Guardian Edge Client Administrator Guide

  • 8/8/2019 Guardian Edge Client Administrator Guide

    Hard Disk Encryption

    Client Administrator Guide

    Version 8.5

    Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GuardianEdge Technologies Inc.

    © 2006 GuardianEdge Technologies Inc. All rights reserved.

    475 Brannan St., Suite 400
    San Francisco, CA 94107
    415.683.2200

    GuardianEdge, Encryption Anywhere, and Authenti-Check are either trademarks or registered trademarks of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners.

    Printed in the United States of America.

    Contents

    1. Introduction
      Overview
      GuardianEdge Roles
        Policy Administrator
        Client Administrator
        Registered User
        Client Administrator/Registered User Comparison
      Best Practices
        Partition Changes
        Boot-Time Defragmenters
        System Restore Tools
        Trusted Software
        Restricted Users
        Computer Shutdown
        Password Security
        Frequent Information Backup
    2. Pre-Windows Authentication
      Overview
        Basics
        Password/Token Authentication
        Automatic Authentication
      The Startup Screen
      Password Logons
        Keyboard Selection
        Credential Entry and Verification
      Token Logons
        Keyboard Selection
        Token Preparation
        First Logon
        Subsequent Logons
        PIN Verification
      Computer Lockout
        About Lockouts
        Lockout Prevention
        Lockout Recovery
    3. The Client Console
      Overview
      Logon
        Password Logons
        Token Logons
      Welcome
      Navigation
        User Interface Elements
        Mouse Navigation
        Keyboard Navigation

      Hard Disk Tasks
        Encryption
        Decryption
        Check-In
      Account Settings Tasks
        Users
        Password
        Authenti-Check
      About
    4. Hard Disk Access & Recovery
      Overview
        Utilities and the Recover Program
        The Recover Floppy or CD
      Recovery Steps
        Basics
        Recover /A
        Access Utility
        Hard Disk Consistency Check
        Recover /D
        Recover /B
    Appendix A. Keyboards
      Overview
      Keyboard List
      Keyboard Use
        Active Keyboard Layout Identification
        Keyboard Toggling
        Advantages
      Keyboard Layouts: Default View
      Keyboard Definition
        Initial Steps
        Windows XP
        Windows 2000
    Appendix B. Token Error Messages
      Overview
      Pre-Windows Logon
      Client Console Logon
    Glossary
    Index

    Figures

    Figure 2.1 Pre-Windows Startup, Default
    Figure 2.2 Pre-Windows Password Logon
    Figure 2.3 Pre-Windows Logon, One-Minute Delay for Incorrect Logon
    Figure 2.4 Pre-Windows Token Logon, Initial Logon
    Figure 2.5 Pre-Windows Token Logon, Subsequent Logons
    Figure 2.6 Pre-Windows Logon, Lockout Warning
    Figure 2.7 Computer Lockout
    Figure 2.8 Pre-Windows Logon, Client Administrator Logon to Unlock Computer
    Figure 3.1 Client Console Logon, Password
    Figure 3.2 Client Console Logon, Token
    Figure 3.3 Select Certificate
    Figure 3.4 Client Console Welcome
    Figure 3.5 Client Console User Interface Elements
    Figure 3.6 Client Console User Interface, Focus on Password Link
    Figure 3.7 Client Console Encryption Panel
    Figure 3.8 Client Console Decryption Panel
    Figure 3.9 Client Console Check-In Panel, Check-In With No Enforcement
    Figure 3.10 Client Console Users Panel
    Figure 3.11 Client Console Password Panel
    Figure 3.12 Client Console Authenti-Check Panel
    Figure 3.13 Client Console About Panel
    Figure A.1 Canadian French Keyboard
    Figure A.2 French Keyboard
    Figure A.3 German Keyboard
    Figure A.4 Spanish Keyboard
    Figure A.5 United Kingdom Keyboard
    Figure A.6 US English Keyboard
    Figure A.7 Regional and Language Options
    Figure A.8 Languages Tab
    Figure A.9 Text Services and Input Languages, Before New Keyboard Added
    Figure A.10 Add Input Language
    Figure A.11 Text Services and Input Languages, After Keyboard Added
    Figure A.12 Regional and Language Options Advanced Tab
    Figure A.13 Change Default User Settings Warning

    1. Introduction

    Overview

    GuardianEdge Hard Disk Encryption ensures that only authorized users can access data stored on hard disks. This safeguards enterprises from the accidental loss or theft of a laptop or PC and eliminates the legal need for public disclosure. As a key component of the GuardianEdge Data Protection Platform, GuardianEdge Hard Disk offers seamless deployment and operation across increasingly diverse IT infrastructures and environments.

    This Guide explains how to authenticate to GuardianEdge Hard Disk; use the Client console to support users and computers; provide support to users who have forgotten their password or PIN; and recover a hard disk's data, if necessary.

    This chapter defines the GuardianEdge roles and discusses best practices. The sections are as follows:

    GuardianEdge Roles on page 1

    Best Practices on page 2

    GuardianEdge Roles

    Policy Administrator

    An organization's centralized point of control for the GuardianEdge Platform is one or more Policy Administrators. A Policy Administrator defines installation settings and policy updates that are pushed out to Client Computers through Active Directory. Policy Administrators create Client Administrator accounts. Installation settings and policy updates may differ from computer to computer, and from user to user. Once policies are pushed out, they affect computer behavior and user interface displays. Policy Administrators also assist registered users who have the One-Time Password (OTP) recovery method available. The Policy Administrator runs the help-desk side of the OTP utility, which requires the availability of the GuardianEdge Manager console.

    Client Administrator

    While the GuardianEdge Policy Administrator sets policies from a centralized location, Client Administrators support the distributed Client Computers and their users.

    As a Client Administrator, you may have one or more of the following rights and responsibilities:

    • To unregister user accounts;
    • To extend the next date by which a Client Computer is required to check in with the GuardianEdge Server to prevent a lockout condition;
    • To unlock a Client Computer;
    • To encrypt partitions;
    • To run the GuardianEdge Hard Disk Recover Program if an unexpected error prevents a Client Computer from booting;
    • To decrypt partitions.

    A Policy Administrator uses the GuardianEdge Manager console to create and manage passwords for Client Administrators not using tokens, by pushing out installation settings and policy updates from a centralized server. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers. If password(s) were local to each computer, then remembering multiple passwords would become unwieldy.

    Registered User

    GuardianEdge Hard Disk protects the data stored on a user's hard disk by requiring users to authenticate before it allows Windows to load. This could have been configured in one of three ways:

    • Single Sign-On (SSO) enabled: If Single Sign-On is enabled, registered users will be prompted to authenticate once, each time they restart their computer.
    • Single Sign-On not enabled: If the user is an authenticating user and Single Sign-On is not enabled, the user will need to log on in pre-Windows to GuardianEdge Hard Disk and then separately to Windows.
    • Automatic authentication: Users are not prompted to provide credentials to GuardianEdge Hard Disk and the process is completely transparent to them.

    Client Administrator/Registered User Comparison

    Table 1.1 shows a comparison between registered users and Client Administrators.

    Table 1.1 Client Account Comparison

    | Client Features | Registered User | Client Administrator |
    |---|---|---|
    | Account Creation | Created when user registers interactively or is registered silently. | Created by installation settings and/or policy updates. |
    | Account Deletion | Deleted by Client Administrator through unregister function, if allowed. Also may be deleted automatically when account is unused for a specified period. | Deleted by Policy Administrator through policy updates. |
    | Password Changes | Can change their password. | Changed by Policy Administrator. |
    | Single Sign-On (SSO) | Enabled by installation settings and/or policy updates. | Not available. |
    | Logon Assistance | Authenti-Check and One-Time Password (OTP) may be enabled by installation settings and/or policy updates. Client Administrators can always provide logon assistance. | Not available. |
    | Encryption | Encryption rights assigned by installation settings and policy updates. | Always available. |
    | Decryption | Decryption rights assigned by installation settings and policies. | Decryption rights assigned by installation settings and policy updates. |
    | Lockout | Can become locked out of Client Computer if computer is required to check in with the GuardianEdge Server at a required interval but does not, and lockout is used for enforcement. | Cannot become locked out. Removes and prevents lockout conditions. |

    Best Practices

    Partition Changes

    Once partitions have been encrypted, they must not be repartitioned, reformatted, or resized with any third-party utility that is not a part of Windows. In addition, the drive letters of encrypted partitions must not be changed.

    Boot-Time Defragmenters

    GuardianEdge Hard Disk relies on its client database files. Boot-time defragmenters can scramble the client database files. If used, they will cause the Client Computer to fail to boot.

    System Restore Tools

    GuardianEdge Hard Disk encryption relies on the Client Computer's master boot record (MBR). System restore tools that replace the MBR, such as IBM's Rescue and Recovery, can cause the Client Computer to fail to boot.

    Trusted Software

    Firewalls and anti-virus software should be installed on Client Computers to protect against viruses and secure computers against invasive software that arrives over the network, such as a Trojan horse. File sharing, peer-to-peer networks, and FTP servers are not recommended. Network logon scripts must be approved scripts. If remote access to stored data is allowed, users with remote access must be required to authenticate.

    Restricted Users

    Only administrators should have software installation privileges. Users should not have the ability to edit the GuardianEdge Registry settings or the system date and time.

    Computer Shutdown

    It is best not to leave a computer unattended, particularly in an insecure location, such as a cafe. If you must step away, you should invoke the Windows screensaver that requires Windows credentials before it allows you to get back into Windows.

    Password Security

    Client Administrators and registered users should not share passwords and should avoid writing them down. They should also be aware of others watching over their shoulder as they type. If this has happened, the password should be changed.

    Frequent Information Backup

    User data as well as log files should be backed up on a regular basis. This will allow users to recover from theft or hard disk failure. The user data backups should be physically protected or encrypted.

    2. Pre-Windows Authentication

    Overview

    Basics

    Pre-boot authentication prevents unauthorized users from accessing encrypted data. This important feature takes full effect after the first user registers in Windows to GuardianEdge Hard Disk. The first user is forced to register after any grace restarts expire.

    Once the first user has registered, a Client Computer's behavior upon restart is based on the GuardianEdge policy.

    Password/Token Authentication

    If a policy is enabled that requires all users on a Client Computer to authenticate, upon restart the computer will first display the GuardianEdge Startup screen. This screen begins the GuardianEdge Hard Disk pre-Windows logon process.

    As a Client Administrator, you gain access to the computer by authenticating to GuardianEdge Hard Disk at the pre-Windows logon prompt using your GuardianEdge password or PIN. You then log on at the Windows prompt using your Windows credentials.

    The exception to the pre-Windows logon process is when an Autologon policy is in place. This process bypasses pre-Windows authentication so that administrators can run software installations and upgrades that require system reboots. Should an Autologon policy be in effect, you and other users authenticate only at the Windows prompt.

    Automatic Authentication

    If a policy is enabled that allows all GuardianEdge users on a Client Computer to be automatically authenticated, no pre-Windows authentication is required. You and all other users authenticate only at the Windows prompt. If automatic authentication is enabled, you can skip to Computer Lockout on page 8.

    The Startup Screen

    Once the first user registers, the GuardianEdge Startup screen is displayed each time the computer is turned on, unless users are automatically authenticated.

    The Policy Administrator may have configured the Startup screen to contain:

    • The default image and text, or
    • The default image with changed logon instructions, or
    • The default image with a changed legal notice, or
    • The default image with both changed instructions and changed legal notice, or
    • A custom image.

    Figure 2.1 shows the default Startup screen.

    Figure 2.1 Pre-Windows Startup, Default

    If you are authenticating with a token and the token is already inserted, you may not see this Startup screen, or you may see it flash briefly. Go directly to Token Logons on page 7. If you authenticate with a token and have not yet inserted it, insert it now, then go to Token Logons on page 7.

    If you authenticate with a password, press CTRL+ALT+DEL and proceed to the next section.

    Password Logons

    Once you have pressed CTRL+ALT+DEL, the pre-Windows password Logon screen appears.

    Keyboard Selection

    GuardianEdge Hard Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your computer screen. If your administrator defined multiple keyboards and you need a keyboard layout different than the one identified in the bar, you can press Left ALT+SHIFT or CTRL+SHIFT (the key sequence depends on which sequence was defined to Windows) to toggle to another keyboard.


    Figure 2.2 Pre-Windows Password Logon

    Credential Entry and Verification

    To log on to GuardianEdge Hard Disk, type your user name or UPN into the User name field. The UPN syntax [email protected]; for example, [email protected]. Select your domain from the Domain

    drop-down menu. If you used UPN syntax, no domain selection is necessary.

    Type your password into the Password field. Click OK.

    If your password is correct, you advance to the Windows logon prompt. If your password is not correct, the logon

    fails. Check your password and re-enter the logon information.

    Your Policy Administrator may have implemented a logon delay to occur when one or more incorrect password

    attempts are made. This delay helps protect the computer against unwanted password-guessing attacks. If such a

    setting or policy is in place and you trigger that restriction, a message appears informing you that the number of

    allowed logon attempts has been exceeded and that you can try again in 60 seconds. Figure 2.3 shows an example.

    Figure 2.3 Pre-Windows Logon, One-Minute Delay for Incorrect Logon


    Token Logons

    Keyboard Selection

    GuardianEdge Hard Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your

    computer screen. If your administrator defined multiple keyboards and you need a keyboard layout different than

    the one identified in the bar, you can press Left ALT+SHIFT or CTRL+SHIFT (the key sequence depends on which

    sequence was defined to Windows) to toggle to another keyboard.

    Token Preparation

    If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension

    cable attached to your computer.

    If you are using a smart card, when you insert it, hold the card so that the side containing the gold chip is on top and

    the card end containing the chip is closest to the reader.

    If your token or the reader has a light, the light blinks when information from your token is being read. Wait until the

    blinking stops before taking the next action, such as clicking OK from the Logon screen. Do not remove your token

    until authentication is complete.

    First Logon

    Figure 2.4 shows an example of the token Logon screen that displays the first time you log on to the Client Computer.

    Figure 2.4 Pre-Windows Token Logon, Initial Logon

    To authenticate, type your PIN into the PIN field then click OK. Do not remove your token until processing

    completes.

    Subsequent Logons

    Once you log on the first time, the next time you reboot, the screen will display User name and Domain fields in

    addition to the PIN field (Figure 2.5), and the unrecognized token message will not appear.

    The first time this Logon screen appears, it displays only the PIN field. Once you enter your PIN and

    click OK, this message appears, Unrecognized token. Please wait. This will take a few moments. This

    short delay occurs because the system is recording the token ID and certificate information.


    Figure 2.5 Pre-Windows Token Logon, Subsequent Logons

    Type your PIN into the PIN field and click OK. Do not remove your token until processing completes.

    PIN Verification

    If your PIN is correct, you advance to the Windows logon prompt once the credentials are verified.

    If your PIN is not correct, the logon fails. Check your PIN and re-enter the information, then click OK to resubmit. If

    it fails again, contact the appropriate administrator.

    You can also reference Appendix B Token Error Messages and check the section Pre-Windows Logon on

    page 33.

    Computer Lockout

    About Lockouts

    If lockouts are used to force a Client Computer to check in with the GuardianEdge Server according to a prescribed

    schedule, when a computer fails to check in, users will not be able to boot to Windows.

    Lockout Prevention

    If a Client Computer is about to be locked, a Server Communication Required warning message appears before the

    Startup screen loads (Figure 2.6).

    Figure 2.6 Pre-Windows Logon, Lockout Warning

    Tip: If you are using an RSA SID800 token and your authentication fails, remove the token, then re-insert

    it and re-enter your credentials. Click OK.


    The message identifies the number of days left before the lockout and advises the user to contact a Client

    Administrator. After the user clicks OK, the Startup screen will be displayed.

    If a user contacts you about this warning, prevent the lockout in one or more of the following ways:

    Resolve the problem that is preventing the Client Computer from connecting to the GuardianEdge Server.

    Log on to the Client Computer at the pre-Windows logon prompt, which automatically extends the next communication due date.

    Use the Client console Check-In panel to extend the due date further.

    Lockout Recovery

    If the Client Computer is already locked, an Access Denied error message appears immediately upon reboot as shown

    in Figure 2.7.

    Figure 2.7 Computer Lockout

    Click OK. The Client Administrator Logon screen for lockouts appears (Figure 2.8).

    Figure 2.8 Pre-Windows Logon, Client Administrator Logon to Unlock Computer

    Only you can log on to the computer; users cannot proceed to Windows. Your action will unlock the computer and

    extend the next communication due date.

    If Autologon is activated while a computer is in a lockout state, the Autologon policy preempts the

    lockout condition for as long as the Autologon policy is in effect. This functionality ensures that a

    communication lockout condition does not disrupt the completion of the Autologon process, which is

    used to allow software installations and upgrades to run without users authenticating in pre-Windows.


    3. The Client Console

    Overview

    The Client console allows you to perform the following tasks:

    Encrypt one or more partitions on the hard disk, if they are not already encrypted or have been decrypted.

    Decrypt one or more partitions on the hard disk, if decryption is necessary and allowed by policy.

    Unregister user accounts, if unregistering is allowed by policy.

    View the encryption status of the hard disk partitions.

    View and extend the date the computer must next check in with the GuardianEdge Server, if check-in is required.

    View the GuardianEdge user accounts on the computer.

    This chapter begins with instructions on how to log on to the Client console, and then describes how to perform

    GuardianEdge Hard Disk tasks and GuardianEdge Account Settings tasks.

    Once you are in Windows, launch the GuardianEdge Client console by selecting GuardianEdge Client from the Start menu.

    Logon

    When the Client console launches, it prompts you for your credentials. If you log on with a token, see Token

    Logons on page 11. If you log on with a password, see the next section.

    Password Logons

    If your account uses a password to authenticate, the Logon screen prompts you for your password (Figure 3.1).

    Figure 3.1 Client Console Logon, Password

    To log on to the Client console with a password, in the Password field type your GuardianEdge Client Administrator

    password, then click Log On.

    If your password is not correct, the logon will fail. Check your password and re-enter the information.


    Your Policy Administrator may have implemented a logon delay to occur when one or more incorrect logon attempts

    are made. This delay helps protect the computer against unwanted password-guessing attacks. If such a setting or

    policy is in place and you trigger that restriction, a message appears informing you that the number of allowed logon

    attempts has been exceeded and that you can try again in 60 seconds.

    If your authentication succeeds, you will be given access to the Client console. Skip to the section Welcome on

    page 13.

    Token Logons

    Token Insertion

    The Logon panel prompts you to insert your token.

    Figure 3.2 Client Console Logon, Token

    If your token is already inserted, skip to the next section; otherwise, insert your token.

    If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension

    cable attached to your computer. Make sure that the RSA token software recognizes your token: wait until the RSA

    icon in your system tray changes to include a plus sign.

    If you are using a smart card, when you insert your token, hold the card so that the side containing the gold chip is on

    top and the card end containing the chip is closest to the reader.

    If your token or the reader has a light, it blinks when information from your token is being read. If you are using an

    Axalto smart card, the icon's computer screen changes from black to blue while the icon's golden token blinks, then

    returns to black when the blinking stops. Wait until all blinking stops before taking the next action, such as

    clicking Next. Do not remove the token until authentication is complete.

    PIN Entry

    In the PIN field, type your PIN, then click Log On. Do not remove the token until authentication completes.

    If your authentication succeeds, you are given access to the Client console. Skip to the section Welcome on

    page 13.

    If your authentication fails or if you encounter token, certificate, or PIN errors during logon, please refer to Appendix

    B Token Error Messages and check the section Client Console Logon on page 56 for possible causes and

    resolution.


    Your Policy Administrator may have implemented a logon delay to occur when one or more incorrect logon attempts

    are made. This delay helps protect the computer against unwanted attacks. If such a setting or policy is in place and

    you trigger that restriction, a message appears informing you that the number of allowed logon attempts has been

    exceeded and that you can try again in 60 seconds.

    Certificate Selection

    If the Select Certificate dialog (Figure 3.3) appears, continue reading; otherwise, skip to the next section Welcome

    on page 13.

    Figure 3.3 Select Certificate

    Your administrator may have set up your GuardianEdge certificate with the values listed immediately below. These

    are the values that the GuardianEdge software uses to identify your certificate automatically for authentication.

    For RSA SID800:

    DATA_ENCIPHERMENT and KEY_ENCIPHERMENT (Key Usage)

    EMAIL_PROTECTION (Enhanced Key Usage)

    For Smart Card:

    DATA_ENCIPHERMENT and KEY_ENCIPHERMENT (Key Usage)

    EMAIL_PROTECTION (Enhanced Key Usage)

    For Common Access Card (CAC):

    KEY_ENCIPHERMENT (Key Usage)

    However, if more than one certificate, or no certificate, exists with these values, the Select Certificate dialog

    (Figure 3.3) opens and you must manually identify your GuardianEdge certificate.

    Select your GuardianEdge certificate by clicking on the appropriate row, then clicking OK. In the Figure 3.3

    example, the administrator created two certificates with the expected Key Usage settings, so this user identifies their

    certificate based on Expiration Date.

    If you select a certificate that is not valid, you will receive an error message. If you don't know which certificate to

    choose, contact your administrator.
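
    To predict whether the Select Certificate dialog will appear, an administrator can count the certificates that carry the values listed above. The following PowerShell is an added example, not GuardianEdge code; the function names are hypothetical, and it assumes that the token's certificates appear in the current user's Personal store and that a certificate matches when it carries at least the listed Key Usage bits.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not GuardianEdge code. Assumption: the token's certificates
# are visible in the current user's Personal store (Cert:\CurrentUser\My).

$EmailProtectionOid = '1.3.6.1.5.5.7.3.4'   # EMAIL_PROTECTION (id-kp-emailProtection)

# Expected certificate values per token type, as listed in this guide.
$ExpectedValues = @{
    'RSA SID800' = @{
        KeyUsage = [X509KeyUsageFlags]::DataEncipherment -bor [X509KeyUsageFlags]::KeyEncipherment
        EkuOid   = $EmailProtectionOid
    }
    'Smart Card' = @{
        KeyUsage = [X509KeyUsageFlags]::DataEncipherment -bor [X509KeyUsageFlags]::KeyEncipherment
        EkuOid   = $EmailProtectionOid
    }
    'CAC'        = @{
        KeyUsage = [X509KeyUsageFlags]::KeyEncipherment
        EkuOid   = $null    # the guide lists no Enhanced Key Usage for CAC
    }
}

# Hypothetical helper: returns the certificates that carry the expected values.
function Get-MatchingCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('RSA SID800', 'Smart Card', 'CAC')]
        [string]$TokenType,

        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $expected = $ExpectedValues[$TokenType]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $keyUsage = $cert.Extensions |
            Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
        $eku = $cert.Extensions |
            Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } | Select-Object -First 1

        # Assumption: "has these values" means all listed Key Usage bits are set.
        if (-not $keyUsage) { continue }
        if (($keyUsage.KeyUsages -band $expected.KeyUsage) -ne $expected.KeyUsage) { continue }

        # Enhanced Key Usage is only checked for token types that list one.
        if ($expected.EkuOid) {
            if (-not $eku) { continue }
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -notcontains $expected.EkuOid) { continue }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter      # expiration date, as shown in the dialog
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Hypothetical helper: reports whether automatic identification is expected.
function Test-AutomaticSelection {
    param(
        [Parameter(Mandatory = $true)]
        [string]$TokenType
    )

    $found = @(Get-MatchingCertificate -TokenType $TokenType)
    $found | Sort-Object NotAfter | Format-Table -AutoSize | Out-Host

    if ($found.Count -eq 1) {
        'Exactly one matching certificate: automatic identification is expected.'
    }
    else {
        "$($found.Count) matching certificates: expect the Select Certificate dialog."
    }
}

Test-AutomaticSelection -TokenType 'Smart Card'
```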


    Welcome

    The Client console opens to the Welcome panel, which appears with an enabled navigation pane (Figure 3.4).

    Figure 3.4 Client Console Welcome


    Navigation

    User Interface Elements

    The Client console is divided into several sections.

    Figure 3.5 Client Console User Interface Elements

    The elements are as follows:

    The banner displays the product logo, the name of the currently logged on user, and the user's domain or local

    computer name.

    The navigation pane contains hyperlinks to all tasks. Each task has its own panel.

    The main pane displays a task panel.

    The Quick Help pane provides context-sensitive help based on the location of your mouse. See the next section

    for how to display Quick Help.

    Mouse Navigation

    You may navigate the Client console using a mouse or using the keyboard.

    If you are using a mouse:

    To load a panel, click the desired hyperlink in the navigation pane; the panel loads into the main pane.

    To display Quick Help, click the help icon. The Quick Help pane appears. To close the Quick Help pane, click

    the help icon again.


    Keyboard Navigation

    If you are using the keyboard:

    Press the TAB key to move among the screen elements. A dotted line surrounds the link, input field, button, or

    icon, indicating which element has the focus.

    To load a panel, press the TAB key to the desired link in the navigation pane, then press ENTER. The panel loads

    into the main pane (Figure 3.6).

    Figure 3.6 Client Console User Interface, Focus on Password Link

    To display Quick Help, press the TAB key until the focus is on the help icon, then press ENTER or the

    SPACEBAR. To close the Quick Help pane, press ENTER or the SPACEBAR again. Note that Quick Help

    applies at the panel level; context-sensitive Quick Help is available only when using a mouse.

    To select a check box, press the TAB key to place focus on the box, then press the SPACEBAR. To toggle off the

    selection, press the SPACEBAR again.

    To activate a button, press the TAB key to place focus on the button, then press ENTER or the SPACEBAR.

    The TAB key follows standard user-interface behavior:

    Tabbing order within each panel is top to bottom, left to right.

    To move down, press the TAB key; to move up, press Shift-TAB.

    To scroll, use the UP ARROW key and the DOWN ARROW key.

    Hard Disk Tasks

    Encryption

    The full encryption of the Client Computer is usually set up to begin immediately after installation. It is unlikely that

    you will need to use the Client console to start this process manually.

    When you use the TAB key to navigate, you may need to press the key more than once to place the focus

    on the next desired link, input field, button, or icon, depending on the location of the current focus.


    Use the Encryption panel to view the encryption status of the hard disk partitions or manually begin the encryption of

    a hard disk partition. To open the Encryption panel, click Encryption. The Encryption panel appears. Figure 3.7

    shows an example.

    Figure 3.7 Client Console Encryption Panel

    The Status field next to each partition shows which state a partition is in. The states are: Encryption Pending,

    Encrypting, Encrypted, Decryption Pending, Decrypting, and Decrypted.

    If partitions are listed with a status of Decrypted, Decrypting, or Decryption Pending you can check the check box

    beside them to select them for encryption. A check box beside a partition will not be available if the partition has a

    status of Encrypted, Encrypting, or Encryption Pending. This unavailability could also occur if a remote decryption policy prevents encryption.

    Should you need to encrypt the disk, you should first connect to an uninterruptible power source, since an

    interruption of power could cause data corruption. For example, if you are encrypting a laptop, fully charge the

    battery or plug in the laptop before you start.

    Once you select one or more partitions, the Encrypt Selected Partitions button becomes available. Click Encrypt

    Selected Partitions. A partition's status changes to Encryption Pending, then to Encrypting.

    While encryption is running, the panel shows the (0-99) percentage of partition encryption, such as Encrypting

    (80 %). When encryption completes, no percentage is shown; a lock icon accompanies the Encrypted state for

    easy visual confirmation that this partition is fully encrypted.

    Users can continue to work while partitions are encrypting.

    Decryption

    Use the Decryption panel to view the decryption status of the hard disk partitions or manually begin the decryption of

    a hard disk partition. To open the Decryption panel, click Decryption. The Decryption panel appears. Figure 3.8

    shows an example.


    Figure 3.8 Client Console Decryption Panel

    The Status field next to each partition shows which state a partition is in. The states are: Encryption Pending,

    Encrypting, Encrypted, Decryption Pending, Decrypting, and Decrypted.

    While decryption is running, the panel shows the (0-99) percentage of partition decryption, such as Decrypting

    (20 %). When decryption completes, no percentage is shown; an unlock icon accompanies the Decrypted state for

    easy visual confirmation that this partition is fully decrypted.

    The Encryption panel also shows encryption and decryption status information.

    If you have decryption rights, you may need to use them for the following reasons:

    The operating system is about to be upgraded.

    A major physical change in the core hardware is about to occur. For example, an upgraded processor or

    motherboard is going to be installed. Changes to the partition table are not possible on an encrypted computer and

    the hard disk must be decrypted prior to the repartitioning.

    You are uninstalling GuardianEdge Hard Disk.

    Should you need to decrypt the disk, first connect to an uninterruptible power source, since an interruption of power

    could cause data corruption. For example, if you are decrypting a laptop, plug in the laptop before you start.

    If partitions are listed with a status of Encrypted, Encrypting, or Encryption Pending you can check the check box

    beside them to select them for decryption. Once you select one or more partitions, the Decrypt Selected Partitions

    button becomes available. Click Decrypt Selected Partitions. A decrypted partition's state changes to Decryption

    Pending, then to Decrypting.

    A check box beside a partition will not be available if the partition has a status of Decrypted, Decrypting, or

    Decryption Pending, if you do not have the right to decrypt, or if a remote decryption policy is active.

    Users can continue to work while partitions are decrypting.


    Check-In

    Client Computers may be configured to connect with the GuardianEdge Server. At designated intervals, they attempt

    to send important recovery, status, and account information, including:

    The date and time of the connection;

    The encryption state of the hard disk;

    Data used by the One-Time Password recovery method; and

    Information used by the Recover Program.

    The Policy Administrator optionally can add a policy to enforce check-in by locking out users when a computer is

    required to check in but does not. If lockout occurs, the Client Computer remains in a pre-Windows state after restart

    so that no user can log on and a Client Administrator must log on to allow the user to boot into Windows.

    Use the Check-In panel:

    To find out what check-in policy is in place;

    To obtain the time and date of the last communication attempt;

    To see the next communication date information, if check-in is enforced by lockout;

    To extend the next communication date, if check-in is enforced by lockout and a network problem or a user's or

    computer's known circumstance is preventing communication.

    To access the panel, from the navigation pane click Check-In. The Check-In panel appears.

    Figure 3.9 Client Console Check-In Panel, Check-In With No Enforcement

    Figure 3.9 shows an example of a computer that has checked in and is not subject to a lockout enforcement policy.

    The information displayed in the Check-In panel varies as described in the following table.


    Table 3.1 Check-In Panel Information

    The Extend Due Date button is only available under the following circumstances:

    If you are logged in as a Client Administrator,

    If at least one user has registered,

    If a lockout enforcement policy is in effect, and

    If the Client Computer is configured to communicate with the GuardianEdge Server.

    If lockouts are used for enforcement of check-in and the computer fails to check in, then users will not be able to boot

    to Windows. If the Check-In panel indicates that a lockout is imminent, click Extend Due Date. The Next

    communication due by field will be incremented from today's date and time by the required communication

    interval.

    Separately, you should ensure that the issue preventing the Client Computer from connecting to the GuardianEdge

    Server is resolved. The lockout experience is discussed further in Computer Lockout on page 8.

    Account Settings Tasks

    Users

    Use the Users panel to view GuardianEdge accounts on a computer and to unregister users. To open the Users panel, click Users in the navigation pane. The Users panel appears, populated with the registered user and Client

    Administrator accounts on that computer. Figure 3.10 shows an example.

    Field Label | Value | Meaning

    Last communication with the GuardianEdge Server | Date and time | Communication with the GuardianEdge Server occurred on the specified date at the specified time.

    Last communication with the GuardianEdge Server | never connected | This Client Computer has never connected to the GuardianEdge Server. The user will not have access to the OTP recovery method. The recover /B option is not available.

    Next communication due by | Future date and time | A lockout enforcement policy is in effect and this Client Computer must make contact with the GuardianEdge Server no later than the specified date and time.

    Next communication due by | Past date and time in red with a warning icon. Tooltip message, Communication is overdue, appears. | A lockout enforcement policy is in effect and this Client Computer has failed to connect within the mandatory interval. A lockout is imminent.

    Next communication due by | not applicable until the first user registers | The first user has not yet registered.

    Next communication due by | not applicable | A lockout enforcement policy is not in effect.


    Password

    Your password is set by installation setting or policy. Therefore, your password panel will display as follows:

    Figure 3.11 Client Console Password Panel

    Authenti-Check

    You do not have Logon Assistance methods available. Therefore, your Authenti-Check panel will display as follows:

    Figure 3.12 Client Console Authenti-Check Panel

    About

    Use the About panel to find out which version of GuardianEdge Framework and GuardianEdge Hard Disk the Client

    Computer is running. To open the About panel, click About.


    Figure 3.13 Client Console About Panel

    The build number is accessible as a Tool Tip when you hover your mouse over the version number. The build number

    can be used to see whether patches have been applied.


    4. Hard Disk Access & Recovery

    Overview

    GuardianEdge provides utilities and a Recover Program to assist you in the event that a GuardianEdge Hard Disk Client Computer fails to boot. While the Recover Program can be run by a qualified Client Administrator, we

    recommend that you contact GuardianEdge Technical Support for assistance with the process.

    Utilities and the Recover Program

    The following utilities and Recover Program can be used to attempt data recovery on a user's computer:

    GuardianEdge Hard Disk Access Utility (32-bit): GuardianEdge provides the 32-bit Access Utility separately. It

    enables a Client Administrator to boot from a CD-ROM and access the hard disk by using the Microsoft Windows

    Preinstallation Environment (Windows PE). Accessing the computer through Windows PE allows administrators

    to back up data to servers or external disks for hard disk replacement, perform file system and Windows system

    repair, and complete other system administration tasks.

    GuardianEdge Hard Disk Access Utility (16-bit): The 16-bit Access Utility ships with GuardianEdge Hard Disk

    as access.exe and is installed by default in the following directory on the server: C:\Program Files\EncryptionAnywhere\Encryption Anywhere Hard Disk\DOS. This version can be handy if you are off site; its smaller size is

    useful for email distribution. However, this version requires extra hardware and software to run, such as a New

    Technology File System (NTFS) reader and shareware to view the data. Therefore, the 32-bit Access Utility is

    recommended.

    Recover Program: This program can be used in the event that the problem is related to GuardianEdge Hard Disk.

    The program attempts to regain access to data on your hard disk by repairing the GuardianEdge client database

    files or by performing an emergency decryption of the entire hard disk.

    Contact GuardianEdge Technical Support at your earliest convenience when dealing with a technical issue that

    involves critical data. Document all events that preceded the problem, list any actions taken, and identify any error

    messages encountered. Depending on your situation, Technical Support personnel may walk you through one or more

    of the following steps as you attempt recovery.

    The Recover Floppy or CD

    Your Policy Administrator will provide you with a bootable medium that includes the files listed below:

    access.exe (16-bit version)

    ephdxlat.bin

    ephdxlat.ovl

    RECOVER.EXE

    Readme.txt

    These files can be used on any Client Computer, as long as the Client Computer and the Manager Computer are

    running the same version of GuardianEdge Hard Disk.

    Recovery Steps

    Basics

    The following steps should be performed in sequence:

    1. Recover /A

    2. Access Utility


    3. Hard Disk Consistency Check

    4. Recover /D

    5. Recover /B

    Recover /A

    If your computer has encountered a serious error and you cannot load Windows, first run the Recover Program with the /A option. The /A option attempts to repair damaged client database files.

    After Recover /A runs, the Audit Trail is reset and all events logged in pre-Windows that have not been moved to the

    Windows Event Log are lost.

    To run Recover with the /A option, you will need the bootable Recover floppy or CD that the Policy Administrator

    created.

    To run Recover with the /A option:

    1. Remove any bootable media.

    2. Insert the Recover floppy or CD (see The Recover Floppy or CD on page 23) into the appropriate drive.

    3. Restart the computer, booting from the Recover floppy or CD. You may need to modify the BIOS to boot from

    CD.

    4. At the A:> prompt, type Recover.exe /A.

    5. You will be asked to authenticate with a Client Administrator name and password, after which you follow the

    program prompts.

    If the /A option succeeds in repairing the client database files and you are able to boot, you once again have access to

    the computer. If the /A option does not succeed, proceed to the next step: Access Utility.

    Access Utility

    Two versions of the Access Utility are available: 32-bit and 16-bit. Both versions contain text-based instructions in an

    accompanying Readme file. The 32-bit version is preferred and is delivered separately from GuardianEdge; the 16-bit

    version is included with GuardianEdge Hard Disk. If you do not have the 32-bit version, request it from your Policy

    Administrator.

    Both versions of the Access Utility address possible Windows problems. If you succeed in booting with the Access

    Utility, it indicates that the problem is with your Windows installation. The Access Utility will allow you to pull off

    the critical files before you attempt to work on the Windows operating system.

    The 32-bit Access Utility contains an NTFS reader and brings up a plug-and-play environment, allowing you to boot

    from a CD using a Windows Preinstallation Environment (Windows PE). This allows you to map to a network drive

    and copy your data to a safe location.


    The 16-bit Access Utility ships with GuardianEdge Hard Disk. The Policy Administrator provides you with a copy.

    This version runs in DOS and can be handy if you are off site and do not have disk access. Its smaller size is more

    suited to being distributed by email. If you use the 16-bit Access Utility, you also need:

    The Recover floppy or CD (see The Recover Floppy or CD on page 23).

    An NTFS reader. This reader is a freeware tool that provides read access to NTFS partitions within the MS-DOS

    environment. You can preview files on NTFS and copy files from NTFS to File Allocation Table (FAT) volumes

    or network drives. The reader can be run from a DOS bootable floppy. Many sources provide the reader. The

    http://www.sysinternals.com/Utilities/NtfsDosProfessional.html site is recommended.

    A shareware program to view the data.

    If either version of the Access Utility does not succeed, proceed to the next step: Hard Disk Consistency Check.

    Hard Disk Consistency Check

    If running Recover /A fails and if the Access Utility is not able to see the hard disk or to authenticate the person running the utility, then the possibility exists that the drive has physically failed. One frequent cause of failure is a read/write arm failure.

    Locate the bootable repair CD provided by the manufacturer and run a consistency check.

    If the consistency check fails, physical problems exist.

    The next step depends on the specifics of your situation. One step may be for you to send the disk to a data recovery

    house for repair. Or GuardianEdge Technical Support may try a sector-by-sector image copy to back up your data

    onto another disk.

    Recover /D

    If your disk passed the consistency check, run the Recover Program with the /D option once, to attempt to regain access to the data on your hard disk. The /D option attempts to repair the GuardianEdge Hard Disk client database files, then tries to decrypt the hard disk. After Recover /D runs, the Audit Trail is reset and all events logged in pre-Windows that have not been moved to the Windows Event Log are lost.

    To run Recover /D:

    1. Connect the computer to an uninterruptible power supply.

    2. Remove any bootable media.

    3. Insert the Recover floppy or CD (see The Recover Floppy or CD on page 23) into the appropriate drive.

    4. Restart the computer.

    5. At the prompt, type Recover.exe /D.

    6. Authenticate with your Client Administrator user name and password.

    7. When prompted, follow the program prompts.

    Once the program starts running, do not stop it or shut down the computer. The process must run to completion. A

    typical problem disk can take weeks to decrypt.

    If the process runs into a series of bad sectors (perhaps hundreds of thousands of them), it will try multiple times to

    read them and the process may appear to have stopped. You will see a percentage of disk decryption displayed on the

    screen; that percentage may remain at the same number for quite some time. If the process cannot successfully read a

    sector after multiple attempts, the process moves to the next sector. Readable sectors are read in, decrypted, and then

    written back to the disk.

    Never run this option more than once, whether it succeeds or fails. Running Recover /D twice will cause

    double decryption and permanent loss of data.
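    The read, retry, skip and write-back behaviour described above, and the reason a second Recover /D run destroys data, modelled as an added Python example. It is not GuardianEdge code: the toy cipher, sector size, retry limit and all names are assumptions made for illustration.

```python
import hashlib

SECTOR = 16            # toy sector size in bytes (assumption; real sectors are 512+)
MAX_READ_ATTEMPTS = 3  # assumed limit; the guide only says "multiple attempts"


def _keystream(key: bytes, lba: int) -> bytes:
    """Per-sector keystream for a toy cipher (NOT the product's algorithm)."""
    return hashlib.sha256(key + lba.to_bytes(8, "big")).digest()[:SECTOR]


def encrypt_sector(key: bytes, lba: int, data: bytes) -> bytes:
    return bytes((b + k) % 256 for b, k in zip(data, _keystream(key, lba)))


def decrypt_sector(key: bytes, lba: int, data: bytes) -> bytes:
    # Decryption is not its own inverse: applying it to plaintext yields garbage.
    return bytes((b - k) % 256 for b, k in zip(data, _keystream(key, lba)))


class Disk:
    """In-memory disk; sectors listed in `bad` always fail to read."""

    def __init__(self, sectors, bad=()):
        self.sectors = list(sectors)
        self.bad = set(bad)
        self.read_attempts = 0

    def read(self, lba: int) -> bytes:
        self.read_attempts += 1
        if lba in self.bad:
            raise OSError(f"unreadable sector {lba}")
        return self.sectors[lba]

    def write(self, lba: int, data: bytes) -> None:
        self.sectors[lba] = data


def decrypt_in_place(disk: Disk, key: bytes) -> list:
    """One pass over the disk: read, decrypt, write back.

    A sector that cannot be read after MAX_READ_ATTEMPTS is skipped and
    left as it was. The pass keeps no record of which sectors are already
    plaintext, so running it again decrypts them a second time.
    """
    skipped = []
    for lba in range(len(disk.sectors)):
        for _ in range(MAX_READ_ATTEMPTS):
            try:
                data = disk.read(lba)
            except OSError:
                continue  # retry the same sector; progress does not advance
            disk.write(lba, decrypt_sector(key, lba, data))
            break
        else:
            skipped.append(lba)  # give up and move to the next sector
    return skipped


def demo():
    key = b"constructed demo key"
    # Constructed sample data: four sectors filled with 'A', 'B', 'C', 'D'.
    plain = [bytes([65 + i]) * SECTOR for i in range(4)]
    disk = Disk([encrypt_sector(key, i, p) for i, p in enumerate(plain)], bad={2})
    skipped = decrypt_in_place(disk, key)   # the single permitted run
    after_first = list(disk.sectors)
    decrypt_in_place(disk, key)             # the second run the guide forbids
    after_second = list(disk.sectors)
    return plain, skipped, after_first, after_second, disk.read_attempts


if __name__ == "__main__":
    plain, skipped, first, second, attempts = demo()
    print("skipped sectors:", skipped)
    print("sector 0 after run 1:", first[0])
    print("sector 0 after run 2:", second[0])
```

    In this model the first pass recovers every readable sector and leaves the unreadable one encrypted, which is the partially decrypted disk the guide describes; the second pass turns the recovered sectors into garbage.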


    When the program ends, if you see a success message, you will have a fully or partially decrypted disk, depending on

    the extent of damage.

    Until you see a final message indicating success or failure, let the program run.

    If you see a failure message, proceed to the next step.

    Recover /B

    Recover /B should be performed only with the assistance of GuardianEdge Technical Support.

    If all previous steps failed, it may mean that a very important cryptographic key cannot be found. The Recover

    Program using the /B option reads from a computer-specific recovery file that contains that key, allowing you to

    decrypt your data.

    While you already should have a Recover floppy or CD that can be used to perform Recover /A and /D, to perform

    Recover /B you will need computer-specific data and a special Recover floppy or CD from your Policy

    Administrator. The Administrator creates the DAT file by exporting a Client Computer's data from the GuardianEdge

    Server. For this reason, Recover /B is not available for silent clients. The administrator stores the data and other

    recovery files on the Recover floppy or CD that is formatted as a boot disk (see The Recover Floppy or CD on

    page 23).

    When the Policy Administrator creates the medium, the Administrator defines a Recovery Password to protect the DAT file. When the Administrator gives you the Recover floppy or CD, they tell you the password. Typically the

    Administrator gives the DAT file a meaningful name, perhaps containing a computer-specific identifier and date,

    such as Laptop4849_112907.dat.

    Boot from the Recover floppy or CD and enter Recover.exe /B. You will be prompted for the Recovery Password

    associated with this file. Enter the password. The Recover Program will generate several information and warning

    messages and/or prompts, depending on what the program encounters. The most severe warning message occurs if something goes wrong when the Recover Program attempts to compare values in the DAT file with the client

    database files, as described below.

    If the Recover Program detects a mismatch between the DAT file and the client database files, the program halts and

    issues a warning that the data on the hard disk will be destroyed if you continue the recovery process. Cancel the

    process.

    If the Recover Program is unable to compare the backup file and the client database files due to file corruption of

    client database files, the program halts and issues the same warning message as stated in the previous paragraph.

    Only if you are absolutely certain that the DAT file is the correct file should you continue the process; otherwise,

    cancel the process.

    If the Recover Program detects that the DAT file is corrupted, the Recover Program halts.

    Make sure that you execute the Recover /B option on the intended computer by checking the filename on

    the medium. Since the data in the DAT file is computer-specific, running /B using a recovery data file

    intended for another computer will corrupt your hard disk files.

    Also make sure that the computer is connected to an uninterruptible power supply; otherwise, data loss

    can occur if the process stops.


    Appendix A. Keyboards

    Overview

    For computers that require pre-boot authentication, GuardianEdge offers a means of selecting different keyboard layouts in pre-Windows.

    Keyboard List

    The keyboards that GuardianEdge Hard Disk supports are:

    Canadian French,

    French,

    German,

    Spanish,

    United Kingdom, and

    US English.

    Keyboard Use

    Active Keyboard Layout Identification

    After a computer reboot, when you press CTRL-ALT-DEL or insert a token at the Startup screen, the GuardianEdge pre-Windows Logon screen appears. The active keyboard layout is identified in a bar displayed in the lower right-hand corner of that computer screen.

    Keyboard Toggling

    If the keyboard you require is not displayed in the bar and your administrator has defined multiple keyboards, you can toggle to another keyboard in pre-Windows. The default key sequence for switching among keyboard layouts is either Left ALT+SHIFT or CTRL+SHIFT, depending on how the key sequence was defined in Windows.

    Advantages

    Having an alternate keyboard layout to toggle to may be useful if you are supporting a registered user whose physical keyboard is unfamiliar to you. For example, you may be assisting a user who is in France and your user name and password are US English. If you are logging on in pre-Windows and you are about to enter your Client Administrator password, you can toggle to your familiar keyboard layout. The section Keyboard Layouts: Default View on page 27 shows the default-state view of each of the six supported keyboards.

    Even though you actually will be typing on an unfamiliar physical keyboard, the computer will interpret the incoming characters as if they were entered from the keyboard that you have selected to be the active keyboard.

    Keyboard Layouts: Default View

    This section shows the default-state layout of each supported keyboard. To see a keyboard layout view when the SHIFT, CAPS, or ALTGR keys are pressed, go to Microsoft's web site http://www.microsoft.com/globaldev/reference/keyboards.mspx, which shows the complete set of keyboard layout states.


    Canadian French

    Figure A.1 Canadian French Keyboard

    French

    Figure A.2 French Keyboard

    German

    Figure A.3 German Keyboard

    Spanish

    Figure A.4 Spanish Keyboard

    United Kingdom

    Figure A.5 United Kingdom Keyboard

    US English

    Figure A.6 US English Keyboard


    Keyboard Definition

    Multiple keyboard layouts may already be defined in your organization. However, if you need to add a keyboard layout, use the Windows standard method, as described in the steps in the following sections.

    Initial Steps

    This section describes the first steps to take to configure the additional keyboard, on both Windows XP and Windows 2000.

    1. From the Start menu click Control Panel, then double-click Regional and Language Options. The window opens.

    Figure A.7 Regional and Language Options


    2. Click the Languages tab.

    Figure A.8 Languages Tab

    3. From the Languages window, click Details. The Text Services and Input Languages window appears.

    Figure A.9 Text Services and Input Languages, Before New Keyboard Added


    4. Click Add. The Add Input Language window appears.

    Figure A.10 Add Input Language

    5. For each keyboard layout you wish to add, select an Input language from the drop-down menu and click OK. The new keyboard appears in the Text Services and Input Languages dialog (Figure A.11).

    Figure A.11 Text Services and Input Languages, After Keyboard Added

    6. Click Apply.

    Windows XP

    If you are running Windows 2000, skip to the section Windows 2000 on page 32 to complete the process. If you are running Windows XP, follow the steps in this section.

    1. From the Regional and Language Options window (Figure A.7), click the Advanced tab. A new window appears (Figure A.12).


    Figure A.12 Regional and Language Options Advanced Tab

    2. Select the check box for Default user account settings. The following warning appears:

    Figure A.13 Change Default User Settings Warning

    3. Click OK to dismiss the warning.

    4. Click Apply on the Regional and Language Options Advanced tab window.

    5. Reboot the computer. The Registry settings, including the setting for the Default User Profile, are copied to the

    pre-Windows environment, making them available during the pre-Windows logon process. Note that the Default

    User Profile settings will affect all users of this computer.

    Windows 2000

    In Windows 2000, once you complete Initial Steps on page 29, use the Registry editor, RegEdit, to update the Default User Profile as follows:

    1. Copy the values from HKEY_CURRENT_USER\Keyboard Layout\Preload to HKEY_USERS\.DEFAULT\Keyboard Layout\Preload.

    2. Copy the values from HKEY_CURRENT_USER\Keyboard Layout\Substitutes to HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes.

    3. Reboot.


    Appendix B. Token Error Messages

    Overview

    This appendix lists the error messages that you may encounter while using your token to:

    Authenticate in pre-Windows, or

    Authenticate to the Client console.

    The tables in this appendix include an Action column, specifying actions that you can take in response to each error message.

    Pre-Windows Logon

    Table B.1 lists the error messages that may be generated when you attempt to log on to GuardianEdge Hard Disk in pre-Windows.

    In some cases, the message itself contains the default instruction: Please call the help desk for assistance. This instruction appears in the Message column in italics. The instruction can be customized by your Policy Administrator, so your instruction may differ from the default shown.

    Table B.1 Pre-Windows Logon Messages

    Columns: Token Type, Severity, Message, Meaning, Action

    Token Type: CAC / Smart Card
    Message: GuardianEdge Hard Disk has discovered that the inserted token can not be recognized. You will need to use a token that can be recognized by the system.
    Meaning: The type of token you are attempting to log on with does not match the type of token your administrator configured for your use.
    Action: Click OK to dismiss the message, remove the incorrect token, then insert the correct one. If you do not know which token or card type is correct, or you have not been issued the correct card, contact the appropriate administrator. You cannot log on until this situation is resolved.


    Token Type: CAC / Smart Card
    Message: A matching certificate could not be located on this token. The current token needs to be replaced or modified by an administrator. [Please call the help desk for assistance.]
    Meaning: The certificate on this token is not the correct certificate for your GuardianEdge account.
    Action: Click OK to dismiss the message, then click Cancel to exit the Logon screen. Contact your Policy Administrator to verify that this token contains the certificate that the administrator used to establish your account.
    Meaning: Your certificate was issued today, but is not yet valid because the Certificate Authority issues certificates using Greenwich Mean Time (GMT). Therefore, your local system date has not yet caught up with the GMT activation date.
    Action: Click OK to dismiss the message. If there is another Client Administrator assigned to this computer, ask them to log on in pre-Windows, so that you can access Windows. Tomorrow your certificate should work, or you could set your local system date ahead, to activate the certificate now.

    Token Type: Smart Card
    Message: No certificate could be found on this token. The current token needs to be replaced or modified by an administrator. [Please call the help desk for assistance.]
    Meaning: Your token does not contain any certificates.
    Action: Click OK to dismiss the message. Is this the token that your Policy Administrator issued to you? If it isn't, please insert that token now and try again. If it is, contact your Policy Administrator and let them know that your token is missing the required certificate.

    Token Type: RSA
    Message: An error occurred during communication with the token. To try logging on with a token again, click Restart Computer. Your computer will restart automatically.
    Meaning: Your token's certificate is not intended for your GuardianEdge account.
    Action: Click Restart Computer from the message box. Insert the token that contains the certificate that the Policy Administrator set up for you. On the Logon screen, type your PIN then click OK.
    Meaning: Your token does not contain any certificates.
    Action: If you do not know which token or certificate to use, contact the Policy Administrator or appropriate token administrator and ask for help.

    Token Type: All
    Message: Incorrect PIN.
    Meaning: You inserted your token for the Startup screen but did not enter your PIN on the Logon screen before clicking OK.
    Action: Click OK to dismiss the message. On the Logon screen, type your PIN then click OK.


    Token Type: All
    Message: GuardianEdge Hard Disk has detected that the token has been removed. Please reinsert the token and click OK.
    Meaning: You removed your token before your logon process was complete.
    Action: Click OK to dismiss the message. Re-insert your token. On the Logon screen, type your PIN then click OK.
    Meaning: Your token reader was unplugged after GuardianEdge Hard Disk detected your token.
    Action: Click OK to dismiss the message. Plug the reader back in, then reboot. Insert your token at the Startup screen to bring up the Logon screen. Type your PIN then click OK.

    Token Type: All
    Message: GuardianEdge Hard Disk could not detect a token. To resume the authentication process with a token, please insert a token and then click OK.
    Meaning: You removed your token before your logon process was complete.
    Action: Click OK to dismiss the message. Re-insert your token. On the Logon screen, type your PIN then click OK.
    Meaning: Your token reader was unplugged after GuardianEdge Hard Disk detected your token.
    Action: Click OK to dismiss the message. Plug the reader back in, then reboot. Insert your token at the Startup screen to bring up the Logon screen. Type your PIN then click OK.

    Token Type: All
    Message: The PIN is blocked for this token. The current token needs to be replaced or modified by an administrator. [Please call the help desk for assistance.]
    Meaning: Your PIN has been blocked by your token software for exceeding the maximum number of incorrect retries to enter your PIN.
    Action: Click OK to dismiss the message and contact the Policy Administrator or appropriate token administrator.

    Token Type: All
    Message: Incorrect (PIN).
    Meaning: The PIN you entered is not correct. Type your PIN again then click OK.
    Action: Click OK to dismiss the message. If you think that you know your correct PIN, re-type your PIN then click OK. If you do not know your PIN, please contact your Policy Administrator.


    Client Console Logon

    Table B.2 lists the error messages that may occur when you are trying to log on to the Client console.

    Table B.2 Client Console Logon Messages

    Columns: Token Type, Severity, Message, Meaning, Action

    Token Type: CAC
    Message: A token error has occurred.
    Meaning: Your token may be using older software (ActivClient Gold 3.0). When this is the case, this generic message is displayed for any of the following conditions: incorrect PIN, blocked PIN, or expired certificate.
    Action: Click OK to dismiss the message, then click to close the Client console. Contact your Policy Administrator or appropriate token administrator to determine the exact issue with your token.

    Token Type: RSA
    Message: A token error has occurred.
    Meaning: It is possible that your certificate cannot be found or is not being recognized.
    Action: Click OK to dismiss the message, then click to shut down the Client console. Log off Windows and restart your computer. Log on and launch the Client console. When you are prompted to log on, insert your token. If you are using an RSA token, make sure that the RSA token software recognizes your token. Wait until the RSA icon in your system tray changes to include a plus sign. If you are using an Axalto smart card, wait for the icon's gold token to stop blinking and for the icon computer screen to return from blue to black. Wait for any token light to stop blinking before clicking Log On from the Logon panel. This wait time ensures that your token is recognized by the system. If you receive this message when you try again, contact the appropriate administrator.


    Token Type: All
    Message: The program could not log you on. The token was removed.
    Meaning: There is no token in your reader.
    Action: Click OK to dismiss the message. Insert your token. In the Logon panel, type your PIN, then click Log On.

    Token Type: All
    Message: Incorrect PIN.
    Meaning: You did not enter the correct PIN.
    Action: Click OK to dismiss the message. In the Logon panel, type the correct PIN, then click Log On.

    Token Type: All
    Message: The PIN is blocked for this token. The current token needs to be replaced or modified by an administrator.
    Meaning: Your token's certificate contains a blocked PIN.
    Action: Call the appropriate administrator. You cannot use this token and certificate for GuardianEdge Hard Disk until this issue is resolved.

    Token Type: All
    Message: The program could not log you on. Your credentials could not be verified.
    Meaning: The inserted token may not be for the user who is logged in to Windows. It is also possible that your token does not contain any certificates or that it contains certificates that were not issued to you.
    Action: Make sure that you are the user who is logged on to the Windows session. If you are not, log on to Windows now. Make sure that the inserted token is the one that was issued for your GuardianEdge account. If it is not, remove the invalid token and insert the valid token. Try to log on again. If the console still cannot verify your credentials, call the appropriate administrator. You cannot use this token for GuardianEdge Hard Disk until the issue is resolved.
