBoot Red Smart Card | Stored Value
SafeBoot Phantom Biometric USB Stick | Stored Value
SafeNet IKEY 2032 USB Key | Stored Value
Siemens CardOS 4.3b and 4.01a Smart Card | Certificate
Setec Identity Card | Certificate
Sony Puppy | Stored Value
TEID Identity Card | Certificate
Telesec Identity Card | Certificate
Vasco Digipass 860 USB Key | Stored Value

Table 4-1. List of supported tokens

4.1 General Token Operation.

1. Hardware Device Support

Ensure the machine has the appropriate Windows drivers for the hardware tokens it needs to support. For example, if you intend to use Aladdin eTokens, you need to install the Aladdin eToken RTE (Run Time Environment).

If you intend to use smart cards, you need to ensure that a SafeBoot supported smart card reader is installed, along with its drivers – for example the Mako/Infineer LT4000 PCMCIA smart card reader must be installed.

In both cases, the appropriate device drivers are available either direct from the manufacturer, or from the SafeBoot install CD in the “Tools” directory.

2. Device Encryption Driver Support

Once you have installed hardware support for the devices, you can enable software support for them – from the machine, or machine group properties window, select the “Files” properties pane and tick the appropriate options for the tokens you want the machine, or group of machines to support.

For example, if you want the machines to support eTokens, select the “eToken PRO Client Token” file group. To support the Mako/Infineer Smart Card reader, select “Infineer Smart Card Reader” file set.

You should also note that some USB key tokens are in fact a combined USB Smart Card reader and USB Device in one unit, so you also need to add USB CCID Smart Card reader support to your Device Encryption clients for them to work. See the compatibility document later in this chapter for information on the tokens which are of this nature.


3. Assign the token to the user and create it.

From the user’s “Token” properties pane, select the token you want that user to log in with. SafeBoot will prompt you to insert the token and will create the appropriate data files on it.

If all steps are followed, when you install SafeBoot, or after the machines synchronize, users will be able to log in using their new token.

NOTE: When learning how to use SafeBoot, we advise you always leave at least one password-only user assigned to machines in case you make a mistake when setting up token support.

4.2 Stored Value Tokens

SafeBoot can store user keys on certain tokens, such as smart cards or USB keys such as the Aladdin eToken.

Storage tokens hold around 1KB of data on each token, unique to the SafeBoot environment and the SafeBoot user, and need to be configured within the SafeBoot Management Center for the specific user before they can be used.

Tokens offer the following advantages over passwords:

• The user's key is not stored on the user's machine, and is protected from brute force attack by the microprocessor of the token

• The same token can be used to authenticate to many systems

• Tokens can be used for other physical purposes, for example door access systems

SafeBoot supports many types of token, and the list is continuously growing. Some examples are:

Soft tokens such as:

• Password Only Token

Smart Cards such as:

• ActivIdentity Smart Card and USB Keys from ActivIdentity (http://www.actividentity.com)

• SafeBoot Black Smart Card (G&D Cardos 1.2 T=1)

• SafeBoot Red Smart Card (G&D Cardos 1.2 T=0)

• RSA SecurID RSA5100 Smart Card from RSA (http://www.rsa.com)


USB tokens such as:

• RSA SecurID SID800 USB Authenticator from RSA (http://www.rsa.com)

• Charismathics USB Authenticator Token (http://www.charismathics.com/)

• Aladdin eToken 64k Authenticator Tokens (http://www.aladdin.com)

• SafeNet IKEY 2032 USB Token (http://www.safenet.com)

• SafeBoot Phantom Biometric USB Stick (http://www.safeboot.com)

4.3 Certificate, or “Crypt Only” tokens

SafeBoot can leverage your investment in PKI and tokens to allow users to authenticate using their certificates. This can be quite advantageous in the corporate environment for the following reasons:

• Leverage investment in PKI and existing tokens

• Tokens do not need to be provisioned specifically for SafeBoot

• Users can log in to Windows etc. using their PKI certificates

• Revocation of certificates denies access to SafeBoot-protected PCs

By using one of SafeBoot’s certificate connectors, you can quickly make your SafeBoot enterprise aware of all certificate-holding users, and can allow them to be allocated to PCs using SafeBoot Device Encryption without having to create new smart cards or other forms of token for them to use.

SafeBoot has been tested with the following tokens and PKI environments – more tokens and PKIs are being developed so if your environment is not listed, please contact your SafeBoot representative for the latest information.

You can use any token with any PKI.

PKIs

• Microsoft Certificate Server

• Entrust

• T-Systems

• Estonian National ID Card System

Tokens


• Datev PKI Smartcard

• ActivIdentity Smart Card and USB Keys from ActivIdentity (http://www.actividentity.com). This token is also branded by HP as an HP ProtectTools Smart Card

• Estonian National ID Smart Card (http://id.ee)

• Telesec TCOS ID Card / IZN ID Card

• Siemens CardOS 4.3b and 4.01a Smart Card (http://www.siemens.com)

• Setec ID Card (http://www.setec.com)

4.3.1 How Certificate Tokens Work

Certificate tokens leverage the unique one-way properties of public-key encryption: that a piece of data can be encrypted for a user, using some public information, but cannot be subsequently decrypted with that same information.

SafeBoot uses the information stored in the public certificate store of a PKI to look up users and encrypt their unique SafeBoot key with the public key stored in their certificate. This online process is handled transparently by one of the SafeBoot Connectors.

Once encrypted, SafeBoot stores the information within its policy store, and makes it available to all SafeBoot-aware applications. For example, with SafeBoot Device Encryption, the user's key encrypted with their public key is stored on each machine the user is assigned to.

When a user tries to log in, SafeBoot sends their encrypted user key to their token and asks it to decrypt it using the private key stored on the token. The actual decryption happens securely within the microprocessor of the token, and only after the user has supplied the correct token PIN or password. This ensures the user's decryption key (private key) never has to leave the token.

Once decrypted, the resulting user key can be used to authenticate the user.

You can see from this process that there is no need for SafeBoot to have prior experience of the user's token, or to have stored anything on it. All the information SafeBoot needs to prepare the system can be obtained online through the PKI certificate server.
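The wrap-and-unwrap flow described above, as an added example in Go that is not SafeBoot's implementation. RSA-OAEP with a 2048-bit key, the PIN retry counter, the `KeyCheck` digest and all type and function names are assumptions; the guide does not specify the algorithms or how the recovered key is validated.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrBadPIN = errors.New("token: wrong PIN")
	ErrLocked = errors.New("token: PIN retry counter exhausted")
	ErrBadKey = errors.New("logon: recovered key does not match machine record")
)

// Token stands in for the smart card: the private key lives only inside this
// struct, and Decrypt is the only private-key operation the host can request.
type Token struct {
	priv      *rsa.PrivateKey
	pin       string
	maxTries  int
	triesLeft int
}

// NewToken generates the key pair "on card" (2048-bit RSA is an assumption).
func NewToken(pin string, maxTries int) (*Token, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pin: pin, maxTries: maxTries, triesLeft: maxTries}, nil
}

// PublicKey is the value the PKI publishes in the user's certificate.
func (t *Token) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// Decrypt unwraps blob inside the token, but only after a correct PIN.
// Each wrong PIN burns one try; at zero the token refuses all requests.
func (t *Token) Decrypt(pin string, blob []byte) ([]byte, error) {
	if t.triesLeft <= 0 {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) != 1 {
		t.triesLeft--
		return nil, ErrBadPIN
	}
	t.triesLeft = t.maxTries
	return rsa.DecryptOAEP(sha256.New(), nil, t.priv, blob, nil)
}

// MachineRecord is what each assigned machine stores for the user.
type MachineRecord struct {
	WrappedKey []byte   // user key encrypted under the certificate's public key
	KeyCheck   [32]byte // SHA-256 of the user key (assumed verifier)
}

// Provision is the connector's job. It needs only the public certificate,
// so nothing has to be written to the token beforehand.
func Provision(pub *rsa.PublicKey, userKey []byte) (MachineRecord, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, userKey, nil)
	if err != nil {
		return MachineRecord{}, err
	}
	return MachineRecord{WrappedKey: wrapped, KeyCheck: sha256.Sum256(userKey)}, nil
}

// Logon is the pre-boot side: hand the blob to the token, then check the result.
func Logon(t *Token, pin string, rec MachineRecord) ([]byte, error) {
	key, err := t.Decrypt(pin, rec.WrappedKey)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(key)
	if subtle.ConstantTimeCompare(sum[:], rec.KeyCheck[:]) != 1 {
		return nil, ErrBadKey
	}
	return key, nil
}

func main() {
	tok, err := NewToken("4921", 3) // constructed PIN
	if err != nil {
		panic(err)
	}
	userKey := make([]byte, 32) // constructed random user key
	if _, err := rand.Read(userKey); err != nil {
		panic(err)
	}
	rec, err := Provision(tok.PublicKey(), userKey)
	if err != nil {
		panic(err)
	}
	_, err = Logon(tok, "0000", rec)
	fmt.Println("wrong PIN:", err)
	key, err := Logon(tok, "4921", rec)
	fmt.Println("correct PIN:", err == nil, "-", len(key), "byte key recovered")
}
```

The machine record alone is useless without the matching token, and a different user's token fails the OAEP decryption even when its PIN is entered correctly.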


4.3.2 Certificate Connectors

Setting up Certificate tokens is the responsibility of the SafeBoot Certificate connectors – these are available for both Active Directory and LDAP systems, and more information on configuring them can be found in the “Management Center 5 Administrators Guide”, in the “Active Directory Connector” and “LDAP Connector” chapters.

The connectors can search AD and LDAP directories for users, and create them in SafeBoot based on certain criteria. The connectors can also monitor CRL lists for revoked certificates, and also automatically handle the rollover of certificates on expiry.

4.4 Other Types Of Token

There are other types of token also supported by SafeBoot, such as Biometric and Cognometric tokens. For more information on these tokens please contact the manufacturer or your SafeBoot Distributor.

Other Tokens Supported in SafeBoot Device Encryption:

• Sony Puppy Biometric Reader (http://www.sony.co.jp/puppy/)

• RealUser Passfaces (http://www.realuser.com)

• Infineon Embedded TPM Chip

4.5 Token Compatibility

SafeBoot supports many tokens, but due to the pre-boot nature of Device Encryption, not all tokens are supported in all environments. The following table indicates known compatibility issues. If you have a specific token requirement, please contact your SafeBoot representative for the latest information.

4.5.1 Smart Card / Smart Card Reader Compatibility

Smart Card (table columns):

• SafeBoot Black (T=1) (Stored Value)
• SafeBoot Red (T=0) (Stored Value)
• Datev (PKI Mode)
• ActivIdentity (Stored Value) T=0
• RSA SecurID RSA5100 (Stored Value)
• ActivIdentity (PKI Mode)
• Estonian National ID Card
• IZN Certificate
• Siemens CardOS

Reader (table rows):

• Generic USB CCID
• Omnikey 3021 CCID ? ? ? ?
• ACR38 USB Reader
• GemPC 430 USB
• Dell D620 Integrated reader
• SCM SCR243 PCMCIA
• PCI Integrated
• SCM SCR201
• CISCO / PSCR PCMCIA
• Cardman 4040
• TI Embedded (Dell D610, HP NC6400)
• O2 Micro Embedded (Dell D600 etc)

Table 4-2. SafeBoot Smart Card / Reader Compatibility


Some USB key tokens are in fact a combined USB Smart Card reader and USB Device in one unit, so you also need to add USB CCID Smart Card reader support to your Device Encryption clients for them to work.

4.5.2 USB Key / Reader Driver Requirements

USB Key (table columns):

• RSA SID800 (Storage)
• RSA SID800 (Certificate)
• Charismathics (Storage)
• Vasco Digipass 860 (Storage)
• ActivIdentity ActivKey
• Aladdin eToken 64K
• SafeNet IKEY 2032

Reader (table rows):

• Generic USB CCID Reader
• Not Required

Table 4-3. USB Key / Reader Driver Requirements

4.6 Specific Token Notes

4.6.1 RSA SID800 USB Token

Storage token supported pre-boot. This token requires firmware 1.01.33 or higher.

4.6.2 ActivIdentity Smart Cards and USB Keys

These modules support ActivIdentity 64K v1 (card profile S4), ActivIdentity 64K v2 (card profile O4) and ActivIdentity 64K v2C (card profile S4) cards. You can choose to use the card in Stored Value mode or Certificate mode. The tested ActivIdentity ActivKeys are the AAK300 version (product code ZFG-3007-AB).

4.6.3 Infineon Embedded TPM Chip

The Infineon Trusted Platform Module (TPM) on Fujitsu PCs can be used as a token for SafeBoot allowing:

• Authentication to SafeBoot Administration

• Pre-Boot Authentication

• Screensaver Authentication


Note: When you wish to use the TPM as a token for SafeBoot Administration, you must ensure that the UserID is not used on any other PC with a TPM as it will be locked to that PC from then on.

The embedded TPM chip, in its simplest form, can be envisaged as a smart card physically attached to the motherboard of the PC. The TPM (Trusted Platform Module) can perform similar cryptographic operations to PKI smart cards, such as encryption, decryption, key generation, signing of data etc.

With the SafeBoot TPM module, the TPM chip is used to secure a user's logon credentials. This means that, once initialized, the user's unique secret key is removed from the SafeBoot environment and secured by the TPM chip. From this stage onwards the user will only be able to log in to that particular machine.

Conversion from password mode to TPM mode is automatic and occurs as soon as the user uses their account on a TPM protected machine. From activation onwards, that SafeBoot user will only be able to log into the machine on which the TPM chip holds their keys.

Pre-Requisites for SafeBoot Pre-Boot TPM Support

• SafeBoot V5.0

• PC with Infineon TPM Chip installed (TCG Spec. Version 1.2)

SafeBoot's TPM module also requires that the TPM be "initialised". This involves creating the Endorsement Key, Storage Root Key and setting an Owner password. If this is not done, SafeBoot will find the TPM and try to convert the user to use it at first logon, but the operation will fail and the user will not be able to logon.

• Infineon TPM Professional Package (Version 2.5)

The TPM initialisation process is performed by the Infineon software after you install it.

• The TPM Chip must be enabled in the BIOS on the target PC.

The TPM has to be enabled in the BIOS (which it isn't by default). Until it is enabled, it is essentially not present as far as the SafeBoot and Infineon software are concerned. If you try to install the Infineon software with the TPM disabled, it will warn you that the "Infineon TPM not found" and abort the install (exactly as it does on machines without a TPM).

SafeBoot has been tested with the following TPM Components:

Infineon TPM Professional Package v2.5 HF2

Chip State = Enabled

Owner State = Initialized


User State = Initialized

Trusted Platform Module:

TCG Spec. Version = 1.2

Vendor = Infineon Technologies AG

Chip Version = SLB 9635 TT 1.2 (41313100) FW Version = 1.00 FW ROM CRC = 0x4028

TPM Device Driver:

File name = ifxtpm.sys (x86)

Version = 1.80.0002.00 built by: WinDDK

TPM Device Driver Library:

File name = IFXTPM.dll

Version = 2.50.0771.00

Configuring the TPM on the target PC

The following instructions detail how to enable TPM support for a user on a target PC.

1. From the system tray double-click the TPM icon or from Start-> All Programs -> Infineon Security Platform solution -> Manage Security Platform

2. Click on the User Settings tab

3. Click on the Basic User Password -> Change button

4. Follow the on-screen instructions to register a password for the TPM.

5. When you have successfully created the TPM password, exit the application.

SafeBoot DE 5.0 setup

1. Install SB5.0 with TPM support

2. Login to SBADMIN

3. Click on Devices and from SafeBoot Machine Groups add a new Machine Group

4. Right click on the Machine Group and select properties

5. Click on the Files icon and select TPM Machine Chip and apply these settings

6. Click on the User’s tab and create a SafeBoot User


7. Right click on the new SafeBoot user and select properties

8. Assign an Infineon Embedded TPM Chip to the User and apply these settings

(Note the Configure option does not apply to the Puppy token)

9. Assign the user to the machine group

10. Create an install set from the machine group.

Installing SafeBoot with TPM

1. Install SafeBoot on the Client PC using the newly created install set

2. Reboot and Synchronize with the SafeBoot Database

3. Login to the Pre-Boot authentication using the default password “12345”

4. When prompted to change the password, select the same password as the Basic User password for the TPM

5. From the PCs next boot the password for the TPM will be the TPM Basic User password.

6. Reboot machine and logon at PBA by selecting the Sony Puppy token.

Recovery

When a user password recovery is performed SafeBoot will reset the password to the default ‘12345’ and will allow the user to login. The user will be prompted to change the password. Select a new password and ensure that you change the TPM password to the new one before rebooting the PC.

4.6.4 Sony Puppy Fingerprint Reader

The Sony Puppy can be used as a token for SafeBoot allowing:

• Authentication to SafeBoot Administration

• Pre-Boot Authentication

• Screensaver Authentication

The Puppy allows two modes of operation: Fingerprint or Password. This means that if a user fails to log in using their fingerprint, they can do so using their password.

Requirements to use Sony Puppy with SafeBoot

1. Puppy Suite Enterprise / Personal - v2.1 or later

2. Sony Puppy device (FIU-810-N03)


3. SafeBoot V5.0

The following instructions detail how to enable Sony Puppy support for a user. For this you will need to have a new Sony Puppy, or to reset an existing one using the Sony Puppy Administration Tools.

Step 1. Setup the Sony Puppy Fingerprint Reader

1. Install the Sony Puppy software - SC-API 810 setup (Basic)

2. Plug the Sony Puppy finger-print reader into an available USB Port

3. Click Start -> All Programs -> FIU-810 tools -> User Manager

4. Follow the on screen instructions to register a UserName and Fingerprint / Password for the device

5. When you have successfully created the Sony Puppy User and registered your fingerprint(s) exit the application.

Step 2. SafeBoot DE 5.0 setup

1. Install SB5.0 with Sony puppy support

2. Login to SBADMIN

3. Click on Devices and from SafeBoot Machine Groups add a new Machine Group

4. Right click on the Machine Group and select properties

5. Click on the Files icon and select Sony Puppy Client Files

6. Apply these settings.

7. Click on the User’s tab and create a SafeBoot User (Keep a note of the UserID)

8. Right click on the new SafeBoot user and select properties

9. Assign a Puppy token to the User and apply these settings

(Note the configure option does not work with the Puppy token).

10. Assign the user to the machine group.

11. Create an install set from the machine group.

Step 3. Installing SafeBoot with Puppy Support

1. Install SafeBoot on the Client PC using the newly created install set

2. Once installed, start SbPuppytrainer.exe from default SafeBoot directory.

3. Select Train Puppy from the menu.


The following screen is displayed:

Figure 4-1. Training a Sony Puppy

4. Select Use SafeBoot Username and enter the UserID and Password of the SafeBoot user and click the Logon with Password button.

You will be asked to verify your fingerprint.

5. Place your finger on the reader and it should verify "OK"

The training is complete. You may Reboot the machine and logon at PBA by selecting the Sony Puppy token.

4.6.5 Aladdin eToken 64KB

Tokens with id 0x0514 and 0x0600 are supported. Tokens 0x050c are no longer supported as they are discontinued by Aladdin.

This token module requires Aladdin RTE 3.65 to be installed.

4.6.6 SafeNet IKEY 2032

Requires the v3.4.7 drivers as available from www.safenet.com. The Windows update drivers do not function. This token is supported in Storage Mode only.

4.6.7 SafeBoot Phantom USB Biometric Key

The SafeBoot Phantom is a combined USB storage + Biometric authentication token. To use it for Device Encryption Pre-Boot:

Step 1.


Create a user and assign their finger within the USB Phantom by running SMCforUSB.exe (this is the USB Management utility):

1. Create user

2. Enrol user i.e. register finger!

3. Assign a partition to the user

Step 2.

1. Within the SafeBoot Management Center create a user account for the user name created in step 1.

2. Assign the SafeBoot for USB token to the user (the default token is password). Note: the default in DE is to create a default password of 12345.

Step 3.

Define Machine Policy which should include file sets:

• DE 5.x client files

• READER: USB CCID smart card

• TOKEN V5x: SafeBoot for USB Phantom client files

Step 4.

Create an online installation set. Note: assign the user or user group to the machine as part of the machine policy.

Step 5.

Install Safeboot5x.exe on the client PC.

After the second reboot of the client you should see the pre-boot authentication screen, which will have password and SafeBoot for USB token options.

Step 7.

Select SafeBoot for USB which should generate a SafeBoot Biometric challenge screen

1. Attach USB phantom to PC.

2. Swipe the enrolled finger on the USB Phantom

3. Tick the box for user listed “Provide User Name”


The standard SafeBoot logon screen should appear which will require the SAME user name to be entered as the one registered with the USB Phantom. At this point you will need to enter the default DE password of 12345 which will marry the DE Safeboot client with the USB phantom. This step has completed the integration of the SB DE client with the USB phantom.

The PC should now boot into Windows. After rebooting the client you should only be prompted to authenticate via the USB Phantom biometric reader.


5. Creating and Configuring Machines

The Object Directory contains a unique record for every machine attached to it. When SafeBoot installs, it creates a record either directly in the Object Directory, or in a transfer directory for later inclusion – this “object” contains the machine’s encryption key, hard drive geometry, and secure configuration.

Each user machine periodically tries to connect to its parent directory to check that its local configuration matches the centrally defined one. If there are any differences, the local machine reconfigures itself to match. You can change any aspect of the machine’s configuration centrally; these changes get applied to the machine the next time it synchronizes.

Machines normally create their own object in the directory when SafeBoot first installs; this happens automatically if you use a Group Install Set (see Chapter 9). You can, however, pre-create a “placeholder” object for the machine, set a unique custom configuration for it, and then create an install set for that object only.

Users are assigned to machines and machine groups. When the machine synchronizes it compares its local user list with that in its Object Directory entry. Any changes are made in real time, including disabling the current user if their account status becomes removed or disabled.


5.1 Machine Administration Functions

Figure 5-1. Machine Administration Functions

5.1.1 Create Machine

Creates a new “placeholder” machine definition. If in the future a new machine with the same network name tries to install itself into the group, it will take over the placeholder object and use the configuration set within it.

5.1.2 Rename Machine

Changes the SafeBoot name of the machine.

NOTE: This does not affect the machine's network name, which can be seen from the General Properties page.


5.1.3 Delete

Deletes the machine entry – you will be given the opportunity to Permanently Delete the machine, or to move the machine to the Recycle Bin (where it can be later restored).

5.1.4 Import Machines

Imports a machine definition into the group - This definition could be from a machine created using an Offline Install (see Chapter 10) or from an export from another database.

5.1.5 Export Configuration

Exports the configuration information for a machine (.sdb file) which can be used for diagnostic or troubleshooting tasks (see Chapter 22), or for import into an alternate database.

5.1.6 Create Install Set

Creates a package of all the files and configuration needed to install SafeBoot - for more information see Chapter 10.

5.1.7 Force Synchronization

You can elect to force a machine (or group of machines) that is online to perform an immediate configuration synchronization. You might do this if you have removed a user from a group (or disabled them) and it is imperative that they are disabled immediately, or if a user has a configuration issue that needs resolving.

To do this, select the machine (or machine group) in question, and use the "Force Synchronization" option from the window menu or right-click menu. The Administration Center sends a short message to the machine in question (using its stored DNS or IP address) telling it to perform an immediate synchronization to update its policies.

If you "Force Sync" a machine that is not online, or that refuses the request because SafeBoot is no longer installed, an error message is generated. If SafeBoot is already in the process of performing a configuration change on the remote machine, the sync request is ignored.


5.1.8 Reboot Machine

You can select the “Reboot Machine” option to attempt to reboot one or many machines – this sends a message to the machines in question telling them to perform an immediate shutdown. Users may not be given enough time to save their work, so this feature should be used with caution.

You can configure the messages and timeout of the reboot option by editing the SCM.ini file, as explained in Chapter 18 of this guide.

NOTE: There are some instances when Windows will prevent remote rebooting of a system, e.g. while the screen-saver is active.

5.1.9 Lock Machine

You can remotely activate the screen saver on a given machine by using the “Lock Machine” command. Both machines and groups of machines can be locked in this way.

5.1.10 Add Users

You can add a number of users to a collection of machines using this option – You can select the machine, or combination of machines you want to add users to from a group or search window.

5.1.11 View Audit

Displays the audit for the machine - for more information see Chapter 13.

5.1.12 Reset to Group Configuration

Resets the configuration of the machine, or of all the machines in the group, to the group's configuration, and optionally sets the user list to match the group user list.

5.1.13 Create Copy

Creates a new object based on the selected object.

5.1.14 Properties

Displays the properties of the selected object.


5.2 Machine Configuration Options

The following configuration options can be set for machines, or groups of machines.

5.2.1 Machine Groups

Figure 5-2. Machine Group Description

Description

You can enter a text description for a machine group, such as the physical location of the machines.


5.2.2 General

Figure 5-3. Boot Protection and General Options

Boot Protection

The status of SafeBoot can be set in one of four modes. Both the desired and current protection status are shown.

Disabled – SafeBoot is installed and listening, but is not securing the computer. You can change the status to another mode and this will be reflected at the next synchronization.

Enabled – SafeBoot is protecting the machine, and requiring users to logon.

Remove – SafeBoot will decrypt and uninstall itself at the next synchronization.

Remove and Reboot – as above, with the addition that SafeBoot will automatically reboot the machine after uninstalling.

Removed – SafeBoot is no longer installed on the machine, and its entry can be deleted from the directory.


TIP – If you select “Remove” and let the machine uninstall SafeBoot, remember to either delete the entry from the directory, or set the protection back to “Enable” before re-installing SafeBoot. If you forget this, then as soon as the new install connects, it will remove itself again.

Description

A text description of the machine, such as its specification, model or physical location.

Network Name

The machine's logical network name. You can find and filter the Machine tree for the machine's name using the Object/Filter option.

Options

Windows Logon

• Require SafeBoot Logon – SafeBoot takes control of the normal windows logon screen, and screen saver logon. Users will be prompted for their SafeBoot credentials.

• Attempt automatic Windows Logon – SafeBoot tracks the user’s Windows id, password and domain, and presents these automatically to windows logon boxes. This mechanism means once the user has authenticated to SafeBoot at the boot screen, they do not need to enter any more passwords for Windows.

NOTE – If the user’s Windows credentials are different from their SafeBoot credentials, SafeBoot stores the windows credentials the first time they are used. It may take two reboots before the single sign on becomes active.

• Require SafeBoot re-logon – If the user logs out of Windows, SafeBoot will control the login box for the next login.

• Automatically logon as boot user – If there are no stored Windows credentials for the user, SafeBoot tries to login to Windows with the user’s SafeBoot credentials.

• SafeBoot logon component always active – If selected, the SafeBoot login component is kept active on the machine even if all the other options are disabled. This means that it can be reactivated mid-session during synchronization with the Object Directory. If all options are deactivated, the SafeBoot logon component can only be reactivated after a reboot.

• Set SafeBoot Password to Windows Password – If the Windows and SafeBoot login passwords differ, users will be prompted to set the SafeBoot password to the Windows password. Also, if the user changes their password in Windows, their SafeBoot password will be set to match.


• Must Match Windows user name – If this option is enabled and a user’s SafeBoot and Windows user IDs do not match, no SSO credentials will be stored for the user. This prevents an administrator’s Windows credentials being associated with a normal user’s SafeBoot account in the case that the normal user logged in at pre-boot, but then an administrator authenticated to Windows.

Booting

• Allow Booting from the hard disk – If disabled, users will have to boot the machine with a machine bootable token such as a SafeBoot Floppy Disk. This adds security in that the machine is inaccessible without the token.

NOTE: This option is not available with SafeBoot version 4.1 or later.

Virus Protection

• Enable MBR Virus protection – SafeBoot monitors boot sector activity, and prevents any program writing to it. SafeBoot also monitors the BIOS signature to further prevent boot viruses.

NOTE – If you have this option enabled and you move a protected hard disk between two machines, SafeBoot will detect this as a possible virus and prevent the machine being used until a virus reset has been performed. For information on this procedure, see Chapter 20.

Miscellaneous

• Do not display previous user name – Hides the ID of the last logged on user in all SafeBoot logon dialogs, and changes the “Incorrect Password” and “Unknown User ID” error messages to a generic message.

• Reject Suspend/Hibernate Requests – Stops the machine performing an insecure power action.

• Disable Checking for AutoBoot – Switches off the $autoboot$ user support on this machine. If the machine has many users assigned, this option can speed up the boot time.

• Do not lock after AutoBoot is removed – Normally SafeBoot locks the workstation if the currently logged in user is removed or disabled as part of a synchronization event. This is to prevent the machine being used in the event that there is no current user. Switching this option on stops the autolock happening if the $autoboot$ user is removed, and may be useful in the case of automated software updates.


• Allow AutoBoot user to be managed locally – Enables support for the “-disablesecurity” and “-reenablesecurity” options of the SafeBoot Automation library. For more information on these options see the SBAdmCL users guide.

• Disable Clearing of status log – Prevents users from clearing the Client side status log.

• Always display On-screen keyboard – Forces the pre-boot to always display a clickable on screen representation of the keyboard. This option is of most benefit to TabletPC users.

• Enable Boot Disk Compatibility – Some machines have BIOS code which mounts USB disks as physical drives. This is an unusual mode of operation and means that after SafeBoot has finished its authentication, Windows will hang trying to access the drive through the BIOS physical interface (because SafeBoot is also a 32 bit platform, it unloads all BIOS drives when it finishes). This option forces the low-level SafeBoot drivers to block access to disks other than the boot disk, meaning Windows will not detect these USB drives until the USB stack is initialized. An alternate solution would be to unplug all USB drives before booting the machine.

• Always enable pre-boot USB support – This option forces the SafeBoot pre-boot code to always initialize the USB stack. Normally this option should not be enabled as SafeBoot will dynamically enable USB on demand.


5.2.3 Encryption

Figure 5-4. Setting Drive Encryption

Before a machine has first synchronized with the Object Directory, or in the case of the properties of a machine group, the Object Directory does not know what drives and partitions are available to be encrypted. The SafeBoot Administration Center gives you the ability to specify any partition name and elect to encrypt it.

Once the machine has synchronized, only the partitions present on it will be shown.

Encryption Mode

You can specify one of three encryption modes – “Full” encrypts the entire partition, “Partial” encrypts only the first 10% of the drive, “None” leaves the drive in plain text with no security. The “Last Reported Setting” can be used to verify if the machine has applied recent configuration changes.

The “Last Reported Setting” for a drive is the exact state of encryption the last time the machine reported to the Database.


NOTE – Partial encryption is designed to encrypt the directory structure and file allocation table on FAT drives – it does not stop a competent hacker reassembling file data from the drive.

Recovery key

You can boot a machine, or close the SafeBoot screen saver without logging on using the recovery process – this involves the user reading a small “challenge” of 18 characters from the machine to an administrator, then typing in a larger “response” from the administrator. The recovery key size defines the exact length of this code exchange. For more information see Chapter 14. A recovery key size of “0” disables the machine recovery system.

Removable Devices

You can configure Device Encryption to also encrypt removable drives such as USB/Firewire hard disks, Flash drives etc. Normally, Device Encryption only protects physically attached hard disks – for example IDE or SCSI hard disks. This is because SafeBoot Device Encryption is related to the machine, not the user – it’s impossible to share drives encrypted with Device Encryption between different machines. If you need to share data amongst users and machines, please consider SafeBoot Content Encryption.

• Manually Select – Normally removable drives will not be shown in the encryption list. Selecting this option makes them visible.

• Always Encrypt – Forces encryption of removable drives.

• Never Encrypt – Prevents SafeBoot from attaching its drivers to removable disks – this is the default option.


5.2.4 Users

Figure 5-5. Allowed Users

You can add both groups of users, and individual users to a machine (or machine group) – either drag the user(s) from the user tree into the machine properties user tab, or use the “user picker” to select them. Although SafeBoot supports many hundreds of users on a single machine, we STRONGLY recommend that the actual number of users assigned is minimized to the fewest possible. Every user added to a machine is another possible account through which a hacker could gain entry. There is no purpose in adding entire departments of users to laptops which are used by only one person.

Auto-boot users

Special user IDs containing the name “$autoboot$” with a password of “12345” can be used to auto-boot a protected machine. This option is useful if an auto boot of a machine is needed, for example when updating software using a distribution package such as SMS or Zenworks. These IDs should be used with caution though, as they effectively bypass the security of SafeBoot.


Any ID containing the string “$autoboot$” can be used, for example “my$autoboot$”, “$autoboot$123” etc.

By using more than one ID, you can improve database performance if many machines are synchronizing the $autoboot$ account at the same time.

You can also change the default password for the $autoboot$ accounts; to do so, see the section “Autoboot.ini” in Chapter 18.

WARNING – It is quite possible to create a machine, or machine group, with no users assigned. If this configuration is deployed then no one will be able to log on to that machine. To resolve this issue, use the recovery “boot once” procedure, add some users to the machine in question, then synchronize it again to update the configuration.
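The following added example (not part of the guide and not SafeBoot code) audits machine assignments against the points made in sections 5.2.3 and 5.2.4: drives not set to “Full”, machines with no users, machines with more users than needed, and any ID containing “$autoboot$”. The record layout, the `max_users` threshold and the case-insensitive match are assumptions of this example.

```python
# Added example: audit of machine/user assignments against the guidance above.
# The record layout (dicts with "users", "user_groups", "drives") is constructed
# for this example; it is not a SafeBoot export format.

AUTOBOOT_MARKER = "$autoboot$"  # any ID containing this string can auto-boot


def effective_users(machine, user_groups):
    """Expand the user groups assigned to a machine into a set of user IDs."""
    ids = set(machine.get("users", []))
    for group in machine.get("user_groups", []):
        ids.update(user_groups.get(group, []))
    return ids


def audit_machine(machine, user_groups, max_users=5):
    """Return a list of (code, detail) findings for one machine record.

    max_users is the auditor's own threshold (an assumption); the guide
    only says to assign the fewest users possible.
    """
    findings = []
    users = effective_users(machine, user_groups)

    if not users:
        findings.append(("NO_USERS", "no one will be able to log on"))
    elif len(users) > max_users:
        findings.append(("TOO_MANY_USERS", f"{len(users)} accounts can authenticate"))

    # Substring match, because "my$autoboot$" and "$autoboot$123" both qualify.
    # Matching case-insensitively is an assumption, made to avoid missing variants.
    for user in sorted(users):
        if AUTOBOOT_MARKER in user.lower():
            findings.append(("AUTOBOOT_ID", user))

    # "Partial" and "None" both leave file data readable from the disk.
    for drive, mode in sorted(machine.get("drives", {}).items()):
        if mode.lower() != "full":
            findings.append(("NOT_FULLY_ENCRYPTED", f"{drive} is set to {mode}"))
    return findings


def audit_all(machines, user_groups, max_users=5):
    """Map machine name -> list of finding codes, skipping clean machines."""
    report = {}
    for machine in machines:
        codes = [code for code, _ in audit_machine(machine, user_groups, max_users)]
        if codes:
            report[machine["name"]] = codes
    return report


# Constructed sample inventory (names and IDs are made up).
USER_GROUPS = {"Sales": [f"sales{n:02d}" for n in range(1, 9)]}
MACHINES = [
    {"name": "LAPTOP-A", "users": ["jsmith"], "user_groups": [],
     "drives": {"C:": "Full"}},
    {"name": "LAPTOP-B", "users": ["jsmith", "my$autoboot$"], "user_groups": ["Sales"],
     "drives": {"C:": "Full", "D:": "Partial"}},
    {"name": "KIOSK-C", "users": [], "user_groups": [],
     "drives": {"C:": "None"}},
]

if __name__ == "__main__":
    for m in MACHINES:
        for code, detail in audit_machine(m, USER_GROUPS):
            print(f"{m['name']}: {code}: {detail}")
```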

5.2.5 Warning Text

Figure 5-6. Client Warning Text

Security Warning


Text displayed to the user in the SafeBoot login box.

Recovery Message

Text displayed to the user when they select the “recover” button. This may include information such as their help desk telephone number.

5.2.6 Synchronization Settings

Figure 5-7. Synchronization Settings

SafeBoot machines try to keep their local configuration the same as their central directory configuration; they do this by periodically synchronizing changes with the Object Directory. The default behavior is to synchronize on boot, but further options can be set.

Automatically Resynchronize

SafeBoot tries to contact the Object Directory every specified number of minutes. If the directory cannot be contacted, the sync sleeps until the next period.

Allow Local Resynchronization


By right clicking on the SafeBoot tool tray icon, the user can force a synchronization event by selecting the “Synchronize” option. This feature can be disabled.

Resynchronize when RAS connection is detected

Causes a synchronization event to occur if the user dials up to the internet / intranet. SafeBoot checks for new RAS (Remote Access Service) connections every second.

Synchronize time with directory

Sets the local machine time to the time of the server / directory it is synchronizing with. If the user’s machine is in a different time zone to the server, the correct local time will be set as long as their time zone is correct.

SECURITY TIP - This option is useful when logon hour restrictions are in place – without this time check the user could set their system clock back to gain extra hours of machine use.

Disable Synchronization of Files

Stops SafeBoot monitoring file group changes, and deploying updates to the remote machines.

Allow remote controlled synchronization

Lets an administrator initiate a synchronization event using the “Force Sync” option. The SafeBoot client sends its IP address to the Object Directory each time it connects to enable the communication channel. The communication port can be set between 0 and 65535.

Disable Access if not synchronized…

If a machine does not connect to its server within the specified number of days, then all accounts will become disabled. This option prevents users continuing to use machines offline from the SafeBoot Object Database for extended periods of time. Also, if a machine is stolen or lost, you can be assured that it will disable itself after the timeout has passed.

Delay Sync at boot for…

You can specify an optional offset and random offset for the initial boot sync. This may speed up the machine, and will also ensure any network load created by “9am syndrome” is distributed over a longer period of time. You can set a value of zero for the delay time; this disables the initial synchronization.


The synchronization settings take effect once SafeBoot has connected and picked up its policy from the central object directory. You can pre-set the parameters that SafeBoot will use while it is trying to establish the initial first time connection through settings in the file SCM.ini. More information on this file can be found in Chapter 18.

5.2.7 Files

Figure 5-8. Client File Groups

Select which groups of files need to be deployed to the machine. Typically the “SafeBoot Client File” group is deployed, along with optional token and language files.

Some file groups may not be displayed in the list. Only file groups with the property “Client File Sets” will be shown.

You can add your own file groups for deployment to the SafeBoot Object Database – see Chapter 6 for more information.


NOTE: If your SafeBoot user account has group permissions set, some file groups assigned to the machine may be outside your control. In this case they will be marked as locked groups. To gain the ability to change them, remove any “Group” administration restrictions on your account.

5.2.8 Screen Saver

Figure 5-9. Screen Saver Properties

Enable Secure Screen Savers

SafeBoot will take control over all screen savers, providing secure authentication services. On Windows NT, 2000, and XP, the “Windows Logon” options also need to be configured.

NOTE: If “secure screen saver” is disabled, then it will be possible for users to set a screen saver which does not require a password, or set no screen saver.

Allow user access…

If set, allows the user to change the local screen saver properties.

Run screen saver if token is removed…


If the current user’s token supports dynamic removal (such as a smart card or eToken), then the screen saver will be activated if they remove the token from the machine.

Set SafeBoot screen saver as default

Sets the current selected screen saver to be the “SafeBoot Screen Saver”.

Allow logon of administrators…

Allows administrators with accounts on machines greater than the specified level to unlock a screen saver locked by a different user. If this option is not set, then only the user who locked the machine can unlock it.

Set screen saver inactivity…

Sets the timeout period for the screen saver.

5.2.9 Boot

Boot Manager


Enable boot Manager

Switches on the built in pre-boot partition boot manager. Users will be able to select which primary partition on the hard disk they wish to boot.

You can control the display of the partitions which the user can select via the file “bootmanager.ini”. For information about this file see Chapter 18 of this guide.

Auto select After…

Allows you to select a time period after which the boot manager will select the last used partition.


6. File Groups and Management

Figure 6-1. SafeBoot File Groups

SafeBoot 5 Device Encryption uses central collections of files, called "Deploy Sets" to manage what versions of files are used on remote SafeBoot clients. When an administrator updates a file in the central directory, all machines attached to that deploy set automatically collect the new version of the file from the directory the next time they synchronize. This mechanism can be used to update SafeBoot clients to future versions, or to manage any file on a SafeBoot protected machine - for instance updating a virus database, or a new version of an application.

You can assign multiple file sets to be used on each machine. Typically two are used, the first for the core SafeBoot files, the second for the language files. All assigned sets are processed in the same way.

When the Management Center is installed, it automatically adds all the standard SafeBoot administrator and client files into two core file groups, "Administration Center Files" and "Device Encryption 5 Client Files", and also may create language sets, for example "English Language". Two INI files, ADMFILES.INI for the administrator files and CLTFILES.INI for the client files, determine the contents of the core groups. These INI files can be edited to allow custom collections of files to be quickly imported and then applied using the "Import file list" menu option. For more information on ADMFILES.ini and CLTFILES.ini, see Chapter 18.

Other file sets created as standard include those to support login tokens (such as smart card readers, and USB Key tokens).


6.1 Setting file group functions

Figure 6-2. File Group Content

You can specify the function of a file group by right-clicking it and selecting its properties. Some file selection windows, for example the file selector for machines, only display certain classes of file group (in this example, those marked as “Client Files”).


6.2 Importing new files

Figure 6-3. Adding files to the Object Directory

New files can be imported one by one into an existing deploy set using the "Import files" menu option. Simply select the file; SBAdmin will then import it into the directory and add it to the deploy set. The default options for the file mean that it will NOT automatically be downloaded to machines using this deploy set when they synchronize. See Chapter 6 for information on how to achieve this. You can also import File Sets, for instance to add a new option to the SafeBoot database.

6.3 Exporting Files

You can export a file group, or an individual file back to a directory. This may be useful, for example if you have an out of date administration system driver and there is an updated file in the Object Directory.

6.4 Deleting Files

You can delete individual files from a file set. In this case all machines that are maintaining a link to the file through association will delete it from their local directory at the next synchronization event.

NOTE – Clients maintain a link to a particular file via its object ID, not its name. If you delete a file and re-import it, its ID changes; clients will still delete the original and download the new copy.


6.5 Setting File Properties

To see the properties of a file, right click on the file in question and select "Properties". Two screens of information are available.

Figure 6-4. File Properties, File Information

The name of the file is the actual name, which will be used when deploying the file on the remote machine. The ID is the Object Directory object ID used as a reference for the file from the client PC. The version number is an incremental version of the file. When the file is updated, the version is incremented. This is used by the clients to check whether an update is needed. Other information such as the name of the user who imported the file, and its size may be shown.


Figure 6-5. File Properties, Advanced

File Types – Set the type of the file.

Operating System – Because some files are only applicable to some operating system(s), the target operating system(s) for the file must be selected. This is to prevent Windows NT drivers being installed on Windows 98 machines, or Windows 9x registry files being run on Windows 2000 servers.

Appid – If you are installing a file which is shared between multiple SafeBoot applications, you can specify the application’s ID. This prevents one application from installing files shared by another.

Update – Specify when SafeBoot should update the file.


7. Adding components to a Machine

To add new options, such as tokens, smart card readers, or other ancillary files to an existing machine, or group of machines, simply check the desired options on their “Files” tab.

Some combinations of options may be incompatible – for information please see our web site, http://www.safeboot.com.


8. Using SafeBoot as a File Deploy System

SafeBoot’s internal file update mechanism can be used to synchronize any file on a SafeBoot protected machine.

When the SafeBoot client performs synchronization, it compares its internal file revision list with the revision of the files in the Object Directory. If any files have been superseded (or are in the directory list but not in the local list), the SafeBoot client downloads them.

The file type assigned in the Object Directory determines what happens to a file when it is downloaded. The action can be summarized simply:

• SafeBoot Registry File – Processed into registry

• Windows Registry File – Processed into registry using RegEdit

• Pre/post Installation Executable – Copied to specified location and run either before or after SafeBoot.

• Any other file – Copied to specified location
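The following added example (a model written for this page, not SafeBoot code) works through the synchronization decision described above together with the object ID, version and operating system rules from Chapter 6, and lists the downloads that will change the registry or run code so they can be reviewed before a file set is changed. The type labels, field names, OS labels and sample files are assumptions of this example.

```python
# Added example: a model of the synchronization decision; not SafeBoot code.
from dataclasses import dataclass

# Action per file type, as summarized in the guide. The dictionary keys are
# labels chosen for this example.
ACTION_BY_TYPE = {
    "safeboot_registry": "process into registry",
    "windows_registry": "process into registry using RegEdit",
    "install_executable": "copy to location and run",
    "other": "copy to location",
}
REVIEW_TYPES = {"safeboot_registry", "windows_registry", "install_executable"}


@dataclass(frozen=True)
class DirectoryFile:
    object_id: int        # clients track files by object ID, not by name
    name: str
    version: int          # incremented each time the file is updated
    file_type: str        # one of the ACTION_BY_TYPE keys
    location: str
    target_os: frozenset  # operating systems the file is marked for


def plan_sync(local_revisions, directory_files, client_os):
    """Return the steps one client would take at its next synchronization.

    local_revisions: {object_id: version} held by the client.
    Each step is a tuple (verb, object_id, name, action).
    """
    steps = []
    in_directory = {f.object_id for f in directory_files}

    # Files whose object ID has left the file set are removed locally.
    for object_id in sorted(local_revisions):
        if object_id not in in_directory:
            steps.append(("delete", object_id, None, "delete local copy"))

    for f in sorted(directory_files, key=lambda item: item.object_id):
        if client_os not in f.target_os:
            continue  # file is not marked for this operating system
        have = local_revisions.get(f.object_id)
        if have is None or have < f.version:  # missing locally, or superseded
            steps.append(("download", f.object_id, f.name, ACTION_BY_TYPE[f.file_type]))
    return steps


def steps_needing_review(steps, directory_files):
    """Downloads that change the registry or execute code on the client."""
    types = {f.object_id: f.file_type for f in directory_files}
    return [s for s in steps if s[0] == "download" and types[s[1]] in REVIEW_TYPES]


# Constructed sample data. message.txt was deleted and re-imported, so its
# object ID changed from 103 to 207.
ALL_OS = frozenset({"win98", "winnt", "win2000", "winxp"})
LOCAL = {101: 3, 102: 1, 103: 2}
DIRECTORY = [
    DirectoryFile(101, "client_core.bin", 4, "other", "[appdir]", ALL_OS),
    DirectoryFile(102, "settings.reg", 1, "windows_registry", "[appdir]", ALL_OS),
    DirectoryFile(207, "message.txt", 1, "other", r"c:\windows\desktop", ALL_OS),
    DirectoryFile(208, "update_tool.exe", 1, "install_executable", "[appdir]",
                  frozenset({"winxp"})),
    DirectoryFile(209, "legacy.reg", 1, "windows_registry", "[appdir]",
                  frozenset({"win98"})),
]

if __name__ == "__main__":
    plan = plan_sync(LOCAL, DIRECTORY, "winxp")
    for step in plan:
        print(step)
    print("review:", steps_needing_review(plan, DIRECTORY))
```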

8.1 Example - Copying a new file to the desktop

This example shows how to set up a new text file that will be copied to the user’s desktop when they synchronize.

Step 1. Checking the File Group settings

From the properties of the machine (or controlled machine group) you want to update, check which file groups are assigned. The default file group is "SafeBoot 5.1 Client Files". You can create new file groups specifically for your custom files and assign them to machines if you so wish.

Step 2. Adding the new text file

Select the file group from step 1, and then use the "import files" option.

Select the new file you want to import, for example "message.txt". Once imported, select the new file and go to its "Advanced Properties" box.


Because we are importing a "Known" file type, the file location will be set automatically to [appdir]. We will override this with the location we want to send the file to, in this case "c:\windows\desktop". We also want this file to be deployed on all operating systems, so we check all the boxes.

Figure 8-1. Setting the new text file permissions.

Now, next time the machine synchronizes, it will notice the new file, and download it into its "c:\windows\desktop" directory. If the file was defined as a type of SafeBoot or Windows Registry file, it would be applied. If it was marked as an "Installation Executable", it would be run.

You can test this behavior by forcing the machine to resynchronize using either the "Force Sync" option from SBAdmin, or from the SafeBoot client tool tray icon right-click menu.


Figure 8-2. Downloading the message.txt file

The file "message.txt" should appear on the desktop, and the status window of the client should reflect the change.

More information on the SafeBoot file deployment mechanism can be found in Chapter 6.


9. Creating an Install Package

SafeBoot client is installed by running a special archive file created from the Management Center. This archive file contains all the components necessary to install SafeBoot.

The Management Center compresses the files needed into a single self-contained executable for ease of management. Deploy sets can be created for Machine groups, and individual machines for both fully online, and temporary offline situations. This chapter deals with creating the install package; for information on how to apply it, see Chapter 10.

9.1 Selecting the Group / Machine

Figure 9-1. Creating a Group Installation Set


The first step in creating an install set is to select the object you want to create the set for. Either an individual machine or a machine group can be used. Install sets created for A MACHINE can only be used to install that one machine - the target PC always takes the database entry the install set was created for. Sets created for GROUPS OF MACHINES can be used to install any number of machines in that group - each machine looks in the deployed group for its name - if found it uses that object, if not it creates a new object based on its network name.

9.2 Select the Install Set type

Figure 9-2. Creating Installation Sets, Page 1

For the second step you need to determine whether you expect the machine to be online or offline at the time of install.


9.3 Online Installs

Online installations expect the master Object Directory (the directory the administrator is currently connected to) to be available via the LAN during the install process. Once SafeBoot is set up, on the next boot SafeBoot will contact the Object Directory and download all the configuration and object data for the machine and users.

If a "placeholder" object for the machine name exists (a machine object created, but not installed), it will use the configuration stored in that object. If no placeholder exists, the machine will obtain its configuration from the machine group that the install set was created for.

If the machine name is already used in the directory, and the existing machine is not a “placeholder”, the new machine will append a four digit number to the end of its name and install. For example, where a machine called “JSMACHINE” already exists, an object “JSMACHINE0001” will be created.

NOTE: By editing the file "scm.ini" on the client before SafeBoot is activated (i.e. after setup, but before the first reboot) the group can be changed.

9.4 Offline Installs

If the machine is expected to be disconnected from the SafeBoot Server during the install, an "offline" install set can be created. In this case a "transport directory" containing the necessary objects and configuration data will be included in the deploy set. After local configuration, the transport directory will need to be re-imported into the master directory before the machine can be recovered.

Selecting an Offline install mode allows the additional choice to include the "individual objects" in the transport directory. If they are included, then all users and machines in the set will be deployed with the transport directory (and therefore will be available immediately, even before the machine connects back to the master directory). If they are not included, then there will be no login prompt until the machine has performed its first connection and brought down its user list.

NOTE – Until the transport directory containing the machine’s completed configuration is imported back into the master directory, no connection or configuration of the client can be performed. Also, in the case where the offline install set was created from a group, it will not be possible to recover the machine until it has successfully synchronized with its master database. In the case where the offline install set was created for an individual machine, or in the case of users, synchronization is not necessary for the machine to be recovered.


9.5 Importing a Transport Directory

The Transport directory is a file called sbxferdb.sdb, and can be found in the directory the SafeBoot client is installed into. To import the details in this directory back into the master, select the machine group you want to contain the entries, and use the “Import Machines” right-click option. This brings the keys and configuration from the machine into the master database, giving the ability to synchronize with, reconfigure, and recover the machine.

9.6 Summary of Offline Install set contents

Machine Group Sets

An Install set created from a machine group can contain the following items.

• The Machine Group object.

• User objects assigned to the group, and user objects assigned to machines in that group.

If the group contains machines, the following items are included in the set.

• Individual Machine objects (live or placeholder).

• User objects assigned to the individual machines.

Individual Machine Sets

The following items are included.

• The machine object.

• Users assigned to that machine.


9.7 Select the Master Directory

Figure 9-3. Selecting the Master Object Directory

Step 3 involves selecting the final Object Directory that the new client will communicate with to synchronize configuration details. The default is the directory that the administrator is currently using, but it may be any directory the administrator has access to. Usually the clients will access the Object Directory via a SafeBoot server, rather than locally. Connections via a SafeBoot Server have the type “Remote”. You can specify multiple connection points for machines, if you have more than one server defined.

You can also change the order that the client will look for servers, and enable automatic random selection of servers by using the wizard.

NOTE – For information on setting up a SafeBoot Server, see the SafeBoot Administration Center Guide.


9.8 Set install options and create the set

Figure 9-4. Creating the Install Set

In Step 4, you set the location you wish the completed install file to be saved to, and the directory on the client you wish SafeBoot to be installed into.

Two options for the "visibility" of the set-up process can be set. Silent installs do not give the user any visible display of the install process, and are used in automatic deployment environments, such as Microsoft SMS.

After SafeBoot.exe has been run on a client machine, it needs to be restarted before SafeBoot can be activated. An automatic restart option is included, but note that if both silent install, and automatic restart are enabled, the machine will restart with no user intervention - this may cause users to lose work if they have open documents when this process occurs.


10. Installing, Upgrading, and Removing Device Encryption

Running an “Install Package” created by the SafeBoot administrator on the target machine enables and installs SafeBoot.

For information on creating install packages see Chapter 9.

10.1 Offline Package Installs

Create the install file as per Chapter 9, selecting Offline install, and including the users and machines required. Run the package on the target client and let it reboot.

Once restarted, you must retrieve the file sbxferdb.sdb which needs to be imported back into the master directory. For information on this procedure see Chapter 9.

Once the transport directory has been imported into the master database, if there is a network connection between the client and a SafeBoot Server, you will be able to remotely manage the machine. If you do not retrieve the transport directory, then you will not be able to recover or reconfigure the machine.

If your machines are unable to connect to the master database after install, for example if you are working in a permanently disconnected environment, you may want to retrieve the .sdb file AFTER encryption has finished – the status of encryption will then be properly reflected in the master database. In the case of machines which connect to the master database after offline install, this property will be automatically updated during the sync process.

10.2 Online Package Installs

Create an “Online” install package as per Chapter 9. Simply run this file on the target machine(s). Once they have installed and rebooted, they will contact one of the SafeBoot Servers specified and create their directory entries.

10.3 Removing / Uninstalling SafeBoot Client

You can specify four modes of operation for SafeBoot in the machine’s “General” property page. For full details of these modes see Chapter 5.2.2.


To disable SafeBoot, i.e. put it into a mode where it is applying no protection but can be easily re-enabled, set the machine status to “Disable”. You can then at a future time set the status to “Enable” and SafeBoot will re-apply the protection specified.

To completely remove SafeBoot, select either “Remove” or “Remove and Reboot” – SafeBoot Client will perform the action after the next synchronization event.

10.4 Upgrading SafeBoot from previous versions.

Where 5.x is mentioned, the current version of SafeBoot 5 should be assumed.

As there are many different SafeBoot versions in existence, the upgrade procedure changes depending on what versions you are upgrading from and to.

10.4.1 Upgrading SafeBoot 4.x Clients to 5.x

1. Update your database and administration system as described earlier in this chapter

2. Deselect the “SafeBoot 4.x Client Files” file set from the machines you wish to upgrade, and select “SafeBoot 5.x Client Files” instead.

On the next synchronization, the machine will download the latest files and code and apply the upgrade.

If you have other options selected, such as the File Encryptor, or Token modules, be sure to also select 5.x versions of these as well.

10.4.2 Upgrading existing 5.x clients to a later service pack or patch version

Method 1. All machines at once

To upgrade between service pack or patch levels, for example from v5.0 to v5.1 you modify the existing file set in the SafeBoot Object Directory. A special version of the client file cltfiles.ini is provided which does not include items which have not changed, thus reducing the amount of data which needs to be sent to the client machines.

1. Update your database and administration system as described earlier in this chapter

2. Copy the appropriate upgrade file from the tools/upgrade directory on the SafeBoot CD into your admin system directory.

3. Update the existing SafeBoot 5.0 Client file set with the new service pack files by right-clicking the file group, clicking “import files” and selecting the file you copied in step 2.

4. The machines assigned to the file set will download the new files and apply them when they next synchronize.

Method 2. Upgrade machine by machine

To upgrade between service pack or patch levels, for example from v5.0 to v5.1 you can create a new file set in the SafeBoot Object Directory.

1. Update your database and administration system as described earlier in this chapter

2. Create a new file group for the new 5.x files.

3. Right-click the new group and select “Import File Set”. Select the file ‘SBClientFileSet.ini’ from the administration system directory (usually c:\program files\sbadmin).

4. For each machine you want to upgrade, deselect the machine’s current client file set, and select the new 5.x file set you created in step 2.

10.4.3 Removing SafeBoot 5.x from a machine

1. Set SafeBoot to either “Remove” or “Remove and Reboot” from the machine’s General properties.

The next time the machine synchronizes with the database, it will remove all encryption and authentication, then uninstall the SafeBoot program files. If you simply want to disable the SafeBoot protection, set the Client to be “Disable” instead.

If the machine is unable to synchronize, perhaps because of a network or Windows issue, you can still remove SafeBoot by performing an emergency SafeTech removal, then running:

Sbsetup -Uninstall

from the SafeBoot program files directory.

11. Client Software

The SafeBoot Client connects to its Object Directory, or configuration store, which may be on the same machine, a network drive, or via a SafeBoot Server. It does this every time the machine boots, and optionally at set time intervals or when a RAS session is initiated.

Once connected to the directory, SafeBoot Client uploads the latest audit and password changes to the directory, and if necessary downloads any configuration changes specified centrally.

11.1 The Tool Tray Icon

The only user-visible part of SafeBoot is the “SafeBoot Monitor” icon in the user’s tool-tray. By double-clicking the icon users can start the system screen saver (which may be protected by SafeBoot). By right-clicking it they can select one of four actions.

Figure 11-1. SafeBoot right-click Tool Tray Menu

Activate Screen Saver

The default action when the SafeBoot tray icon is clicked is to bring up a password protected screen saver.

Show Status

As the configuration process within SafeBoot 5.1 is largely transparent to the user, the only evidence of SafeBoot's working can be found from the status menu available from SafeBoot's tool tray icon.

Figure 11-2. SafeBoot Client Status Window

The Status window displays any on-going configuration tasks (such as encryption processes) and status messages from the last directory connection.

Synchronize

SafeBoot tries to establish a connection with its directory during the boot process. In situations where the directory is unavailable at that point (for instance, a notebook user who connects via dial-up networking), the user can establish a connection at any time, and select the Synchronize option to connect to a remote directory and collect / upload changes.

For details of the supported functions within the SafeBoot client, please see the User and Machine configuration sections in the “Management Centre 5 Administrators Guide”, and also this guide.

11.2 Client Auditing

User events are audited locally and then transferred to the Object Directory as part of the synchronization process. For more information on the events tracked see Chapter 13.

11.3 Boot and Logon Process

The Device Encryption boot screen allows the user to select a login method (one of the available tokens), and then provide authentication credentials such as a user id and password. If the user can provide the correct details, the SafeBoot boot code starts the transparent hard drive decryption process, loads the original MBR and executes it.

When the operating system starts, the SafeBoot Configuration Manager (SCM) runs and performs a logon to the operating system (if SSO is enabled). It then attempts to contact the Object Directory using the Directory Manager (this can be local, or remote via a SafeBoot Server) and re-validates the user against any changes that have been made since the last validation. Following this, SCM downloads and applies any configuration updates, which could include new user accounts.

If the Object Directory validation is successful (i.e. no administrator has deleted or disabled the user’s account) the Windows startup completes, and the SafeBoot icon is loaded into the tool tray to allow the user to run the screen saver, validate with the server, display status etc.

After a period of inactivity or a power event, SCM activates the screen saver, locking the user out.

If the user logs out of the operating system, they may be required to authenticate to SafeBoot when they log back into Windows.

11.4 SafeBoot Screen Saver

Figure 11-3. SafeBoot Screen Saver

SafeBoot Client includes a simple logo screen saver. You can use any screen saver written to the Microsoft Screen Saver standards on the system; SafeBoot will still protect its logon using the standard SafeBoot logon window.

NOTE – You can change the logo displayed in the screen saver by adding a file called “logo.bmp” to the Windows directory. You can also deploy logo.bmp using the File Update technology built into SafeBoot. You may find extra graphics on your SafeBoot CD in the “tools” directory.

Users can start the screen saver through any of the normal Windows mechanisms, or by double-clicking on the SafeBoot tool tray icon.

11.5 Windows Sign-On and Logon Mechanisms.

SafeBoot includes many options to reduce the number of passwords users have to remember. For information on these features, see Chapter 12. These options are used to ensure that whenever the user changes their Windows password, their SafeBoot password is changed to the same. This happens without user interaction.

11.6 Changing The Password

The Device Encryption password can only be changed in the pre-boot environment. To change the password:

1. Restart the PC

2. Enter the current user ID and password in the login dialog

3. Tick the change box, and click “OK”

4. Follow the on-screen prompts to change the password.

Figure 11-4. Changing the password pre-boot.

12. Windows Sign-on and SSO

SafeBoot can ease the logon process for users by doing the Windows logon for them, and taking responsibility for screen saver logons and re-logon requests. The features available can be configured by clicking on the “General” icon of a machine or machine group object.

12.1 Windows Logon Features

Figure 12-1. Windows Logon Settings

Require SafeBoot Logon – SafeBoot takes control of the normal Windows logon screen, and screen saver logon. Users will be prompted for their SafeBoot credentials rather than their Windows credentials.

Attempt automatic Windows Logon – SafeBoot tracks the user’s Windows id, password and domain, and presents these automatically to Windows logon boxes. This mechanism means once the user has authenticated to SafeBoot at the boot screen, they do not need to enter any more passwords for Windows.

NOTE – If the user’s Windows id and password are different from their SafeBoot id and password, SafeBoot stores the windows credentials the first time they are used. It may take two boots before the single sign on becomes active.

Require SafeBoot re-logon – If the user logs out of Windows, SafeBoot will control the login box for the next login.

Automatically logon as boot user – If there are no stored Windows credentials for the user, SafeBoot tries to login to Windows with the user’s SafeBoot credentials.

SafeBoot logon component always active – If selected, the SafeBoot login component is kept active on the machine even if all the other options are disabled. This means that it can be reactivated mid-session during synchronization with the Object Directory. If all options are deactivated, the SafeBoot logon component can only be reactivated after a reboot.

Set SafeBoot Password to Windows Password – If the Windows and SafeBoot login passwords differ, users will be prompted to set the SafeBoot password to the Windows password. This option also captures the Windows Change Password event, and again, sets the user’s SafeBoot password to match.

If you are using this option, it is important to ensure that the password template and quality rules in SafeBoot are identical, or more lenient than those in Windows, otherwise a failed password change may occur and the user will be reset to “12345”.

Must Match Windows User Name – This option ensures that SSO details are only captured in the situation that the user’s SafeBoot and Windows IDs match. If they are different, no SSO details will be stored.

12.2 How Windows Logon works

SafeBoot intercepts the Windows Logon mechanism, using a “Pass through Shim Gina” on Windows NT, 2000 and XP, and a Credential Provider on Vista. On Windows NT, 2000, and XP operating systems a custom .ini file (SBGINA.INI) is used to help SafeBoot analyze the logon screen and paste the credentials into the correct boxes on screen.

In Windows Vista, Microsoft has replaced the original MSGINA (Graphical Identification and Authentication) with a new method called Microsoft Credential Provider. SafeBoot has modified the Single Sign On architecture and implemented a Credential Provider to communicate with Windows. We display each of the SafeBoot Tokens as a potential logon method. If you log on to SafeBoot, you will be asked for your Windows credentials only the first time, and SafeBoot will store the Windows credentials securely within SafeBoot. On subsequent logon events, SafeBoot will use the stored Windows credentials to log on.

You can find out more about Microsoft Vista Credential Providers from the Microsoft MSDN website:

http://msdn.microsoft.com/msdnmag/issues/07/01/CredentialProviders/default.aspx

NOTE – For more information on SafeBoot ini files, see Chapter 18.

12.2.1 First Boot

The first time a user starts their newly SafeBoot protected machine, SafeBoot authenticates them at boot time. If successful, the operating system starts.

Normally they would next be presented with a Windows logon. If the SafeBoot Windows Logon architecture is fully activated, SafeBoot will automatically present the user’s stored SSO id and password to Windows. If these details are accepted, SafeBoot stores a record of these credentials in a special encrypted area of the user’s profile. If Windows fails the SSO credentials, for example if they have not been set, Windows displays the standard login box and the user is forced to enter their Windows id and password. Again, once a valid login has taken place, SafeBoot stores the correct credentials in the user’s encrypted profile, which are uploaded to the central Object Directory on the next synchronization.

12.2.2 Second Boot

The second and subsequent times the user starts the machine, they login to the SafeBoot boot screen, then SafeBoot supplies the stored Windows credentials to the Windows login box.

12.2.3 Failed Windows Password

If/when the Windows logon credentials become invalid, for instance if the user changes their Windows password on another system, or has it reset by an administrator, the automatic login will fail and the standard Windows login box will appear. Again, once a successful login has occurred, the correct details are stored encrypted in the user profile and uploaded on synchronization with the central Object Directory.

12.2.4 Re Logon

If a user chooses to “log off” Windows, they would normally expect to see the standard Windows logon box. SafeBoot takes control of this in the same way as the initial logon screen, forcing the next user to login with their SafeBoot credentials.

Figure 12-2. Logon to Windows Replacement Dialog

If users want to log on to Windows using a different account than their stored credentials, they simply cancel the default login window, then clear the “Automatically logon to Windows” box.

Once cleared, simply select the token you want to login with.

12.2.5 Setting and Changing a user’s SSO details

You can pre-set or change the SSO details associated with a user by right-clicking their object and selecting “Set SSO Details”.

13. Auditing

13.1 Introduction

SafeBoot Device Encryption audits user, machine, and server activity. By right-clicking on an object in the SafeBoot Object Directory, you can select the view audit function.

Figure 13-1. Viewing a user’s audit log

Audit trails are uploaded to the central directory each time a machine synchronizes. Until that time the audit is cached internally in the encrypted SafeBoot file system. In SB4.1.1 and above, the last 3000 entries are cached locally; when the limit is reached the oldest 300 entries are culled. The local audit will retain approximately 2 years of normal operation before culling begins.

The permission to view or clear an audit log can be controlled on a user or group basis. Both the administration level, and administration function rights are checked before allowing access to a log. For more information on setting these permissions see Chapter 3.

Audit trails can be exported to a CDF file by using the “Audit” menu option, or by right-clicking the trail and selecting “Export”. Also, the entire audit of the directory can be exported using the “SBAdmCL” tool – for information on this option please contact your SafeBoot representative.

The Object Directory audit logs are open-ended, i.e. they continue to grow indefinitely, but can be cleared en masse, again using SBAdmCL.

13.2 Common Audit Events

The text displayed in the audit log will depend on your localization and language settings. The following table lists the common events and their ID codes for the American English version of SafeBoot. Many events can appear at multiple places, for example the “Login Successful” event will be logged both in the user account doing the login, and the machine being logged into simultaneously.

13.2.1 Information Events

Description Event

Audit cleared 01000000

Boot started 01000001

Boot complete 01000002

Booted non-secure 01000003

Backwards Date Change 01000005

Booted from floppy 01000004

Token battery low 01000010

Power fail 01000011

A virus was detected 01000013

Synchronization Event 01000014

Crypt Start 01000015

Crypt End 01000016

Add group 01000082

Add object 01000083

Delete group 01000084

Delete object 01000085

Import object 01000086

Export object 01000087

Export configuration 01000088

Update object 01000089

Import file set 01000090

Create token 01000091

Reset token 01000092

Export key 01000093

Recover 01000094

Create database 01000095

Reboot machine 01000096

Move Object between groups 01000098

Rename Object 01000099

Server started 010000C0

Server stopped 010000C1

Table 13-1. Information Audit Events

13.3 Try Events

Description Event

Logon attempt 02000001

Change password 02000002

Forced password change 02000003

Recovery started 02000016

Database logon attempt 02000081

Logon successful 04000001

Password changed successfully 04000002

Boot once recovery 04000016

Password reset 04000017

Password timeout 04000018

Lockout recovery 04000018

Change token recovery 04000019

Screen saver recovery 0400001A

Database logon successful 04000081

Logon failed 08000001

Password change failed 08000002

Password invalidated 08000005

Recovery failed 08000017

Database logon failed 08000081

Machine configuration expired Undefined

A virus was detected Undefined

Table 13-2. Try Audit Events

13.4 Succeed Events

Description Event

Logon successful 04000001

Password changed successfully 04000002

Boot once recovery 04000016

Password reset 04000017

Password timeout 04000018

Lockout recovery 04000018

Change token recovery 04000019

Screen saver recovery 0400001A

Database logon successful 04000081

Table 13-3. Succeed Audit Events

13.5 Failure Events

Description Event

Logon failed 08000001

Password change failed 08000002

Password invalidated (too many incorrect attempts) 08000005

Machine configuration expired 08000012

Recovery failed 08000017

Database logon failed 08000081

Table 13-4. Failure Audit Events
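
The event IDs in these tables group by their leading byte (01 information, 02 try, 04 succeed, 08 failure), which makes an exported audit trail straightforward to triage. The following is an added example, not part of the SafeBoot guide or product: the comma-separated line layout, the object names and the review policy are assumptions, and the sample lines are constructed; only the event codes come from the tables above.

```python
from collections import defaultdict

# Leading byte of the 8-hex-digit event ID gives the event class (Tables 13-1 to 13-4).
CLASS_BY_PREFIX = {"01": "information", "02": "try", "04": "succeed", "08": "failure"}

# Subset of the codes listed in this chapter. Values are lists because the
# tables give 04000018 two different descriptions.
EVENTS = {
    "01000000": ["Audit cleared"],
    "01000003": ["Booted non-secure"],
    "01000004": ["Booted from floppy"],
    "01000005": ["Backwards Date Change"],
    "01000093": ["Export key"],
    "02000001": ["Logon attempt"],
    "04000001": ["Logon successful"],
    "04000016": ["Boot once recovery"],
    "04000017": ["Password reset"],
    "04000018": ["Password timeout", "Lockout recovery"],
    "04000019": ["Change token recovery"],
    "0400001A": ["Screen saver recovery"],
    "08000001": ["Logon failed"],
    "08000005": ["Password invalidated (too many incorrect attempts)"],
    "08000017": ["Recovery failed"],
}

# Review policy: an assumption of this example, not a SafeBoot setting.
REVIEW_ALWAYS = {"01000000", "01000003", "01000004", "01000005", "01000093"}
RECOVERY_SUCCESS = {"04000016", "04000017", "04000019", "0400001A"}


def classify(event_id):
    """Return (event class, list of descriptions) for an 8-hex-digit event ID."""
    eid = event_id.strip().upper()
    if len(eid) != 8 or any(c not in "0123456789ABCDEF" for c in eid):
        raise ValueError(f"malformed event id: {event_id!r}")
    return CLASS_BY_PREFIX.get(eid[:2], "unknown"), EVENTS.get(eid, ["(not listed)"])


def parse_line(line):
    """Split one 'timestamp,object,event_id' line (hypothetical export layout)."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields: {line!r}")
    return fields[0], fields[1], fields[2].upper()


def triage(lines, burst=3):
    """Return findings as (timestamp, object, kind, detail) tuples, in log order."""
    findings = []
    fails = defaultdict(int)   # consecutive failed logons per object
    locked = set()             # objects invalidated and not yet recovered
    for line in lines:
        if not line.strip():
            continue
        ts, obj, eid = parse_line(line)
        _cls, names = classify(eid)
        if eid in REVIEW_ALWAYS:
            findings.append((ts, obj, "review", names[0]))
        elif eid == "08000001":
            fails[obj] += 1
            if fails[obj] == burst:
                findings.append((ts, obj, "failed-logon burst", f"{burst} in a row"))
        elif eid == "04000001":
            fails[obj] = 0
        elif eid == "08000005":
            locked.add(obj)
            findings.append((ts, obj, "lockout", names[0]))
        elif eid in RECOVERY_SUCCESS and obj in locked:
            # Worth matching against a helpdesk ticket for the same user.
            locked.discard(obj)
            findings.append((ts, obj, "recovery after lockout", names[0]))
        elif len(names) > 1:
            # The code alone does not say which event occurred.
            findings.append((ts, obj, "ambiguous code", " / ".join(names)))
    return findings


# Constructed sample audit lines (not real SafeBoot output).
SAMPLE_LOG = """\
2007-05-25T08:01:10,user:jsmith,02000001
2007-05-25T08:01:11,user:jsmith,08000001
2007-05-25T08:01:40,user:jsmith,08000001
2007-05-25T08:02:05,user:jsmith,08000001
2007-05-25T08:02:30,user:jsmith,08000005
2007-05-25T08:20:00,user:jsmith,04000017
2007-05-25T08:21:15,user:jsmith,04000001
2007-05-26T07:55:00,machine:LAPTOP-07,01000005
2007-05-26T07:56:00,machine:LAPTOP-07,01000004
2007-05-26T09:00:00,user:akhan,04000018
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding, sep="  ")
```
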

14. Recovering Users and Machines

You can recover users using either the SafeBoot Management Center, WebHelpdesk, or the procedure documented below. For information on recovery via the Management Center WebRecovery and WebHelpdesk options, please see the “Management Center 5 Administrators Guide”.

14.1 Offline Recovery

Resetting a remote user’s password or replacing their logon token if it has been lost requires a challenge/response procedure to be followed. The user starts their machine, cancels any logon dialogues that may appear, then clicks the “Recover” button from the pre-boot SafeBoot Icon. This process can be used at the boot screen, Windows logon, or screen saver logon.

Figure 14-1. Select User or Machine Recovery

After the user (optionally) enters their user name, a set of codes is displayed on their screen. The user needs to telephone their helpdesk and read the codes to the administrator. The user code is time based, and unique to the user and machine.

Figure 14-2. Starting the recovery process

The SafeBoot administrator needs to log into the Administration Centre, select a machine group, and click the recover button – there is no need to find the correct user beforehand.

Figure 14-3. Starting Recovery

The administrator will be prompted to enter the user code in the wizard, and if correct will be given the opportunity to check the user’s profile if the administrator has sufficient access rights to recover the user (based on their level and group memberships). The administrator should use this opportunity to validate the user by asking them questions based on the hidden information stored in their account. Only if successful should the helpdesk actually allow the user’s password to be reset.

Figure 14-4. Validating a user

If the administrator is happy that the user on the telephone is legitimate, they can proceed with the next step in recovery.

Figure 14-5. Selecting the recovery option

The administrator selects the option they want to perform. If a user name was entered, a user recovery proceeds; if no user name was entered, a machine recovery can be performed.

Boot Once - The machine boots with no user logged in.

Unlock Screen Saver – The screen saver is cleared.

Reset the user’s password – The user’s password is reset to the token default. The user can then change this to a new password. This option will not function if the user is disabled due to too many invalid passwords; to resolve this issue see “Change Token”.

NOTE: Some tokens do not support password resets through SafeBoot, examples of this include the DataKey Smartcard, RSA Smartcard, and Aladdin eToken Pro. For information on how to reset the password on these devices contact the appropriate manufacturer. To recover a SafeBoot user who has forgotten their password in this case, either issue them with a new token, or temporarily switch them to use a password using the “Change Token” recovery option.

Unlock a disabled user – If a user account is marked as disabled in the object database, it can be temporarily activated using this option. When the machine synchronizes with the Object Directory, the account will be re-disabled if their security profile in the Directory still indicates this.

Create Token – If supported by the token, allows administrators to remotely create a new token for the user to replace a lost one. The SafeBoot Password login always supports remote recreation; for information on other tokens see the Tokens chapter in the product administrators guide.

Change the user’s token to – Changes or resets the user’s token to the one specified. The administrator needs to have pre-generated the token for the user. If a user has invalidated their password account through too many invalid attempts, changing their token to “password only” recreates their “soft token” and allows them to enter the default password again.

NOTE – If you change a user’s token using this method, remember that next time their machine synchronizes with the SafeBoot directory, their token will be set to whatever is specified in their user properties. If you want the change to be permanent remember to set their token type in the user properties window.

Figure 14-6. User’s recovery code

The final step is to read the recovery code back to the user. The length of this code is controlled by their token recovery key as set in the user’s “token” properties, or in the case of a machine, the recovery key set in the encryption properties.

The user simply enters the code line by line into the pre-boot dialog. Each line is checksummed. Once the code has been entered, the selected action will occur.

14.2 Online Recovery

If a user’s machine is online when they forget their password or lose their token, simply create a new token for them in the SafeBoot directory, and force sync their machine to make the appropriate change.

You can reset a user’s password by simply generating a new password token for them.

15. Trusted Applications

SafeBoot’s client has the capability on Windows NT, 2000, and XP to restrict what applications and code users are allowed to run. Through this mechanism you can restrict access to certain applications to only a few users, or you can prevent users from running any applications that are not pre-defined.

With this system you can apply untrusted control, for example to prevent access to pre-defined tools such as “regedit.exe” for all but administrators. With untrusted control, unknown applications are allowed to run and known applications are blocked. You can also apply trusted control, where ONLY pre-defined code can run and unknown code is blocked. This is useful, for example, when you want to restrict an entire build image so that it is impossible for users to run any application other than the ones distributed in the “gold build”.

SafeBoot application control takes effect once a user has logged into Windows – it does not affect code run in the context of booting the operating system. To prevent applications and code being run at this stage Control Break recommend appropriate operating system security settings be used, for example disallowing device driver updates etc.

15.1 Hash Sets

The first step in applying application control to SafeBoot users is to create sets of “hashes” for the code modules you want to apply control to using the SafeBoot Hash Generator (see Chapter 16). A hash set contains a unique “digital signature” for each file in the scope of the set. This digital signature is unique to the file – no two files will ever have the same signature. When SafeBoot applies control to applications, it calculates the “hash” of the code (.exe file, .dll etc) that the user is trying to run, and compares it to the list of hashes applied to the user. The actual location of the code does not matter, only its content, so if a user moves a restricted application to another directory, it will still be blocked.

After creating a hash set for the files or directories containing the sample code modules you can create a “SafeBoot Hashes Group” in the SafeBoot database to contain them. Within the group, create new hashes objects to contain your hash sets created previously.

Figure 15-1. Hash Group

15.2 Hash Set Properties

15.2.1 General

Hash Count

Displays the number of file hashes stored in this object. You can remove duplicates using the “File Hashes/Compact” function.

Description

A text description of this hash set – for example its source.

15.2.2 File Hashes

Import

Allows you to import one or many hash sets created with “SafeBoot Hash Generator” into this hash object.

Export

Saves the contents of this hash object as a hash set.

Compact

Removes duplicate entries from this hash object – As SafeBoot Application Control is driven by the hash (or digital signature) of a file, not its location, only one entry per file is required.

Remove

Removes a single file entry from this hash object.

NOTE: You can add entries only by importing hash files.

15.3 Using Hash Sets

After creating hash sets, you can assign both hash objects, and hash groups to users through their “application control” properties.

You can specify one of two modes of application control – “Untrusted” and “Trusted”:-

Untrusted

In the case of untrusted control, if the hash is known then the code is prevented from running.

Trusted

In the case of trusted control, if the code is known it is allowed to run, whereas all unknown code is blocked.

These options can be summarized in the following table:

Mode | Known Applications | Unknown Applications
Untrusted Application Control | Optionally Blocked | Allowed
Trusted Application Control | Allowed | Optionally Blocked

Table 15-1. Trusted Application Logic

You can also set whether to actually block the untrusted code, or to simply log it for future analysis – this option (log with no blocking) is useful when debugging hash sets which do not block appropriately.
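
The decision logic of Table 15-1, including the log-only option, can be expressed in a few lines. This is an added example, not SafeBoot code: the function names and the in-memory set standing in for a hash set are assumptions (the HSH file format is not described here), the sample files are constructed, and MD5 is used because Chapter 16 states that the Hash Generator produces MD5 hashes.

```python
import hashlib
import os
import tempfile


def md5_file(path, chunk=65536):
    """MD5 of a file's content. MD5 is not collision-resistant, so a match is
    weaker evidence of identity than a match on a modern hash would be."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_hash_set(paths):
    """Hash the given files and every file under the given directories.
    Using a set keeps one entry per distinct content (the 'Compact' behaviour)."""
    hashes = set()
    for path in paths:
        if os.path.isdir(path):
            for root, _dirs, files in os.walk(path):
                for name in files:
                    hashes.add(md5_file(os.path.join(root, name)))
        else:
            hashes.add(md5_file(path))
    return hashes


def decide(mode, hash_set, path, block=True):
    """Return 'allow', 'block' or 'log' following Table 15-1.

    mode  -- 'untrusted' (known code is the violation) or
             'trusted'   (unknown code is the violation)
    block -- False selects the log-with-no-blocking option
    """
    known = md5_file(path) in hash_set
    if mode == "untrusted":
        violation = known
    elif mode == "trusted":
        violation = not known
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    if not violation:
        return "allow"
    return "block" if block else "log"


def demo():
    """Run the decisions over constructed sample files and return the results."""
    with tempfile.TemporaryDirectory() as base:
        gold = os.path.join(base, "gold")
        os.mkdir(gold)
        for name in ("tool.exe", "tool_copy.exe"):        # same bytes twice
            with open(os.path.join(gold, name), "wb") as handle:
                handle.write(b"constructed sample: approved tool")
        moved = os.path.join(base, "renamed.bin")         # same bytes, other path
        with open(moved, "wb") as handle:
            handle.write(b"constructed sample: approved tool")
        other = os.path.join(base, "other.exe")           # different bytes
        with open(other, "wb") as handle:
            handle.write(b"constructed sample: something else")

        hash_set = build_hash_set([gold])
        return {
            "hash_count": len(hash_set),
            "trusted_moved": decide("trusted", hash_set, moved),
            "trusted_other": decide("trusted", hash_set, other),
            "trusted_other_log_only": decide("trusted", hash_set, other, block=False),
            "untrusted_moved": decide("untrusted", hash_set, moved),
            "untrusted_other": decide("untrusted", hash_set, other),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The renamed copy gets the same decision as the original in both modes, because only the content is hashed.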

16. Hash Generator

16.1 Introduction

SafeBoot Hash Generator creates “Hash Sets” for use with the application control feature of SafeBoot. For more information on application control, see Chapter 16.

Figure 16-1. Hash Generator Main Screen

The generator creates MD5 hashes of the selected files and packages them into a SafeBoot hash set (HSH file).

16.2 Using Hash Generator

After selecting the output file name, add the files (or folders) you want to include in the hash set. Finally, click “Hash” – the specified HSH file will be generated.

Figure 16-2. Hash Progress Screen

The progress window shows the activity. Once completed, you can import the resultant hash set into your SafeBoot directory.

17. Common Criteria EAL4 Mode Operation

CESG in the United Kingdom has certified the following products to the standard EAL4:

• SafeBoot 5.0 Device Encryption Client

To apply this standard to your implementation of SafeBoot, you need to ensure the following criteria are met:-

Administrator Guidance

SafeBoot must be installed using the SafeBoot AES (FIPS) 256bit algorithm.

1. Administrators must enforce the following Policy Settings

• A minimum password length of 5 characters or more

• Disabling of accounts after 10 or fewer invalid password attempts

• All data and operating system partitions on the machines where SafeBoot client has been installed MUST be fully encrypted. You can check the conformance to this issue by viewing the SafeBoot client status window – if any drives are highlighted in red then they are not fully encrypted.

• Administrators must enforce use of the SafeBoot Secure Screen Saver Mode

• Use of “Autoboot Mode” is prohibited

• Machine and User recovery key sizes must be non-zero (Machine/Encryption properties and User/Token properties)

To comply with CC regulations, these policy settings must be applied before installing any clients.

2. There must be a system in place for maintaining secure backups that are separately encrypted or physically protected to ensure data security is not compromised through theft of or unauthorised access to backup information.

3. Backups should be regular and complete to enable system recovery in the event of loss or damage to data as a result of the actions of a threat agent and to avoid vulnerability through being forced to use less secure systems.

4. Users (including administrators) must protect all access credentials, such as passwords or other authentication information in a manner that maintains IT security objectives.

5. Customers implementing a SafeBoot enterprise must ensure that they have in place a database of authorised TOE-users along with user-specific authentication data for the purpose of enabling administrative personnel to verify the identity of a user over a voice-only telephone line before providing them with support or initiating recovery. SafeBoot provides the means to display personal information such as the users ID number as part of the “User Information Fields” – but any other appropriate system is acceptable.

6. Administrators should ensure their users are fully trained in the use of the Device Encryption Client software as described in Chapter 11 of this guide, and should remind them of the security procedures detailed in the User Guidance below.

User Guidance

1. Users must maintain the confidentiality of their logon credentials, such as passwords and tokens

2. Users must not leave a SafeBoot protected PC unattended in a logged on state, unless it is protected by the secure screen saver.

3. Users must be informed of the process that they need to go through in order that they may contact their administrator in the event of needing to recover their PC if they forget their password or their user account becomes disabled, either through the actions of the administrator or repeated incorrect login attempts.

17.1.1 Common Criteria EAL4 Certificate

You can find the official recognition of this certification on CESG’s website:

http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=152&id=336

17.2 Algorithm Certificate Numbers

17.2.1 AES

Cert 21 and 170 ECB(e/d; 256); CBC(e/d; 256); CFB8(e/d; 256)

http://csrc.nist.gov/cryptval/aes/aesval.html

17.2.2 SHA1

Cert 71 and 254

http://csrc.nist.gov/cryptval/shs/shaval.htm

17.2.3 DSA/DSS

DSS cert 53 and 112 Sig(ver) Mod(all)

http://csrc.nist.gov/cryptval/dss/dsaval.htm

17.2.4 RNG

Cert 15 AES, DSA, SHA, RNG on AMD Athlon XP, Windows XP SP1, Pentium III Windows 2000

http://csrc.nist.gov/cryptval/rng/rngval.html

17.2.5 DES

Cert 145 CBC(e/d); CFB( 8 bits;e/d)

http://csrc.nist.gov/cryptval/des/desval.html

18. SafeBoot Configuration Files

SafeBoot uses many .ini files to maintain information about the configuration of various components. Some of the more important files are listed here.

18.1 sbgina.ini

Used by the SafeBoot Client to control the Windows logon mechanism. SBGina.ini contains the references used to populate the user id, password and domain boxes of a login dialog, and also the id of the “ok” button.

[Global]
;
; This option is an aid to implementing SSO to further dialogs. If this option
; is set to "Yes", then information about every window that is created when
; a logon dialog is expected is saved to the file specified (or "LOGONWND.TXT"
; if not supplied). Note the file will always be in the SafeBoot directory.
;
Trace.LogonWindowInfo=No
Trace.FileName=LOGONWND.TXT

[Windows.NT.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the NT derived versions of Windows (NT4/2000/XP).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
Window3=MSGina.XP.LogonDialog
Window4=MSGina.WIN2003.LogonDialog
Window5=NWGina.NT.LogonDialog
Window6=NWGinaJP.NT.LogonDialog

[Windows.9x.Logon]
;
; Lists all the sections that contain information about the logon windows for
; the Windows 9x versions of Windows (95/98/ME).
;
; The keys should be of the form "Window" with an incrementing number appended.
; The sections are checked in incrementing numerical order. The numbering
; cannot contain any gaps.
;
Window1=MSNP.9x.LogonDialog
Window2=NWNP.9x.LogonDialog
window3=NWNPJP.9x.LogonDialog

The Trace option is an aid to implementing SSO to further dialogs. If this option is set to "Yes", then information about every window that is created during the logon process is output to the defined trace file.

;----------------------------------------------------------------------------
; The logon window definition sections for NT/W2K/XP
;
[MSGina.NT4.LogonDialog]
;
; The operating system version to which this section applies. You can specify
; the value of "Any" for either field (which is the default if not specified).
;
OS.MajorVersion=4
OS.MinorVersion=Any
;
; The original DLL to which this section applies. If the name is not
; specified or set to "Any", all original DLLs match. If any part of the
; four digit file version is set to "x", then all values for that
; component are matched (e.g. 4.1.0.x).
;
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
;
; Specifies information about the window that we can use to identify it.
; For both the class and title, setting a value of "Any" will match any
; window. Starting the value with a "*" means the remainder of the value
; is treated as a substring, and hence if it occurs anywhere in the window
; title/class it is matched. Otherwise the whole value must match (case
; insensitive).
;
Window.Title=Any
Window.Class=#32770
;
; The control identifiers of controls that are used by the SSO module to
; simulate logons.
;
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=1453
Dlg.CtrlId.Password=1454
Dlg.CtrlId.Domain=1455
;
; If this is set to "Yes" then the user/password fields are captured from the
; dialog box rather than using the values supplied by the original gina.
;
Option.CaptureFromDlg=No
;
; These options define how text is entered into the various fields when
; simulating a logon. Mode 0 sets the text directly into the controls, while
; mode 1 sends characters one at a time (simulating pressing keys) and mode 2
; selects from a combo box.
;
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=2
…

; The logon window definition sections for Win9x/ME
;
[MSNP.9x.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=MSNP32.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770
Dlg.CtrlId.OK=1
Dlg.CtrlId.UserName=21
Dlg.CtrlId.Password=23
Dlg.CtrlId.Domain=25
Option.CaptureFromDlg=No
Option.EntryMode.UserName=0
Option.EntryMode.Password=0
Option.EntryMode.Domain=0
...
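The matching rules stated in the sbgina.ini comments can be exercised offline to see which logon-window section a given dialog would select, and which sections are never reached because of a numbering gap. The following Python sketch is an added example, not SafeBoot code: the function names are hypothetical, the W2K section values and the numbering gap are constructed, and "first matching section wins" is an assumption drawn from "checked in incrementing numerical order".

```python
import configparser

# Constructed sample. [MSGina.NT4.LogonDialog] repeats values quoted on the page;
# the W2K section contents and the numbering gap (no Window3) are invented.
SAMPLE_INI = """
[Windows.NT.Logon]
Window1=MSGina.NT4.LogonDialog
Window2=MSGina.W2K.LogonDialog
Window4=NWGina.NT.LogonDialog

[MSGina.NT4.LogonDialog]
OS.MajorVersion=4
OS.MinorVersion=Any
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=x.x.x.x
Window.Title=Any
Window.Class=#32770

[MSGina.W2K.LogonDialog]
OS.MajorVersion=5
OS.MinorVersion=0
OrigDll.Name=MSGINA.DLL
OrigDll.FileVersion=5.0.x.x
Window.Title=*log on
Window.Class=#32770

[NWGina.NT.LogonDialog]
OS.MajorVersion=Any
"""

def load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def is_any(pattern):
    """A missing value or "Any" matches everything."""
    return pattern is None or pattern.strip().lower() == "any"

def text_matches(pattern, value):
    """"Any" matches all, a leading "*" means substring, else whole value (case-insensitive)."""
    if is_any(pattern):
        return True
    pattern, value = pattern.strip().lower(), value.lower()
    return pattern[1:] in value if pattern.startswith("*") else pattern == value

def number_matches(pattern, number):
    return is_any(pattern) or int(pattern) == number

def version_matches(pattern, version):
    """Four-part file version; an "x" component matches any value."""
    if is_any(pattern):
        return True
    want, have = pattern.strip().lower().split("."), version.split(".")
    return len(want) == len(have) and all(w in ("x", h) for w, h in zip(want, have))

def ordered_sections(cfg, list_section):
    """Return (reachable, skipped): Window1, Window2, ... up to the first gap, then keys after it."""
    items = dict(cfg.items(list_section)) if cfg.has_section(list_section) else {}
    reachable, n = [], 1
    while f"window{n}" in items:          # configparser lowercases option names
        reachable.append(items.pop(f"window{n}"))
        n += 1
    return reachable, sorted(k for k in items if k.startswith("window"))

def select_section(cfg, list_section, os_major, os_minor, dll, dll_version, title, wclass):
    """First reachable section whose criteria all match (assumed semantics), or None."""
    names = {s.lower(): s for s in cfg.sections()}
    for ref in ordered_sections(cfg, list_section)[0]:
        name = names.get(ref.strip().lower())
        if name is None:
            continue                      # list entry points at a section that does not exist
        sec = cfg[name]
        if (number_matches(sec.get("OS.MajorVersion"), os_major)
                and number_matches(sec.get("OS.MinorVersion"), os_minor)
                and text_matches(sec.get("OrigDll.Name"), dll)
                and version_matches(sec.get("OrigDll.FileVersion"), dll_version)
                and text_matches(sec.get("Window.Title"), title)
                and text_matches(sec.get("Window.Class"), wclass)):
            return name
    return None

def catch_all_sections(cfg, list_section):
    """Reachable sections that accept any window title and any DLL file version."""
    names = {s.lower(): s for s in cfg.sections()}
    found = []
    for ref in ordered_sections(cfg, list_section)[0]:
        name = names.get(ref.strip().lower())
        if name is None:
            continue
        version = (cfg[name].get("OrigDll.FileVersion") or "any").lower()
        if is_any(cfg[name].get("Window.Title")) and set(version.split(".")) <= {"x", "any"}:
            found.append(name)
    return found
```

Running `ordered_sections` against a deployed sbgina.ini shows any entries that a numbering gap makes unreachable, and `catch_all_sections` lists the definitions that identify a dialog by class alone.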

18.2 sberrors.ini

Used to increase the detail available in on-screen error messages. You can add further descriptions to errors by amending this file.

18.3 sbhelp.ini

Used to match on-screen windows to their help file sections.

18.4 sbfeatur.ini

Controls the feature set available to SafeBoot. This file is digitally signed by the SafeBoot team and must not be modified.

18.5 scm.ini

Configuration manager file, controls options such as which directory to connect to, and which group to install into.

[Install]
GroupID=the ID of the group this machine will relate to

[Databases]
DatabaseID1=1
TryLastGoodFirst=Yes
LastGoodConnection=1

[Uninstall]
Sbsetup.exe=sbsetup.exe

You can specify the maximum number of lines to hold in the SCMLOG.txt file using the following parameters. If scmlog grows beyond 10,000 lines, the performance of your machine can suffer.

[Log]
MaxSize=number of KB to keep in log (128).
PurgeSize=number of KB to delete when log reaches MaxSize (16).

You can specify the pre-configuration connection behavior by setting the following parameters:

[Defaults]
;this section defines settings that apply before the SafeBoot is
;actually active on the machine.
BootSynchDelay=0 ; delay before synching on boot in minutes
RandSynchDelay=0 ; an extra max random delay to synch in minutes
SynchInterval=0 ; time between automatically retrying synch

You can turn on tracing of the SafeBoot client with the following section. Trace is output to SBCM.log in the same directory as the application.

[Debug]
Trace=1 ;Trace activity, 1 = on, 0 = off

You can set a message to be displayed and a timeout when an administrator performs a remote shutdown of the client (using the machine/Reboot menu option).

[Reboot]
Message=some text to display
Timeout=10 (seconds)

[disk]
Sbfs.defaultsize=10 ;Default size of SafeBoot.FS (in MB)
Install.clearcryptlist=1(0) ;Determines whether to clear the cryptlist
;for a drive on install, or to leave it set.
Boot.message=Starting SafeBoot %d%d ;The default starting message

[boot]
Hookflags=… ;Internal use only – do not change.

18.6 defscm.ini

You can pre-set parameters used in the SCM.ini file created within install sets by creating a file “defscm.ini” in the Administration system directory containing the lines and sections you want to pre-define. defscm.ini is used as a seed to create the unique scm.ini file for the install set.

18.7 sdmcfg.ini

Used by the SafeBoot Client to control the connection to the Object Directory. There may be many connections listed in the file, the multi-connection behavior is controlled through scm.ini.

[Databases]

Database1=192.168.20.57

The IP address for the remote server. This can be a DNS name.

[Database1]
Description=SH-DELL-W2K
IsLocal=No
Authenticate=Yes
Port=5555

ServerKey=… The public key for the remote Server. This is used to stop a hacker putting a rogue server in place and intercepting the traffic.

ExtraInfo=… Padding for the serverkey.

18.8 TrivialPwds.dat

This file provides a dictionary of forbidden passwords. Simply create a Unicode text file, with one password per line, and deploy it to the client machines. You need to enable the user template option “no simple passwords”.

The file needs to be deployed to the “[appdir]\SBTokens\Data” folder.

NOTE – It is more effective to restrict passwords using a template which insists on numeric or special characters, rather than supply a long list of forbidden words.

18.9 Bootcode.ini

Bootcode.ini defines the behaviour of the SafeBoot pre-boot environment. This file is not commonly modified by the end user as it is a system only file. The file is stored in SafeBoot’s pre-boot environment in the \boot directory.

[TokenSelect]
; the token type id of the last token the user selected.
Default=0x01000000

[Locale]
;
; the user selected language to use (reference a key in the [Languages] section
; of the \Locale\Locale.ini file).
;
Language=EnglishUS
;
; the user selected keyboard to use (reference a key in the [Keyboards] section
; of the \Locale\Locale.ini file).
;
Keyboard=US

[Audit]
;
; The maximum allowed audit events
;
MaxEvents=3000
;
; The number of events to remove when the maximum is reached
;
PurgeCount=300

18.10 BootManager.INI

This file controls the partition names specified when the SafeBoot Boot Manager is enabled. The file is stored in SafeBoot’s pre-boot environment in the \boot directory.

[Partition.Names]
Partition0=My secure partition
Partition1=My Insecure partition

18.11 SBErrors.XML

XML version of SBErrors.ini to allow Unicode translation. Device Encryption uses SBErrors.XML in preference of SBErrors.ini if both exist.

18.12 AutoBoot.ini

Defines the default password for the $autoboot$ user(s).

[AutoBoot]
Password=12345

19. SafeBoot Program and Driver Files

19.1 EXE Files

19.1.1 SafeTech

Disaster recovery tool for SafeBoot client.

19.1.2 Setup

Setup.exe is the core executable in SafeBoot's packaging mechanism. It is used as an exe stub for the install package, and also handles the de-install process. Setup takes one parameter, "-Uninstall", which prompts it to walk through sbfiles41.lst, deleting files (or marking them for deletion if they are in use) and reversing registry settings. Setup also re-runs any installation executables with the -Uninstall flag to remove programs. The order of removal is the reverse of the install, i.e. installation executables, registry settings, then lastly files.

19.2 DLL Files

19.2.1 sbalgxx

Utility Encryption algorithm module.

19.2.2 sbgina

Windows login passthrough GINA driver for NT / 2000.

Usually SafeBoot monitors the GINA settings in the registry to ensure that nothing removes or disables the login system. You can change the behavior of this system by editing the SB-NoUpdateGina DWORD key in [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. The following values can be set:

0 - SafeBoot will install and remove its Gina.
1 - SafeBoot will *not* install its Gina, but will remove it.
2 - SafeBoot will *not* remove its Gina, but will install it.
3 - SafeBoot will *not* install or remove its Gina.

You can use these settings to force compatibility with other GINA replacement login systems. If you use option 1, 2 or 3, you are responsible for keeping the GINA chain correct, as SafeBoot will not be monitoring some aspects of it.

19.3 SYS Files

19.3.1 SafeBoot.SYS

The core device driver for SafeBoot, handling crypt of the disk, and management functions.

You can change the way that SafeBoot calculates the disk number by setting the following registry settings – do NOT do this without consulting a SafeBoot Certified System Engineer.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeBoot]
"DiskNumberMode"=dword:00000001
"DiskNumberingMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeBoot\Parameters]
"DiskNumberMode"=dword:00000001
"DiskNumberingMode"=dword:00000001

You can block the use of Safe Mode when SafeBoot is installed by setting the following parameters. These options are included in the “BlockSafeMode” file group option in SafeBoot DE Build 23L and above.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SafeBoot]
;Prevent Safe Mode access if SafeBoot is activated
PreventSafeMode=dword:00000001
;The warning message to display (default if not set)
;PreventSafeModeMsg=""
;The screen background color (default red)
;PreventSafeModeBkCol=dword:00000000
;The screen foreground color (default white)
;PreventSafeModeFgCol=dword:0000000f

5.01+ SafeBoot uses several sectors of the hard disk between 1 and 63 (commonly termed the “partition gap”) to store power fail information while encryption and decryption is in progress. If you have other applications also using these sectors, you can exclude them from the range used by specifying registry settings as below.

For each sector you need to exclude, add a DWORD value of 1 with a name of the decimal sector number to the following registry key as follows:

[HKLM\Software\SafeBoot International\SafeBoot\DiskManager\ExcludedSectors]
14=dword:1
15=dword:1

You can specify any number of exclusions using this method, but be aware that at least two sectors are required, and the smaller the number available, the slower encryption processes will run.

You can add this information to the client NTDRV.SRG registry file to ensure it is applied on all machines at point of install.

19.3.2 SBALG.SYS

SafeBoot’s device driver crypto algorithm module.

19.3.3 SafeBoot.CSC/RSV

5.01 SafeBoot’s pre-boot sector chain for the boot loader. The SafeBoot.csc file was renamed to SafeBoot.RSV in v5.01 for better defrag protection.

19.3.4 SafeBoot.FS

The encrypted pre-boot environment (stored as a single file)

19.4 Other Files

19.4.1 srg files

SafeBoot registry files – these are standard regedit files which are processed into the registry by SafeBoot, without using the windows regedit utility.

20. SafeTech

Figure 20-1. SafeTech 5 Main Window

SafeTech is SafeBoot’s disaster recovery and diagnostic tool. It only needs to be used in the event of a catastrophic failure of the machine, for example after severe hard disk corruption, virus attack, or a complete OS failure.

SafeTech can perform the following functions:

• Decrypt the drive using information obtained from the SafeBoot Management Center

• Start the SafeBoot Emergency Repair process

• Perform forensic analysis on encrypted data

SafeTech can only be used by trained SafeBoot staff, or after attending a SafeBoot training course. For more information, and access to the SafeTech Engineers Guide, please contact your SafeBoot Representative.

21. Themes & Localization

SafeBoot Device Encryption is the most flexible product of its kind in terms of Localization capabilities. It supports unlimited numbers of pre-boot languages and keyboards, and offers full localized pre-boot on screen keyboard and automatic language detection.

You can also restyle almost any aspect of the pre-boot interface, from changing colors and graphics, to moving buttons and text on the screen.

SafeBoot provides full localization and customization services, but for those interested, the following information is provided to help you gain experience of how all the components fit together. We provide numerous languages and graphical layouts (themes) with our product; readers are strongly advised to refer to those while reading these sections to understand how they work.

A tip to future theme designers – the Device Encryption client will synchronize any file changes found in the [appdir]\locale and [appdir]\graphics trees into the SafeBoot pre-boot file system on every policy sync event, so, rather than making your changes and uploading them to a SafeBoot Management Center, you can simply change the files directly on a SafeBoot client and perform a sync event to load them into the pre-boot. A successful sync is not required – only an attempt.

21.1 Themes

Device Encryption uses graphical “Themes” to control the look and feel of the pre-boot environment. These Themes are stored as “Client File” type file sets within the SafeBoot Object Directory. Only one theme can be assigned to a machine at any time.

To assign a theme to a Device Encryption machine, simply enable its file set from the “Files” tab of either the machine, or machine group properties.

Themes are comprised of the following components:

| File or Directory | Description |
|---|---|
| Graphics | |
| Graphics.ini | Master definition file for the graphical theme. This file dictates the overall look of the theme, the button and window positions, and the various graphical elements which are used for each resolution. The |
| ENGLISH | English language font files |
| 640x480 | Images for 640x480 resolution |
| 800x600 | Images for 800x600 resolution |
| 1024x768 | Images for 1024x768 resolution |
| Shared | Shared images used in all modes |
| Locale | |
| Locale.ini | Language translations. This file sets all the options regarding the various language and keyboard support options. The options in Locale.ini determine which font sets from Graphics.ini are used. |

Table 21-1. Theme Overview

For information about the parameters in the Graphics.ini and Locale.ini files, see the example theme, which has fully commented versions.

21.2 Keyboards

21.2.1 Physical Keyboard Layouts

Device Encryption 5 supports many physical keyboard layouts, and also supports automatic detection of the Windows keyboard layout in an attempt to choose the most appropriate pre-boot layout.

Having the correct layout selected pre-boot is essential when authenticating. For example, imagine the user has the French keyboard enabled in Windows, but has the USA keyboard enabled in Device Encryption Pre-Boot.

Row 2 of the French keyboard begins “azerty…” whereas row 2 of a USA keyboard begins “qwerty…” – so if the user's password contains either “a” or “z”, they will not be able to press the same keys in pre-boot to authenticate.

Defining and adding layouts to the SafeBoot PBA

Device Encryption 5 can support an unlimited number of different keyboard layouts. To define which layouts are available, usually you simply need to select the appropriate file group for a machine and the layout will be added.

The PBA determines which layouts are installed by considering the Locale\Locale.ini file in the pre-boot environment. This file is synchronised along with the entire [app-dir]\locale directory each time the machine performs a sync operation.

An example keyboard layout is defined as follows in Locale.ini:

Node Description

;Norwegian Stub
;B5100
[Settings]
DefaultKeyboard=0414

Defines the default keyboard if no mapping in [LanguageIDMap] can be determined.

[Keyboards]
0414=Keyboard.0414
043B=Keyboard.043B

Defines the list of possible keyboards. In this example, two keyboards are defined (0414 and 043B), which are described in the sections keyboard.0414 and keyboard.043b. The definition names and section names are arbitrary, but we recommend you use the actual keyboard ID for consistency.

[Keyboard.0414]
name=Norwegian
mapfile=0414_E.MAP
OSK=0414_OSK.XML

This is a keyboard definition section. It describes the name of the keyboard (displayed in the selection list), the map file to use (stored in \Locale), and the on-screen keyboard file to use (again, stored in \locale). Instead of using the “name” tag, you can use NameW, which takes a comma separated list of hex char codes, for example:

NameW=32,54,23,6A,43DF

With NameW you can display Unicode chars, which is useful when defining double-byte languages.

[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

[LanguageIDMap]
0414.Keyboard=0414
043B.Keyboard=043B

This section describes how the client should attempt to map the selected Windows keyboard to the pre-boot keyboards. 0414.Keyboard=0414 indicates that if Windows is using a keyboard with the ID 0414, SafeBoot should use the keyboard described in [keyboards] under the definition name 0414.

Table 21-2. Keyboard definition in Locale.ini

Normally Language and keyboard layouts are defined within the SafeBoot Database, and each language has a locale.ini file configured as a “Merge Ini”. This system enables administrators to add and remove languages without having to define the exact set prior to distribution. As all keyboards and Languages are defined in the same Locale.ini file, without merge INIs you would have to create a locale.ini file describing the exact combination of keyboards and locales prior to sending it to a Device Encryption client.

For examples of how to define a Locale.ini, see one of the supplied languages stored in the SafeBoot Management Center install directory \Languages tree.

21.2.2 Creating your own Keyboard Layout

Keyboard layouts are compiled from a source text file with the following structure:

Name=the keyboard name
Flags=keyboard flags
Scancode=Unicode char number, mask, keystate…

For example:

flags=0x8000007C
NAME=Norwegian with Sami
;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps

The keyboard map source file is comprised of the following components:

Node Description

flags: Operational flags which control the behaviour of this keyboard map. Defined flags include:

0x00000001 Caps is Shift
0x00000002 Shift unsets Caps
0x00000004 Acute
0x00000008 Grave
0x00000010 Circumflex
0x00000020 Umlaut (Diaeresis)
0x00000040 Tilde
0x00000080 Caron
0x00000100 Apostrophe
0x00000200 Cedilla
0x00000400 Breve
0x00000800 Ogonek
0x00001000 Dotabove
0x00002000 DoubleAcute
0x00004000 Degree
0x00008000 Tonos
0x00010000 Middle Dot
0x00020000 Low Nine
0x00040000 Dialytika
0x00080000 Quotation
0x00100000 Polish Programmers Tilde
0x00200000 Ring Above
0x00400000 Macron
0x80000000 Extended Mode (should always be enabled)

Name: The keyboard name

Key definitions: Each key (scan code) behaviour is defined in a number of entries which state the Unicode character which should be produced. Each key may have many states (normal, shifted, caps etc) so there may be multiple entries per key.

The possible states are defined with a mask (which keys to consider) and a state (the key state itself).

The possible keys you can use in the mask and keystate are:

RIGHT_ALT_PRESSED 0x0001
LEFT_ALT_PRESSED 0x0002
RIGHT_CTRL_PRESSED 0x0004
LEFT_CTRL_PRESSED 0x0008
SHIFT_PRESSED 0x0010
NUMLOCK_ON 0x0020
SCROLLLOCK_ON 0x0040
CAPSLOCK_ON 0x0080
ENHANCED_KEY 0x0100

So as an example, to define key 2 (the number 1 key on a USA keyboard) you would add an entry for scan code 0x02 (the scan code of this key) followed by a number of possible key states.

0x02=0x0031,0x009F,0x0000

Would define the number 1 key to display the char “1” in the situation that none (keystate of 0x000) of the modifiers capslock, shift, left-alt, right-ctrl, left-ctrl and right-alt (0x09F) is pressed. To define the behaviour of this key when shift alone is pressed we use the following line:

0x02=0x0021,0x009F,0x0010

As above, if key 2 is pressed, create a quotation mark (Unicode char 21) if shift (0x0010) is pressed out of the combination of capslock, shift, left-alt, right-ctrl, left-ctrl and right-alt (0x09F). Of course, in both the cases above, the keys not considered in the keystate must not be pressed. The Mask defines which keys to consider, and the keystate defines the state of each of those keys.

Table 21-3. Keyboard map source file

If you wish to create a custom keyboard map, you will need to have it compiled by SafeBoot before it can be used.
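The mask/keystate rule described in Table 21-3 can be checked against a map source file before it is sent for compilation. The following Python sketch is an added example, not SafeBoot code: it parses the source format shown above, resolves a scan code plus modifier state to a character, and lists password characters that no entry in the map can produce. The function names are hypothetical, and treating a Unicode value of 0x0000 as "no character" is an assumption.

```python
# Modifier bits from the page's mask/keystate list.
MODIFIERS = {
    "RIGHT_ALT": 0x0001, "LEFT_ALT": 0x0002, "RIGHT_CTRL": 0x0004,
    "LEFT_CTRL": 0x0008, "SHIFT": 0x0010, "NUMLOCK": 0x0020,
    "SCROLLLOCK": 0x0040, "CAPSLOCK": 0x0080, "ENHANCED_KEY": 0x0100,
}

# Sample input: the "Norwegian with Sami" fragment quoted on the page.
SAMPLE_MAP = """\
flags=0x8000007C
NAME=Norwegian with Sami
;----
0x02=0x0031,0x009F,0x0000 ;-normal
0x02=0x0021,0x009F,0x0010 ;-shift
0x02=0x0000,0x009F,0x0009 ;-altgr
0x02=0x0031,0x009F,0x0080 ;-caps
0x02=0x0000,0x009F,0x0090 ;-shiftcaps
0x02=0x0000,0x009F,0x0019 ;-shiftaltgr
0x02=0x0000,0x009F,0x0089 ;-altgrcaps
0x02=0x0000,0x009F,0x0099 ;-shiftaltgrcaps
"""

def parse_map(text):
    """Return (header, entries); entries maps scancode -> [(char, mask, keystate)]."""
    header, entries = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value")
        key, value = key.strip(), value.strip()
        if key.lower() in ("name", "flags"):
            header[key.lower()] = value
            continue
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected char,mask,keystate")
        char, mask, state = (int(p, 16) for p in parts)
        if state & ~mask:
            raise ValueError(f"line {lineno}: keystate sets bits outside the mask")
        rows = entries.setdefault(int(key, 16), [])
        if any(m == mask and s == state for _, m, s in rows):
            raise ValueError(f"line {lineno}: duplicate mask/keystate for this key")
        rows.append((char, mask, state))
    return header, entries

def resolve(entries, scancode, modifiers):
    """Character produced for a scan code under the given modifier bits, or None.

    An entry applies when the modifiers selected by its mask equal its keystate;
    modifiers outside the mask (NumLock here) are ignored.
    """
    for char, mask, state in entries.get(scancode, []):
        if (modifiers & mask) == state:
            return chr(char) if char else None   # assumption: 0x0000 means no character
    return None

def untypeable(entries, text):
    """Characters of `text` that no entry in the map can produce."""
    producible = {chr(c) for rows in entries.values() for c, _, _ in rows if c}
    return sorted(set(text) - producible)
```

Running `untypeable` over the character classes that the password template requires shows, before deployment, whether a layout would leave users unable to enter their password in pre-boot.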

21.2.3 On Screen Keyboards

On-Screen keyboards provide a visual representation of the physical keyboard. Each keyboard map can be defined to provide either its own OSK, or the system default OSK (US English). The symbols on each key can be defined for the normal, alt, altgr, shift, caps, and ctrl states, and also any combination of states.

OSKs are defined in SafeBoot pre-boot using an XML file which controls the layout (key spacing, number of rows etc), and the display char for each key. The OSK file (keyboardID_OSK.XML) is usually stored in the SBFS\Locale directory.

There can be many OSKs installed, and each physical keyboard map can choose one of the installed OSKs to display on request.

Administrators can choose to always display an OSK for the user by selecting the “always display on-screen keyboard” option of the Machine/General properties.

NOTE: Though the OSK displays the character for each possible state, the OSK sends the scan code and modifier (shift/alt etc) to the selected keyboard driver for conversion, so the actual character printed will be a result of the keyboard driver, NOT necessarily the one displayed on the OSK.

A Sample OSK Keyboard could be defined as follows

<?xml version="1.0" encoding="UTF-16"?>
<keyboard>
  <options col="lightgray" button_col="lightgray" border_col="black" txt_col="black" font="System" down_col="blue" button_style="square" border_width="3">
  </options>
  <layout id="English (US)">
    <row>
      <key id="18" obey-caps="true" scancode="0x11">
        <default display="w" />
        <shifted display="W" />
        <caps display="W" />
        <alt_gr display="GR" />
        <text state="alt+shift" display="AS" />
        <text state="alt+shift+ctrl" display="ASC" />
        <text state="shift+ctrl" display="SC" />
        <text state="caps+shift" display="PS" />
        <text state="altgr+ctrl" display="GC" />
      </key>
      <key id="19" obey-caps="false" scancode="0x056">
        …
      </key>
    </row>
    <row>
      …
    </row>
  </layout>
</keyboard>

The following nodes should be considered:

| Node | Description |
|---|---|
| Options/font | The name of the font used by this OSK. This should be defined in graphics.ini and needs to be an OnTime Binary font |
| Layout ID | The name of this OSK layout – displayed in the title bar of the OSK |
| Key/ID | A decimal representation of the key – usually the decimal scan code ID |
| Key/Obey-Caps | If this key is subject to any caps state switching, this should be set to true. |
| Key/Scancode | The Scancode produced by this key |
| Key/default | The default display char |
| Key/shifted | The shifted display char |
| Key/caps | The caps lock state char |
| Key/alt_gr | The alt_gr state char |
| Key/text/state | The combination states for this key – The text/state attribute takes precedence over the key/default key/shift etc states. You can specify single states, for example Text state="shift" display="Q", or combination states, for example Text state="shift+altgr" display="%". For any key to consider any caps behaviour, the key/obey_caps needs to be true. |

Table 21-4. On Screen Keyboard Source

To set which OSK is displayed per keyboard map, add an “OSK=” tag to the keyboard definition in locale.ini, for example:

[Keyboard.043B]
name=Norwegian with Sami
mapfile=043B_E.MAP
OSK=043B_OSK.XML

| Node | Description |
|---|---|
| Name | The display name of the Keyboard |
| Mapfile | The name of the map file to use to map the key presses to chars |
| OSK | The name of the OSK file to display |

Table 21-5. On Screen Keyboard Definition

21.3 Pre-Boot Language

Device Encryption 5 supports many languages, and also supports automatic detection of the Windows Language in an attempt to choose the most appropriate pre-boot language.

The selectable languages are defined in the SBFS Locale\Locale.ini file, for example:

Node Description

Chinese Stub
;B5100
[Settings]
DefaultLanguage=0804

The default language to use if no mapping is found in the [LanguageIDMap] section.

[Languages]
0804=Lang.0804
0404=Lang.0404

The defined languages – Both the definition name and section name are arbitrary.

[LanguageIDMap]
0804.Language=0804
0404.Language=0404
0004.Language=0804
0C04.Language=0404
0404.Keyboard=0404
0804.Keyboard=0804

The Windows language to SafeBoot Pre-Boot language map.

For example, if Windows is using the Locale 0404, then the Pre-boot should use the definition 0404 for its language.

Both the major and minor language can be checked, so in this example both Windows languages 0804 and 0004 use the SafeBoot pre-boot definition section 0804. If the primary variant for example 0F04 is found in Windows, then 0004 will be used in SafeBoot.

[Lang.0804]
;Name=Chinese Simplified (PRC)
NameW=,0020,0050,0052,0043,0029
ID=0804
StringFile=0804.STR
FontSection=Fonts.SuperFont

This section defines a language.

The Name tag is the name displayed in the pre-boot selection list. You can supply a NameW tag instead which takes a comma separated list of char codes. This enables you to set a Unicode name for the list.

The ID describes the Locale ID, this should be the ANSI recognised ID for this language.

The StringFile describes the actual compiled definition file to use (stored in \locale).

The FontSection describes the section in Graphics.ini which contains the fonts to be used for this particular language.

Each language can use its own fonts, or can use fonts shared by other languages.

Table 21-6. Pre-Boot Language Definition
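The Locale.ini lookups described in sections 21.2.1 and 21.3 can be checked before a merged file reaches clients, since a keyboard or language entry that points at a missing section leaves the user without the layout they need to authenticate. The following Python sketch is an added example, not SafeBoot code: the function names are hypothetical, the sample merges the page's two stubs with two deliberately missing sections, and deriving the major ID as "00" plus the last two hex digits is an assumption taken from the page's 0F04 to 0004 example.

```python
import configparser

# Constructed sample: the page's Norwegian keyboard stub and Chinese language stub
# merged into one Locale.ini, with [Keyboard.043B] and [Lang.0404] left out on purpose.
SAMPLE_LOCALE = """\
[Settings]
DefaultKeyboard=0414
DefaultLanguage=0804
[Keyboards]
0414=Keyboard.0414
043B=Keyboard.043B
[Keyboard.0414]
name=Norwegian
mapfile=0414_E.MAP
OSK=0414_OSK.XML
[Languages]
0804=Lang.0804
0404=Lang.0404
[Lang.0804]
ID=0804
StringFile=0804.STR
FontSection=Fonts.SuperFont
[LanguageIDMap]
0414.Keyboard=0414
043B.Keyboard=043B
0804.Language=0804
0404.Language=0404
0004.Language=0804
0C04.Language=0404
"""

# kind -> (list section, default key in [Settings], key every definition needs)
KINDS = {
    "Keyboard": ("Keyboards", "DefaultKeyboard", "mapfile"),
    "Language": ("Languages", "DefaultLanguage", "StringFile"),
}

def load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def _get(cfg, section, option):
    return cfg.get(section, option, fallback=None)

def resolve(cfg, kind, windows_id):
    """Definition name for a Windows ID: exact map entry, then (Language only)
    the major ID, then the default from [Settings]."""
    candidates = [windows_id]
    if kind == "Language":
        candidates.append("00" + windows_id[-2:])   # assumption: 0F04 -> 0004
    for cand in candidates:
        target = _get(cfg, "LanguageIDMap", f"{cand}.{kind}")
        if target:
            return target.upper()
    default = _get(cfg, "Settings", KINDS[kind][1])
    return default.upper() if default else None

def check(cfg):
    """List references that do not resolve to a complete definition."""
    problems = []
    sections = {s.lower(): s for s in cfg.sections()}
    for kind, (list_section, default_key, required) in KINDS.items():
        defined = dict(cfg.items(list_section)) if cfg.has_section(list_section) else {}
        for name, section in defined.items():
            real = sections.get(section.lower())
            if real is None:
                problems.append(f"[{list_section}] {name.upper()} -> missing section [{section}]")
            elif _get(cfg, real, required) is None:
                problems.append(f"[{real}] has no {required}")
        default = _get(cfg, "Settings", default_key)
        if default and default.lower() not in defined:
            problems.append(f"[Settings] {default_key}={default} is not in [{list_section}]")
        if cfg.has_section("LanguageIDMap"):
            for key, target in cfg.items("LanguageIDMap"):
                if key.endswith("." + kind.lower()) and target.lower() not in defined:
                    problems.append(f"[LanguageIDMap] {key} -> undefined {kind.lower()} {target}")
    return problems
```
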

21.3.1 Creating your own Language file

Device Encryption Language files are created from a Unicode master which describes the text to display for each defined pre-boot message, for example:

Name=Chinese (Simplified)
ID=0804
1=确定
2=取消
3=SafeBoot
4=是
5=否
50=请插入一张引导用的软盘或者按取消从硬盘引导。
100=SafeBoot登录
101=用户名:
102=密码:
103=修改密码
51=您不允许从软盘引导,系统将从硬盘引导。

You can obtain a pre-boot English master text file from your SafeBoot distributor. Once translated, the file needs to be compiled by SafeBoot.

Normally Language and keyboard layouts are defined within the SafeBoot Database, and each language has a locale.ini file configured as a “Merge Ini”. This system enables administrators to add and remove languages without having to define the exact set prior to distribution. As all keyboards and Languages are defined in the same Locale.ini file, without merge INIs you would have to create a locale.ini file describing the exact combination of keyboards and locales prior to sending it to a Device Encryption client.

For examples of how to define a Locale.ini, see one of the supplied languages stored in the SafeBoot Management Center install directory \Languages tree.

21.4 Pre Boot Token Descriptions

You can localise the token names used in Device Encryption by adding an XML definition file to the [appdir]\SBTokens\Languages directory. The client searches for resources in the following order:

1. The [appdir]\SBTokens\Languages\LanguageID directory

2. The [appdir]\SBTokens\Languages\LanguageMajor directory

3. The [appdir]\SBTokens\Languages directory

For example, on a US English system (Language ID 0409) Device Encryption will look for token resources in [appdir]\SBTokens\Languages\0409, then [appdir]\SBTokens\Languages\0009, then [appdir]\SBTokens\Languages.

The definition file for each token is described in an XML file with the name “Token_tokenID.xml” as follows:

Node Description

<SbTokenInformation>

<Token type="xxxxxxxx"> The ID of the Token - you can find this from the “Tokens” section of this guide.

<PromptName>prompt text</PromptName> The text to display in the login box

<ListName>list text</ListName> The text to display in the list of tokens

</Token> </SbTokenInformation>

Table 21-7. Token Translation File

21.5 Windows Languages

Device Encryption 5 uses resource DLLs and other files to convert its Windows components to display in alternate languages.

The client searches for resources in the following order:

1. Looks to the [appdir]\Languages\LanguageID directory

2. Looks to the [appdir]\Languages\LanguageMajor directory

3. Looks to the [appdir]\Languages directory

4. Looks to the [appdir] directory and uses built in resources

For example, on a US English system (Language ID 0409) Device Encryption will look for resources in [appdir]\Languages\0409, then [appdir]\Languages\0009, then [appdir]\Languages, then [appdir].

The following components are supported for localisation

• DLL resources (Windows resources)

• SBErrors.XML (Unicode Error code descriptions)

• SBErrors.INI (ASCII Error code descriptions)

• SBClient.CHM (Help file)

• SBHelp.INI (Help file index)
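
The resource search order described in sections 21.4 and 21.5, written out as an added example (this is not SafeBoot code). It assumes the major language ID is the low byte of the Windows language ID, which matches the guide's examples (0409 to 0009, 0804 to 0004, 0F04 to 0004); the function names and the token ID 00000001 are constructed for illustration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

TOKEN_BASE = ["SBTokens", "Languages"]   # section 21.4
WINDOWS_BASE = ["Languages"]             # section 21.5


def major_language(lang_id):
    """Major-language ID for a 4-hex-digit Windows language ID.

    Assumption: the major language is the low byte of the ID, which is what
    the guide's examples imply (0409 -> 0009, 0804 -> 0004, 0F04 -> 0004).
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{4}", lang_id):
        raise ValueError(f"not a 4-digit hex language ID: {lang_id!r}")
    return f"{int(lang_id, 16) & 0x00FF:04X}"


def search_order(lang_id, base, include_appdir=False):
    """Directories (as path components under [appdir]), most specific first."""
    exact, major = lang_id.upper(), major_language(lang_id)
    order = [base + [exact]]
    if major != exact:                    # avoid listing the same directory twice
        order.append(base + [major])
    order.append(list(base))
    if include_appdir:                    # Windows resources end at [appdir] itself
        order.append([])
    return order


def find_resource(appdir, lang_id, filename, base, include_appdir=False):
    """Return the first existing copy of filename in search order, or None."""
    for parts in search_order(lang_id, base, include_appdir):
        candidate = os.path.join(appdir, *parts, filename)
        if os.path.isfile(candidate):
            return candidate
    return None


def load_token_names(path):
    """Parse a Token_<tokenID>.xml file into {token type: (prompt, list name)}."""
    root = ET.parse(path).getroot()
    if root.tag != "SbTokenInformation":
        raise ValueError(f"unexpected root element <{root.tag}> in {path}")
    names = {}
    for token in root.findall("Token"):
        token_type = token.get("type")
        prompt = token.findtext("PromptName")
        list_name = token.findtext("ListName")
        if not token_type or prompt is None or list_name is None:
            raise ValueError(f"incomplete <Token> entry in {path}")
        names[token_type] = (prompt.strip(), list_name.strip())
    return names


def _write_token_file(directory, token_type, prompt, list_name):
    """Write a constructed token translation file in the guide's layout."""
    os.makedirs(directory, exist_ok=True)
    root = ET.Element("SbTokenInformation")
    token = ET.SubElement(root, "Token", type=token_type)
    ET.SubElement(token, "PromptName").text = prompt
    ET.SubElement(token, "ListName").text = list_name
    path = os.path.join(directory, f"Token_{token_type}.xml")
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)


def demo():
    """Resolve a token file for two language IDs in a constructed tree."""
    token_type = "00000001"               # constructed placeholder token ID
    filename = f"Token_{token_type}.xml"
    with tempfile.TemporaryDirectory() as appdir:
        base_dir = os.path.join(appdir, *TOKEN_BASE)
        # Default strings in the base directory, Chinese strings under 0004.
        _write_token_file(base_dir, token_type, "Password:", "Password")
        _write_token_file(os.path.join(base_dir, "0004"), token_type, "密码:", "密码")
        results = {}
        for lang_id in ("0409", "0804"):
            path = find_resource(appdir, lang_id, filename, TOKEN_BASE)
            rel = os.path.relpath(path, appdir).split(os.sep)
            results[lang_id] = (rel[:-1], load_token_names(path)[token_type])
        return results


if __name__ == "__main__":
    for lang, (where, names) in demo().items():
        print(lang, "\\".join(where), names)
```

In the constructed tree, 0409 falls through to the base directory because neither a 0409 nor a 0009 directory exists, while 0804 is served from the 0004 (major language) directory.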

22. Troubleshooting PCs

For the latest information on SafeBoot issues, patches and information please see our web site – www.safeboot.com. We maintain several sections with the latest tips from our implementation teams, and any suggested changes and updates. You can also subscribe to an update list which uses e-mail to keep you informed of any significant issues.

Figure 22-1. SafeBoot Website

23. Error Messages

Please see the file sberrors.ini for more details of these error messages. You can also find more information on error messages on our web site, www.safeboot.com.

23.1 Module codes

The following codes can be used to identify from which SafeBoot module the error message was generated.

Error Code Module

1c00 IPC

5501 SBHTTP Page Errors

5502 SBHTTP User Web Recovery

5c00 SBCOM Protocol

5c02 SBCOM Crypto

a100 ALG

c100 Scripting

db00 Database Misc

db01 Database Objects

db02 Database Attributes

e000 SafeBoot General

e001 SafeBoot Tokens

e002 SafeBoot Disk

e003 SafeBoot SBFS

e004 SafeBoot BootCode

e005 SafeBoot Client

e006 SafeBoot Algorithms

e007 SafeBoot Users

e010 SafeBoot Keys

e011 SafeBoot File

e012 SafeBoot Licenses

e013 SafeBoot Installer

e014 SafeBoot Hashes

e015 SafeBoot App Control

e016 SafeBoot Admin

Table 23-1. Module Error Codes

23.2 1C000 IPC Errors

Code Message and Description

[1c000001] Timeout during IPC

[1c000002] IPC terminated

[1c000003] Unable to initialise IPC

[1c000004] Unknown or unsupported function

[1c000005] Request to send data that is too big

[1c000006] Timeout sending data

[1c000007] Timeout waiting for reply

[1c000008] Out of memory

Table 23-2. IPC Errors

23.3 5C00 Communications Protocol

Code Message and Description

[5c000000] Unsupported version

The server and client are not talking the same communications protocol version

[5c000005] Out of memory

[5c000008] A corrupt or unexpected message was received

[5c000009] Unable to load the Windows TCP/IP library (WSOCK32.DLL)

Check that the TCP/IP protocol is installed

[5c00000a] Communications library not initialised

This is an internal programmatic error

[5c00000c] Unable to create TCP/IP socket

[5c00000d] Failed while listening on a TCP/IP socket

[5c00000e] Unable to convert a host name to an IP address

Check the host file or the DNS settings

[5c00000f] Failed to connect to the remote computer

The computer may not be listening or it is too busy to accept connections

[5c000010] Failed while accepting a new TCP/IP connection

[5c000011] Failed while receiving communications data

The remote computer may have reset the connection

[5c000012] Failed while sending communications data

[5c000013] Invalid communications configuration

[5c000014] Invalid context handle

[5c000015] A connection has already been established

[5c000016] No connection has been established

[5c000017] Request for an unknown function has been received

[5c000018] Unsupported or corrupt compressed data received

[5c000019] Data block is too big

[5c00001a] Data of an unexpected length has been received

[5c00001b] Message too big to be received

This may occur if an attempt is made to import large amounts of data into the database (e.g. a file)

[5c00001c] Unable to create thread mutex

[5c00001d] Message too big to be sent

This may occur if an attempt is made to import large amounts of data into the database (e.g. a file)

[5c00001e] Wrong SafeBoot Communications Protocol Version

You are most likely trying to connect to a v4 SafeBoot Server using a v5 Server definition with server authentication enabled.

Check that you do not have both v4 and v5 servers running (perhaps as a service) at the same time.

Table 23-3. Protocol Errors

23.4 5C02 Communications Cryptographic

Code Message and Description

[5c020000] The Diffie-Hellman data is invalid or corrupt

[5c020001] An unsupported encryption algorithm has been requested

[5c020002] An unsupported authentication algorithm has been requested

[5c020003] Unable to sign data

[5c020004] Authentication signature is not valid

[5c020005] Authentication parameters are invalid or corrupt

[5c020006] Failed while generating DSA parameters

[5c020007] No session key has been generated

[5c020008] Unable to authenticate user

[5c020009] Session key too big

Table 23-4. Crypto Errors

23.5 A100 Algorithm Errors

Code Message and Description

[a1000000] Not enough memory

[a1000001] Unknown or unsupported function

[a1000002] Invalid handle

[a1000003] Encryption key is too big

[a1000004] Encryption key is too small

[a1000005] Unsupported encryption mode

[a1000006] Invalid memory address

[a1000007] Invalid key data

Table 23-5. Algorithm Errors

23.6 DB00 Database Errors

Code Message and Description

[db000000] Out of memory

[db000001] More data is available

[db000002] The database has not been created or initialised yet

Check the database path or create a new database. To force the new database wizard to be run, delete the SDMCFG.INI file and restart the administration program.

[db000003] Invalid context handle

[db000004] The name was not found in the database

[db000005] Authentication was not successful.

Check that you have the correct token for this database

[db000006] Unknown database

[db000007] Invalid database type

[db000008] The database could not be found. Check the database path settings

[db000009] Database already exists.

Choose a different database path

[db00000a] Unable to create the database

Check the path settings and make sure you have write access to the directory

[db00000b] Invalid database handle

[db00000c] The database is currently in use by another entity

You can not delete a database while someone is using it

[db00000d] Unable to initialise the database

[db00000e] User aborted

[db00000f] Memory access violation

[db000010] Invalid string

[db000011] No default group has been defined

[db000012] The group could not be found

[db000013] File not found

[db000014] Unable to read file

[db000015] Unable to create file

[db000016] Unable to write to file

[db000017] File corrupt

[db000018] Invalid function

[db000019] Unable to create mutex

[db00001a] Invalid license

The license has been modified so that the signature is now invalid

[db00001b] License has expired

[db00001c] The license is not for this database

Check the database ID and ensure it is the same as the one specified in the license. Each time you create a new database, a different ID is generated. There is no way to change the ID of a database.

[db00001d] You do not have permission to access the object

[db00001e] SafeBoot is currently busy with another task. Please wait for it to complete and try again.

This usually means that your hard disks are in the process of being encrypted or decrypted. You can check the current SafeBoot status from the right-click menu of the SafeBoot task bar icon.

[db00001f] SafeBoot is still installed on this machine

[db000020] Buffer too small

[db000021] The requested function is not supported

[db000022] Unable to update the boot sector

The disk may be in use by another application or Explorer itself. The disk may be protected by an anti-virus program.

Table 23-6. Database Errors

23.7 DB01 Database Objects

Code Message and Description

[db010000] The object is locked

Someone else is currently updating the same object

[db010001] Unable to get the object ID

[db010002] Unable to change the object's access mode

Someone else may be accessing the object at the same time. If you are trying to write to the object while someone else has the object open for reading, you will not be able to change to write mode.

[db010003] Object is in wrong access mode

[db010004] Unable to create the object in the database

The disk may be full or write protected

[db010005] Operation not allowed on the object type

[db010006] Insufficient privilege level

You do not have the access rights required to access the object.

[db010007] The object status is disabled

This is usually associated with User objects. Disabling the user's object prevents them logging on until their account is re-enabled.

[db010008] The object already exists

[db01000f] The object is in use

[db010010] Object not found

The object has been deleted from the database

[db010011] License has been exceeded for this object type

Check that your licenses are still valid and if not obtain further licenses if necessary

Table 23-7. Database Object Errors

23.8 DB02 Database Attributes

Code Message and Description

[db020000] Attribute not found

[db020001] Unable to update attribute

[db020002] Unable to get attribute data

[db020003] Invalid offset into attribute data

[db020004] Unable to delete attribute

[db020005] Incorrect attribute length

[db020006] Attribute data required

Table 23-8. Attribute Errors

23.9 E000 SafeBoot General

Code Message and Description

[e0000000] User aborted

[e0000001] Insufficient memory

[e0000002] Invalid date/time

Table 23-9. General Errors

23.10 E001 Tokens

Code Message and Description

[e0010000] General token error

[e0010001] Token not logged on

[e0010002] Token authentication parameters are incorrect

[e0010003] Unsupported token type

[e0010004] Token is corrupt

[e0010005] The token is invalidated due to too many invalid logon attempts

[e0010006] Too many incorrect authentication attempts

[e0010007] Token recovery key incorrect

[e0010010] The password is too small

[e0010011] The password is too large

[e0010012] The password has already been used before. Please choose a new one.

[e0010013] The password content is invalid

[e0010014] The password has expired

[e0010015] The password is the default and must be changed.

[e0010016] Password change is disabled

[e0010017] Password entry is disabled

[e0010020] Unknown user

[e0010021] Incorrect user key

[e0010022] The token is not the correct one for the user

[e0010023] Unsupported user configuration item

[e0010024] The user has been invalidated

[e0010025] The user is not active

[e0010026] The user is disabled

[e0010027] Logon for this user is not allowed at this time

[e0010028] No recovery key is available for the user

[e0010030] The algorithm required for the token is not available

[e0010040] Unknown token type

[e0010041] Unable to open token module

[e0010042] Unable to read token module

[e0010043] Unable to write token module

[e0010044] Token file not found

[e0010045] Token type not present

[e0010046] Token system class is not available

[e0018000] Sony Puppy requires fingerprint

[e0018001] Sony Puppy requires password

[e0018002] Sony Puppy not trained

Table 23-10. Token Errors

23.11 E002 SafeBoot Disk

Code Message and Description

[e0000002] Invalid date/time

[e0020000] No more data is available

[e0020001] No more data is available

[e0020002] Unsupported disk driver function

[e0020003] Invalid disk driver request

[e0020004] Disk request buffer too small

[e0020005] Unsupported encryption algorithm

[e0020006] Unknown disk number

[e0020007] Error reading disk sector

[e0020008] Error writing disk sector

[e0020009] Unable to get disk partition information

[e002000a] SafeBoot disk information not present

[e002000b] Not enough space for the SafeBoot disk information

[e002000c] The SafeBoot disk information is invalid

[e002000d] Sector not valid for SafeBoot disk information use

[e002000e] Sector chain is invalid

[e002000f] Sector chain type incorrect

[e0020010] Sector chain sequence number incorrect

[e0020011] Sector chain checksum invalid

[e0020012] Crypt state information too big for available space

[e0020013] Crypt list full

[e0020014] Crypt range too big.

[e0020015] Attempt to crypt while in power fail state not allowed

[e0020016] Attempt to crypt in-progress I/O

[e0020017] Error communicating with SafeBoot disk driver

[e0020018] SafeBoot disk driver not present

[e0020019] Unsupported disk driver version

[e002001a] No encryption key has been set

[e002001b] Unable to find the system boot disk

[e002001c] Unknown message slot

[e002001d] Message slot data too large

[e002001e] Unable to lock floppy disk driver for access

[e002001f] Unable to access floppy disk

[e0020020] The boot disk type is not supported

[e0020021] Access to driver not permitted

Table 23-11. Disk Errors

23.12 E003 SafeBoot SBFS

Code Message and Description

[e0030001] The SafeBoot File System is already mounted

[e0030002] Unable to mount the SafeBoot File System

[e0030003] Unable to unmount the SafeBoot File System

[e0030004] The SafeBoot File System is not mounted

[e0030005] Error reading SafeBoot File System sector

[e0030006] Error writing SafeBoot File System sector

[e0030007] SafeBoot File System too fragmented

[e0030008] SafeBoot File System size invalid

[e0030009] Error creating SafeBoot File System host file

[e003000a] Error reading SafeBoot File System host file

[e003000b] Error writing SafeBoot File System host file

[e003000c] Error setting SafeBoot File System host file pointer

[e003000d] Unable to locate sectors corresponding to the SafeBoot File System host file

[e003000e] No host driver found for the SafeBoot File System

Table 23-12. SBFS Errors

23.13 E004 Boot Code Image

Code Message and Description

[e0040001] Unable to open boot code image file

[e0040002] Error reading boot code image file

[e0040003] Boot code image file too big

[e0040004] Error creating boot code image host file

[e0040005] Error reading boot code image host file

[e0040006] Error writing boot code image host file

[e0040007] Error setting boot code image host file pointer

[e0040008] Unable to locate boot code image host file sectors

[e0040009] No host driver found for boot code image file

[e004000a] Unhandled instruction

[e004000b] Invalid instruction

[e004000c] Protected mode General Protection Fault

Table 23-13. SBFS Errors

23.14 E005 Client

Code Message and Description

[e0050001] SafeBoot Client not activated

[e0050002] The SafeBoot Client is already activated

[e0050003] The SafeBoot Client activation is already in progress

[e0050004] The wrong version of the SafeBoot Client is currently active

[e0050005] Unable to save original MBR

[e0050006] Disk Manager not open

[e0050007] Unable to load MBR copy

[e0050008] Unable to load the SafeBoot MBR

[e005000a] Too many work items to perform encryption.

[e005000b] SafeBoot MBR invalid

[e005000c] SafeBoot Client sync failed to start

[e005000d] SafeBoot Client sync already in progress

[e005000e] Key not available to the SafeBoot Client

[e005000f] The recovery key is incorrect

[e0050010] Failed to start cryption

[e0050011] Cryption already in progress

[e0050012] The hard disk key is incorrect

[e0050013] The machine configuration is corrupt or invalid

[e0050014] Unable to load string data

[e0050015] String data is invalid

[e0050016] Incorrect user logon

[e0050017] The isolation period has expired

[e0050018] A possible virus has been detected

[e0050019] Recovery data is invalid

[e005001a] Recovery file version unsupported

[e005001b] Invalid recovery command

[e005001c] Invalid recovery type

[e005001d] Recovery data not found

[e005001d] Client not initialized for emergency boot

[e0050020] Unable to open the client data store

[e0050021] The client data store is not open

[e0050022] The client data store already exists

[e0050023] Error creating client data store

[e0050024] Unable to create client data store directory

[e0050025] Client data store in use

[e0050026] Unable to delete client data store

[e0050027] The client data store is corrupt

[e0050028] Unsupported client data store version

[e0050030] Client data store object not found

[e0050031] Client data store object not open

[e0050032] Client data store object not exclusive

[e0050033] Client data store object ID invalid

[e0050034] Client data store object ID already exists

[e0050035] Unable to create client data store object directory

[e0050036] Client data store object name already exists

[e0050037] Unable to read client data store object name

[e0050038] Unable to write client data store object name

[e0050040] Unable to remove client data store object

[e0050041] Client data store attribute not found

[e0050042] Client data store attribute not open

[e0050043] Unable to open client data store attribute

[e0050044] Unable to create client data store attribute

[e0050045] Unable to read client data store attribute

[e0050046] Unable to write data store attribute

[e0050047] Client data store attribute version incorrect

[e0050048] Client data store attribute corrupt

[e0050049] Invalid size of client data store attribute

[e005004a] Access denied to client data store attribute

[e0050060] Upgrade of client is not possible

[e0050061] Upgrade old SbFs is invalid

[e0050062] Upgrade old SbFs not found

[e0050063] Upgrade old SbFs drive not found

[e0050064] Upgrade, unable to read old SbFs

[e0050065] Upgrade, old machine configuration invalid

[e0050066] Upgrade, invalid user data.

[e0050067] Upgrade, user directory version invalid

[e0050068] Upgrade, invalid user directory

[e0050069] Upgrade, unable to get original MBR

[e005006a] Upgrade, unable to get audit data

Table 23-14. Client Errors

23.15 E006 Algorithms

Code Message and Description

[e0060001] Unknown encryption algorithm

[e0060002] Unable to install pre-boot encryption algorithm module

[e0060003] Error relocating 16-bit encryption algorithm code

[e0060004] Error initializing 16-bit encryption algorithm module

[e0060005] 16-bit encryption algorithm module invalid

Table 23-15. Algorithm Errors

23.16 E007 Readers

Code Message and Description

[e0070001] Unknown reader type

[e0070002] Unable to open reader module

[e0070003] Unable to read reader module

[e0070004] Unable to write reader module

[e0070005] Reader failure

[e0070006] Unable to create reader context

[e0070007] Invalid reader parameter

[e0070008] Reader not present

[e0070009] Reader timeout

[e007000a] Reader sharing violation

[e007000b] Token not present in reader

[e007000c] Reader protocol mismatch

[e007000d] Reader communications error

[e007000e] Token not powered in reader

[e007000f] Token not reset in reader

[e0070010] Token removed from reader

Table 23-16. Reader Errors

23.17 E008 Users

Code Message and Description

[e0080001] User configuration invalid or corrupt

[e0080002] User information field index invalid

[e0080003] User has no hard disk encryption key

Table 23-17. User Errors

23.18 E010 Keys

Code Message and Description

[e0100001] Encryption key too big

[e0100002] Encryption key size invalid

Table 23-18. Keys Errors

23.19 E011 Files

Code Message and Description

[e0110001] Unable to create file

[e0110002] Unable to open file

[e0110003] Error reading file

[e0110004] Error writing file

[e0110005] Error setting file pointer

[e0110006] Error getting file size

Table 23-19. Files Errors

23.20 E012 Licences

Code Message and Description

[e0120001] License invalid

[e0120002] License expired

[e0120003] License is not for this database

[e0120004] License count exceeded

Table 23-20. Licences Errors

23.21 E013 Installer

Code Message and Description

[e0130002] No installer executable stub found

[e0130003] Unable to read installer executable stub

[e0130004] Unable to create file

[e0130005] Error writing file

[e0130006] Error opening file

[e0130007] Error reading file

[e0130008] Installer file invalid

[e0130009] No more files to install

[e013000a] Install archive block data too large

[e013000b] Install archive data not found

[e013000c] Install archive decompression failed

[e013000d] Unsupported installer archive compression type

[e013000e] Installation error

[e013000f] Unable to create temporary directory

[e0130010] Error registering module

Table 23-21. Installer Errors

23.22 E014 Hashes

Code Message and Description

[e0140001] Insufficient memory

[e0140002] Error opening hashes file

[e0140003] Error reading hashes file

[e0140004] Hashes file invalid

[e0140005] Unable to create hashes file

[e0140006] Error writing hashes file

[e0140007] Hashes file is not open

[e0140008] Hashes file data invalid

[e0140009] Hashes file data too big

[e014000a] User aborted

Table 23-22. Hashes Errors

23.23 E015 Application Control

Code Message and Description

[e0150001] Insufficient memory

[e0150002] Application control invalid parameter

[e0150003] Error communicating with application control driver

[e0150004] Application control driver not installed

[e0150005] Error opening application control log file

[e0150006] Invalid hashes object list

Table 23-23. Application Control Errors

23.24 E016 Administration Center

Code Message and Description

[e0160001] Invalid plugin information

Table 23-24. Management Center Errors

23.25 xxH: BIOS

If SafeBoot’s boot loader detects a hardware error from the BIOS, it reports the standard error code in the format “SafeBoot ?? Error code H??”

The following list of codes may be reported:

Code Message and Description

01H Invalid function call

02H Address mark not found

03H Disk is write protected

04H Sector not found

05H Reset failed (hard disk)

06H Diskette has been changed

07H Drive parameter activity failed (hard disk)

08H DMA overrun

09H DMA attempted across 64K boundary

0AH Bad sector flag detected (hard disk)

0BH Bad track detected (hard disk)

0CH Unsupported track or invalid media

0DH Invalid number of sectors for Format (hard disk)

0EH Control data address mark detected (hard disk)

0FH DMA arbitration level out of range (hard disk)

10H Uncorrectable CRC or ECC error on read

11H ECC corrected data error (hard disk)

20H Disk controller failure

31H No media in drive

32H Drive does not support media type

40H Seek failed

80H Timeout (disk not ready)

AAH Drive not ready

B0H Volume not locked in drive (INT 13 extensions)

B1H Volume locked in drive (INT 13 extensions)

B2H Volume not removable (INT 13 extensions)

B3H Volume in use (INT 13 extensions)

B4H Lock count exceeded (INT 13 extensions)

B5H Valid eject request failed (INT 13 extensions)

BBH Undefined error (hard disk)

CCH Write fault (hard disk)

E0H Status register error (hard disk)

FFH Sense failed (hard disk)

Table 23-25. BIOS Hard Errors

24. Technical Specifications and Options

The following options are available from SafeBoot but may not be included on your install CD, or be appropriate for your version of SafeBoot. Please contact your SafeBoot representative for information if you wish to use one of these optional components.

24.1 Encryption Algorithms

SafeBoot supports many custom algorithms. Only one algorithm can be used in a SafeBoot Enterprise.

Algorithm performance is based on the “PassMark” rating which gives an overall indication of system performance. All tests were performed on a K6-II-300 machine running NT4.0. This test platform has a PassMark of 20.7. The closer to this figure an algorithm gets, the less the impact of SafeBoot on the user. Faster machines will achieve correspondingly faster PassMark ratings, but the percentage difference between them will be comparable.

24.1.1 RC5-12 (FASTEST)

CBC Mode, 1024 bit key, 12 rounds, 64 bit blocks, PassMark 20.7 (100%)

24.1.2 RC5-18

CBC Mode, 1024 bit key, 18 rounds, 64 bit blocks, PassMark 20.7 (100%)

The 18 round RC5 variant is designed to prevent the theoretical “Known Plaintext” attack.

24.1.3 AES 256

CBC Mode, 256 bit key, 128 bit blocks, PassMark 19.3 (93%)

Only recommended for use where support for SafeBoot 4.0 AES is required.

24.1.4 AES-FIPS (FIPS 140-2 Approved) - RECOMMENDED

CBC Mode, 256 bit key, 128 bit blocks, PassMark 19.3 (93%)

This algorithm is approved for FIPS 140-2 use.

24.1.5 DES (FIPS 140-1 Approved)

CBC Mode, 56 bit key, 128 bit blocks, PassMark 16.5 (79%)

Only for use in exceptional circumstances.

24.1.6 Blowfish

CBC Mode, 448 bit key, 20 rounds, 64 bit blocks, PassMark 19.9 (96%)

Withdrawn from general distribution - special order only.

24.2 Smart Card Readers

The following smart card readers are supported.

24.2.1 PCMCIA Smart Card Readers

• SCR243 / SCR201 and compatibles (such as HP DC350B, ActivIdentity and others)

PCMCIA smart card reader.

See http://www.scmmicro.com/security/SCR243.html for more information.

• SCR201 and compatibles such as PCSR and Cisco PCMCIA readers

24.2.2 Generic USB CCID Smart Card Reader and compatibles

This module provides support for the following devices

• Universal CCID USB smart card reader support (supports all industry standard CCID readers)

• Dell D620 Integrated Smart Card Reader

• Gemplus GemPC430 USB Smart Card Reader

• Omnikey 3121 USB Smart Card Reader

• ACR38 USB Smart Card Reader

24.2.3 PCI Smart Card Readers

• HP 6400 Integrated Smart Card Reader

• Dell D610/810 Integrated Smart Card Reader

24.3 Tokens

24.3.1 Smart Cards

The following Smart Cards are supported. For more information, please contact the smart card vendor, and see the additional notes in the file “created.html” on the SafeBoot distribution CD.

• SafeBoot Blue Smart Card (G&D Starcos 2.1 T=1)

• SafeBoot Red Smart Card (G&D Starcos 2.1 T=0)

• ActivIdentity Smart Card

• DataKey Smart Card

• Datev PKI Smartcard

• DOD CAC smart cards (all types)

• Estonian National ID Smart Card

• HP ProtectTools Smart Card (Branded ActivIdentity smart card)

• PToken Certificate Card

• RSA SecurID RSA5100 Smart Card

• Setec Certificate Card

• Siemens CardOS 4.3b / 4.01a Smart Card

• Telesec Certificate Card

• TEID /IZN Certificate Card

24.3.2 USB Tokens

• Aladdin eToken 64KB Pro

• Charismathics USB Key

• RSA SID800 USB Key

• SafeNet IKEY 2032

• SafeBoot Phantom Biometric Key

• Sony Puppy Fingerprint Reader

24.3.3 Other Authentication Tokens

• Passfaces

• Infineon TPM Chip

24.4 Language Support

24.4.1 Client

Pre-Boot Languages (auto detect)

• Arabic

• Czech

• Chinese (Simplified)

• Chinese (Traditional)

• Dutch

• English (United Kingdom)

• English (United States)

• Estonian

• German

• Hungarian

• Italian

• Japanese

• Korean

• Polish

• Portuguese

• Russian

• Swedish

• Spanish

• Turkish

Table 24-1. Pre Boot Languages

Pre-Boot Keyboards (auto detect)

• Arabic 101

• Arabic 102

• Arabic AZERTY

• Belgian Comma

• Belgian Period

• Canadian Multilingual

• Canadian French

• Canadian French Legacy

• Chinese Bopomofo

• Chinese ChaiJei

• Croatian

• Czech (Czech Republic)

• Czech (QWERTY)

• Greek 319

• Greek 220 Latin

• Greek 319 Latin

• Hebrew

• Hungarian

• Italian

• Icelandic

• Irish

• Japanese

• Kazakh

• Korean

• Latin American

• Norwegian

• Czech (Programmers)

• Danish

• Dutch

• English (United States)

• English (United Kingdom)

• English (US International)

• English (UK Extended)

• Estonian

• French (Belgium)

• French (France)

• French (Canada)

• French (Swiss)

• Finnish

• Gaelic

• German (Standard)

• German (IBM)

• Greek

• Greek Latin

• Greek 220

• Norwegian with Sami

• Polish 214

• Polish Programmers

• Portuguese Brazil

• Portuguese Portugal

• Romanian

• Russian

• Slovak

• Slovak QWERTY

• Slovenian

• Spanish (Spain)

• Spanish (International)

• Spanish Variant

• Swedish

• Swiss German

• Thai Kedmanee

• Turkish F

• Turkish Q

• US Dvorak

Table 24-2. Pre Boot Keyboard Layouts

Most of the keyboard layouts also support On-Screen representations.

Please note – other languages are available on request. We are continuously updating our language translations and encourage feedback from our users.

Windows Languages (auto detect)

• English (United Kingdom)

• English (United States)

Table 24-3. Windows Supported Languages


24.5 System Requirements

Implementation documentation discussing appropriate hardware for typical installations of SafeBoot is available from your representative.

24.5.1 Client

Windows NT4.0, 2000, XP, 2003 Server, Vista 32bit (all versions), Vista 64bit (all versions)

128MB RAM, or OS Minimum specification

5-35MB free hard disk space (depending on localization and number of desired users)

Pentium compatible processor, multi-processor (up to 32 way), dual-core and hyper threading processors, Pentium-compatible processors such as AMD processors.

For remote administration, a TCP/IP network connection is required.


25. Index

Active Directory, 1-9
algorithm, 1-2, 1-5, 2-1, 17-4, 19-1, 19-3, 24-1
Attributes: explained, 1-3
Auditing, 13-1
authentication, 1-2, 1-5, 1-8
Authentication: with a smart card, 1-2
AutoBoot User, 5-23, 5-24
Auto-boot users: autoboot user, 3-3, 5-27
BIOS: Error codes, 23-14
Blowfish, 24-2
boot once, 14-4
boot process, 11-3
boot protection status, 5-21
cache, 13-1
CE Server, 1-5
challenge / response, 14-1
Client: creating an install set, 9-1; installing, 10-1; overview of, 1-7; synchronising, 11-2; using, 11-1
Connector Manager: overview of, 1-9
cryptography, i
Cryptography: decryption, 11-3; encryption, 1-2, 1-8, 5-25, 5-26, 19-2
Data Recovery, 1-2
decrypt, 5-21
Default Password, 3-2, 3-3, 5-27, 14-5
deploy, 1-10, 1-11, 6-1, 6-3, 9-3, 11-4
disable, 5-30, 10-2, 10-3
disabling users. See Users
DNS, 5-18, 18-4
DSA, 1-5
enabling users. See Users
encryption, 5-25
Encryption: algorithms, 24-1; windows swap file, 1-2
Encryption Algorithm, 1-2, 1-5, 2-1, 19-1, 19-3, 24-1
Encryption Algorithms: Blowfish, 24-2; RC5, 24-1
Entities: explained, 1-3
error codes, 18-3, 23-1, 23-14
error messages, 23-1
File Encryption: overview of, 1-8
file group management, 6-1
Files: deleting and exporting, 6-3; importing new, 6-3; ini files, 18-1; program and driver files, 19-1; properties, 6-4
force sync, 3-4, 8-2, 14-6
Force Sync, 5-18, 5-30, 8-2, See Machines
groups, 3-2, 5-16, 5-19, 5-20, 5-27, 5-31, 5-32, 6-1, 8-1, 9-1, 13-3, 15-4
Importing Machines: Importing a transfer database. See Offline Installs
IP Address, 1-3, 1-4, 1-5, 5-18, 24-6
LDAP, 1-6, 1-9, 1-10
Machines: adding users to, 5-27; configuring, 5-20; creating, 5-16; Forcing Synchronization, 5-18; rebooting, 5-19; recovering, 14-1; synchronisation of, 5-29
Microsoft, i, 1-2, 9-6, 11-4, 19-1
NT Domain, 1-9
object directory, 1-3, 1-4, 1-5, 1-6, 1-7, 1-9, 1-10, 1-11, 2-2, 3-4, 5-16, 5-22, 5-25, 5-29, 5-30, 6-3, 6-4, 8-1, 9-3, 9-5, 11-1, 11-2, 11-3, 12-2, 12-3, 12-4, 13-1, 13-2, 14-5, 18-4
Objects: explained, 1-3
Offline Installs, 9-3
Password: Default, 3-2, 3-3, 5-27, 14-5; passwords, 1-2, 1-5, 1-8, 5-22, 11-4, 12-2; Reset, 14-4
Pentium, 24-6
performance, 1-6, 24-1
Placeholder, 5-16, 9-3, 9-4
Pocket Windows: 2002, 1-5


privileges, 1-4
quickstart guide, ii
RC5, 24-1
Reboot Machine. See Machines
recovery, 1-2, 1-6, 1-8, 5-26, 5-28, 14-1, 14-2, 14-3, 14-4, 14-6, 19-1
Recovery: offline, 14-1; online, 14-6
registry, 1-11, 6-5, 8-1, 19-1, 19-3
Registry File, 8-1
relogon, 12-4
removing safeboot, 10-1
reset password, 14-4
RSA, 1-5, 1-8
SafeBoot. See Client
SafeBoot CE Server, 1-5
SafeBoot Components: SafeBoot File Encryptor, 1-1; VDisk, 1-1
SafeBoot File Encryptor, 1-1
SafeBoot Server: overview of, 1-5
SafeTech, 19-1
SBAdmCL, 13-1, 13-2
screen saver, 11-4
service, 5-30
smart card. See Authentication
smartport, 24-2
Smarty, 24-2
synchronising machines, 5-29
TCP/IP, 1-3, 1-4, 1-5, 24-6
Tokens: changing during recovery, 14-5
transport database, 9-4
troubleshooting, 22-1
user status, 1-3
Users: device access, 3-5; enabling and disabling, 3-3; recovering, 14-1
virus protection, 5-23
warning text, 5-29
Windows 2000, 6-5
Windows CE, 1-5
windows logon, 5-22, 11-4, 12-1
Windows Logon: how it works, 12-2
X500, 1-6, 1-9
