
Hard Disk Encryption

Client Administrator Guide

Version 8.5
Information in this document is subject to change without notice. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written
permission of GuardianEdge Technologies Inc.
©2006 GuardianEdge Technologies Inc. All rights reserved.
475 Brannan St., Suite 400
San Francisco, CA 94107
415.683.2200
GuardianEdge, Encryption Anywhere, and Authenti-Check are either trademarks or registered trademarks of
GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered
trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their
respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the
trademarks of their respective owners.
Printed in the United States of America.
Client Administrator Guide Contents

Contents
1. Introduction  1
   Overview  1
   GuardianEdge Roles  1
      Policy Administrator  1
      Client Administrator  1
      Registered User  2
      Client Administrator/Registered User Comparison  2
   Best Practices  2
      Partition Changes  2
      Boot-Time Defragmenters  3
      System Restore Tools  3
      Trusted Software  3
      Restricted Users  3
      Computer Shutdown  3
      Password Security  3
      Frequent Information Backup  3
2. Pre-Windows Authentication  4
   Overview  4
      Basics  4
      Password/Token Authentication  4
      Automatic Authentication  4
   The Startup Screen  4
   Password Logons  5
      Keyboard Selection  5
      Credential Entry and Verification  6
   Token Logons  7
      Keyboard Selection  7
      Token Preparation  7
      First Logon  7
      Subsequent Logons  7
      PIN Verification  8
   Computer Lockout  8
      About Lockouts  8
      Lockout Prevention  8
      Lockout Recovery  9
3. The Client Console  10
   Overview  10
   Logon  10
      Password Logons  10
      Token Logons  11
   Welcome  13
   Navigation  14
      User Interface Elements  14
      Mouse Navigation  14
      Keyboard Navigation  15

GuardianEdge Hard Disk Encryption iii


   Hard Disk Tasks  15
      Encryption  15
      Decryption  16
      Check-In  18
   Account Settings Tasks  19
      Users  19
      Password  21
      Authenti-Check  21
   About  21
4. Hard Disk Access & Recovery  23
   Overview  23
      Utilities and the Recover Program  23
      The Recover Floppy or CD  23
   Recovery Steps  23
      Basics  23
      Recover /A  24
      Access Utility  24
      Hard Disk Consistency Check  25
      Recover /D  25
      Recover /B  26
Appendix A. Keyboards  27
   Overview  27
   Keyboard List  27
   Keyboard Use  27
      Active Keyboard Layout Identification  27
      Keyboard Toggling  27
      Advantages  27
   Keyboard Layouts: Default View  27
   Keyboard Definition  29
      Initial Steps  29
      Windows XP  31
      Windows 2000  32
Appendix B. Token Error Messages  33
   Overview  33
   Pre-Windows Logon  33
   Client Console Logon  36
Glossary  38
Index  44



Figures
Figure 2.1—Pre-Windows Startup, Default  5
Figure 2.2—Pre-Windows Password Logon  6
Figure 2.3—Pre-Windows Logon, One-Minute Delay for Incorrect Logon  6
Figure 2.4—Pre-Windows Token Logon, Initial Logon  7
Figure 2.5—Pre-Windows Token Logon, Subsequent Logons  8
Figure 2.6—Pre-Windows Logon, Lockout Warning  8
Figure 2.7—Computer Lockout  9
Figure 2.8—Pre-Windows Logon, Client Administrator Logon to Unlock Computer  9
Figure 3.1—Client Console Logon, Password  10
Figure 3.2—Client Console Logon, Token  11
Figure 3.3—Select Certificate  12
Figure 3.4—Client Console Welcome  13
Figure 3.5—Client Console User Interface Elements  14
Figure 3.6—Client Console User Interface, Focus on Password Link  15
Figure 3.7—Client Console Encryption Panel  16
Figure 3.8—Client Console Decryption Panel  17
Figure 3.9—Client Console Check-In Panel, Check-In With No Enforcement  18
Figure 3.10—Client Console Users Panel  20
Figure 3.11—Client Console Password Panel  21
Figure 3.12—Client Console Authenti-Check Panel  21
Figure 3.13—Client Console About Panel  22
Figure A.1—Canadian French Keyboard  28
Figure A.2—French Keyboard  28
Figure A.3—German Keyboard  28
Figure A.4—Spanish Keyboard  28
Figure A.5—United Kingdom Keyboard  28
Figure A.6—US English Keyboard  28
Figure A.7—Regional and Language Options  29
Figure A.8—Languages Tab  30
Figure A.9—Text Services and Input Languages, Before New Keyboard Added  30
Figure A.10—Add Input Language  31
Figure A.11—Text Services and Input Languages, After Keyboard Added  31
Figure A.12—Regional and Language Options Advanced Tab  32
Figure A.13—Change Default User Settings Warning  32

1. Introduction

Overview
GuardianEdge Hard Disk Encryption ensures that only authorized users can access data stored on hard disks. This
safeguards enterprises from the accidental loss or theft of a laptop or PC and eliminates the legal need for public
disclosure. As a key component of the GuardianEdge Data Protection Platform, GuardianEdge Hard Disk offers
seamless deployment and operation across increasingly diverse IT infrastructures and environments.
This Guide explains how to authenticate to GuardianEdge Hard Disk; use the Client console to support users and
computers; provide support to users who have forgotten their password or PIN; and recover a hard disk’s data, if
necessary.
This chapter defines the GuardianEdge roles and discusses best practices. The sections are as follows:
• “GuardianEdge Roles” on page 1
• “Best Practices” on page 2

GuardianEdge Roles
Policy Administrator
One or more Policy Administrators form an organization’s centralized point of control for the GuardianEdge
Platform. A Policy Administrator defines installation settings and policy updates that are pushed out to Client Computers through
Active Directory. Policy Administrators create Client Administrator accounts. Installation settings and policy updates
may differ from computer to computer, and from user to user. Once policies are pushed out, they affect computer
behavior and user interface displays. Policy Administrators also assist registered users who have the One-Time
Password (OTP) recovery method available. The Policy Administrator runs the help-desk side of the OTP utility,
which requires the availability of the GuardianEdge Manager console.

Client Administrator
While the GuardianEdge Policy Administrator sets policies from a centralized location, Client Administrators
support the distributed Client Computers and their users.
As a Client Administrator, you may have one or more of the following rights and responsibilities:
• To unregister user accounts;
• To extend the next date by which a Client Computer is required to check in with the GuardianEdge Server to
prevent a lockout condition;
• To unlock a Client Computer;
• To encrypt partitions;
• To run the GuardianEdge Hard Disk Recover Program if an unexpected error prevents a Client Computer from
booting;
• To decrypt partitions.
A Policy Administrator uses the GuardianEdge Manager console to create and manage passwords for Client
Administrators not using tokens, by pushing out installation settings and policy updates from a centralized server.
This single-source password management allows Client Administrators to remember only one password as they
move among many Client Computers. If passwords were local to each computer, remembering multiple
passwords would become unwieldy.

Registered User
GuardianEdge Hard Disk protects the data stored on a user’s hard disk by requiring users to authenticate before it
allows Windows to load. This may have been configured in one of three ways:
• Single Sign-On (SSO) enabled—If Single Sign-On is enabled, registered users are prompted to authenticate
once, each time they restart their computer.
• Single Sign-On not enabled—If the user is an authenticating user and Single Sign-On is not enabled, the user
must log on in pre-Windows to GuardianEdge Hard Disk and then separately to Windows.
• Automatic authentication—Users are not prompted to provide credentials to GuardianEdge Hard Disk, and the
process is completely transparent to them.

Client Administrator/Registered User Comparison


Table 1.1 shows a comparison between registered users and Client Administrators.

Table 1.1—Client Account Comparison

| Client Features | Registered User | Client Administrator |
|---|---|---|
| Account Creation | Created when user registers interactively or is registered silently. | Created by installation settings and/or policy updates. |
| Account Deletion | Deleted by Client Administrator through unregister function, if allowed. Also may be deleted automatically when account is unused for a specified period. | Deleted by Policy Administrator through policy updates. |
| Password Changes | Can change their password. | Changed by Policy Administrator. |
| Single Sign-On (SSO) | Enabled by installation settings and/or policy updates. | Not available. |
| Logon Assistance | Authenti-Check and One-Time Password (OTP) may be enabled by installation settings and/or policy updates. Client Administrators can always provide logon assistance. | Not available. |
| Encryption | Encryption rights assigned by installation settings and policy updates. | Always available. |
| Decryption | Decryption rights assigned by installation settings and policies. | Decryption rights assigned by installation settings and policy updates. |
| Lockout | Can become locked out of Client Computer if computer is required to check in with the GuardianEdge Server at a required interval but does not, and lockout is used for enforcement. | Cannot become locked out. Removes and prevents lockout conditions. |

Best Practices
Partition Changes
Once partitions have been encrypted, they must not be repartitioned, reformatted, or resized with any third-party
utility that is not a part of Windows. In addition, the drive letters of encrypted partitions must not be changed.

Boot-Time Defragmenters
GuardianEdge Hard Disk relies on its client database files. Boot-time defragmenters can scramble the client database
files. If used, they will cause the Client Computer to fail to boot.

System Restore Tools


GuardianEdge Hard Disk encryption relies on the Client Computer’s master boot record (MBR). System restore tools
that replace the MBR, such as IBM’s Rescue and Recovery, can cause the Client Computer to fail to boot.

Trusted Software
Firewalls and anti-virus software should be installed on Client Computers to protect against viruses and secure
computers against invasive software that arrives over the network, such as a Trojan horse. File sharing, peer-to-peer
networks, and FTP servers are not recommended. Network logon scripts must be approved scripts. If remote access to
stored data is allowed, users with remote access must be required to authenticate.

Restricted Users
Only administrators should have software installation privileges. Users should not have the ability to edit the
GuardianEdge Registry settings or the system date and time.

Computer Shutdown
It is best not to leave a computer unattended, particularly in an insecure location, such as a cafe. If you must step
away, you should invoke the Windows screensaver that requires Windows credentials before it allows you to get back
into Windows.

Password Security
Neither Client Administrators nor registered users should share passwords, and both should avoid writing them down.
Client Administrators and registered users should be alert to others watching over their shoulders as they type. If
this has happened, the password should be changed.

Frequent Information Backup


User data as well as log files should be backed up on a regular basis. This will allow users to recover from theft or
hard disk failure. The user data backups should be physically protected or encrypted.

2. Pre-Windows Authentication

Overview
Basics
Pre-boot authentication prevents unauthorized users from accessing encrypted data. This important feature takes full
effect after the first user registers in Windows to GuardianEdge Hard Disk. The first user is forced to register after
any grace restarts expire.
Once the first user has registered, a Client Computer’s behavior upon restart is based on the GuardianEdge policy.

Password/Token Authentication
If a policy is enabled that requires all users on a Client Computer to authenticate, upon restart the computer will first
display the GuardianEdge Startup screen. This screen begins the GuardianEdge Hard Disk pre-Windows logon
process.
As a Client Administrator, you gain access to the computer by authenticating to GuardianEdge Hard Disk at the
pre-Windows logon prompt using your GuardianEdge password or PIN. You then log on at the Windows prompt
using your Windows credentials.
The exception to the pre-Windows logon process is when an Autologon policy is in place. This process bypasses
pre-Windows authentication so that administrators can run software installations and upgrades that require system
reboots. Should an Autologon policy be in effect, you and other users authenticate only at the Windows prompt.

Automatic Authentication
If a policy is enabled that allows all GuardianEdge users on a Client Computer to be automatically authenticated, no
pre-Windows authentication is required. You and all other users authenticate only at the Windows prompt. If
automatic authentication is enabled, you can skip to “Computer Lockout” on page 8.

The Startup Screen


Once the first user registers, the GuardianEdge Startup screen is displayed each time the computer is turned on,
unless users are automatically authenticated.
The Policy Administrator may have configured the Startup screen to contain:
• The default image and text, or
• The default image with changed logon instructions, or
• The default image with a changed legal notice, or
• The default image with both changed instructions and changed legal notice, or
• A custom image.

Figure 2.1 shows the default Startup screen.

Figure 2.1—Pre-Windows Startup, Default

If you are authenticating with a token and the token is already inserted, you may not see this Startup screen, or you
may see it flash briefly. Go directly to “Token Logons” on page 7. If you authenticate with a token and have not yet
inserted it, insert it now, then go to “Token Logons” on page 7.
If you authenticate with a password, press CTRL+ALT+DEL and proceed to the next section.

Password Logons
Once you have pressed CTRL+ALT+DEL, the pre-Windows password Logon screen appears.

Keyboard Selection
GuardianEdge Hard Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your
computer screen, similar to this: [image of the keyboard layout bar]. If your administrator defined multiple
keyboards and you need a keyboard layout different than the one identified in the bar, you can press Left
ALT+SHIFT or CTRL+SHIFT—the key sequence depends on which sequence was defined to Windows—to toggle
to another keyboard.

Figure 2.2—Pre-Windows Password Logon

Credential Entry and Verification


To log on to GuardianEdge Hard Disk, type your user name or UPN into the User name field. The UPN syntax is
username@domain.topleveldomain; for example, mbrown@your-org.com. Select your domain from the Domain
drop-down menu. If you used UPN syntax, no domain selection is necessary.
Type your password into the Password field. Click OK.
If your password is correct, you advance to the Windows logon prompt. If your password is not correct, the logon
fails. Check your password and re-enter the logon information.
Your Policy Administrator may have implemented a logon delay to occur when one or more incorrect password
attempts are made. This delay helps protect the computer against unwanted password-guessing attacks. If such a
setting or policy is in place and you trigger that restriction, a message appears informing you that the number of
allowed logon attempts has been exceeded and that you can try again in 60 seconds. Figure 2.3 shows an example.

Figure 2.3—Pre-Windows Logon, One-Minute Delay for Incorrect Logon
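The logon flow just described (user name or UPN, the Domain drop-down, and the delay imposed once the allowed number of incorrect passwords is exceeded), modelled as an added example; this is not GuardianEdge code. The 60-second delay and the UPN form mbrown@your-org.com come from the guide; the salted PBKDF2 credential store, the max_attempts value of 3 and the dummy-account timing defence are assumptions.

```python
"""Model of the pre-Windows password logon flow: user name or UPN plus a
domain selection, and a delay imposed after too many incorrect passwords."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DELAY_SECONDS = 60       # from the guide: "you can try again in 60 seconds"
PBKDF2_ROUNDS = 100_000  # assumed; the guide does not say how passwords are stored


def canonical_identity(user_name: str, domain: Optional[str]) -> str:
    """Reduce either input form to one 'user@domain' key.

    UPN syntax (username@domain.topleveldomain) carries its own domain, so the
    Domain drop-down is ignored in that case, as the guide states.
    """
    user_name = user_name.strip()
    if "@" in user_name:
        local, _, upn_domain = user_name.partition("@")
        if not local or "." not in upn_domain or "@" in upn_domain:
            raise ValueError("UPN must look like username@domain.topleveldomain")
        return f"{local.lower()}@{upn_domain.lower()}"
    if not user_name or not domain or not domain.strip():
        raise ValueError("a domain must be selected unless UPN syntax is used")
    return f"{user_name.lower()}@{domain.strip().lower()}"


@dataclass
class Account:
    salt: bytes
    digest: bytes


def make_account(password: str) -> Account:
    """Create a salted PBKDF2-HMAC-SHA256 credential record (assumed scheme)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return Account(salt, digest)


@dataclass
class LogonState:
    failures: int = 0         # consecutive incorrect passwords since last success
    delay_until: float = 0.0  # attempts made before this time are refused unseen


@dataclass
class PreWindowsLogon:
    accounts: Dict[str, Account]
    max_attempts: int = 3     # assumed policy value; the guide says "one or more"
    states: Dict[str, LogonState] = field(default_factory=dict)
    # Unknown user names are checked against a throw-away record so that the
    # response time does not reveal whether the account exists.
    _dummy: Account = field(default_factory=lambda: make_account(os.urandom(8).hex()), init=False)

    def attempt(self, user_name: str, domain: Optional[str], password: str,
                now: float) -> Tuple[str, int]:
        """Evaluate one logon attempt made at time `now` (seconds).

        Returns (outcome, retry_after_seconds); outcome is 'ok', 'failed',
        'delayed' or 'invalid'.
        """
        try:
            ident = canonical_identity(user_name, domain)
        except ValueError:
            return ("invalid", 0)
        st = self.states.setdefault(ident, LogonState())
        if now < st.delay_until:
            # The delay is in force: the password is not evaluated at all, and
            # hammering the prompt does not shorten the wait.
            return ("delayed", int(st.delay_until - now))
        acct = self.accounts.get(ident, self._dummy)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), acct.salt, PBKDF2_ROUNDS)
        if ident in self.accounts and hmac.compare_digest(digest, acct.digest):
            st.failures = 0
            return ("ok", 0)
        st.failures += 1
        if st.failures >= self.max_attempts:
            # "the number of allowed logon attempts has been exceeded"
            st.failures = 0
            st.delay_until = now + DELAY_SECONDS
            return ("delayed", DELAY_SECONDS)
        return ("failed", 0)


if __name__ == "__main__":
    # Constructed walk-through using the guide's sample UPN.
    logon = PreWindowsLogon({"mbrown@your-org.com": make_account("correct-password")})
    for args in [("mbrown@your-org.com", None, "guess1", 0),
                 ("MBrown", "your-org.com", "guess2", 5),
                 ("mbrown", "YOUR-ORG.COM", "guess3", 10),
                 ("mbrown@your-org.com", None, "correct-password", 40),
                 ("mbrown@your-org.com", None, "correct-password", 70)]:
        print(args[0], "at t=%d ->" % args[3], logon.attempt(*args))
```

The three spellings of the same user (UPN, name plus domain, and a differently cased domain) share one failure counter, so the delay cannot be sidestepped by switching input form.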

Token Logons
Keyboard Selection
GuardianEdge Hard Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your
computer screen, similar to this: [image of the keyboard layout bar]. If your administrator defined multiple
keyboards and you need a keyboard layout different than the one identified in the bar, you can press Left
ALT+SHIFT or CTRL+SHIFT—the key sequence depends on which sequence was defined to Windows—to toggle
to another keyboard.

Token Preparation
If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension
cable attached to your computer.
If you are using a smart card, when you insert it, hold the card so that the side containing the gold chip is on top and
the card end containing the chip is closest to the reader.
If your token or the reader has a light, the light blinks when information from your token is being read. Wait until the
blinking stops before taking the next action, such as clicking OK from the Logon screen. Do not remove your token
until authentication is complete.

First Logon
Figure 2.4 shows an example of the token Logon screen that displays the first time you log on to the Client Computer.

Figure 2.4—Pre-Windows Token Logon, Initial Logon

To authenticate, type your PIN into the PIN field then click OK. Do not remove your token until processing
completes.

The first time this Logon screen appears, it displays only the PIN field. Once you enter your PIN and
click OK, this message appears, “Unrecognized token. Please wait. This will take a few moments.” This
short delay occurs because the system is recording the token ID and certificate information.

Subsequent Logons
Once you log on the first time, the next time you reboot, the screen will display User name and Domain fields in
addition to the PIN field (Figure 2.5), and the “unrecognized token” message will not appear.


Figure 2.5—Pre-Windows Token Logon, Subsequent Logons

Type your PIN into the PIN field and click OK. Do not remove your token until processing completes.

PIN Verification
If your PIN is correct, you advance to the Windows logon prompt once the credentials are verified.
If your PIN is not correct, the logon fails. Check your PIN and re-enter the information, then click OK to resubmit. If
it fails again, contact the appropriate administrator.
You can also reference Appendix B “Token Error Messages” and check the section “Pre-Windows Logon” on
page 33.

Tip: If you are using an RSA SID800 token and your authentication fails, remove the token, then re-insert
it and re-enter your credentials. Click OK.

Computer Lockout
About Lockouts
If lockouts are used to force a Client Computer to check in with the GuardianEdge Server according to a prescribed
schedule, when a computer fails to check in, users will not be able to boot to Windows.

Lockout Prevention
If a Client Computer is about to be locked, a Server Communication Required warning message appears before the
Startup screen loads (Figure 2.6).

Figure 2.6—Pre-Windows Logon, Lockout Warning


The message identifies the number of days left before the lockout and advises the user to contact a Client
Administrator. After the user clicks OK, the Startup screen will be displayed.
If a user contacts you about this warning, prevent the lockout in one or more of the following ways:
• Resolve the problem that is preventing the Client Computer from connecting to the GuardianEdge Server.
• Log on to the Client Computer at the pre-Windows logon prompt, which automatically extends the next
communication due date.
• Use the Client console Check-In panel to extend the due date further.

Lockout Recovery
If the Client Computer is already locked, an Access Denied error message appears immediately upon reboot as shown
in Figure 2.7.

Figure 2.7—Computer Lockout

Click OK. The Client Administrator Logon screen for lockouts appears (Figure 2.8).

Figure 2.8—Pre-Windows Logon, Client Administrator Logon to Unlock Computer

Only you can log on to the computer; users cannot proceed to Windows. Your action will unlock the computer and
extend the next communication due date.

If Autologon is activated while a computer is in a lockout state, the Autologon policy preempts the
lockout condition for as long as the Autologon policy is in effect. This functionality ensures that a
communication lockout condition does not disrupt the completion of the Autologon process, which is
used to allow software installations and upgrades to run without users authenticating in pre-Windows.


3. The Client Console

Overview
The Client console allows you to perform the following tasks:
• Encrypt one or more partitions on the hard disk, if they are not already encrypted or have been decrypted.
• Decrypt one or more partitions on the hard disk, if decryption is necessary and allowed by policy.
• Unregister user accounts, if unregistering is allowed by policy.
• View the encryption status of the hard disk partitions.
• View and extend the date the computer must next check in with the GuardianEdge Server, if check-in is required.
• View the GuardianEdge user accounts on the computer.


This chapter begins with instructions on how to log on to the Client console, and then describes how to perform
GuardianEdge Hard Disk tasks and GuardianEdge Account Settings tasks.
Once you are in Windows, launch the GuardianEdge Client console by selecting GuardianEdge Client from the
Start menu.

Logon
When the Client console launches, it prompts you for your credentials. If you log on with a token, see “Token
Logons” on page 11. If you log on with a password, see the next section.

Password Logons
If your account uses a password to authenticate, the Logon screen prompts you for your password (Figure 3.1).

Figure 3.1—Client Console Logon, Password

To log on to the Client console with a password, in the Password field type your GuardianEdge Client Administrator
password, then click Log On.
If your password is not correct, the logon will fail. Check your password and re-enter the information.


Your Policy Administrator may have configured a logon delay that is triggered after one or more incorrect logon
attempts. This delay helps protect the computer against password-guessing attacks. If such a setting or policy is in
place and you trigger that restriction, a message appears informing you that the number of allowed logon attempts
has been exceeded and that you can try again in 60 seconds.
If your authentication succeeds, you will be given access to the Client console. Skip to the section “Welcome” on
page 13.

Token Logons

Token Insertion
The Logon panel prompts you to insert your token.

Figure 3.2—Client Console Logon, Token

If your token is already inserted, skip to the next section; otherwise, insert your token.
If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension
cable attached to your computer. Make sure that the RSA token software recognizes your token: wait until the RSA
icon in your system tray changes to include a plus sign.
If you are using a smart card, when you insert your token, hold the card so that the side containing the gold chip is on
top and the card end containing the chip is closest to the reader.
If your token or the reader has a light, it blinks when information from your token is being read. If you are using an
Axalto smart card, the icon’s computer screen changes from black to blue while the icon’s golden token blinks, then
returns to black when the blinking stops. Wait until all blinking stops before taking the next action, such as
clicking Next. Do not remove the token until authentication is complete.

PIN Entry
In the PIN field, type your PIN, then click Log On. Do not remove the token until authentication completes.
If your authentication succeeds, you are given access to the Client console. Skip to the section “Welcome” on
page 13.
If your authentication fails or if you encounter token, certificate, or PIN errors during logon, please refer to Appendix
B “Token Error Messages” and check the section “Client Console Logon” on page 56 for possible causes and
resolution.


Your Policy Administrator may have configured a logon delay that is triggered after one or more incorrect logon
attempts. This delay helps protect the computer against PIN-guessing attacks. If such a setting or policy is in place and
you trigger that restriction, a message appears informing you that the number of allowed logon attempts has been
exceeded and that you can try again in 60 seconds.

Certificate Selection
If the Select Certificate dialog (Figure 3.3) appears, continue reading; otherwise, skip to the next section “Welcome”
on page 13.

Figure 3.3—Select Certificate

Your administrator may have set up your GuardianEdge certificate with the values listed immediately below. These
are the values that the GuardianEdge software uses to identify your certificate automatically for authentication.
For RSA SID800:
• DATA_ENCIPHERMENT and KEY_ENCIPHERMENT (Key Usage)
• EMAIL_PROTECTION (Enhanced Key Usage)
For Smart Card:
• DATA_ENCIPHERMENT and KEY_ENCIPHERMENT (Key Usage)
• EMAIL_PROTECTION (Enhanced Key Usage)
For Common Access Card (CAC):
• KEY_ENCIPHERMENT (Key Usage)
However, if more than one certificate—or no certificate—exists with these values, the Select Certificate dialog
(Figure 3.3) opens and you must manually identify your GuardianEdge certificate.
Select your GuardianEdge certificate by clicking on the appropriate row, then clicking OK. In the Figure 3.3
example, the administrator created two certificates with the expected Key Usage settings, so this user identifies their
certificate based on Expiration Date.
If you select a certificate that is not valid, you will receive an error message. If you don’t know which certificate to
choose, contact your administrator.
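The selection rule described above, as an added example that is not GuardianEdge code: a certificate whose Key Usage and Enhanced Key Usage values match the expected set for the token type is chosen automatically when it is the only match; zero or several matches mean the Select Certificate dialog is shown, with rows the user can tell apart by expiration date. The certificate records, the token-type names and the reading that the expected values must be a subset of the certificate's values are assumptions made for this example.

```python
"""Added example, not GuardianEdge code: automatic certificate selection.

Models the rule described above: the software looks for a certificate on the
token whose Key Usage and Enhanced Key Usage values match the expected set for
the token type. Exactly one match is used automatically; zero or several
matches mean the Select Certificate dialog must be shown, listing candidates
so the user can tell them apart by expiration date. The certificate records
and the 'expected values are a subset of the certificate's values' reading
are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Tuple

# Expected (Key Usage, Enhanced Key Usage) values per token type, as listed in the guide.
EXPECTED_VALUES = {
    "RSA SID800": (frozenset({"DATA_ENCIPHERMENT", "KEY_ENCIPHERMENT"}),
                   frozenset({"EMAIL_PROTECTION"})),
    "Smart Card": (frozenset({"DATA_ENCIPHERMENT", "KEY_ENCIPHERMENT"}),
                   frozenset({"EMAIL_PROTECTION"})),
    "CAC":        (frozenset({"KEY_ENCIPHERMENT"}), frozenset()),
}


@dataclass(frozen=True)
class Certificate:
    subject: str
    key_usage: FrozenSet[str]
    enhanced_key_usage: FrozenSet[str]
    not_after: date            # expiration date shown in the dialog


def has_expected_values(cert: Certificate, token_type: str) -> bool:
    """True when the certificate carries every expected KU and EKU value."""
    ku_required, eku_required = EXPECTED_VALUES[token_type]
    return ku_required <= cert.key_usage and eku_required <= cert.enhanced_key_usage


def select_certificate(certs: List[Certificate], token_type: str):
    """Return ("auto", cert) for a unique match, else ("prompt", candidates):
    the dialog is needed both when nothing matches and when several do."""
    candidates = [c for c in certs if has_expected_values(c, token_type)]
    if len(candidates) == 1:
        return "auto", candidates[0]
    return "prompt", candidates


def dialog_rows(candidates: List[Certificate], today: date) -> List[Tuple[str, str, bool]]:
    """Rows for the Select Certificate dialog: subject, expiration, still valid.
    An expired choice is what produces the 'not valid' error message."""
    return [(c.subject, c.not_after.isoformat(), c.not_after >= today)
            for c in sorted(candidates, key=lambda c: c.not_after)]


# Constructed token contents: a signing cert plus two encryption certs,
# one of which has already expired.
SAMPLE_CERTS = [
    Certificate("CN=M Brown (signing)", frozenset({"DIGITAL_SIGNATURE"}),
                frozenset({"CLIENT_AUTH"}), date(2008, 1, 1)),
    Certificate("CN=M Brown (encryption, old)",
                frozenset({"DATA_ENCIPHERMENT", "KEY_ENCIPHERMENT"}),
                frozenset({"EMAIL_PROTECTION"}), date(2006, 6, 30)),
    Certificate("CN=M Brown (encryption)",
                frozenset({"DATA_ENCIPHERMENT", "KEY_ENCIPHERMENT"}),
                frozenset({"EMAIL_PROTECTION"}), date(2008, 6, 30)),
]

if __name__ == "__main__":
    mode, result = select_certificate(SAMPLE_CERTS, "Smart Card")
    print(mode)  # two certificates match, so the dialog is shown
    for row in dialog_rows(result, date(2007, 1, 1)):
        print(row)
```

With the sample token the Smart Card rule matches both encryption certificates, which is exactly the Figure 3.3 situation: the user has to pick by expiration date, and picking the expired one yields the error.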


Welcome
The Client console opens to the Welcome panel, which appears with an enabled navigation pane (Figure 3.4).

Figure 3.4—Client Console Welcome


Navigation
User Interface Elements
The Client console is divided into several sections.

Figure 3.5—Client Console User Interface Elements (callouts: Banner, Navigation Pane, Quick Help Pane, Main Pane)

The elements are as follows:


• The banner displays the product logo, the name of the currently logged on user, and the user’s domain or local
computer name.
• The navigation pane contains hyperlinks to all tasks. Each task has its own panel.
• The main pane displays a task panel.
• The Quick Help pane provides context-sensitive help based on the location of your mouse. See the next section
for how to display Quick Help.

Mouse Navigation
You may navigate the Client console using a mouse or using the keyboard.
If you are using a mouse:
• To load a panel, click the desired hyperlink in the navigation pane; the panel loads into the main pane.
• To display Quick Help, click the help icon. The Quick Help pane appears. To close the Quick Help pane, click
the help icon again.


Keyboard Navigation
If you are using the keyboard:
• Press the TAB key to move among the screen elements. A dotted line surrounds the link, input field, button, or
icon, indicating which element has the focus.
• To load a panel, press the TAB key to the desired link in the navigation pane, then press ENTER. The panel loads
into the main pane (Figure 3.6).

Figure 3.6—Client Console User Interface, Focus on Password Link

• To display Quick Help, press the TAB key until the focus is on the help icon, then press ENTER or the
SPACEBAR. To close the Quick Help pane, press ENTER or the SPACEBAR again. Note that Quick Help
applies at the panel level; context-sensitive Quick Help is available only when using a mouse.
• To select a check box, press the TAB key to place focus on the box, then press the SPACEBAR. To toggle off the
selection, press the SPACEBAR again.
• To activate a button, press the TAB key to place focus on the button, then press ENTER or the SPACEBAR.
The TAB key follows standard user-interface behavior:
• Tabbing order within each panel is top to bottom, left to right.
• To move down, press the TAB key; to move up, press Shift-TAB.
• To scroll, use the UP ARROW key and the DOWN ARROW key.

When you use the TAB key to navigate, you may need to press the key more than once to place the focus
on the next desired link, input field, button, or icon, depending on the location of the current focus.

Hard Disk Tasks


Encryption
The full encryption of the Client Computer is usually set up to begin immediately after installation. It is unlikely that
you will need to use the Client console to start this process manually.


Use the Encryption panel to view the encryption status of the hard disk partitions or manually begin the encryption of
a hard disk partition. To open the Encryption panel, click Encryption. The Encryption panel appears. Figure 3.7
shows an example.

Figure 3.7—Client Console Encryption Panel

The Status field next to each partition shows which state a partition is in. The states are: Encryption Pending,
Encrypting, Encrypted, Decryption Pending, Decrypting, and Decrypted.
If partitions are listed with a status of Decrypted, Decrypting, or Decryption Pending you can check the check box
beside them to select them for encryption. A check box beside a partition will not be available if the partition has a
status of Encrypted, Encrypting, or Encryption Pending. This unavailability could also occur if a remote
decryption policy prevents encryption.
Should you need to encrypt the disk, you should first connect to an uninterruptible power source, since an
interruption of power could cause data corruption. For example, if you are encrypting a laptop, fully charge the
battery or plug in the laptop before you start.
Once you select one or more partitions, the Encrypt Selected Partitions button becomes available. Click Encrypt
Selected Partitions. A partition’s status changes to Encryption Pending, then to Encrypting.
While encryption is running, the panel shows the (0-99) percentage of partition encryption, such as Encrypting
(80 %). When encryption completes, no percentage is shown; a lock icon accompanies the Encrypted state for
easy visual confirmation that this partition is fully encrypted.
Users can continue to work while partitions are encrypting.

Decryption
Use the Decryption panel to view the decryption status of the hard disk partitions or manually begin the decryption of
a hard disk partition. To open the Decryption panel, click Decryption. The Decryption panel appears. Figure 3.8
shows an example.


Figure 3.8—Client Console Decryption Panel

The Status field next to each partition shows which state a partition is in. The states are: Encryption Pending,
Encrypting, Encrypted, Decryption Pending, Decrypting, and Decrypted.
While decryption is running, the panel shows the (0-99) percentage of partition decryption, such as Decrypting
(20 %). When decryption completes, no percentage is shown; an unlock icon accompanies the Decrypted state for
easy visual confirmation that this partition is fully decrypted.
The Encryption panel also shows encryption and decryption status information.
If you have decryption rights, you may need to use them for the following reasons:
• The operating system is about to be upgraded.
• A major physical change in the core hardware is about to occur. For example, an upgraded processor or
motherboard is going to be installed. Changes to the partition table are not possible on an encrypted computer and
the hard disk must be decrypted prior to the repartitioning.
• You are uninstalling GuardianEdge Hard Disk.
Should you need to decrypt the disk, first connect to an uninterruptible power source, since an interruption of power
could cause data corruption. For example, if you are decrypting a laptop, plug in the laptop before you start.
If partitions are listed with a status of Encrypted, Encrypting, or Encryption Pending, you can check the check box
beside them to select them for decryption. Once you select one or more partitions, the Decrypt Selected Partitions
button becomes available. Click Decrypt Selected Partitions. The partition’s status changes to Decryption
Pending, then to Decrypting.
A check box beside a partition will not be available if the partition has a status of Decrypted, Decrypting, or
Decryption Pending, if you do not have the right to decrypt, or if a remote decryption policy is active.
Users can continue to work while partitions are decrypting.
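The selection and status rules of the Encryption and Decryption panels, as one added example that is not GuardianEdge code and covers both panels: which partitions can be checked on each panel, how the Status field is rendered with its percentage or lock marker, and what the Encrypt/Decrypt Selected Partitions buttons do. Partition records, the decrypt right and the remote decryption policy flag are constructed for the example.

```python
"""Added example, not GuardianEdge code: Encryption and Decryption panel rules.

Models which partitions may be selected on each panel, how the Status field is
rendered, and what the Encrypt/Decrypt Selected Partitions buttons do, following
the rules given for both panels above. Partition records, the decrypt right and
the remote decryption policy flag are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List


class State(Enum):
    ENCRYPTION_PENDING = "Encryption Pending"
    ENCRYPTING = "Encrypting"
    ENCRYPTED = "Encrypted"
    DECRYPTION_PENDING = "Decryption Pending"
    DECRYPTING = "Decrypting"
    DECRYPTED = "Decrypted"


# A partition can be selected for the operation that reverses its current direction.
SELECTABLE_FOR_ENCRYPTION = {State.DECRYPTED, State.DECRYPTING, State.DECRYPTION_PENDING}
SELECTABLE_FOR_DECRYPTION = {State.ENCRYPTED, State.ENCRYPTING, State.ENCRYPTION_PENDING}


@dataclass
class Partition:
    name: str
    state: State
    percent: int = 0          # 0-99, meaningful only while Encrypting/Decrypting


def status_text(p: Partition) -> str:
    """Status as the panel shows it: a percentage only while in transition and
    a lock/unlock marker once the partition is fully encrypted/decrypted."""
    if p.state in (State.ENCRYPTING, State.DECRYPTING):
        return f"{p.state.value} ({p.percent} %)"
    if p.state is State.ENCRYPTED:
        return "Encrypted [lock]"
    if p.state is State.DECRYPTED:
        return "Decrypted [unlock]"
    return p.state.value


def encrypt_box_enabled(p: Partition, remote_decryption_policy: bool) -> bool:
    """Encryption panel check box: selectable state and no remote decryption policy."""
    return p.state in SELECTABLE_FOR_ENCRYPTION and not remote_decryption_policy


def decrypt_box_enabled(p: Partition, has_decrypt_right: bool,
                        remote_decryption_policy: bool) -> bool:
    """Decryption panel check box additionally requires the decrypt right."""
    return (p.state in SELECTABLE_FOR_DECRYPTION and has_decrypt_right
            and not remote_decryption_policy)


def encrypt_selected(partitions: List[Partition], selected: Iterable[str],
                     remote_decryption_policy: bool) -> List[str]:
    """Encrypt Selected Partitions: each selected partition moves to Encryption
    Pending. A selection the panel would not allow is rejected outright."""
    queued = []
    for p in partitions:
        if p.name not in selected:
            continue
        if not encrypt_box_enabled(p, remote_decryption_policy):
            raise ValueError(f"{p.name} cannot be selected for encryption")
        p.state, p.percent = State.ENCRYPTION_PENDING, 0
        queued.append(p.name)
    return queued


def decrypt_selected(partitions: List[Partition], selected: Iterable[str],
                     has_decrypt_right: bool, remote_decryption_policy: bool) -> List[str]:
    """Decrypt Selected Partitions: the mirror of encrypt_selected."""
    queued = []
    for p in partitions:
        if p.name not in selected:
            continue
        if not decrypt_box_enabled(p, has_decrypt_right, remote_decryption_policy):
            raise ValueError(f"{p.name} cannot be selected for decryption")
        p.state, p.percent = State.DECRYPTION_PENDING, 0
        queued.append(p.name)
    return queued


def sample_partitions() -> List[Partition]:
    """Constructed panel contents: one encrypted, one decrypted, one in transition."""
    return [Partition("C:", State.ENCRYPTED),
            Partition("D:", State.DECRYPTED),
            Partition("E:", State.DECRYPTING, 20)]
```

Note that a partition still in Decrypting can be queued for encryption and vice versa; the example keeps that rule from the panels, and resets the percentage when the direction reverses.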


Check-In
Client Computers may be configured to connect with the GuardianEdge Server. At designated intervals, they attempt
to send important recovery, status, and account information, including:
• The date and time of the connection;
• The encryption state of the hard disk;
• Data used by the One-Time Password recovery method; and
• Information used by the Recover Program.


The Policy Administrator optionally can add a policy to enforce check-in by locking out users when a computer is
required to check in but does not. If lockout occurs, the Client Computer remains in a pre-Windows state after restart
so that no user can log on and a Client Administrator must log on to allow the user to boot into Windows.
Use the Check-In panel:
• To find out what check-in policy is in place;
• To obtain the time and date of the last communication attempt;
• To see the next communication date information, if check-in is enforced by lockout;
• To extend the next communication date, if check-in is enforced by lockout and a network problem or a user’s or
computer’s known circumstance is preventing communication.
To access the panel, from the navigation pane click Check-In. The Check-In panel appears.

Figure 3.9—Client Console Check-In Panel, Check-In With No Enforcement

Figure 3.9 shows an example of a computer that has checked in and is not subject to a lockout enforcement policy.
The information displayed in the Check-In panel varies as described in the following table.


Table 3.1—Check-In Panel Information

Field Label: Last communication with the GuardianEdge Server
  Value: Date and time
  Meaning: Communication with the GuardianEdge Server occurred on the specified date at the specified time.

Field Label: Last communication with the GuardianEdge Server
  Value: never connected
  Meaning: This Client Computer has never connected to the GuardianEdge Server. The user will not have access
  to the OTP recovery method. The recover /B option is not available.

Field Label: Next communication due by
  Value: Future date and time
  Meaning: A lockout enforcement policy is in effect and this Client Computer must make contact with the
  GuardianEdge Server no later than the specified date and time.

Field Label: Next communication due by
  Value: Past date and time in red with a warning icon. Tooltip message, “Communication is overdue,” appears.
  Meaning: A lockout enforcement policy is in effect and this Client Computer has failed to connect within the
  mandatory interval. A lockout is imminent.

Field Label: Next communication due by
  Value: not applicable until the first user registers
  Meaning: The first user has not yet registered.

Field Label: Next communication due by
  Value: not applicable
  Meaning: A lockout enforcement policy is not in effect.

The Extend Due Date button is only available under the following circumstances:
• If you are logged in as a Client Administrator,
• If at least one user has registered,
• If a lockout enforcement policy is in effect, and
• If the Client Computer is configured to communicate with the GuardianEdge Server.


If lockouts are used for enforcement of check-in and the computer fails to check in, then users will not be able to boot
to Windows. If the Check-In panel indicates that a lockout is imminent, click Extend Due Date. The Next
communication due by field will be incremented from today’s date and time by the required communication
interval.
Separately, you should ensure that the issue preventing the Client Computer from connecting to the GuardianEdge
Server is resolved. The lockout experience is discussed further in “Computer Lockout” on page 8.
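The Check-In panel logic and the Extend Due Date rule, as an added example that is not GuardianEdge code: it reproduces what Table 3.1 says each field shows, the consequences of never having connected (no OTP recovery, no Recover /B), the four conditions for the Extend Due Date button, and the recomputation of the due date as the current time plus the required communication interval. The interval, the timestamps and the record layout are constructed for the example.

```python
"""Added example, not GuardianEdge code: Check-In panel state and Extend Due Date.

Reproduces the logic of Table 3.1 and the Extend Due Date rules: what the two
panel fields show given the last communication, the lockout enforcement policy
and whether the first user has registered; which consequences follow (OTP
recovery and Recover /B need a prior check-in; an overdue date means a lockout
is imminent); and how Extend Due Date recomputes the due date as the current
time plus the required communication interval. The interval, timestamps and
the record layout are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class CheckInRecord:
    last_communication: Optional[datetime]   # None means never connected
    interval: timedelta                      # required communication interval
    lockout_enforced: bool
    first_user_registered: bool
    configured_for_server: bool = True
    next_due: Optional[datetime] = None      # set once a user has registered


def last_communication_field(rec: CheckInRecord) -> str:
    if rec.last_communication is None:
        return "never connected"
    return rec.last_communication.strftime("%Y-%m-%d %H:%M")


def recovery_data_available(rec: CheckInRecord) -> bool:
    """OTP recovery and Recover /B depend on data sent at check-in."""
    return rec.last_communication is not None


def next_due_field(rec: CheckInRecord, now: datetime) -> Tuple[str, bool]:
    """(text shown, overdue) where overdue maps to the red date, warning icon
    and 'Communication is overdue' tooltip."""
    if not rec.lockout_enforced:
        return "not applicable", False
    if not rec.first_user_registered or rec.next_due is None:
        return "not applicable until the first user registers", False
    overdue = rec.next_due < now
    text = rec.next_due.strftime("%Y-%m-%d %H:%M")
    return (text + " (Communication is overdue)" if overdue else text), overdue


def lockout_imminent(rec: CheckInRecord, now: datetime) -> bool:
    return next_due_field(rec, now)[1]


def extend_due_date_enabled(rec: CheckInRecord, is_client_admin: bool) -> bool:
    """All four conditions from the guide must hold for the button to be available."""
    return (is_client_admin and rec.first_user_registered
            and rec.lockout_enforced and rec.configured_for_server)


def extend_due_date(rec: CheckInRecord, now: datetime, is_client_admin: bool) -> datetime:
    """Extend Due Date: the new due date is today's date and time plus the interval."""
    if not extend_due_date_enabled(rec, is_client_admin):
        raise PermissionError("Extend Due Date is not available")
    rec.next_due = now + rec.interval
    return rec.next_due


def record_check_in(rec: CheckInRecord, now: datetime) -> None:
    """A successful connection: last communication updates and, when lockouts
    are enforced, the next due date is measured from this contact."""
    rec.last_communication = now
    if rec.lockout_enforced and rec.first_user_registered:
        rec.next_due = now + rec.interval
```

Extending the due date only clears the imminent-lockout state; the record's last communication does not move until a real check-in happens, which is why the guide tells you to fix the connectivity problem separately.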

Account Settings Tasks


Users
Use the Users panel to view GuardianEdge accounts on a computer and to unregister users. To open the Users panel,
click Users in the navigation pane. The Users panel appears, populated with the registered user and Client
Administrator accounts on that computer. Figure 3.10 shows an example.


Figure 3.10—Client Console Users Panel

You may have the right to unregister users. When you unregister a user, the user’s GuardianEdge account is deleted
and that user can no longer log on in pre-Windows.
Reasons for unregistering a user include:
• Employee departure;
• Workstation or laptop reallocation;
• Registered user account maximum approaching or reached;
• Logon assistance methods (Authenti-Check and/or OTP) do not succeed or are not available.
Select the check box next to the user account(s) that you want to unregister. The Unregister Selected Users button
becomes available. Click Unregister Selected Users. The account is removed and the Number of registered users
is decremented.

If you unregister the only user—or the last user of many users—either leave the computer at the Windows
logon prompt or usher the next user of that computer past the pre-Windows logon prompt. As soon as
they try to access Windows, they will be prompted to register for their own GuardianEdge account. Once
they register, they will be able to log on in pre-Windows.

A policy may exist that mandates unregistering of users who do not log on for a specified number of days. Inactive
users will be automatically unregistered and will no longer be visible on the Users list.


Password
Your password is set by installation setting or policy. Therefore, your password panel will display as follows:

Figure 3.11—Client Console Password Panel

Authenti-Check
You do not have Logon Assistance methods available. Therefore, your Authenti-Check panel will display as follows:

Figure 3.12—Client Console Authenti-Check Panel

About
Use the About panel to find out which version of GuardianEdge Framework and GuardianEdge Hard Disk the Client
Computer is running. To open the About panel, click About.


Figure 3.13—Client Console About Panel

The build number is accessible as a Tool Tip when you hover your mouse over the version number. The build number
can be used to see whether patches have been applied.


4. Hard Disk Access & Recovery

Overview
GuardianEdge provides utilities and a Recover Program to assist you in the event that a GuardianEdge Hard Disk
Client Computer fails to boot. While the Recover Program can be run by a qualified Client Administrator, we
recommend that you contact GuardianEdge Technical Support for assistance with the process.

Utilities and the Recover Program


The following utilities and Recover Program can be used to attempt data recovery on a user’s computer:
• GuardianEdge Hard Disk Access Utility (32-bit)—GuardianEdge provides the 32-bit Access Utility separately. It
enables a Client Administrator to boot from a CD-ROM and access the hard disk by using the Microsoft Windows
Preinstallation Environment (Windows PE). Accessing the computer through Windows PE allows administrators
to back up data to servers or external disks for hard disk replacement, perform file system and Windows system
repair, and complete other system administration tasks.
• GuardianEdge Hard Disk Access Utility (16-bit)—The 16-bit Access Utility ships with GuardianEdge Hard Disk
as access.exe and is installed by default in the following directory on the server: C:\Program Files\Encryption
Anywhere\Encryption Anywhere Hard Disk\DOS. This version can be handy if you are off site; its smaller size is
useful for email distribution. However, this version requires extra hardware and software to run, such as a New
Technology File System (NTFS) reader and shareware to view the data. Therefore, the 32-bit Access Utility is
recommended.
• Recover Program—This program can be used in the event that the problem is related to GuardianEdge Hard Disk.
The program attempts to regain access to data on your hard disk by repairing the GuardianEdge client database
files or by performing an emergency decryption of the entire hard disk.
Contact GuardianEdge Technical Support at your earliest convenience when dealing with a technical issue that
involves critical data. Document all events that preceded the problem, list any actions taken, and identify any error
messages encountered. Depending on your situation, Technical Support personnel may walk you through one or more
of the following steps as you attempt recovery.

The Recover Floppy or CD


Your Policy Administrator will provide you with a bootable medium that includes the files listed below:
• access.exe (16-bit version)
• ephdxlat.bin
• ephdxlat.ovl
• RECOVER.EXE
• Readme.txt
These files can be used on any Client Computer, as long as the Client Computer and the Manager Computer are
running the same version of GuardianEdge Hard Disk.

Recovery Steps
Basics
The following steps should be performed in sequence:
1. Recover /A
2. Access Utility
3. Hard Disk Consistency Check
4. Recover /D
5. Recover /B

Recover /A
If your computer has encountered a serious error and you cannot load Windows, first run the Recover Program with
the /A option. The /A option attempts to repair damaged client database files.
After Recover /A runs, the Audit Trail is reset and all events logged in pre-Windows that have not been moved to the
Windows Event Log are lost.
To run Recover with the /A option, you will need the bootable Recover floppy or CD that the Policy Administrator
created.
To run Recover with the /A option:
1. Remove any bootable media.
2. Insert the Recover floppy or CD (see “The Recover Floppy or CD” on page 23) into the appropriate drive.
3. Restart the computer, booting from the Recover floppy or CD. You may need to modify the BIOS to boot from
CD.
4. At the A:> prompt, type Recover.exe /A.
5. You will be asked to authenticate with a Client Administrator name and password, after which you follow the
program prompts.
If the /A option succeeds in repairing the client database files and you are able to boot, you once again have access to
the computer. If the /A option does not succeed, proceed to the next step: Access Utility.

Access Utility
Two versions of the Access Utility are available: 32-bit and 16-bit. Both versions contain text-based instructions in an
accompanying Readme file. The 32-bit version is preferred and is delivered separately from GuardianEdge; the 16-bit
version is included with GuardianEdge Hard Disk. If you do not have the 32-bit version, request it from your Policy
Administrator.
Both versions of the Access Utility address possible Windows problems. If you succeed in booting with the Access
Utility, it indicates that the problem is with your Windows installation. The Access Utility will allow you to pull off
the critical files before you attempt to work on the Windows operating system.
The 32-bit Access Utility contains an NTFS reader and brings up a plug-and-play environment, allowing you to boot
from a CD using a Windows Preinstallation Environment (Windows PE). This allows you to map to a network drive
and copy your data to a safe location.


The 16-bit Access Utility ships with GuardianEdge Hard Disk. The Policy Administrator provides you with a copy.
This version runs in DOS and can be handy if you are off site and do not have disk access. Its smaller size is more
suited to being distributed by email. If you use the 16-bit Access Utility, you also need:
• The Recover floppy or CD (see “The Recover Floppy or CD” on page 23).
• An NTFS reader. This reader is a freeware tool that provides read access to NTFS partitions within the MS-DOS
environment. You can preview files on NTFS and copy files from NTFS to File Allocation Table (FAT) volumes
or network drives. The reader can be run from a DOS bootable floppy. Many sources provide the reader. The
http://www.sysinternals.com/Utilities/NtfsDosProfessional.html site is recommended.
• A shareware program to view the data.
If either version of the Access Utility does not succeed, proceed to the next step: Hard Disk Consistency Check.

Hard Disk Consistency Check


If running Recover /A fails and if the Access Utility is not able to see the hard disk or to authenticate the person
running the utility, then the possibility exists that the drive has physically failed. One frequent cause of failure is a
read/write arm failure.
Locate the bootable repair CD provided by the manufacturer and run a consistency check.
If the consistency check fails, physical problems exist.
The next step depends on the specifics of your situation. One step may be for you to send the disk to a data recovery
house for repair. Or GuardianEdge Technical Support may try a sector-by-sector image copy to back up your data
onto another disk.

Recover /D
If your disk passed the consistency check, run the Recover Program with the /D option once, to attempt to regain
access to the data on your hard disk. The /D option attempts to repair the GuardianEdge Hard Disk client database
files, then tries to decrypt the hard disk. After Recover /D runs, the Audit Trail is reset and all events logged in pre-
Windows that have not been moved to the Windows Event Log are lost.

Never run this option more than once, whether it succeeds or fails. Running Recover /D twice will cause
double decryption and permanent loss of data.

To run Recover /D:


1. Connect the computer to an uninterruptible power supply.
2. Remove any bootable media.
3. Insert the Recover floppy or CD (see “The Recover Floppy or CD” on page 23) into the appropriate drive.
4. Restart the computer.
5. At the prompt, type Recover.exe /D.
6. Authenticate with your Client Administrator user name and password.
7. When prompted, follow the program prompts.
Once the program starts running, do not stop it or shut down the computer. The process must run to completion. A
typical problem disk can take weeks to decrypt.
If the process runs into a series of bad sectors—perhaps hundreds of thousands of them—it will try multiple times to
read them and the process may appear to have stopped. You will see a percentage of disk decryption displayed on the
screen; that percentage may remain at the same number for quite some time. If the process cannot successfully read a
sector after multiple attempts, the process moves to the next sector. Readable sectors are read in, decrypted, and then
written back to the disk.


When the program ends, if you see a success message, you will have a fully or partially decrypted disk, depending on
the extent of damage.
Until you see a final message indicating success or failure, let the program run.
If you see a failure message, proceed to the next step.

Recover /B
Recover /B should be performed only with the assistance of GuardianEdge Technical Support.
If all previous steps failed, it may mean that a very important cryptographic key cannot be found. The Recover
Program using the /B option reads from a computer-specific recovery file that contains that key, allowing you to
decrypt your data.
While you already should have a Recover floppy or CD that can be used to perform Recover /A and /D, to perform
Recover /B you will need computer-specific data and a special Recover floppy or CD from your Policy
Administrator. The Administrator creates the DAT file by exporting a Client Computer’s data from the GuardianEdge
Server. For this reason, Recover /B is not available for silent clients. The administrator stores the data and other
recovery files on the Recover floppy or CD that is formatted as a boot disk (see “The Recover Floppy or CD” on
page 23).
When the Policy Administrator creates the medium, the Administrator defines a Recovery Password to protect the
DAT file. When the Administrator gives you the Recover floppy or CD, they tell you the password. Typically the
Administrator gives the DAT file a meaningful name, perhaps containing a computer-specific identifier and date,
such as Laptop4849_112907.dat.

Make sure that you execute the Recover /B option on the intended computer by checking the filename on
the medium. Since the data in the DAT file is computer-specific, running /B using a recovery data file
intended for another computer will corrupt your hard disk files.
Also make sure that the computer is connected to an uninterruptible power supply; otherwise, data loss
can occur if the process stops.

Boot from the Recover floppy or CD and enter Recover.exe /B. You will be prompted for the Recovery Password
associated with this file. Enter the password. The Recover Program will generate several information and warning
messages and/or prompts, depending on what the program encounters. The most severe warning message occurs if
something goes wrong when the Recover Program attempts to compare values in the DAT file with the client
database files, as described below.
If the Recover Program detects a mismatch between the DAT file and the client database files, the program halts and
issues a warning that the data on the hard disk will be destroyed if you continue the recovery process. Cancel the
process.
If the Recover Program is unable to compare the backup file and the client database files due to file corruption of
client database files, the program halts and issues the same warning message as stated in the previous paragraph.
Only if you are absolutely certain that the DAT file is the correct file should you continue the process; otherwise,
cancel the process.
If the Recover Program detects that the DAT file is corrupted, the Recover Program halts.

Appendix A. Keyboards

Overview
For computers that require pre-boot authentication, GuardianEdge offers a means of selecting different keyboard
layouts in pre-Windows.

Keyboard List
The keyboards that GuardianEdge Hard Disk supports are:
• Canadian French,
• French,
• German,
• Spanish,
• United Kingdom, and
• US English.

Keyboard Use
Active Keyboard Layout Identification
After a computer reboot, when you press CTRL-ALT-DEL or insert a token at the Startup screen, the GuardianEdge
pre-Windows Logon screen appears. The active keyboard layout is identified in a bar displayed in the lower
right-hand corner of that computer screen.

Keyboard Toggling
If the keyboard you require is not displayed in the bar and your administrator has defined multiple keyboards, you can
toggle to another keyboard in pre-Windows. The default key sequence for switching among keyboard layouts is
either Left ALT+SHIFT or CTRL+SHIFT, depending on how the key sequence was defined in Windows.

Advantages
Having an alternate keyboard layout to toggle to may be useful to you if you find yourself in a situation where you are
supporting a registered user whose physical keyboard is unfamiliar to you. For example, you may be assisting a user
who is in France and your user name and password are US English. If you are logging on in pre-Windows and you are
about to enter your Client Administrator password, you can toggle to your familiar keyboard layout. The section
“Keyboard Layouts: Default View” on page 27 shows the default-state view of each of the six supported keyboards.
Even though you actually will be typing on an unfamiliar physical keyboard, the computer will interpret the incoming
characters as if they were entered from the keyboard that you have selected to be the active keyboard.

Keyboard Layouts: Default View


This section shows the default-state layout of each supported keyboard. To see a keyboard layout view when the
SHIFT, CAPS, or ALTGR keys are pressed, go to Microsoft’s web site
http://www.microsoft.com/globaldev/reference/keyboards.mspx, which shows the complete set of keyboard layout states.

Canadian French

Figure A.1—Canadian French Keyboard

French

Figure A.2—French Keyboard

German

Figure A.3—German Keyboard

Spanish

Figure A.4—Spanish Keyboard

United Kingdom

Figure A.5—United Kingdom Keyboard

US English

Figure A.6—US English Keyboard

Keyboard Definition
Multiple keyboard layouts may already be defined in your organization. However, if you need to add a keyboard
layout, use the Windows standard method, as described in the steps in the following sections.

Initial Steps
This section describes the first steps to take to configure the additional keyboard, on both Windows XP and Windows
2000.
1. From the Start menu click Control Panel, then double-click Regional and Language Options. The window
opens.

Figure A.7—Regional and Language Options

2. Click the Languages tab.

Figure A.8—Languages Tab

3. From the Languages window, click Details. The Text Services and Input Languages window appears.

Figure A.9—Text Services and Input Languages, Before New Keyboard Added

4. Click Add. The Add Input Language window appears.

Figure A.10—Add Input Language

5. For each keyboard layout you wish to add, select an Input language from the drop-down menu and click OK.
The new keyboard appears in the Text Services and Input Languages dialog (Figure A.11).

Figure A.11—Text Services and Input Languages, After Keyboard Added

6. Click Apply.

Windows XP
If you are running Windows 2000, skip to the section “Windows 2000” on page 32 to complete the process. If you are
running Windows XP, follow the steps in this section.
1. From the Regional and Language Options window (Figure A.7), click the Advanced tab. A new window
appears (Figure A.12).

Figure A.12—Regional and Language Options Advanced Tab

2. Select the check box for Default user account settings. The following warning appears:

Figure A.13—Change Default User Settings Warning

3. Click OK to dismiss the warning.


4. Click Apply on the Regional and Language Options Advanced tab window.
5. Reboot the computer. The Registry settings, including the setting for the Default User Profile, are copied to the
pre-Windows environment, making them available during the pre-Windows logon process. Note that the Default
User Profile settings will affect all users of this computer.

Windows 2000
In Windows 2000, once you complete “Initial Steps” on page 29, use the Registry editor, RegEdit, to update the
Default User Profile as follows:
1. Copy the values from “HKEY_CURRENT_USER\Keyboard Layout\Preload” to
“HKEY_USERS\.DEFAULT\Keyboard Layout\Preload.”
2. Copy the values from “HKEY_CURRENT_USER\Keyboard Layout\Substitutes” to
“HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes.”
3. Reboot.
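The registry copy in steps 1 and 2 can also be scripted, which helps when several computers need the same layouts. The PowerShell below is an added example, not GuardianEdge code; it assumes a Windows version that ships PowerShell (Windows XP or later, so not Windows 2000 itself) and an administrative session, and the function names Copy-KeyboardLayoutToDefaultUser and Test-KeyboardLayoutDefaultUser are the example’s own.

```powershell
# Added example, not GuardianEdge code. Scripts the RegEdit steps above: copy the
# current user's keyboard layout values to the Default User profile so that
# pre-Windows can pick them up after the next reboot. Assumes a Windows version that
# ships PowerShell and an elevated (administrator) session, because
# HKEY_USERS\.DEFAULT is writable only by administrators.
function Copy-KeyboardLayoutToDefaultUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # The two subkeys the manual names under "Keyboard Layout".
        [string[]]$SubKeys = @('Preload', 'Substitutes')
    )

    # HKU: is not a built-in PSDrive; map HKEY_USERS for this session if needed.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($sub in $SubKeys) {
        $source = "HKCU:\Keyboard Layout\$sub"
        $target = "HKU:\.DEFAULT\Keyboard Layout\$sub"

        if (-not (Test-Path -Path $source)) {
            Write-Warning "Source key '$source' not found; skipping."
            continue
        }
        if (-not (Test-Path -Path $target)) {
            New-Item -Path $target -Force | Out-Null
        }

        $key = Get-Item -Path $source
        foreach ($name in $key.GetValueNames()) {
            # Preload values are REG_SZ strings such as "1" = "00000409"; copy the
            # raw data and its registry type without expanding anything.
            $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $kind  = $key.GetValueKind($name)
            $label = if ($name -eq '') { '(default)' } else { $name }
            if ($PSCmdlet.ShouldProcess("$target\$label", "Set to '$value'")) {
                Set-ItemProperty -Path $target -Name $label -Value $value -Type $kind
            }
        }
    }
}

# Verifies that every value under HKCU\Keyboard Layout\<subkey> is present with
# the same data under HKU\.DEFAULT; returns $true only when everything matches.
function Test-KeyboardLayoutDefaultUser {
    param([string[]]$SubKeys = @('Preload', 'Substitutes'))
    $ok = $true
    foreach ($sub in $SubKeys) {
        $src = Get-Item -Path "HKCU:\Keyboard Layout\$sub" -ErrorAction SilentlyContinue
        $dst = Get-Item -Path "HKU:\.DEFAULT\Keyboard Layout\$sub" -ErrorAction SilentlyContinue
        if (-not $src -or -not $dst) { $ok = $false; continue }
        foreach ($name in $src.GetValueNames()) {
            if ($dst.GetValue($name) -ne $src.GetValue($name)) {
                Write-Warning "Mismatch for $sub\$name"
                $ok = $false
            }
        }
    }
    return $ok
}

# Preview the changes first, then apply and verify before rebooting:
# Copy-KeyboardLayoutToDefaultUser -WhatIf
# Copy-KeyboardLayoutToDefaultUser
# Test-KeyboardLayoutDefaultUser
```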

Appendix B. Token Error Messages

Overview
This appendix lists the error messages that you may encounter while using your token to:
• Authenticate in pre-Windows, or
• Authenticate to the Client console.


The tables in this appendix include an Action column, specifying actions that you can take in response to each error
message.

In some cases, the message itself contains the default instruction: Please call the help desk for assistance.
This instruction appears in the Message column in italics. The instruction can be customized by your
Policy Administrator, so your instruction may differ from the default shown.

Pre-Windows Logon
Table B.1 lists the error messages that may be generated when you attempt to log on to GuardianEdge Hard Disk in
pre-Windows.

Table B.1—Pre-Windows Logon Messages

Token type: CAC / Smart Card
Message: GuardianEdge Hard Disk has discovered that the inserted token can not be recognized. You will need to use a token that can be recognized by the system.
Meaning: The type of token you are attempting to log on with does not match the type of token your administrator configured for your use.
Action: Click OK to dismiss the message, remove the incorrect token, then insert the correct one. If you do not know which token or card type is correct—or you have not been issued the correct card—contact the appropriate administrator. You cannot log on until this situation is resolved.

Token type: CAC / Smart Card
Message: A matching certificate could not be located on this token. The current token needs to be replaced or modified by an administrator. [Please call the help desk for assistance.]
Meaning (1): The certificate on this token is not the correct certificate for your GuardianEdge account.
Action (1): Click OK to dismiss the message, then click Cancel to exit the Logon screen. Contact your Policy Administrator to verify that this token contains the certificate that the administrator used to establish your account.
Meaning (2): Your certificate was issued today, but is not yet valid because the Certificate Authority issues certificates using Greenwich Mean Time (GMT). Therefore, your local system date has not yet caught up with the GMT activation date.
Action (2): Click OK to dismiss the message. If there is another Client Administrator assigned to this computer, ask them to log on in pre-Windows, so that you can access Windows. Tomorrow your certificate should work, or you could set your local system date ahead, to activate the certificate now.

Token type: Smart Card
Message: No certificate could be found on this token. The current token needs to be replaced or modified by an administrator. [Please call the help desk for assistance.]
Meaning: Your token does not contain any certificates.
Action: Click OK to dismiss the message. Is this the token that your Policy Administrator issued to you? If it isn’t, please insert that token now and try again. If it is, contact your Policy Administrator and let them know that your token is missing the required certificate.

Token type: RSA
Message: An error occurred during communication with the token. To try logging on with a token again, click Restart Computer. Your computer will restart automatically.
Meaning (1): Your token’s certificate is not intended for your GuardianEdge account.
Action (1): Click Restart Computer from the message box. Insert the token that contains the certificate that the Policy Administrator set up for you. On the Logon screen, type your PIN then click OK.
Meaning (2): Your token does not contain any certificates.
Action (2): If you do not know which token or certificate to use, contact the Policy Administrator or appropriate token administrator and ask for help.

Token type: All
Message: Incorrect PIN.
Meaning: You inserted your token for the Startup screen but did not enter your PIN on the Logon screen before clicking OK.
Action: Click OK to dismiss the message. On the Logon screen, type your PIN then click OK.

Token type: All
Message: GuardianEdge Hard Disk has detected that the token has been removed. Please reinsert the token and click OK.
Meaning (1): You removed your token before your logon process was complete.
Action (1): Click OK to dismiss the message. Re-insert your token. On the Logon screen, type your PIN then click OK.
Meaning (2): Your token reader was unplugged after GuardianEdge Hard Disk detected your token.
Action (2): Click OK to dismiss the message. Plug the reader back in, then reboot. Insert your token at the Startup screen to bring up the Logon screen. Type your PIN then click OK.

Token type: All
Message: GuardianEdge Hard Disk could not detect a token. To resume the authentication process with a token, please insert a token and then click OK.
Meaning (1): You removed your token before your logon process was complete.
Action (1): Click OK to dismiss the message. Re-insert your token. On the Logon screen, type your PIN then click OK.
Meaning (2): Your token reader was unplugged after GuardianEdge Hard Disk detected your token.
Action (2): Click OK to dismiss the message. Plug the reader back in, then reboot. Insert your token at the Startup screen to bring up the Logon screen. Type your PIN then click OK.

Token type: All
Message: The PIN is blocked for this token. The current token needs to be replaced or modified by an administrator. [Please call the help desk for assistance.]
Meaning: Your PIN has been blocked by your token software for exceeding the maximum number of incorrect retries to enter your PIN.
Action: Click OK to dismiss the message and contact the Policy Administrator or appropriate token administrator.

Token type: All
Message: Incorrect (PIN).
Meaning: The PIN you entered is not correct. Type your PIN again then click OK.
Action: Click OK to dismiss the message. If you think that you know your correct PIN, re-type your PIN then click OK. If you do not know your PIN, please contact your Policy Administrator.

Client Console Logon


Table B.2 lists the error messages that may occur when you are trying to log on to the Client console.

Table B.2—Client Console Logon Messages

Token type: CAC
Message: A token error has occurred.
Meaning: Your token may be using older software (ActivClient Gold 3.0). When this is the case, this generic message is displayed for any of the following conditions: incorrect PIN, blocked PIN, or expired certificate.
Action: Click OK to dismiss the message, then close the Client console. Contact your Policy Administrator or appropriate token administrator to determine the exact issue with your token.

Token type: RSA
Message: A token error has occurred.
Meaning: It is possible that your certificate cannot be found or is not being recognized.
Action: Click OK to dismiss the message, then shut down the Client console. Log off Windows and restart your computer. Log on and launch the Client console. When you are prompted to log on, insert your token. If you are using an RSA token, make sure that the RSA token software recognizes your token. Wait until the RSA icon in your system tray changes to include a plus sign. If you are using an Axalto smart card, wait for the icon’s gold token to stop blinking and for the icon computer screen to return from blue to black. Wait for any token light to stop blinking before clicking Log On from the Logon panel. This wait time ensures that your token is recognized by the system. If you receive this message when you try again, contact the appropriate administrator.

Token type: All
Message: The program could not log you on. The token was removed.
Meaning: There is no token in your reader.
Action: Click OK to dismiss the message. Insert your token. In the Logon panel, type your PIN, then click Log On.

Token type: All
Message: Incorrect PIN.
Meaning: You did not enter the correct PIN.
Action: Click OK to dismiss the message. In the Logon panel, type the correct PIN, then click Log On.

Token type: All
Message: The PIN is blocked for this token. The current token needs to be replaced or modified by an administrator.
Meaning: Your token’s certificate contains a blocked PIN.
Action: Call the appropriate administrator. You cannot use this token and certificate for GuardianEdge Hard Disk until this issue is resolved.

Token type: All
Message: The program could not log you on. Your credentials could not be verified.
Meaning: The inserted token may not be for the user who is logged in to Windows. It is also possible that your token does not contain any certificates or that it contains certificates that were not issued to you.
Action: Make sure that you are the user who is logged on to the Windows session. If you are not, log on to Windows now. Make sure that the inserted token is the one that was issued for your GuardianEdge account. If it is not, remove the invalid token and insert the valid token. Try to log on again. If the console still cannot verify your credentials, call the appropriate administrator. You cannot use this token for GuardianEdge Hard Disk until the issue is resolved.

Glossary

Active Directory
Active Directory is a directory service that provides the means to manage the identities and relationships that make up network environments. Active Directory provides network administrators with a hierarchical view of the network and a single point of administration for all network objects.

Active Directory Application Mode (ADAM)
Active Directory Application Mode (ADAM) is a Lightweight Directory Access Protocol (LDAP) directory service that runs as a user service on top of Windows, as opposed to a system service such as Active Directory. The GuardianEdge Manager stores data in ADAM rather than in Active Directory, allowing organizations to avoid changing the Active Directory schema.

Active Directory Users and Computers Snap-in
The Users and Computers snap-in from Microsoft allows an administrator to find and organize the user and computer objects within an Active Directory structure.

Authenti-Check
A self-help password recovery method for authenticating registered users who forget their GuardianEdge passwords in pre-Windows. Policy Administrators can choose whether to enable or disable this feature. The Authenti-Check method involves up to three question-answer pairs, established during GuardianEdge registration. If a user forgets his or her password, the questions are displayed and the user is prompted to enter the answers. Correct answers authenticate the user. Then the user is prompted to change his or her GuardianEdge password. Authenti-Check is not available to Client Administrators or to token-based users.

Autologon
Autologon is a policy used by Policy Administrators for remotely deploying software to computers protected by GuardianEdge Hard Disk. Software installations typically require several restarts of Client Computers, and Autologon automatically authenticates without user or administrator intervention. The Policy Administrator defines a window of time during which Autologon remains active, along with the total number of restarts that may occur within the defined period. Autologon does not decrement the number of available grace restarts.

Automatically Authenticated User
An automatically authenticated user is a registered user who does not authenticate to the GuardianEdge Platform. Registration of this user’s account takes place after successful Windows authentication in one of two ways, as dictated by policy: the user is registered silently, or the user registers interactively, by entering a Registration Password. After being registered, this user can gain access to the Client console without authenticating. Also, after computer restart, the computer boots to Windows. The user does not encounter a pre-Windows logon process nor require use of the pre-Windows logon-assistance recovery methods.

Client Administrator
The Client Administrator supports GuardianEdge registered users. Main functions include: unregistering users (if allowed by policy), extending a computer’s check-in due date with the GuardianEdge Server, and unlocking a locked computer that has failed to check in at the appointed time with the GuardianEdge Server, if applicable. All Client Administrators may encrypt hard disk partitions, and the default policy allows Client Administrators to decrypt partitions.
A Policy Administrator establishes Client Administrator accounts using an installation setting or a policy that is pushed out from the GuardianEdge Manager. The account can be password-based or token-based, although at least one Client Administrator account per computer must be password-based to allow the administrator to run recovery programs. The Policy Administrator creates and manages a Client Administrator’s password. A Policy Administrator can remove a Client Administrator account by pushing out a policy in which the account is not present. Client Administrators cannot change their own passwords or use any password-recovery methods.
Between 1 and 50 Client Administrator accounts may exist on each Client Computer, as defined by installation setting and policy. A Client Administrator may have an account on more than one computer.

Client Database
The client database consists of a series of volume files and is part of the GuardianEdge file system. Once the location of the client database files has been specified during the creation of the Client Computer installation packages and the installation has completed, these files must never be moved or disturbed. See “Best Practices” on page 2.

Federal Information Processing Standards (FIPS)
Federal Information Processing Standards (FIPS) are issued by the National Bureau of Standards. Several standards (140-1, 140-2, 140-3) provide guidelines for implementing cryptographic software. The validation process is administered by the National Institute of Standards and Technology’s (NIST) Cryptographic Module Validation (CMV) Program.

Group Policy Management, Group Policy Management Console Snap-in
A snap-in from Microsoft that a GuardianEdge Policy Administrator can use to assign GuardianEdge software and policies to users and computers.

Group Policy Object (GPO)
An object in Active Directory that contains user and/or computer policies.

GuardianEdge Data Protection Framework
GuardianEdge Data Protection Framework provides GuardianEdge Platform-wide features. The Policy Administrator uses GuardianEdge Framework to define installation settings and policies for features such as automatically authenticating versus authenticating registered users, password management, password-recovery methods, authentication method (password or token), and the use of Single Sign-On. In the Client console, these features can include GuardianEdge password changes for authenticating registered users, Authenti-Check question and/or answer changes for authenticating registered users, and a view of user accounts on the Client Computer. The viewing of accounts panel also allows for the unregistering of users by Client Administrators, if this policy is enabled.

GuardianEdge Password
If the Client Computer is configured to have authenticating users, this password is used by registered users and by Client Administrators to authenticate to GuardianEdge Hard Disk during pre-boot authentication. Registered users who do not have SSO enabled, as well as all Client Administrators, also use this password to authenticate to the Client console once Windows has loaded. The Client Administrator also uses their password to authenticate to Recover /A and Recover /D.
A Client Administrator’s password must be between 16 and 32 characters and is defined by the Policy Administrator through installation settings and policies.
An authenticating user defines their GuardianEdge password during registration. If SSO is off, the user can change this password using the Client console. If SSO is on, the user’s Windows password is used as the GuardianEdge password and Windows manages password requirements and changes.

GuardianEdge Software Setup Snap-in
The snap-in runs on the GuardianEdge Manager, allowing GuardianEdge Policy Administrators to customize GuardianEdge software before deployment, both for GuardianEdge Framework and for GuardianEdge Hard Disk.

Master Boot Record (MBR)
A master boot record (MBR) is the first sector (sector zero) of a data storage device, such as a hard disk. It is sometimes used for bootstrapping operating systems, sometimes used for holding a disk’s partition table, and sometimes used for identifying disk media. On some computers it also can be unused or ignored.

Microsoft Installer Package (MSI)
The Microsoft Installer package provides a format for self-contained database files containing the requirements and instructions that the Windows Installer uses when installing applications. MSI packages can be installed using Group Policy Objects (GPOs).

One-Time Password (OTP)
The One-Time Password (OTP) Program allows authenticating users to recover from a forgotten password, PIN, or token with help desk assistance. This assistance provides the user with a one-time password or response key, which allows the user to temporarily authenticate. A password-based user is then prompted to enter a new password. The help-desk side of the OTP Program is typically run by a Policy Administrator, since the GuardianEdge Manager must be installed on the same computer where the OTP Program runs. If a Client Computer never checks in with the GuardianEdge Server, the OTP recovery method is not available.

Partition
A logical division on a hard disk that allows the application of operating system-specific logical formatting to that division only and not to the entire hard disk.

Password Management
The ability of a Policy Administrator to define attributes to which a registered user’s password must adhere, such as age, reusability, and complexity, if Single Sign-On (SSO) is not enabled. This password management applies during the registration process when an authenticating user defines a password, during password-recovery methods when an authenticating user is prompted to change their password, and in the Client console Password panel, where authenticating registered users without SSO may change their GuardianEdge passwords. This feature is both a Framework installation setting and computer policy.

Policy Administrator
An organization’s centralized point of control for the GuardianEdge Platform is one or more Policy Administrators. A Policy Administrator defines installation settings and policy updates that are pushed out to Client Computers through Active Directory. Policy Administrators create Client Administrator accounts. Installation settings and policy updates may differ from computer to computer, and from user to user. The user accounts to which policies are directly applied are not stored on the Client Computer or in the GuardianEdge Platform; these are the Active Directory accounts. Once policies are pushed out, however, the policy requirements display on user interface screens. Policy Administrators also typically run the help-desk side of the One-Time Password (OTP) Program.

Pre-Windows
The GuardianEdge Hard Disk environment that loads upon reboot, before the Windows operating system loads, if the Client Computer is configured to have authenticating users. This environment helps protect the Client Computer’s primary hard disk by requiring authentication before a user gains access to Windows and thus to the computer’s file system.

Recover Program
The Recover Program can be used if a Client Computer encounters a serious error and cannot load Windows. The program attempts to regain access to data on the hard disk by repairing the GuardianEdge client database files or by performing an emergency decryption of the entire hard disk.

Registered User
A registered user of a Client Computer has a GuardianEdge account and can power the GuardianEdge Hard Disk-protected computer from an off state as well as access those functions of the Client console which have been provided to them by policy.
A Policy Administrator defines registered user rights and the number of allowed user accounts through installation settings and policies. (1–50 user accounts can exist on any given computer.) Registered users are supported by Client Administrators and help desk technicians.
Client Administrators and registered users can view a list of the users registered on a computer by using the Client console Account Settings — Users panel. An authorized Client Administrator can use that panel to unregister registered users, thus deleting a user’s GuardianEdge account. If a policy is pushed out to make a registered user a Client Administrator, then the registered user account is deleted. The user cannot hold both roles.
Policy Administrators can view the registered user accounts on a specified Client Computer by using a GuardianEdge Manager snap-in, the Client Monitor.

Registration
When authenticating users register to the GuardianEdge Platform, they set a PIN or a password, possibly along with information that allows them to recover their password should they forget it. Once the first authenticating user has registered, the Client Computer is in a much more secure state. For this reason, users are forced to register after an optional, configurable number of grace restarts expires.
The GuardianEdge registration wizard walks users through a series of screens to define and activate their GuardianEdge account. A user may register on more than one computer.
Users who are automatically authenticated may be silently registered and do not need to follow the interactive registration process. Automatically authenticated users who register interactively need only enter the Registration Password.

Re-Registration
Existing GuardianEdge registered users who authenticate are prompted to re-register if a Policy Administrator issues a computer policy requiring them to change their authentication method—from password to token, or from token to password—by a certain date. Refer to the User Guide for details.

Silent Client
A silent client is a Client Computer that does not check in with the GuardianEdge Server, as prescribed by installation setting or policy. If the silent client option is enabled and the computer has never checked in, the One-Time Password recovery method and the Recover /B hard disk recovery option—which requires computer-specific data stored in ADAM during check-in—are not available. Silent clients are also produced when Framework Client packages are created from a GuardianEdge Manager whose installation mode does not require connection to a GuardianEdge Server.

Single Sign-On (SSO) A feature that allows GuardianEdge registered users to use their Windows password as
their GuardianEdge password. If SSO is enabled, the user logs on once in pre-
Windows and is automatically authenticated to Windows and to the Client console. If
SSO is not enabled, the user logs on in pre-Windows using their GuardianEdge
password, logs on to Windows using their Windows password, and logs on a third time
to the Client console, if they need to, using their GuardianEdge password.
Windows manages password changes, imposing Windows password criteria.
GuardianEdge Framework synchronizes the GuardianEdge password with the
Windows password whenever the passwords get out of sync, when a new policy
invoking SSO is pushed out, or when the Windows password expires and must be changed.
The Client Computer must reboot to activate an SSO policy, which installs the
GuardianEdge GINA into the (Windows) GINA chain, allowing password
synchronization to take place.
SSO is not relevant to automatically authenticated users.

SSO See Single Sign-On.

Unregistration Unregistration is the removal of a GuardianEdge user account, either manually by a
Client Administrator or automatically by expiration due to lack of use within a
prescribed time.
If a new policy is pushed out that changes authenticating users to being automatically
authenticated users, all of the existing registered user accounts are unregistered.

Index

A
About panel, description 21
Access Utility
  16-bit version 23
  32-bit version 23
  using 24
Account Settings
  Authenti-Check 21
  Password 21
  Users 19
Active Directory, pushing out policies 1
Authenti-Check panel, description 21

B
best practices, list 2
build number, viewing 22

C
Check-In panel, description 18
Client Administrator
  compared to registered user 2
  role 1
Client console
  description 10
  Hard Disk tasks 15
  logging on 10
  navigating 14
consistency check, when to run 25

D
Decryption panel, description 16

E
Encryption panel, description 15

H
Hard Disk
  Check-In 18
  Decryption 16
  Encryption 15
hard disk recovery
  overview 23
  steps 23

K
keyboards
  defining 29
  identifying active 27
  list 27
  toggling among 5, 27

L
lockout
  Check-In panel settings 19
  description 8, 18
  extending next communication due date 19
  preempted by Autologon 9
  preventing 8
  recovering from 9
logging on
  Client console using password 10
  Client console using token 11
  pre-Windows using password 5
  pre-Windows using token 7

O
One-Time Password (OTP) Program, responsibility 1

P
Password panel, description 21
Policy Administrator, role 1

Q
Quick Help, use 14

R
Recover floppy or CD
  DAT file creation 26
  description 23
Recover Program
  /A option 24
  /B option 26
  /D option 25
Recovery Password, description 26
recovery, see hard disk recovery
registered user
  compared with Client Administrator 2
  unregistering 20
  viewing 19

T
token error messages
  Client console logon 36
  pre-Windows logon 33
token logon
  certificate key usage 12
  Client console 11
  multiple certificates 12
  pre-Windows 7

U
unregistering users
  description 20
  effects 20
  how to 20
Users panel, description 20

V
version information, viewing 21
