CryptoPro Secure Disk for BitLocker Administration manual

CryptoPro Secure Disk for BitLocker 7.0 / Windows 8 / Windows 8.1 / © Copyright cpsd it services GmbH, Linz, 2020 CryptoPro Secure Disk for BitLocker Administration manual

Please contact us for further information!

cpsd it services GmbH, Wildbergstraße 32, 4040 Linz, Austria. Tel: +43 732 781584, Fax: +43 732 781584 98, Web: http://www.cpsd.at, E-mail: [email protected]

Page 1 CryptoPro Secure Disk for BitLocker Administration manual

CONTENTS

Contents

1 Overview ...... 7
1.1 About this manual ...... 7
1.2 Who should read this manual? ...... 7
1.3 How should this manual be read? ...... 7
2 Introduction ...... 8
2.1 The CryptoPro Secure Disk for BitLocker PBA ...... 8
3 Installation/Uninstallation ...... 9
4 Installation | Uninstallation of the administrative components ...... 10
4.1 Prerequisites ...... 10
4.1.1 Operating system ...... 10
4.2 Overview (Installation) ...... 10
4.3 Interactive installation ...... 11
4.4 Unattended installation ...... 16
4.5 Configuration of the administration-service ...... 17
4.6 Update ...... 24
4.7 Interactive uninstallation ...... 24
4.8 Unattended uninstall ...... 24
5 Installation/De-installation of the Client ...... 26
5.1 Installation requirements ...... 26
5.1.1 Operating system ...... 26
5.1.2 Other prerequisites ...... 26
5.2 Overview (Installation) ...... 26
5.3 Interactive Installation ...... 28
5.4 Unattended installation ...... 34
5.5 Installation parameters ...... 34
5.6 Update ...... 35
5.7 Interactive Uninstall ...... 36
5.8 Unattended Uninstall ...... 36
6 Initialization of the local components ...... 38
7 Administration ...... 40
7.1 Overview (Administration) ...... 40
7.2 The different administration modes of CryptoPro Secure Disk for BitLocker ...... 40
7.3 The CryptoPro Secure Disk for BitLocker Administration console ...... 41
7.3.1 General features of the administration console ...... 43
7.3.2 The administration console in local mode ...... 44
7.3.3 The administration console in script-mode ...... 49
7.3.4 The administration console in central mode ...... 52
7.3.5 Restricted views in the administration console ...... 55
8 Central administration ...... 58
8.1 Authentication as security-operator to the central consoles ...... 58
8.2 The central administration console ...... 61
8.2.1 Administration of Workgroup-computers ...... 62
8.2.2 Virtual node management ...... 63
8.3 Initialization of the central administration console ...... 67
8.4 Management of central administrators ...... 68
8.4.1 of central administrators ...... 70
8.4.2 Adding central administrators ...... 71
8.5 Dashboard ...... 72
8.5.1 Client Status ...... 74
8.5.2 Encryption ...... 74
8.5.3 Installation ...... 74
8.5.4 Initialisation ...... 74
8.5.5 PBA User accounts ...... 75
8.5.6 Profile Status ...... 75
8.5.7 Compliance ...... 75
8.6 Initialization of a client computer for central administration ...... 75
8.7 Inheritance of configuration settings ...... 76
8.8 Adding Domains ...... 77
8.9 Removal of Domains ...... 78
8.10 Search computers in the Active-Directory- ...... 78
8.11 Administration of additional service-instances ...... 79
8.11.1 Assign service-instances to -node ...... 81
8.12 Administration of client-licenses ...... 81
8.13 Central Configuration of computers ...... 82
8.13.1 Context menu of administered computers ...... 83
8.14 Reporting ...... 85
8.14.1 Administrative activities ...... 85
8.14.2 Helpdesk Report ...... 90
8.14.3 Status ...... 91
8.14.4 Periodical report generation ...... 92
8.14.5 Configure external database for reporting ...... 93
8.14.6 Report ...... 94
8.15 Export of the central keypair ...... 96
9 Configure application settings ...... 99
9.1 General settings ...... 99
9.1.1 PBA Settings ...... 99
9.1.2 Authentication with User-ID and Password ...... 100
9.1.3 Authentication with Smartcard ...... 101
9.1.4 Smartphone Active directory users ...... 101
9.1.5 Antivirus settings ...... 102
9.2 Smartcard ...... 103
9.2.1 Smartcard ...... 103
9.3 Friendly Network ...... 104
9.3.1 Friendly Network ...... 104
9.4 Recovery management ...... 105
9.4.1 Recovery ...... 106
10 Smartphone ...... 108
10.1 Device and App security ...... 108
11 Helpdesk ...... 109
11.1 Limitations ...... 109
11.2 Helpdesk ...... 110
11.3 Helpdesk Texts ...... 110
12 User Management ...... 111
12.1 User management in the administration console ...... 111
12.2 Add / Change user accounts with the context menu ...... 113
12.3 User capturing ...... 117
12.3.1 Initial User Capturing ...... 117
13 Administrate local Administrators ...... 122
13.1 Privileges ...... 122
14 Encryption ...... 124
14.1 Drives ...... 124
14.2 Encryption Key and Settings ...... 125
15 Administration of Program Settings in extended View ...... 127
15.1 General ...... 127
15.1.1 PBA settings ...... 128
15.1.2 Authentication with username and password ...... 128
15.1.3 Authentication with smartcard ...... 128
15.1.4 Central administration ...... 128
15.1.5 Antivirus settings ...... 129
15.2 Advanced ...... 129
15.2.1 Hardware Settings ...... 131
15.2.2 Boot Options ...... 131
15.2.3 Hardware specific ...... 132
15.2.4 Miscellaneous ...... 132
15.2.5 Network Settings ...... 133
15.2.6 Data key deletion ...... 134
15.3 Client Security ...... 134
15.3.1 Accounts ...... 135
15.3.2 Locking ...... 135
15.3.3 Checksums ...... 136
15.3.4 Miscellaneous ...... 136
15.3.5 TPM Support ...... 136
15.4 Profile Processing ...... 136
15.4.1 Profile Processing ...... 137
15.5 Smartcard ...... 138
15.6 Single Sign On ...... 138
15.6.1 Single Sign On Methods ...... 138
15.6.2 Advanced single sign on methods ...... 139
15.7 Logging ...... 139
15.7.1 Logfile ...... 140
15.8 Friendly Network ...... 140
15.9 Transparent PBA ...... 140
15.9.1 Turn off PBA ...... 141
15.10 802.1x ...... 142
15.10.1 General 802.1X Settings ...... 142
15.10.2 Client credentials ...... 143
15.10.3 Issuing certificate authority ...... 143
15.10.4 PKCS#12 identity ...... 143
15.11 Recovery Management ...... 144
15.12 Smartphone ...... 144
15.12.1 Device and app protection ...... 145
15.12.2 App password complexity ...... 145
15.12.3 Restrict communication protocol ...... 145
16 Helpdesk ...... 146
16.1 Central helpdesk ...... 146
16.2 Initialize central helpdesk ...... 146
16.2.1 Authentication on the central helpdesk ...... 147
16.2.2 Administrative Functions Helpdesk-Console ...... 148
16.2.3 Helpdesk for a client ...... 154
16.2.4 Helpdesk connection with central database ...... 160
16.3 WEB Helpdesk ...... 162
16.3.1 Set up the WEB Helpdesk ...... 163
16.3.2 Configuration of the WEB Helpdesk ...... 163
16.3.3 Authentication to the WEB Helpdesk ...... 165
16.3.4 Helpdesk actions with the WEB Helpdesk ...... 165
17 Friendly Network and software distribution ...... 173
17.1 Authentication on the Friendly Network console ...... 173
17.2 Initialization of the Friendly Network console ...... 174
17.3 Administration of Friendly Network ...... 174
17.3.1 Define Friendly Network span ...... 175
17.3.2 Administrate Friendly Network administrators ...... 175
18 Password Management Console ...... 178
18.1 Selection of Users, Set Passwords ...... 178
18.2 Delete Passwords ...... 183
18.3 Update random password ...... 183
19 Hardware Profile ...... 184
19.1 Create Hardware Profiles ...... 184
19.2 Distribution of hardware profiles with the installation ...... 185
19.3 Distribution of hardware profiles after the installation ...... 185
20 Emergency recovery ...... 186
20.1 Set up the recovery system ...... 186
20.1.1 Define recovery operators ...... 186
20.2 Set up of the external emergency medium ...... 186
20.3 of the recovery environment ...... 187
20.3.1 Start the recovery environment from an external media ...... 187
20.4 Execution of a recovery action ...... 188
20.4.1 Load recovery information ...... 188
20.4.2 Possible recovery actions ...... 190
20.5 Central ...... 193
20.5.1 Authentication to the recovery console ...... 193
20.5.2 Administrate recovery administrators ...... 193
20.5.3 Preparation of the recovery information ...... 194
21 Emergency Recovery BitLocker ...... 199
21.1 Emergency Recovery with recovery file ...... 200
21.2 Central emergency recovery ...... 200
22 Desinfect - Anti Virus ...... 204
22.1 Activating Desinfect ...... 204
22.2 Network settings of Desinfect ...... 206
22.3 The Desinfect console ...... 206
22.3.1 Authentication to the Desinfect console ...... 206
22.3.2 Initialization of the Desinfect console ...... 206
22.3.3 Menu entries ...... 206
22.3.4 Context menu ...... 207
22.3.5 Settings | General settings ...... 209
22.3.6 Settings | Scan schedule ...... 209
22.3.7 Settings | Scan targets ...... 210
22.3.8 Settings | Status ...... 211
22.3.9 Dashboard | Status ...... 212
22.3.10 Dashboard | Computer overview ...... 213
23 Pre-Boot Authentication ...... 215
23.1 First start of the PBA after installation ...... 215
23.2 Authentication methods ...... 217
23.2.1 Authentication with user name and password ...... 218
23.2.2 Certificate-based authentication with smartcard ...... 221
23.2.3 Certificate-based authentication with PKCS#12 file ...... 222
23.2.4 Biometric authentication with fingerprint ...... 224
23.2.5 Combined authentication with user name, password and fingerprint ...... 227
23.2.6 Smartphone based authentication ...... 227
23.3 Smartphone based authentication ...... 228
23.3.1 Initialization of a smartphone user ...... 229
23.3.2 Smartphone-offline-authentication ...... 232
23.4 Options ...... 236
23.4.1 General Options ...... 236
23.4.2 Windows start options ...... 236
23.4.3 Network ...... 237
23.5 Helpdesk ...... 238
23.5.1 Online helpdesk ...... 238
23.5.2 Offline Helpdesk ...... 240
23.5.3 Temporary helpdesk-account in the PBA ...... 241
23.6 MISC ...... 243
23.6.1 Logging ...... 243
23.6.2 Virtual keyboard ...... 243
24 Two-Factor authentication ...... 244
25 Appendix ...... 245
25.1 Registry values ...... 245


1 OVERVIEW

1 Overview

1.1 About this manual

This manual describes the installation, deployment, administration and usage of CryptoPro Secure Disk for BitLocker. The document provides all information needed to implement extensive data protection in your environment with CryptoPro Secure Disk for BitLocker. The manual describes all elements of the software product and supports all aspects of its successful usage.

1.2 Who should read this manual?

This manual was created to support system and security administrators with the implementation of their security policy concerning the encryption of hard drives. Basic security know-how for Windows 7, Windows 8, Windows 8.1 or Windows 10 is assumed.

1.3 How should this manual be read?

Elements of the graphical user interface are colored. User input and input sequences are marked in the same way, e.g. "Open MENU > SUBMENU and OPTIONS".

File names are displayed italic.

Proper names and brand names are displayed bold, italic and colored.

INFO! Further information about a certain subject is colored and marked with an "Info" sign at the left side of the text.

CAUTION! Warnings are colored and marked with a "Caution" symbol at the left side of the text. This hint indicates an action that cannot be undone, or an action that could take a long time. Security related issues are also marked with this sign.

HINT! Hints and tips are colored and marked with a "Hint" symbol at the left side of the text.


2 INTRODUCTION

2 Introduction

CryptoPro Secure Disk for BitLocker is an enhancement of BitLocker. Microsoft BitLocker protects stored data by encrypting the complete hard disk or single partitions, mainly in case of loss or theft of computers (especially laptops). CryptoPro Secure Disk for BitLocker offers user authentication mechanisms which are performed before the operating system starts. This Pre-Boot Authentication (PBA) is a central part of CryptoPro Secure Disk for BitLocker. The PBA supports various kinds of authentication methods like passwords, smartcards and biometric methods (fingerprint) and therefore enhances Microsoft BitLocker.

CryptoPro Secure Disk for BitLocker offers all mechanisms necessary for use in an enterprise environment: central administration, a helpdesk for logon problems (forgotten passwords, smartcards ...) and a recovery mechanism in case of corrupted hardware or software.

To achieve the highest level of security and flexibility, accepted standards are used for the implementation of the security mechanisms. This includes RSA with 1024 or 2048 bit keys and AES 256 bit for encryption, SHA-256 for hash creation, X.509v3 certificates for authentication, as well as PKCS#11 and PKCS#12 for access to cryptographic tokens.

HINT! CryptoPro Secure Disk for BitLocker supports the following hard disk controllers: IDE, SATA, M.2 SATA, NVMe, PCIe.

2.1 The CryptoPro Secure Disk for BitLocker PBA

To get access to the encrypted partitions, the user must authenticate on the system. This logon is done within the CryptoPro Secure Disk for BitLocker Pre-Boot Authentication (PBA). The PBA supports several different logon mechanisms:

- Logon via user ID and password: User ID and password can optionally be synchronized with the Windows logon credentials to achieve Single-Sign-On.
- Logon via smartcard or token: The certificate based authentication via smartcard or USB token provides the highest level of security of all logon methods.
- Logon via PKCS#12 file: This kind of logon is a certificate based authentication, whereby the certificate and the according key are saved to a password protected PKCS#12 file.
- Logon via fingerprint: The authentication via fingerprint can be used without any further authentication (not recommended) or in combination with a user ID and password.

A successful logon of the user is required to start the operating system and to provide access to Microsoft BitLocker encrypted data. Independent of the logon mechanism used in the PBA, different variants of a Single-Sign-On to the operating system can be implemented.


3 INSTALLATION/UNINSTALLATION

3 Installation/Uninstallation

CryptoPro Secure Disk for BitLocker consists of two MSI installation packages.

1. The client install package has to be installed on all computers whose hard disk should be encrypted. This package represents the installation of the hard disk encryption itself.

2. The administration install package installs the administrative components and services to
- perform local or central administration of the client computers,
- perform central administration of the Friendly Network functionality,
- perform central administration of the emergency recovery functionality,
- perform central administration and execution of helpdesk actions.

To use local administration, the administration console included in this package has to be installed on each client computer that should be administered locally. This installation package can optionally be installed on a different computer within the network, to be able to use the central components.

HINT! The server install package does not require a server operating system. However, it is recommended to install it on a server operating system for performance reasons.

Both available install packages are standard MSI packages which support the standard MSI functionality (install, repair, uninstall). Each package can be installed or uninstalled with or without user interaction. In the case of unattended installation (without user interaction) the program msiexec.exe (system component) has to be called with some parameters that are described in the subsequent chapters. In interactive mode, you just have to follow the instructions of the install wizard. The installation, uninstallation and update of the CryptoPro Secure Disk for BitLocker client components is described in detail in chapter "5 Installation/De-installation of the Client". Details about the installation of the administration components are described in "4 Installation | Uninstallation of the administrative components".


4 INSTALLATION | UNINSTALLATION OF THE ADMINISTRATIVE COMPONENTS

4 Installation | Uninstallation of the administrative components

The administration package (EDAAdmin.msi) of CryptoPro Secure Disk for BitLocker is a standard MSI package which supports the standard MSI functionality (install, uninstall, repair). It can be run with or without user interaction. In the case of unattended installation (without user interaction) the program msiexec.exe (system component) has to be called with some parameters that are described in the subsequent chapters. In interactive mode, you just have to follow the instructions of the install wizard.

4.1 Prerequisites

HINT! Microsoft .NET Framework 4.6.1 (or higher) has to be installed on the target computer.

HINT! An empty database on a Microsoft SQL Server is required. The account which is defined later to access the database must be assigned the database role db_owner, and its default schema must be dbo. Additionally, the collation of the database must not be case-sensitive.

HINT! If Microsoft SQL Server 2008 R2 or older is used, Microsoft .NET Framework 3.5 SP1 has to be installed on the target computer too.

4.1.1 Operating system

The administrative components of CryptoPro Secure Disk for BitLocker can be installed under the following operating systems:

Windows 10
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
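The prerequisites above are easy to get wrong and only surface as errors during service configuration. The following PowerShell script is an added example (not part of the manual and not a cpsd tool) that checks them before EDAAdmin.msi is run: the .NET Framework version through the installer's Release registry value, and on the SQL Server side the collation, the db_owner membership and the default schema of the account the service will use, plus whether the database is still empty. The instance name, database name and login name are hypothetical placeholders, and it assumes that the database user carries the same name as the login.

```powershell
# Added example, not part of the manual: check the section 4.1 prerequisites
# before installing EDAAdmin.msi. The instance, database and login names below
# are hypothetical placeholders; replace them with the values of your environment.
param(
    [string]$SqlServer = 'SQL01\EDA',          # hypothetical SQL Server instance
    [string]$Database  = 'EDAAdmin',            # hypothetical empty database
    [string]$DbLogin   = 'CORP\svc-eda-admin'   # hypothetical account the service uses
)

# .NET Framework 4.6.1 or higher (HINT in 4.1). The "Release" DWORD under the
# v4\Full key is Microsoft's documented version marker; 394254 means 4.6.1.
function Test-DotNet461 {
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $item = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Release -ge 394254)
}

# Database requirements (HINT in 4.1): the account must hold db_owner, its default
# schema must be dbo and the database collation must not be case-sensitive.
# Assumption: the database user carries the same name as the login.
function Test-EdaDatabase {
    param([string]$Server, [string]$Db, [string]$Login)
    # Integrated security: run this as an account that may read the catalog views.
    $cs   = "Server=$Server;Database=$Db;Integrated Security=True;Encrypt=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(DATABASEPROPERTYEX(DB_NAME(), 'Collation') AS nvarchar(128)) AS Collation,
       ISNULL(IS_ROLEMEMBER('db_owner', @login), 0)                       AS IsDbOwner,
       (SELECT default_schema_name FROM sys.database_principals
         WHERE name = @login)                                              AS DefaultSchema,
       (SELECT COUNT(*) FROM sys.tables)                                   AS UserTables
"@
        $null = $cmd.Parameters.AddWithValue('@login', $Login)
        $rdr  = $cmd.ExecuteReader()
        $null = $rdr.Read()
        $collation = [string]$rdr['Collation']
        $schema    = [string]$rdr['DefaultSchema']
        $result = [ordered]@{
            Collation       = $collation
            CaseInsensitive = ($collation -match '_CI_')       # e.g. Latin1_General_CI_AS
            IsDbOwner       = ([int]$rdr['IsDbOwner'] -eq 1)
            DefaultSchema   = $schema
            SchemaIsDbo     = ($schema -eq 'dbo')
            IsEmpty         = ([int]$rdr['UserTables'] -eq 0)  # the manual asks for an empty database
        }
        $rdr.Close()
    } finally {
        $conn.Close()
    }
    return [pscustomobject]$result
}

Write-Host ".NET Framework 4.6.1 or higher installed: $(Test-DotNet461)"
Test-EdaDatabase -Server $SqlServer -Db $Database -Login $DbLogin | Format-List
```

Run it on the computer that will host the administration service, under an account that may read the catalog views of the target database. `Encrypt=True` makes the check itself use TLS to SQL Server; if the server certificate is not trusted by the machine, fix the trust rather than dropping the option, because the administration service will face the same server. Every property printed must come out `True` before the wizard in section 4.5 is run with that database.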

4.2 Overview (Installation)

The installation of the administrative components of CryptoPro Secure Disk for BitLocker copies files, creates registry entries and installs the central administration service. This service requires the privilege to access Windows Active Directory. To start the service under a user account that provides the according privileges, a configuration has to be performed that is described in "4.5 Configuration of the administration-service".

The installation consists of the following components:

Administration service: This component is the central service to administer the client computers. To perform central administration of CryptoPro Secure Disk for BitLocker, this component has to be installed on at least one computer within the network.


HINT! The central administration service of CryptoPro Secure Disk for BitLocker communicates via port 8081 (TCP and UDP). During installation of this component, port 8081 will automatically be opened in the Windows firewall.

Administration consoles: These components are the consoles to perform central administration, to create a script, or for local administration. To perform central administration of CryptoPro Secure Disk for BitLocker, this component has to be installed on at least one computer within the network. For local administration of CryptoPro Secure Disk for BitLocker this component has to be installed on every client computer that is administered locally.

Helpdesk console: This component is the console for helpdesk operators. It is necessary to perform helpdesk actions. To perform helpdesk actions, this component has to be installed on at least one computer within the network.

Friendly Network: This component installs the console for central administration of the Friendly Network functionality. For the configuration of Friendly Network, this component has to be installed on at least one computer within the network.

Emergency console: This component installs the console for central administration of emergency recovery information. For the central configuration of emergency recovery information, this component has to be installed on at least one computer within the network.

Antivirus console: This component installs the console managing the virus scan functionality.

Password management console: This component installs the console for central administration of Windows user passwords.

Web helpdesk: This component installs the files that can be used to set up the CryptoPro Secure Disk for BitLocker Web helpdesk.

The MSI package supports logging. The install parameters to activate logging are:

/i   Installation of the MSI package (EDAAdmin.msi)
/L*v <name of the log file>   Activate verbose logging to the given log file

e.g.: msiexec.exe /i EDAAdmin.msi /L*v msilog1.txt

4.3 Interactive installation

CAUTION! For the installation of the administrative components of CryptoPro Secure Disk for BitLocker, local administration privileges are required.

1. Start the setup package of CryptoPro Secure Disk for BitLocker (EDAAdmin.msi) by a double click. The "Welcome" dialog appears.


2. On the next page you are required to accept the license agreement. Accept the agreement, and press NEXT.


3. On the next page the installation directory can be selected.


4. The next page provides a selection of program features.

Administration service: This component is the central service to administer the client computers.
Administration consoles: This item has sub-components for central, script or local administration.
Helpdesk console: This component is the console for helpdesk operators. It is necessary to perform helpdesk actions.
Friendly Network console: This component installs the console for central administration of the Friendly Network functionality.
Emergency console: This component installs the console for central administration of emergency recovery information.
Antivirus console: This component installs the console for central administration of the Antivirus functionality.
Password management console: This component installs the console for central administration of Windows user passwords.
Web Helpdesk: This component installs the source files of a WEB site which can be used to set up the CryptoPro Secure Disk for BitLocker Web helpdesk.

Select the required features, and press NEXT.

HINT! The administration consoles do not have to be installed on the same computer as the central service.


If UAC is activated, you are required to confirm that the installer is trusted.

5. CryptoPro Secure Disk for BitLocker can be installed now. Start the installation with INSTALL.

6. Finish the installation with FINISH.


HINT! If the central administration service was selected for installation, the configuration of the central administration service will be started right after the installation has finished. Details about the configuration of the central administration service can be found in "4.5 Configuration of the administration-service".

4.4 Unattended installation

HINT! For unattended installation of CryptoPro Secure Disk for BitLocker, msiexec.exe has to be run in elevated mode if UAC (User Account Control) is activated. To perform the installation in elevated mode you can start cmd.exe by right-clicking it and choosing "Start as administrator". In this command shell msiexec.exe will be elevated.

After the installation of CryptoPro Secure Disk for BitLocker, a basic configuration is required. This configuration is performed by the EDAAdminInit.exe program, which opens automatically during the interactive installation.

With an unattended installation, EDAAdminInit.exe is not called automatically by default. So the installation and the configuration can be separated by calling EDAAdminInit.exe manually later.

Configuration script

However, it is possible to provide a prepared configuration file via the CONFIG parameter of the setup, in which all necessary configuration data is present. This file is taken as input to EDAAdminInit.exe and can be executed automatically and unattended by providing its file name to the setup package.

Additionally, the setup package looks for a file called EDAAdminInit.toml in the current directory of the MSI package. If such a file is found, it is taken and processed automatically. The CONFIG parameter is not needed then.

For an unattended installation open a command shell (cmd.exe) and start msiexec.exe with the following parameters:

/i   Installation of the MSI package (EDAAdmin.msi)
/quiet   No user interaction
CONFIG=FILENAME   Absolute path to the configuration file

e.g.: msiexec.exe /i EDAAdmin.msi /quiet CONFIG=C:\EDAAdminInit.toml

INFO! More information about msiexec.exe can be found in its documentation, or by starting msiexec.exe without parameters.

4.5 Configuration of the administration-service

The central administration service requires some basic configuration like the database name or the certificate for TLS. Right after a standard installation, a wizard will be started that supports the configuration of the service.

The wizard can either perform the configuration immediately or store the configuration data in a file for an unattended configuration. The data in this file is stored in the TOML format, which allows easy editing with a text editor.

This TOML file can be executed by EDAAdminInit with the command line parameter -c. The wizard does not appear and the settings from the configuration file are applied immediately.

Example:

EDAAdminInit.exe -c EDAAdminInit.toml

If something goes wrong, an error message pops up. Add the command line parameter -l=0 for a completely silent configuration.

A sample configuration script (EDAAdminInit-sample.toml) is available alongside the software manual.
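Sections 4.2, 4.4 and 4.5 together describe three pieces an unattended rollout has to get right: the MSI logging switches, the elevation requirement and the separate EDAAdminInit.exe -c step. The PowerShell script below is an added example (not part of the manual and not a cpsd tool) that ties them together: it refuses to run unelevated, refuses to proceed if an unexpected EDAAdminInit.toml lies next to the package (the setup would apply it silently), installs with a verbose log, maps the msiexec exit codes, and then applies the prepared TOML with -c -l=0. The file paths are hypothetical placeholders, the installation directory of EDAAdminInit.exe is whatever was chosen in setup, and the script assumes that the TOML file carries the database credentials and therefore deletes it once it has been applied; the meaning of the EDAAdminInit.exe exit code is not documented in the manual, so treating 0 as success is an assumption too.

```powershell
# Added example, not part of the manual: unattended installation of EDAAdmin.msi
# with a verbose log, followed by the unattended service configuration (-c).
# All paths are hypothetical placeholders.
param(
    [string]$Msi     = 'C:\Install\EDAAdmin.msi',
    [string]$Config  = 'C:\Install\EDAAdminInit.toml',       # prepared from EDAAdminInit-sample.toml
    [string]$LogDir  = 'C:\Install\Logs',
    [string]$InitExe = '<install directory>\EDAAdminInit.exe' # directory chosen in setup
)

function Assert-Elevated {
    # Section 4.4: with UAC active, msiexec.exe has to run elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated shell.'
    }
}

function Install-EdaAdmin {
    param([string]$MsiPath, [string]$LogPath, [string]$ConfigPath)
    # Section 4.4: an EDAAdminInit.toml next to the MSI is picked up automatically.
    # Only the configuration we intend to apply may be there.
    $stray = Join-Path (Split-Path -Path $MsiPath -Parent) 'EDAAdminInit.toml'
    if ((Test-Path -Path $stray) -and ($ConfigPath -ne $stray)) {
        throw "Unexpected $stray next to the package; the setup would apply it silently."
    }
    $msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/L*v', "`"$LogPath`"")
    if ($ConfigPath) { $msiArgs += "CONFIG=`"$ConfigPath`"" }   # lets setup run EDAAdminInit.exe itself
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0    { return 'installed' }
        3010 { return 'installed, reboot required' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        1641 { return 'installed, reboot initiated' }  # ERROR_SUCCESS_REBOOT_INITIATED
        default {
            # The verbose log records the engine's final status line; surface it.
            $status = Select-String -Path $LogPath -Pattern 'Installation success or error status' |
                      Select-Object -Last 1
            throw "msiexec.exe exit code $($proc.ExitCode): $($status.Line)"
        }
    }
}

function Invoke-EdaAdminInit {
    param([string]$ExePath, [string]$ConfigPath)
    # Section 4.5: -c applies the TOML without the wizard, -l=0 suppresses error pop-ups.
    $proc = Start-Process -FilePath $ExePath -ArgumentList @('-c', "`"$ConfigPath`"", '-l=0') `
                          -Wait -PassThru
    return $proc.ExitCode   # assumption: 0 means the configuration was applied
}

Assert-Elevated
$null = New-Item -ItemType Directory -Path $LogDir -Force
$log  = Join-Path $LogDir ('EDAAdmin-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

# Install first, configure afterwards (the manual's "separated" variant). Passing
# -ConfigPath $Config here instead would hand the file to setup via CONFIG=.
$state = Install-EdaAdmin -MsiPath $Msi -LogPath $log -ConfigPath ''
Write-Host "EDAAdmin.msi: $state (log: $log)"

$rc = Invoke-EdaAdminInit -ExePath $InitExe -ConfigPath $Config
Write-Host "EDAAdminInit.exe -c finished with exit code $rc"
if ($rc -eq 0) {
    # Assumption: the TOML contains the database credentials; do not leave it behind.
    Remove-Item -Path $Config -Force
}
```

The verbose log named with /L*v contains the full property table of the installation, so treat it with the same care as the TOML file and keep it in a directory only administrators can read. If the service has to be reconfigured later, the same `Invoke-EdaAdminInit` call with a fresh TOML file repeats the unattended configuration.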

1. The wizard starts with the "Welcome" dialog.


2. On the next page you have to configure the user account for the administration service.

HINT! The user account of the administration service requires the privilege to start system services and to write to the program directory and the registry. Additionally, user privileges to access the Active Directory are required. If this privilege is missing, the administration console cannot display the available domains automatically. In this case the domains have to be added manually by the administrator.

Local system account: This option runs the service under the local system account. This account has the privilege to start system services. However, normally this account has no privilege to access Active Directory. So, if this option is selected, the administration console cannot display the available domains automatically.

This Account: With this option a user account can be defined. The service will run under the defined account. The account has to have privileges to start system services. To enable automatic display of Active Directory domains and their content, the account should additionally have privileges to access Active Directory.

Configure the user account, and press NEXT.

The next page supports the network configuration of the service.

The following options are available on this dialog:

Computername: This field has to contain the FQDN of the computer, as it is reachable via the network.

Port: This field has to contain the port on which the service should be available.

Use SSL for LDAP connections: Check this option if the LDAP connections to the server should be secured via SSL. This option requires the according configuration of Microsoft Active Directory, so that AD communication supports SSL.

Enable workgroup environment: With this option it is possible to administer client computers that are not in a Windows domain but in a workgroup.

Create self signed certificate: By checking this option, the CryptoPro Secure Disk for BitLocker central service will create a new, self signed certificate for securing its communication to the clients.


Use existing certificate: With this option, an already existing certificate will be used for the SSL communication.

CN: This field has to contain the common name of the certificate.

Thumbprint: This field contains the thumbprint of the selected certificate.

Reregister certificate after renewal: If the certificate has changed, the configuration program tries to find a suitable certificate by itself. This is helpful in case of automated certificate renewal.
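The network page decides how clients and the service authenticate each other, and the wizard itself only stores the settings; nothing tells you afterwards whether the chosen certificate is usable or whether the firewall opening from section 4.2 is really in place. The PowerShell script below is an added example (not part of the manual and not a cpsd tool) that verifies those three things after the wizard has run: it locates the certificate for the FQDN entered in Computername in the machine store the same way "Reregister certificate after renewal" has to (by common name, newest first) and reports its thumbprint, private key, expiry and whether it is self signed; it lists the inbound firewall rules that allow port 8081; and, if "Use SSL for LDAP connections" was chosen, it checks that a domain controller answers on LDAPS (TCP 636). The FQDN and domain controller names are hypothetical, and the store location Cert:\LocalMachine\My is an assumption.

```powershell
# Added example, not part of the manual: verify the network settings of the
# administration service after the EDAAdminInit wizard. Names are hypothetical.
param(
    [string]$Fqdn             = 'eda-admin.corp.example',   # value entered in "Computername"
    [int]$Port                = 8081,                       # default port from section 4.2
    [string]$DomainController = 'dc01.corp.example',
    [switch]$CheckLdaps                                     # set if "Use SSL for LDAP" is enabled
)

function Get-EdaServiceCertificate {
    param([string]$CommonName)
    # Assumption: the service certificate lives in the machine's personal store.
    # Newest certificate with a matching CN first, as an automated renewal leaves
    # the old one behind for a while.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($CommonName))(,|$)" } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

function Test-EdaServiceCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return [pscustomobject]@{ Found = $false } }
    [pscustomobject]@{
        Found         = $true
        Thumbprint    = $Cert.Thumbprint                  # compare with the wizard's Thumbprint field
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)   # "Create self signed certificate" case
        HasPrivateKey = $Cert.HasPrivateKey               # without it the service cannot terminate TLS
        DaysLeft      = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        ChainTrusted  = $Cert.Verify()                    # false for a self signed cert unless imported as trusted
    }
}

function Test-EdaFirewallPort {
    param([int]$LocalPort)
    # Section 4.2: the installer opens 8081 for TCP and UDP; list the rules that do so.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            if ($filter.LocalPort -contains "$LocalPort") {
                [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $filter.Protocol }
            }
        }
}

$cert = Get-EdaServiceCertificate -CommonName $Fqdn
Test-EdaServiceCertificate -Cert $cert | Format-List
Test-EdaFirewallPort -LocalPort $Port | Format-Table -AutoSize
if ($CheckLdaps) {
    # "Use SSL for LDAP connections" only works if Active Directory serves LDAPS.
    $ldaps = Test-NetConnection -ComputerName $DomainController -Port 636
    Write-Host "LDAPS reachable on ${DomainController}: $($ldaps.TcpTestSucceeded)"
}
```

Expect two rules (TCP and UDP) for port 8081 and a certificate with `HasPrivateKey` set to `True`. A self signed certificate reports `ChainTrusted` as `False` on the server, which is fine for the service itself; what matters is that the clients receive and trust it, which is the purpose of the self signed option. A `DaysLeft` value near zero is the case "Reregister certificate after renewal" is meant for.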

The next page supports the database configuration of the central service.

Skip database configuration: Choose this option if you want to configure just the central helpdesk. No connection to a database will be configured; just the helpdesk services will be installed on this machine.

Use Microsoft SQL Server: With this option, an already existing Microsoft SQL Server database can be used to store the internal data of CryptoPro Secure Disk for BitLocker.

Logon with Windows Credentials: With this option the authentication to the Microsoft SQL Server will be performed with the Windows credentials that are used to run the administration service.

CAUTION! If the administration service was configured under the local system account, this option makes the database inaccessible. Choose the option Logon with given username and Password in this case.

Logon with given username and Password: With this option an existing database account that has access rights to the database can be defined. This account will be used by the CryptoPro Secure Disk for BitLocker administration service to log on to the Microsoft SQL Server database. Username contains the user name, and Password has to contain the password of the according database account.


Server can be used to select the existing Microsoft SQL Server. With [Refresh] the field [Server], which lists all available Microsoft SQL Server instances, can be refreshed. Database is used to define the database name on the Microsoft SQL Server. Choose the name of an empty database.

Define the preferred database settings, and press NEXT.

CAUTION! CryptoPro Secure Disk for BitLocker supports more than one instance of the administration service, for reliability reasons. For this purpose, the database configuration of all instances has to use the option Use Microsoft SQL Server. All instances of the administration service have to use the same, already existing database.

The next page supports the database configuration of the central helpdesk service.

Skip database configuration: Choose this option if you want to skip the database configuration of the central helpdesk. This is the case if there is no helpdesk service installed on the target machine.

Use Microsoft SQL Server: With this option, an already existing Microsoft SQL Server database can be used to store the internal data of the CryptoPro Secure Disk for BitLocker helpdesk.

Logon with Windows Credentials: With this option the authentication to the Microsoft SQL Server will be performed with the Windows credentials that are used to run the administration service.


CAUTION! If the administration service was configured to run under the local system account, this option makes the database inaccessible. Choose the option Logon with given username and Password in this case.

Logon with given username and Password  With this option an existing database account that has access rights to the database can be defined. This account is used by the CryptoPro Secure Disk for BitLocker administration service to log on to the Microsoft SQL Server database. Username contains the user name, and Password the password of that database account.

Server is used to select the existing Microsoft SQL Server. With [Refresh] the field Server, which lists all available Microsoft SQL Server instances, can be refreshed. Database defines the database name on the Microsoft SQL Server. Choose the name of an empty database.

Migrate the existing SQLite database  Older versions of CryptoPro Secure Disk for BitLocker used a different database format to store the helpdesk data. With this option the content of an old database can be migrated to the new database.

SQLite file  Defines the file that has to be migrated to the new database.
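Before pressing Next on either database page (administration service above, helpdesk here), two things are worth verifying from a shell rather than discovering later from a failed service start: which Windows account the services actually run under (the CAUTION above rules out Windows authentication for the local system account), and whether the SQL Server database you are about to name is reachable, empty and writable by the login you intend to use. The following script is an added example and not part of the CryptoPro manual or product; the service-name pattern EDA%, the server sql01.corp.example and the database name CryptoProSD are assumptions.

```powershell
# Added example (not part of the CryptoPro manual or product): checks the two facts
# the database pages depend on: the logon account of the administration/helpdesk
# services, and reachability/emptiness of the target SQL Server database.
# Service-name pattern, server, database and SQL login are assumptions.

function Get-ServiceLogonAccount {
    param([string]$NamePattern = 'EDA%')   # assumed WQL LIKE pattern for the CryptoPro services
    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '$NamePattern'" |
        Select-Object Name, StartName, State
}

function Test-SecureDiskDatabase {
    param(
        [Parameter(Mandatory)] [string]$Server,      # e.g. 'sql01.corp.example\INSTANCE' (assumed)
        [Parameter(Mandatory)] [string]$Database,
        [pscredential]$SqlCredential                 # omit to test Windows authentication as the current user
    )
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source']     = $Server
    $csb['Initial Catalog'] = $Database
    $csb['Encrypt']         = $true       # the server certificate must be trusted by this client
    $csb['Connect Timeout'] = 10
    if ($SqlCredential) {
        $csb['User ID']  = $SqlCredential.UserName
        $csb['Password'] = $SqlCredential.GetNetworkCredential().Password
    } else {
        $csb['Integrated Security'] = $true
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection $csb.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # The wizard wants an empty database: count user tables.
        $cmd.CommandText = 'SELECT COUNT(*) FROM sys.tables'
        $tables = [int]$cmd.ExecuteScalar()
        # Who did we log in as, and may that login create tables here?
        $cmd.CommandText = "SELECT SUSER_SNAME(), HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE')"
        $rd = $cmd.ExecuteReader()
        [void]$rd.Read()
        $who = $rd.GetString(0); $canCreate = ($rd.GetInt32(1) -eq 1)
        $rd.Close()
        [pscustomobject]@{ Reachable = $true; LoginName = $who; CanCreateTables = $canCreate
                           TableCount = $tables; Empty = ($tables -eq 0) }
    } catch {
        [pscustomobject]@{ Reachable = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# --- usage -----------------------------------------------------------------
$services = Get-ServiceLogonAccount
$services | Format-Table -AutoSize
foreach ($s in $services) {
    if ($s.StartName -eq 'LocalSystem') {
        Write-Warning "$($s.Name) runs as LocalSystem: choose 'Logon with given username and Password' for its database."
    }
}
# Test the SQL login you will enter under "Logon with given username and Password":
$cred = Get-Credential -Message 'SQL login for the CryptoPro database'
Test-SecureDiskDatabase -Server 'sql01.corp.example' -Database 'CryptoProSD' -SqlCredential $cred
```

Run it on the server where the administration or helpdesk service is installed. Omitting -SqlCredential tests Windows authentication, but only as the interactive user, not as the service account; if the services run as a domain account, run the script as that account to reproduce what the service will see.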

Select the preferred helpdesk database settings and press Next.

CAUTION! CryptoPro Secure Disk for BitLocker supports more than one instance of the central helpdesk service. In this case all instances have to choose the option Use Microsoft SQL Server. All instances of the helpdesk service have to use the same database.

3. The next dialog supports the optional key import from a key file.


This dialog supports the key import from a key file that was saved from another administration service instance. The import enables the administration of clients that were initialized by another server instance.

HINT! The keys can be exported to a password protected key file within the administration console. With those keys it is possible to administer already installed and initialized clients, even if the original database cannot be used anymore, and even if the central administration has to be reinstalled from scratch.

HINT! The export of the keys can be restricted by defining a set of passwords (four-eyes principle). It is recommended to set those passwords after the installation via the admin console!

Please refer to Export of the central keypair

4. Start the configuration of the administration service with Next.

5. Finalize the configuration with Finish.


4.6 Update

To perform an update of CryptoPro Secure Disk for BitLocker you need the newest MSI installation package. In a command line window, enter the following command: msiexec -i EDAAdmin.msi

. . . and follow the instructions. For an unattended update use the parameter /quiet.

4.7 Interactive uninstallation

For the interactive uninstall of CryptoPro Secure Disk for BitLocker:

1. Select START > CONTROL PANEL to open the Windows control panel. 2. In the control panel double click SOFTWARE. 3. Select CryptoPro Secure Disk Administration and press Uninstall. The uninstall wizard will be started. Press Next and follow the instructions of the wizard to finish the uninstall process.

4.8 Unattended uninstall

To perform an unattended uninstall of CryptoPro Secure Disk for BitLocker, open a command line window (cmd.exe) and start msiexec.exe with the following parameters: msiexec /x "Path of EDAAdmin.msi" /qn remove=all


/quiet (equivalent to /qn) activates the silent mode.


5 Installation/De-installation of the Client

The client installation package of CryptoPro Secure Disk for BitLocker is a standard MSI package, which supports the standard MSI functionality (install, repair, uninstall). The installation / uninstallation can be done without any user interaction. In the case of an unattended installation (without user action) the program msiexec.exe (system component) has to be started with some parameters (explained later on). In interactive mode you just follow the instructions of the installation wizard.

5.1 Installation requirements

5.1.1 Operating system

CryptoPro Secure Disk for BitLocker can be installed on the following operating systems:

Windows 7
Windows 8
Windows 8.1
Windows 10, version 1709 or lower

5.1.2 Other prerequisites

1. CryptoPro Secure Disk for BitLocker is an extension of Microsoft BitLocker. Therefore all requirements to install Microsoft BitLocker have to be fulfilled.

2. The Microsoft BitLocker start partition has to exist.

3. The start partition and the Windows-partition have to be on the same physical drive.

4. CryptoPro Secure Disk for BitLocker creates a new partition of approximately 1.5 GB. For the installation or initialization at least one partition with 10 GB (or more) free space is required. Alternatively 1.5 GB of unpartitioned space can be provided on the hard disk.
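The four prerequisites above can be checked from an elevated PowerShell prompt before the MSI is run, which is cheaper than letting the installer fail or, worse, letting it succeed and delete key protectors you still needed (the default value of DELETE_KEY_PROTECTORS is 1). The script below is an added example and not part of the CryptoPro manual or product; it uses only the built-in Storage, TrustedPlatformModule and BitLocker cmdlets, takes the 10 GB / 1.5 GB thresholds from the list above, and backs up every existing recovery password to a directory whose path is an assumption.

```powershell
# Added example (not part of the CryptoPro manual or product): pre-flight check of the
# client prerequisites in 5.1.2. Thresholds come from the manual; the backup path and
# the way the "start partition" is identified (IsSystem without a drive letter) are
# assumptions for illustration.
#Requires -RunAsAdministrator

function Test-SecureDiskPrerequisites {
    [CmdletBinding()]
    param(
        [string]$RecoveryKeyBackupDir = "$env:ProgramData\SecureDiskPreflight"   # assumed path
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1) The Windows partition and the BitLocker start (system) partition must both exist ...
    $winPartition    = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':')
    $systemPartition = Get-Partition |
        Where-Object { $_.IsSystem -and $_.DriveLetter -notmatch '[A-Z]' } |
        Select-Object -First 1
    if (-not $systemPartition) {
        $problems.Add('No separate BitLocker start (system) partition found.')
    }
    # 2) ... and lie on the same physical drive.
    if ($systemPartition -and $systemPartition.DiskNumber -ne $winPartition.DiskNumber) {
        $problems.Add("Start partition is on disk $($systemPartition.DiskNumber), Windows on disk $($winPartition.DiskNumber).")
    }

    # 3) Room for the PBA partition: >= 10 GB free on some partition of that disk,
    #    or >= 1.5 GB unallocated space on the disk.
    $disk        = Get-Disk -Number $winPartition.DiskNumber
    $unallocated = $disk.Size - $disk.AllocatedSize
    $freeMax = Get-Partition -DiskNumber $disk.Number |
        Where-Object { $_.DriveLetter -match '[A-Z]' } |
        ForEach-Object { (Get-Volume -DriveLetter $_.DriveLetter).SizeRemaining } |
        Measure-Object -Maximum | Select-Object -ExpandProperty Maximum
    if ($freeMax -lt 10GB -and $unallocated -lt 1.5GB) {
        $problems.Add(('Need >= 10 GB free on a partition (largest: {0:N1} GB) or >= 1.5 GB unallocated ({1:N1} GB).' -f ($freeMax/1GB), ($unallocated/1GB)))
    }

    # 4) TPM: informative only. The installer silently creates non-TPM protectors without one.
    $tpm      = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # 5) Existing BitLocker protectors: DELETE_KEY_PROTECTORS=1 (the default) removes them
    #    during initialization, so save every recovery password before installing.
    $protected = Get-BitLockerVolume | Where-Object { $_.KeyProtector.Count -gt 0 }
    foreach ($vol in $protected) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            New-Item -ItemType Directory -Force -Path $RecoveryKeyBackupDir | Out-Null
            $file = Join-Path $RecoveryKeyBackupDir ('{0}_{1}.txt' -f $vol.MountPoint.TrimEnd(':'), $kp.KeyProtectorId.Trim('{}'))
            Set-Content -Path $file -Value $kp.RecoveryPassword
        }
    }

    [pscustomobject]@{
        Ready            = ($problems.Count -eq 0)
        Problems         = $problems
        TpmReady         = $tpmReady
        ProtectedVolumes = @($protected | Select-Object -ExpandProperty MountPoint)
        UnallocatedGB    = [math]::Round($unallocated / 1GB, 2)
        RecoveryBackup   = $RecoveryKeyBackupDir
    }
}

$result = Test-SecureDiskPrerequisites
$result | Format-List
if (-not $result.Ready) { exit 1 }
```

Treat the recovery-password directory as secret material: move it to your key escrow (for example the Active Directory backup you already use for BitLocker) and delete the local copy once the installation has been verified.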

5.2 Overview (Installation)

At the installation of the client components of CryptoPro Secure Disk for BitLocker all required system drivers, services and data necessary for the administration are copied to the target computer. Necessary registry entries are created as well. Normally the CryptoPro Secure Disk for BitLocker PBA is initialized as well. For this purpose a new, approximately 512 MB large partition is created. If not enough unpartitioned space of this size is available on the computer, an existing partition is shrunk to obtain the required space. If, due to a specific rollout mechanism (e.g. use of an image), you want to avoid that the PBA partition is created at installation time, the installation property INITIALIZE has to be set to 0. The initialization of the PBA is performed in this case at the first start of the administration console, or at the first configuration by a script. The explicit call in this case is: msiexec /i EDAClientForBitlocker.msi INITIALIZE=0

If you install CryptoPro Secure Disk for BitLocker on a computer which is already encrypted by Microsoft BitLocker, a new BitLocker key protector is created, which is secured by the PBA. Protectors that already exist at the time of the initialization of CryptoPro Secure Disk for BitLocker are deleted. To avoid deleting existing protectors, the installation parameter DELETE_KEY_PROTECTORS must be set to the value 0. The explicit call in this case is: msiexec /i EDAClientForBitlocker.msi DELETE_KEY_PROTECTORS=0

If CryptoPro Secure Disk for BitLocker should use the TPM chip for its BitLocker protectors, the installation parameter USE_TPM must be set to the value 1. The explicit call in this case is: msiexec /i EDAClientForBitlocker.msi USE_TPM=1

HINT! If there is no TPM chip available on the specific computer, the protectors are created without TPM, independent of the parameter value.

At the installation of CryptoPro Secure Disk for BitLocker you can optionally define a previously created initialization script. The script is activated immediately after successful installation. For that purpose the initialization script has to be copied to the same directory as the MSI package, with the name init.spa. The installation copies the file to the script subdirectory auto, where it is executed after the installation has completed. Details about creating an initialization script can be found in chapter "7 Administration".

If the client computer should be administered by the central administration, the client has to know the computer where the central administration service is running. For that purpose there is another installation parameter: CA_SERVERNAME. This parameter has to contain the fully qualified name of the computer where the central administration service is running. If the central administration service is configured so that the standard port (8081) is not used for the communication, you must configure the required port via the parameter CA_PORT. Example: msiexec /i EDAClientForBitlocker.msi CA_SERVERNAME=MyServer.MyDomain.local CA_PORT=8081

The installation has only one component, CryptoPro Secure Disk for BitLocker client. Therefore there is no option to select the program components to be installed.

To detect failures during the installation, you can use the logging mechanism of the MSI package. The parameter of an installation with activated logging is:

/i              Installation of the msi package (EDAClientForBitlocker.msi)
/L*v Logfile    Activate logging with the given logfile name

e. g.: msiexec.exe /i EDAClientForBitlocker.msi /L*v msilog1.txt


5.3 Interactive Installation

For the newest information on the product releases please read the Readme file on the CD (if available). This can be especially important if you update the product to a newer version. This information can be more up to date and therefore takes precedence over the manual.

To execute the installation of CryptoPro Secure Disk for BitLocker, you need local administration rights.

HINT! A Windows client that is prepared for BitLocker must have its own start partition. This partition is usually created automatically with the installation of Windows 7 or Windows 8. The installation of the CryptoPro Secure Disk for BitLocker client package requires this partition.

1. Insert the CryptoPro Secure Disk for BitLocker CD, and start the installation (ClientInstall.msi). After the start a "Welcome" dialog is displayed:

2. On the next Page you are asked to accept the license terms. Please confirm the license terms and press NEXT.


3. On the following page the program component Client is displayed. This is the core of CryptoPro Secure Disk for BitLocker, and therefore always has to be selected. If you want to create a Windows PE recovery CD (see 20.2), you can select Windows PE recovery files too. Press NEXT if you have selected the required components. By selecting the option Configure advanced settings you get to the configuration of the advanced settings.


4. The next page is only displayed if "Configure advanced settings" was activated. Here you can define the server name and port where the central administration service is running (see "8 Central administration").

HINT! These settings are only required if the specific client computer should be administered by the central administration of CryptoPro Secure Disk for BitLocker. After you have set the specific settings press NEXT.

HINT! If there is more than one CryptoPro Secure Disk for BitLocker administration server, the field Servername can be used to define a list of servers. For this purpose use the notation 'Servername1:Port1; Servername2:Port2 ...'.


5. The next page is only displayed if "Configure advanced settings" was activated. Here you can configure the usage of the TPM chip, and other options. With Use TPM-chip, if available it can be defined that an available TPM chip should be used for the BitLocker encryption.

HINT! If there is no TPM chip available on the client computer, this setting has no effect. The BitLocker encryption in this case is done without the TPM chip.

With Delete existing protectors after installation you define whether, on systems that are already encrypted with BitLocker at the time of the installation, the existing protectors are deleted or kept.

HINT! CryptoPro Secure Disk for BitLocker creates new protectors during the initialization, independently of this installation setting.

Use Bitlocker To Go compatibility  This option must be set if BitLocker To Go is used on the computer or will be used later on. Without this option compatibility problems may occur.

Proceed protection for suspended drives automatically  Defines that the BitLocker protection is resumed automatically as soon as a suspension of the protection is detected.


With activated UAC a dialog will ask you to trust the installer.

6. CryptoPro Secure Disk for BitLocker can be installed now. Start the installation with Install.


7. Finish the Installation with Finish


5.4 Unattended installation

HINT! To install CryptoPro Secure Disk for BitLocker unattended with activated UAC (User Account Control), you must start msiexec.exe in elevated mode (i.e. right-click cmd.exe and choose "Run as administrator").

To execute an unattended installation of CryptoPro Secure Disk for BitLocker, open a command line window (cmd.exe) and start the program msiexec.exe with the following parameters:

/i       Install the msi package (EDAClientForBitlocker.msi)
/quiet   No user interaction

e. g.: msiexec.exe /i EDAClientForBitlocker.msi /quiet

INFO! Additional information on msiexec.exe can be found in its documentation, or by starting msiexec.exe without parameters.

5.5 Installation parameters The installation of CryptoPro Secure Disk for BitLocker supports the following parameters:


Parameter               Default  Description

CA_SERVERNAME           N.A.     Defines the name of the server where the central administration service is accessible (see "8.3 Initialization of the central administration console").

CA_PORT                 8081     Defines the port where the central administration service is accessible (see "8.3 Initialization of the central administration console").

SCRIPT                  N.A.     Defines the name of the script that should be copied to the auto folder of Secure Disk (path can be absolute or relative) (see "7.3.3 The administration console in script-mode").

HW_PROFILES             N.A.     Defines the name of the hardware profiles file that should be copied to the installation folder of Secure Disk (path can be absolute or relative) (see "15.2.1 Hardware Settings").

VIRTUAL_OU              N.A.     Defines the name of a virtual group in which the computer should be centrally administered (see "8.2.2 Virtual node management").

PREFERRED_SERVER        N.A.     Defines the name and port of a central server which shall be contacted first before other servers are tried. Set this parameter if there are several business locations with one local server each. CA_SERVERNAME is still necessary.

DELETE_KEY_PROTECTORS   1        Defines if existing key protectors should be deleted after Secure Disk initialization (1=delete key protectors, 0=don't delete key protectors).

USE_TPM                 0        Defines if a TPM chip shall be used to create the key protector for Secure Disk. If no TPM is available, a standard key protector is created and no error occurs (1=use TPM, 0=don't use TPM).

BITLOCKER_TO_GO_COMP    0        Defines if group policy settings that would prevent the installation from creating key protectors shall be changed during creation of the key protectors (1=change group policy settings, 0=don't change group policy settings). The following registry values are affected: HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableBDEWithNoTPM is set to 1; HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey is set to 2; HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess is set to 0.

BITLOCKER_AUTO_RESUME   1        Defines if the BitLocker protection shall be resumed automatically if a suspension is detected.
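The parameters in this table, the logging switch from 5.2 and the elevated unattended call from 5.4 come together in one deployment script. The one below is an added example and not part of the CryptoPro manual or product: it snapshots the three FVE policy values that BITLOCKER_TO_GO_COMP may rewrite, runs msiexec with the properties quoted and verbose-logged, maps the exit code, pulls the failing action out of the log if the install did not succeed, and finally reports which policy values changed. The server names, the MSI path and the chosen property values are assumptions for illustration.

```powershell
# Added example (not part of the CryptoPro manual or product): unattended client
# installation with policy snapshot, verbose logging and exit-code handling.
# Server names, paths and property values are assumptions for illustration.
#Requires -RunAsAdministrator

# The three registry values the manual lists for BITLOCKER_TO_GO_COMP=1.
$FvePolicyValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE';                 Name = 'EnableBDEWithNoTPM' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE';                 Name = 'UseTPMKey' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'; Name = 'RDVDenyWriteAccess' }
)

function Get-FvePolicySnapshot {
    $snap = @{}
    foreach ($v in $FvePolicyValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        $snap["$($v.Path)\$($v.Name)"] = if ($item) { $item.($v.Name) } else { '<absent>' }
    }
    $snap
}

function Install-SecureDiskClient {
    param(
        [Parameter(Mandatory)] [string]$MsiPath,
        [hashtable]$Properties = @{},
        [string]$LogPath = "$env:TEMP\EDAClientForBitlocker.install.log"
    )
    # Public MSI properties are case-sensitive and upper-case; a server list such as
    # "s1:8081;s2:8081" contains ';' and must be quoted to survive the command line.
    $propArgs = foreach ($kv in $Properties.GetEnumerator()) {
        '{0}="{1}"' -f $kv.Key.ToUpperInvariant(), $kv.Value
    }
    $argList = @('/i', ('"{0}"' -f $MsiPath), '/quiet', '/norestart', '/L*v', ('"{0}"' -f $LogPath)) + $propArgs
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" -ArgumentList $argList -Wait -PassThru

    $status = switch ($proc.ExitCode) {
        0       { 'Success' }
        3010    { 'Success, reboot required' }
        1641    { 'Success, reboot initiated' }
        1603    { 'Fatal error during installation' }
        default { "Failed with exit code $($proc.ExitCode)" }
    }
    # In a verbose log the failing custom action/standard action ends with "Return value 3".
    $failedAction = $null
    if (($proc.ExitCode -notin @(0, 3010, 1641)) -and (Test-Path $LogPath)) {
        $failedAction = Select-String -Path $LogPath -Pattern 'Action ended .*Return value 3' |
            Select-Object -Last 1 -ExpandProperty Line
    }
    [pscustomobject]@{ ExitCode = $proc.ExitCode; Status = $status; FailedAction = $failedAction; Log = $LogPath }
}

# --- usage -----------------------------------------------------------------
$before = Get-FvePolicySnapshot
$result = Install-SecureDiskClient -MsiPath 'C:\Deploy\EDAClientForBitlocker.msi' -Properties @{
    CA_SERVERNAME         = 'sd01.corp.example:8081;sd02.corp.example:8081'   # assumed servers
    CA_PORT               = 8081
    USE_TPM               = 1
    DELETE_KEY_PROTECTORS = 0    # keep existing protectors (the default, 1, deletes them)
    BITLOCKER_TO_GO_COMP  = 1
}
$after = Get-FvePolicySnapshot
$result | Format-List
foreach ($k in $before.Keys) {
    if ("$($before[$k])" -ne "$($after[$k])") { "policy changed: $k  $($before[$k]) -> $($after[$k])" }
}
if ($result.ExitCode -notin @(0, 3010, 1641)) { exit $result.ExitCode }
```

Note what BITLOCKER_TO_GO_COMP=1 does in policy terms: EnableBDEWithNoTPM=1 allows BitLocker without a TPM and RDVDenyWriteAccess=0 lifts the write block on removable drives that are not BitLocker protected. If those values are enforced by a domain GPO, the next policy refresh will revert them and the snapshot comparison will show it.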

5.6 Update

CAUTION! Versions older than 3.6.x cannot be updated directly. In these cases the update has to be performed in two steps: first upgrade the installation to a version between 3.6.x and 4.2.x, then update to the current version.

CAUTION! The partition layout of CryptoPro Secure Disk for BitLocker has changed. For this reason an update has to be performed in two steps. First the update has to be prepared with Reparttool_x86.exe or Reparttool_x64.exe. Only if this step finished successfully and a reboot has been performed can the update be made.

CAUTION! After a successful preparation of the update with Reparttool_x86.exe or Reparttool_x64.exe, a reboot has to be performed before the update process is started!

To update an existing installation of CryptoPro Secure Disk for BitLocker, you need the MSI package of the new version. Enter the following command in the command line: msiexec -i EDAClientForBitlocker.msi

. . . and follow the instructions. The parameter /quiet can be added to start an unattended update.

5.7 Interactive Uninstall

For the interactive uninstallation of CryptoPro Secure Disk for BitLocker proceed as follows:

1. Select START > CONTROL PANEL to open the Windows control panel. 2. In the control panel double click SOFTWARE. 3. Select CryptoPro Secure Disk and press REMOVE. The uninstallation wizard will be started. Press NEXT and follow the wizard to finalize the uninstallation.

CAUTION! If there are encrypted partitions, the uninstall will be canceled!

5.8 Unattended Uninstall

To execute an unattended uninstall of CryptoPro Secure Disk for BitLocker, open a command line window (cmd.exe) and start msiexec.exe with the following parameters: msiexec /x "Path to EDAClientForBitlocker.msi" /qn remove=all

/quiet (equivalent to /qn) starts the uninstall in silent mode.

CAUTION! If there are encrypted partitions, the uninstall will be canceled!


CAUTION! With this form of the uninstall you must use exactly the version of the MSI package that was used for the installation!
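Keeping the exact MSI of every deployed version around is fragile. Windows Installer records the ProductCode of each installed package under the Uninstall registry keys, and msiexec /x {ProductCode} removes precisely that version without the original file. The script below is an added example and not part of the CryptoPro manual or product: it looks the product up by display name (the pattern CryptoPro Secure Disk* is an assumption based on 5.7), refuses to run while any volume is still encrypted, since the page states the uninstall is cancelled in that case, and then removes the package silently with a verbose log.

```powershell
# Added example (not part of the CryptoPro manual or product): unattended removal by
# ProductCode instead of by MSI file. DisplayName pattern and log path are assumptions.
#Requires -RunAsAdministrator

function Get-InstalledMsiProduct {
    param([Parameter(Mandatory)] [string]$DisplayNamePattern)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern -and $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        Select-Object DisplayName, DisplayVersion, @{ n = 'ProductCode'; e = { $_.PSChildName } }
}

function Uninstall-SecureDiskClient {
    param(
        [string]$DisplayNamePattern = 'CryptoPro Secure Disk*',    # assumed, see 5.7
        [string]$LogPath = "$env:TEMP\EDAClientForBitlocker.uninstall.log"
    )
    # The manual states the uninstall is cancelled while encrypted partitions exist:
    # fail fast here instead of digging the reason out of the log.
    $encrypted = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    if ($encrypted) {
        throw "Decrypt these volumes first: $($encrypted.MountPoint -join ', ')"
    }
    $product = Get-InstalledMsiProduct -DisplayNamePattern $DisplayNamePattern
    if (-not $product)            { throw "No installed product matches '$DisplayNamePattern'." }
    if (@($product).Count -gt 1)  { throw "Pattern is ambiguous: $($product.DisplayName -join '; ')" }

    $argList = @('/x', $product.ProductCode, '/qn', '/norestart', '/L*v', ('"{0}"' -f $LogPath))
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" -ArgumentList $argList -Wait -PassThru
    [pscustomobject]@{
        Product  = $product.DisplayName
        Version  = $product.DisplayVersion
        ExitCode = $proc.ExitCode
        Log      = $LogPath
    }
}

$r = Uninstall-SecureDiskClient
$r | Format-List
if ($r.ExitCode -notin @(0, 3010, 1641)) { exit $r.ExitCode }
```

Because the ProductCode identifies the installed version, this form satisfies the CAUTION above by construction; the DisplayVersion in the output tells you which package was actually removed.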


6 Initialization of the local components

After the installation of the CryptoPro Secure Disk for BitLocker client, the system has to be initialized. Initialization is usually performed automatically, right after installation. If the installation was performed explicitly without initialization, the client is initialized automatically when

- the local administration console is started for the first time on the client computer,
- the computer receives configuration settings from the central administration for the first time, or
- the client computer receives configuration settings in the form of an initialization script for the first time.

CAUTION! It matters whether the initialization is performed via central administration, local administration or initialization script. If a client computer is initialized via central administration, it is necessary to define local administrators to be able to administer the computer via script or local administration later on. If the computer was initialized via script or local administration, it is necessary to activate the configuration option for central administration before it can be administered centrally.

A fully initialized client-system of CryptoPro Secure Disk for BitLocker must meet the following conditions:

The installation was completed successfully After a successful installation, all necessary files and registry entries are installed. All necessary services are running correctly.

The CryptoPro Secure Disk for BitLocker PBA is initialized  The CryptoPro Secure Disk for BitLocker PBA is located in a separate primary partition on the hard disk. The PBA is usually created, but not activated, during the installation. Optionally the creation of the PBA during the installation process can be suppressed. In this case the PBA is created either at the first start of the administration console in local mode, at the first activation of an initialization script, or at the first configuration of the client computer with the central administration console.

All settings have been defined  For a fully initialized system it is necessary that all settings are configured. The initial configuration of the settings can be defined with the administration console in local mode, by the central administration service, or by the activation of a client initialization script.

HINT! Since the initialization of a client computer requires the configuration of all available settings, an initialization script has to contain all settings. In contrast to the initialization script, a configuration script can contain only a subset of all available settings.

There is at least one user account  Without a user account no PBA authentication would be possible. Therefore a fully initialized system requires at least one PBA user account. Like the initial settings, the user account can be created with the administration console (local or central) or with an initialization script.

HINT! Instead of a user account, it is also possible to activate the automatic capturing of a user account (see "12.3 User capturing") at the next login.

There is at least one administrator  A fully initialized CryptoPro Secure Disk for BitLocker client requires at least one administrator. Therefore it is necessary that the initialization creates the first administrator account. The first administrator account is a special account (main administrator) which has all administrator privileges. In case of initialization via local administration, the administrator who logged on to the administration console is defined as main administrator. In case of initialization via initialization script, the administrator who created the script is defined as main administrator. In case of initialization via central administration, no explicit administration account is needed.

CAUTION! If the administration console is started on a client that is not fully initialized, the administrator that logged on to the console will become the main administrator of the client computer.

CAUTION! If a client is initialized by an initialization script, the administrator that created the script will become the main administrator of the client computer.

The PBA is activated  The activation of the PBA is done automatically during the initialization. So, after the first start of the local administration console, after initialization via the central administration service, or after initialization via initialization script, the PBA is active. Once the PBA is activated, a pre-boot authentication is required at every system start.

HINT! After initialization the PBA is in self-test mode. To ensure a boot process without problems, the PBA needs to detect some settings that might differ depending on the hardware. In self-test mode the PBA tries to find the required settings by changing the values until a boot process was successful.


7 Administration

7.1 Overview (Administration) The administration of CryptoPro Secure Disk for BitLocker consists of the follow- ing parts:

Configuration of program settings  CryptoPro Secure Disk for BitLocker provides many configuration options like look and feel of the PBA, activation or deactivation of several program options, or configuration of technical details. The configuration of program settings is described in detail in "9 Configure application settings".

Management of administrators  CryptoPro Secure Disk for BitLocker supports the definition of multiple security administrators with different rights. Administrator management is described in chapter "13 Administrate local Administrators".

User management  The CryptoPro Secure Disk for BitLocker PBA supports multiple users with different authentication mechanisms. User management is described in chapter "12.1 User management in the administration console".

Configuration of encryption settings  Disk encryption can be customized to individual requirements by different configuration parameters. Configuration of encryption settings is described in section "14 Encryption".

Configuration of Friendly Network settings  Friendly Network enables encrypted client computers to be started at a defined time without user authentication. Computers that are located within the company network boot without PBA, directly to the operating system login. If the computer is used outside of the company network, a PBA authentication is required. Another possible usage scenario is the unattended start of an encrypted client for maintenance reasons. Configuration of Friendly Network is described in chapter "17 Friendly Network and software distribution".

Administration of emergency data  CryptoPro Secure Disk for BitLocker supports several repair and emergency mechanisms in case of boot problems. Configuration of the according emergency mechanisms is described in chapter "20 Emergency recovery".

Helpdesk  CryptoPro Secure Disk for BitLocker supports extensive helpdesk functionality that manages logon problems (forgotten password, forgotten PIN, damaged smartcard, etc.). The CryptoPro Secure Disk for BitLocker Helpdesk is described in chapter "16 Helpdesk".

7.2 The different administration modes of CryptoPro Secure Disk for BitLocker

CryptoPro Secure Disk for BitLocker supports three different methods of administration:

1. Local administration  In case of local administration (see "7.3.2 The administration console in local mode") the administration console (see "7.3 The CryptoPro Secure Disk for BitLocker Administration console") is started directly on the client machine. The administration console displays the current settings of that client computer. Changing the values in the console directly changes the configuration of the client.

HINT! The administration console is described in "7.3 The CryptoPro Secure Disk for BitLocker Administration console".

2. Script based administration  In script based mode, the required configuration settings are stored in encrypted and signed script files. The administration console provides the ability to generate a script file from the current settings, load script files, and view their contents. If a script file is copied to the subdirectory auto of the CryptoPro Secure Disk for BitLocker installation directory on a client computer, the script is processed automatically, i.e. the configuration settings stored in the script are activated.

HINT! For the successful processing of a script file it is required that the script was created by an administrator who has already been configured on the client computer as an authorized administrator. Only initialization scripts (a special kind of script used to initially configure a client computer) are excluded from this rule.

HINT! Transferring script files to the client computer is not part of the CryptoPro Secure Disk for BitLocker administration.

HINT! More information about script based administration can be found in "7.3.3 The administration console in script-mode".

3. Central administration  Central administration (see "8 Central administration") uses the central administration service of CryptoPro Secure Disk for BitLocker. The central administration service must be installed and configured on a computer on the network. The administrator can connect to the administration service via the administration console from any computer in the network. All client computers that are accessible in Active Directory can be administered by the central service.

7.3 The CryptoPro Secure Disk for BitLocker Administration console

The CryptoPro Secure Disk for BitLocker administration console is the tool that covers all aspects of the administration. After installing the administration package, an entry CryptoPro Secure Disk for BitLocker administration appears in the Windows program group. After starting the administration console a dialog appears to select the administration mode.


The security operator has to define in this dialog in which of the 3 available modes he wants to start the administration console.

HINT! If Keep selection for future logins is checked, no welcome dialog will appear in later calls of the administration console anymore. The console will be launched in that mode, which is currently selected.

After selection of the required administration mode, an authentication as security- operator is required. The authentication details a


7.3.1 General features of the administration console

Some properties of the Administration console are subject to the Administration mode (see"7.2 The different administration modes of CryptoPro Secure Disk for BitLocker").

The left part of the console displays the client computer name(s). A menu in Windows Outlook style, which allows selecting the administration pages, is displayed beneath. Depending on the menu selection the according administration page appears in the right part of the console. If Settings is selected, a submenu is displayed right next to the computer name, which provides selection of the respective detail page.

The console provides the following menu entries that are independent of the mode:

View | restrict view CryptoPro Secure Disk for BitLocker offers the possibility to create restricted views (see "7.3.5 Restricted views in the administration console") to hide settings that are not used frequently. This menu item can be used to define which settings should be hidden in the restricted view.

View | advanced view  With this item the console switches to the advanced view. This mode displays settings that have been hidden in the restricted view.


About This menu item provides general information about CryptoPro Secure Disk for BitLocker.

HINT! The about dialog offers the possibility to view the content of the log directory where the log file of CryptoPro Secure Disk for BitLocker is located.

7.3.2 The administration console in local mode The administration console in local mode requires authentication as a local security operator.

The security operator has to log on with his PKCS#12 file and the according password. The operator has to be defined as local security operator on the client computer (see "13 Administrate local Administrators"). With Change password the password of the PKCS#12 file can be changed.

HINT! If the client computer is not yet initialized, the first logon to the local administration console causes initialization of the client. In this case there is of course no local administrator account defined yet. The security operator that logs on to the local administration console for the first time becomes the main security operator of the client computer.


The left part of the administration console shows the name of the client computer that is administered. In local mode, the configuration of the client computer on which the administration console was started is administered. The console shows the current settings of the administered computer. Changes performed with the local administration console are applied to the client computer immediately after pressing Apply. The console provides the following local-mode-specific menu entries:

File | save initialization script Here, the currently displayed configuration can be saved to a script file.

File | load initialization script The configuration can be loaded from a script file. By pressing Apply, the configuration settings from the script are applied on the current computer.

Capture user opens a dialog that allows the configuration of automatic user capturing.


Capture user with Windows credentials Enabling this option automatically captures a new user account at the next logon. The credentials of the user correspond to those used by the user for logging on to Windows.

Capture a password user for PBA only (no WIN credentials) Enabling this option automatically captures a new user account at the next logon. User-ID and password can be freely chosen. The credentials do not correspond to those used by the user for logging on to Windows.

Capture a smartcard user Enabling this option automatically captures a new smartcard-based user account at the next logon.

Capture a virtual smartcard Enabling this option automatically captures a new PBA user that is based on a virtual smartcard, if the next Windows logon is performed with a Microsoft virtual smartcard.

HINT! To capture a virtual smartcard user, the next Windows logon has to be performed with an already existing Microsoft virtual smartcard.


HINT! When a virtual smartcard account is captured, the user has to enter the PIN of his virtual smartcard a second time, directly after logon to the operating system.

Capture a PKCS12-user Enabling this option automatically captures a new user account at the next logon. The new user can log on to the PBA with a PKCS#12 file.

Capture a Fingerprint Only user Enabling this option automatically captures a new user account at the next logon. The new user can log on to the PBA with his fingerprint.

Capture Fingerprint additionally to a Win Credential or PBA password user Enabling this option automatically captures a fingerprint for an already existing password account.

HINT! The password account must already exist.

HINT! This option is valid for accounts with Windows credentials as well as for PBA-only password accounts.

Capture Windows-credentials additionally for Single Sign On Only user accounts with Windows credentials can log on to the operating system with the same credentials as for the PBA. All other accounts do not perform a Single Sign On to Windows by default. Enabling this option captures Windows credentials for the next PBA account that is used for logon. Once the Windows credentials have been captured, the corresponding PBA account is ready for Single Sign On to Windows.

Account should have a virtual smartcard for single sign on This option defines that the account should have Microsoft virtual smartcard credentials that can be used for single sign on in a helpdesk case.

HINT! Virtual smartcard SSO credentials are only possible for virtual-smartcard-based PBA accounts.

Convert captured user to a smartphone user With this option, the captured user is initialized as a Smartphone user.

HINT! If the newly captured user is a user with Windows credentials, the user is first captured at the next Windows logon. When the user then logs on to the PBA for the first time, his account is converted into a Smartphone account.

Init captured user for smartphone helpdesk With this option, the captured user is initialized for Smartphone helpdesk.

HINT! If the newly captured user is a user with Windows credentials, the user is first captured at the next Windows logon. When the user then logs on to the PBA for the first time, his account is initialized for Smartphone helpdesk.


Second factor required for next captured user This option defines that at the next logon a second factor (YubiKey) shall be captured for the corresponding account.

HINT! The corresponding password account must already exist.

HINT! As long as the user does not capture the second factor for his password account, logon without the second factor is still possible. Starting with the first logon with the second factor, the second factor is mandatory.

Second factor immediately mandatory for next captured user This option defines that at the next logon a second factor (YubiKey) shall be captured for the corresponding account.

CAUTION! A logon without the second factor is not possible anymore.

CAUTION! All options for automatic user capturing refer to the immediately next logon to the system. If the capture action of the user account fails at the next logon, the corresponding settings are deleted. The automatic capturing of a user is not rescheduled at a later time.
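To make the difference between the two second-factor options and the one-shot nature of automatic capturing concrete, here is an added Python model of the enrolment logic described above. It is example code written for the reader of this manual, not part of CryptoPro Secure Disk for BitLocker; the class names (CapturePolicy, PasswordAccount, PbaClient), the YubiKey identifier strings used as sample input, and the treatment of a logon that presents no key under the "required" option (the password-only logon is still accepted and the capture option is simply consumed, not rescheduled) are assumptions.

```python
"""Added model of the second-factor capture options.

Hypothetical example for this manual, not the product's own code or API.
Assumed names: CapturePolicy, PasswordAccount, PbaClient; the YubiKey
identifiers below are constructed sample values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class CapturePolicy(Enum):
    NONE = "none"            # no capture pending for the next logon
    GRACE = "grace"          # "Second factor required for next captured user"
    IMMEDIATE = "immediate"  # "Second factor immediately mandatory for next captured user"


@dataclass
class PasswordAccount:
    user_id: str
    second_factor_id: Optional[str] = None  # identifier of the enrolled YubiKey, if any
    second_factor_mandatory: bool = False   # once True, never reset by a logon


@dataclass
class PbaClient:
    account: PasswordAccount
    pending_capture: CapturePolicy = CapturePolicy.NONE

    def logon(self, password_ok: bool, presented_factor: Optional[str]) -> bool:
        """One PBA logon attempt; returns True if logon is granted.

        The pending capture option applies to this logon only: it is cleared
        up front and never rescheduled, whatever the outcome.
        """
        policy, self.pending_capture = self.pending_capture, CapturePolicy.NONE
        acct = self.account

        if not password_ok:
            return False  # failed logon: nothing is captured, the option is gone

        if acct.second_factor_mandatory:
            # Hard enforcement: a key is required. Enrol the first key seen if
            # the "immediately mandatory" option left the account without one.
            if presented_factor is None:
                return False
            if acct.second_factor_id is None:
                acct.second_factor_id = presented_factor
            return presented_factor == acct.second_factor_id

        if policy is CapturePolicy.IMMEDIATE:
            # From this logon on, password-only logon is no longer possible.
            acct.second_factor_mandatory = True
            if presented_factor is None:
                return False
            acct.second_factor_id = presented_factor
            return True

        if policy is CapturePolicy.GRACE and presented_factor is not None:
            # Key captured now; mandatory starting with this first use.
            acct.second_factor_id = presented_factor
            acct.second_factor_mandatory = True
            return True

        # Password-only logon: accepted while no second factor is enrolled.
        return True


def demo() -> dict:
    """Run both options on constructed accounts and return the observed decisions."""
    grace = PbaClient(PasswordAccount("alice"), CapturePolicy.GRACE)
    r1 = grace.logon(True, None)                  # still allowed: key not yet captured
    grace.pending_capture = CapturePolicy.GRACE   # operator sets the option again
    r2 = grace.logon(True, "yk-0001")             # key captured, now mandatory
    r3 = grace.logon(True, None)                  # refused from now on

    hard = PbaClient(PasswordAccount("bob"), CapturePolicy.IMMEDIATE)
    r4 = hard.logon(True, None)                   # refused immediately
    r5 = hard.logon(True, "yk-0002")              # key enrolled at first use
    return {"grace": (r1, r2, r3), "immediate": (r4, r5)}


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the ratchet: under either option, once `second_factor_mandatory` is set it is never cleared by a logon, so the "required" option gives a soft enrolment window while the "immediately mandatory" option removes password-only access from the very next logon.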

With Apply all changes will be applied.

With Status a window is displayed that reports the configuration status of Friendly Network (see "17 Friendly Network and software distribution"), Helpdesk (see "16 Helpdesk"), and recovery (see "20 Emergency recovery").


7.3.3 The administration console in script-mode

The left part of the console shows the path to the script file that is currently edited. Below, there is a selection for each administration page. This selection determines the contents that are included in the script.

INFO! Scripts do not have to contain all available configuration settings. Settings that are not included in the script remain unchanged when the script is applied to a client computer.

HINT! There are two different kinds of scripts. Initialization scripts are used to initialize a client computer, so they are used just for the very first configuration of the computer (see "6 Initialization of the local components"). Change scripts are used to change the settings of a client computer that is already initialized. Since a completely configured computer needs all configuration settings, at least one user account and at least one administrator account, an initialization script has to contain all those settings. Change scripts may contain just a subset of those settings.

The left side of the console additionally contains a menu in Windows Outlook style, which supports the selection of administration pages. Depending on this selection, the right part of the console contains the details of the selected administration page. If Settings is selected, an additional selection menu is displayed to choose the detail page of the settings.

In script mode, a certain configuration is saved in a script file, so that it can be activated on any number of client computers at a later time. When the script is generated, no client computer settings are processed. Therefore, no corresponding configuration settings are displayed, and the console just contains default values at the start of the script mode. If an existing script is loaded, the contents of the loaded script are displayed.

The console in script mode has the following specific menu entries:

Actions | Transparent With this option it can be defined that the target computer should boot without PBA authentication for a required number of system starts. The field Boot counter defines the required number of system starts without PBA authentication.

HINT! After the defined number of system starts, the PBA on the target computer is reactivated automatically.

With Save the configuration is stored in a script file. With Load a script file is loaded, and its contents are displayed. With the selection Initialization script or Change script the operator can switch between processing initialization and change scripts. When the script is saved, the operator has to define the target path of the script file in the next dialog. After that, an authentication dialog, as described in "7.3.2 The administration console in local mode", is displayed.

CAUTION! Please note that the authentication has to be performed with a PKCS#12 file that corresponds to a valid administrator account on all target computers. A change script can only be applied to a client computer if it was created by a valid administrator.

HINT! In the case of an initialization script, the authentication can be performed with an arbitrary administrator account. The initialization script can be applied to all client computers that are not already initialized (see "6 Initialization of the local components"). The administrator account that was used to authenticate the initialization script becomes local main administrator on all client computers.
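The rules of this section can be stated compactly: an initialization script must be complete (all settings, at least one user, at least one administrator), is accepted only by a not yet initialized client, and makes its authenticating administrator the local main administrator; a change script may be partial, leaves every setting it does not contain untouched, and is accepted only if its authenticating administrator is valid on the target. The following Python model is an added example for the reader of this manual and is not the product's script format or code: the dict-based script representation, the page names in REQUIRED_SETTING_PAGES and the function names are assumptions.

```python
"""Added model of initialization and change scripts as described in 7.3.3.

Hypothetical example for this manual, not CryptoPro Secure Disk for BitLocker
code. The dict-based script representation, the page names in
REQUIRED_SETTING_PAGES and the function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed set of administration pages a complete configuration must cover.
REQUIRED_SETTING_PAGES = {"general", "helpdesk", "friendly_network", "recovery"}


@dataclass
class Script:
    kind: str                 # "init" or "change"
    signer: str               # administrator whose PKCS#12 file authenticated the script
    settings: Dict[str, dict] = field(default_factory=dict)  # page -> values; may be a subset
    users: List[str] = field(default_factory=list)
    admins: List[str] = field(default_factory=list)


@dataclass
class Client:
    initialized: bool = False
    main_admin: Optional[str] = None
    admins: Set[str] = field(default_factory=set)
    settings: Dict[str, dict] = field(default_factory=dict)
    users: List[str] = field(default_factory=list)


def validate_init_script(script: Script) -> List[str]:
    """Return the reasons an initialization script is incomplete (empty list if complete)."""
    problems = []
    missing = REQUIRED_SETTING_PAGES - set(script.settings)
    if missing:
        problems.append("missing setting pages: " + ", ".join(sorted(missing)))
    if not script.users:
        problems.append("no user account")
    if not script.admins:
        problems.append("no administrator account")
    return problems


def apply_script(client: Client, script: Script) -> Client:
    """Apply a script to a client, following the rules of the manual."""
    if script.kind == "init":
        if client.initialized:
            raise PermissionError("client already initialized; use a change script")
        problems = validate_init_script(script)
        if problems:
            raise ValueError("incomplete initialization script: " + "; ".join(problems))
        client.settings = {page: dict(values) for page, values in script.settings.items()}
        client.users = list(script.users)
        # The authenticating administrator becomes local main administrator.
        client.admins = set(script.admins) | {script.signer}
        client.main_admin = script.signer
        client.initialized = True
        return client

    if script.kind == "change":
        if not client.initialized:
            raise PermissionError("client not initialized; use an initialization script")
        if script.signer not in client.admins:
            raise PermissionError(f"{script.signer!r} is not a valid administrator on this client")
        # Partial merge: pages absent from the script stay exactly as they are.
        for page, values in script.settings.items():
            client.settings[page] = {**client.settings.get(page, {}), **values}
        for user in script.users:
            if user not in client.users:
                client.users.append(user)
        return client

    raise ValueError(f"unknown script kind {script.kind!r}")
```

The authorization check in the change branch is the one that matters operationally: a change script authenticated by an administrator who is unknown on a given client is rejected there even if the same script applies cleanly on every other target, which is why the manual insists on a PKCS#12 file valid on all target computers.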


7.3.4 The administration console in central mode

The administration console in central mode requires authentication as security operator. The authentication is described in chapter "8.1 Authentication as security-operator to the central consoles".

The left part of the console contains a list of all computers of the Windows Active Directory. In central mode, the configuration of all computers and computer groups located in the Windows Active Directory can be administered. All settings of the currently selected computer are displayed in the right part of the console. The console provides the following central-mode-specific menu items:

File | save initialization script With this item, the currently displayed configuration can be saved to a script file.


HINT! This menu item is not available if the operator has authenticated to the console with Windows authentication.

File | Export node settings Saves the current node configuration to a file.

File | Import node settings Loads the configuration from a file. This file can contain a previously exported configuration or an initialization script. With Apply all loaded configuration settings are applied to the selected node.

File | load initialization script The configuration can be loaded from a script file. By pressing Apply, the configuration settings from the script are activated on the current computer.

HINT! This menu item is not available if the operator has authenticated to the console with Windows authentication.

View | Show assigned servers This option switches the display on the left side of the console. Instead of a symbol that shows whether the selected node has settings (or users, helpdesk settings etc.) defined, a different symbol is displayed if the node was assigned to a specific server (see "8.11 Administration of additional service-instances").

View | Show startup dialog At the start of the administration console a dialog is usually displayed, which supports choosing the required mode (see "7.3 The CryptoPro Secure Disk for BitLocker Administration console"). With this menu item this mode-selection dialog can be activated / deactivated.

HINT! This menu item is only displayed in the extended view.

View | Show all folders If this item is activated, all nodes of the Active Directory structure are displayed. If this item is deactivated, only those Active Directory nodes are displayed which contain at least one computer object.

View | Show only nodes with settings If this item is activated, only nodes where specific settings are defined (general settings, helpdesk, users, etc.) are displayed. Nodes which inherit all settings are hidden.

HINT! This menu item is only displayed in the extended view.

CA | Login performs a re-logon to the central administration service.

CA | Logout performs a logoff from the central administration service.

CA | administrators allows the management of security administrators who can log on to the central administration service.

CA | add domain adds a domain to the displayed Active Directory-tree.

CA | Activate virtual node management activates / deactivates the management via virtual OU’s (see "8.2.2 Virtual node management").

CA | Manage central services supports management of multiple instances of the central administration service.

CA | Reporting manages creation resp. saving of reports in CSV-format.


Maintenance | Sync with active directory detects whether there have been changes within the Active Directory structure and, if applicable, synchronizes the changes with CryptoPro Secure Disk for BitLocker.

HINT! This menu item is only displayed in the extended view.

Maintenance | Check database integrity provides an extended mechanism for Active Directory synchronization.

HINT! This menu item is only displayed in the extended view.

Maintenance | Export server key pair exports the key pair of the CryptoPro Secure Disk for BitLocker server for backup purposes. This enables a new installation with a new database and the same keys, so that existing clients can still be administered.

HINT! This menu item is only displayed in the extended view.

Maintenance | HSM opens a new window to activate the integration of a Hardware Security Module. Please refer to the document 'HSM integration guide' for further information.

HINT! This menu item is only displayed in the extended view.

Help | license supports management of client licenses.

With Apply all changes are applied to the selected computer.

As in local mode, Capture user opens a dialog that allows you to configure the automatic capturing of user accounts (see "7.3.2 The administration console in local mode").

With Status a window is displayed, that reports the configuration status of Friendly Network (see "17 Friendly Network and software distribution"), Helpdesk (see "16 Helpdesk"), and recovery (see "20 Emergency recovery").


Show difference is used to indicate any differences between the current configuration of a computer and the settings defined in the central administration console.

Overwrite inherited settings allows you to assign configuration settings to a client computer or group of computers that differ from the settings of its parent nodes in the Active Directory.

Apply settings to client allows overwriting configuration settings that were created locally with settings created in the central administration console.

More detailed information about central administration can be found in chapter "8 Central administration".

7.3.5 Restricted views in the administration console

The settings of CryptoPro Secure Disk for BitLocker represent the desired security policy in the field of authentication and disk encryption. In many cases, after a first definition of the policy, the settings are rarely modified. CryptoPro Secure Disk for BitLocker offers the possibility to hide infrequently used options from the standard view. The menu entry View | Views opens a dialog which supports the creation of reduced views. Each setting can be defined as an extended setting, which is only visible in the extended view.


If a particular setting should be hidden in the default view, the corresponding checkbox in the column Hide has to be checked. In addition to Hide there is an option Deactivate. This option deactivates the corresponding setting, so that it cannot be processed in the administration console.


The menu entry View | Advanced settings switches between default and extended view. In the default view, all extended settings are hidden. The extended view displays all available settings.

HINT! The definition of a restricted view is user-specific, i.e. each Windows user can define his individual restricted view.

HINT! Disabling specific settings affects both the restricted and the extended view.


8 Central administration

Besides the administration console, there are a number of additional consoles for central administration of CryptoPro Secure Disk for BitLocker:

The CryptoPro Secure Disk for BitLocker Friendly Network console supports management of "Secure Software Distribution" and "Friendly Network" (see "17 Friendly Network and software distribution").

The CryptoPro Secure Disk for BitLocker Recovery console supports management of recovery data (see "20 Emergency recovery").

The CryptoPro Secure Disk for BitLocker Password Management console supports management of Windows passwords that can be used by smartcard users in a helpdesk case (see "18 Password Management Console").

All central consoles require authentication as security operator.

8.1 Authentication as security-operator to the central consoles

Authentication as central security-operator is performed with a PKCS#12 file.

The security-operator has to log on with his PKCS#12 file and the corresponding password. With Change Password the password of the PKCS#12 file can be changed. With Save P12 to database for simple logon the PKCS#12 file of the security operator can be saved to the central database. This enables simple logon (User-ID and password). On the left side of the Change Password button, there is a selection button which supports switching between PKCS#12 logon, Simple logon and Windows logon.

As an alternative to PKCS#12 logon, there is the simple logon.


In this case the authentication is performed with User-ID and password. With Change Password the password of the security-operator can be changed. On the left side of the Change Password button, there is a selection button which supports switching between PKCS#12 logon, Simple logon and Windows logon.

HINT! Activation of simple logon can be done either in the management of central administrators (see "8.4 Management of central administrators"), or by saving the PKCS#12 file to the database during a PKCS#12-based logon.

The third way to authenticate as an administrator is Windows authentication.

In this case the authentication is performed based on Windows logon credentials. At the bottom of the dialog, there is a selection button which supports switching between PKCS#12 logon, Simple logon and Windows logon.

HINT! Activation of Windows authentication can be done in the management of central administrators (see "8.4 Management of central administrators").

HINT! Windows authentication supports, if configured accordingly, Single Sign On. In this case no explicit authentication as security operator is required (see "8.4 Management of central administrators").

HINT! Independent of the authentication type, the Logon dialog provides a combo box to select the Instance of the central service. If more than one instance of the central service is used, this combo box supports the selection of the service to which the console connects. With the green plus button and the red cross button, URLs of computers where service instances are running can be added to or deleted from the combo box.


8.2 The central administration console

The main part of central administration is performed with the administration console in central mode (see "7.2 The different administration modes of CryptoPro Secure Disk for BitLocker").

The left part of the console contains all computers from the Active Directory. Computers or groups that should be managed can be selected here. For each computer (or group of computers) the required configuration can be defined. With Apply the settings are applied to the central administration service.

HINT! The settings are activated on the client computers at a later time.

The computer symbols are displayed in different colors, where each color represents a specific state:

Gray A computer displayed in gray is not yet initialized for central administration.


Red A computer displayed in red could not activate the configuration settings defined by the central administration. This state indicates a problem.

Green A computer displayed in green is exactly in the state that was defined by the central administration.

Green-Yellow A computer displayed in green-yellow was formerly green but has not applied the latest defined configuration.

Red-Yellow A computer displayed in red-yellow was formerly red but has not applied the latest defined configuration.

8.2.1 Administration of Workgroup-computers

To be able to administer client computers that are not members of an Active Directory domain with the CryptoPro Secure Disk for BitLocker administration console, the option Enable Workgroup-mode has to be selected at the initialization of the central service (see "4.5 Configuration of the administration-service"). Each client computer which is not a domain member is displayed directly under the root node WORKGROUP after it has established a connection to the central service for the first time. With the context menu Manage workgroup (right mouse button) sub-nodes can be defined, and client computers can be assigned to sub-nodes.

Add computer Adds a client computer to the selected node.

HINT! Client computers can be added to nodes before they connect to the central administration for the first time. When the client computer connects to the central administration, it gets the right settings.

Add OU Adds a sub-node to the selected node.

Rename Renames the selected node or computer.

Cut Cuts the selected node or computer, to be pasted at a different position.

Paste Pastes the cut node or computer at the selected position.

Delete Deletes the selected node or computer.

HINT! Nodes that are not empty cannot be deleted.

Administration of workgroup computers is performed the same way as for Active Directory computers.


8.2.2 Virtual node management

Virtual node management supports client computer management in a different structure than the one defined by the Active Directory. Virtual node management has to be enabled via the menu item CA | Activate virtual node management. In the directory tree at the left side of the console, a new node VIRTUAL is displayed if virtual node management is activated.


The right mouse button opens a context menu, which supports management of virtual nodes.


Add computer Adds a client computer to the selected node. The fully qualified name of the client computer has to be entered.

HINT! Client computers can be assigned to virtual nodes before they have connected to the central administration for the first time. If a computer with the corresponding name connects for the first time, it gets the settings defined at the virtual node.

Add OU Adds a sub-node to the selected virtual node.

If the context menu is opened at a sub-node of VIRTUAL, it contains additional menu items.

Delete Deletes the node from the virtual node management.

Delete subtree Deletes the whole subtree from the virtual node management.

Rename Renames a node.

Cut Cuts a node.

HINT! If client computers that are managed via virtual node management are deleted or renamed, they are excluded from the administration. Those computers cannot be managed centrally anymore, but their state (concerning encryption, PBA accounts etc.) is left unchanged.


Virtual nodes can additionally be managed via drag and drop. Single nodes or whole subtrees can be moved to a different node under VIRTUAL. It is also possible to move nodes and subtrees from the Active Directory tree to the virtual node structure. Virtual node management can administer Active Directory computers as well as computers that are not in the Active Directory.

If an Active Directory computer is administered via virtual node management, settings can only be defined under the node VIRTUAL. In the Active Directory tree such a computer is displayed with a special star icon. With a mouse click the corresponding node in the VIRTUAL subtree is opened.


At the installation of a client computer, the install parameter VIRTUAL_OU can define the name of the virtual OU that should be assigned to the client computer. In this case the corresponding computer is directly assigned to the virtual node at its first connection to the central administration. The client computer does not have to be moved to the VIRTUAL subtree manually.

HINT! If client computers are assigned to virtual OUs via installation parameter, it has to be made sure that the corresponding virtual OU already exists at the time of the first connection from the client to the server. Otherwise the client cannot be initialized correctly.

8.3 Initialization of the central administration console

At the first call of the central administration console, the user has to enter the port and the computer name where the central administration service is running. The computer name has to be provided fully qualified.


Type in the computer name where the central administration service is running. Type in the port on which the central administration service is running.

8.4 Management of central administrators

Management of central administrators of CryptoPro Secure Disk for BitLocker can be performed via CA | Administrators. This dialog lists all central administrators.


ADD new Admin ... allows creation of new administrators.

Delete Selected deletes the selected administrator.

Export P12 ... supports export of the keys in the form of a PKCS#12 file for an administrator that is managed within the central database.

Reset password resets the password of an administrator that is configured for simple logon. Passwords of PKCS#12-based administrator accounts or AD users or groups cannot be reset.


HINT! This button is only visible if an administrator with simple logon is selected.

8.4.1 Settings of central administrators

Name contains the common name of the administrator. This value is extracted from the PKCS#12 file used for authentication if default logon was selected. With simple logon, the username is taken. With Active Directory based logon, the distinguished name is displayed.

Administrative realms defines subsections of the Active-Directory. For those subsections, the administrator has administrative privileges. With this feature, administrators can be restricted to specific parts of the Active Directory. Only computers that are located in this part can be administered by the according administrator.

Allow login to central administration defines if the administrator has the right to work with the central administration.

HINT! If the administrator does not have the right Allow configuration of central administration, he has read-only privileges to the configuration data.

Allow configuration of central administration defines, if the administrator has the right to manage client computers via central administration.

Friendly Network administration defines, if the administrator has the right to manage Friendly Network settings.


allow Recovery administration defines if the administrator has the right to act as central recovery operator.

allow adding/removing Administrators defines if the administrator has the right to manage other central administrators.

allow adding domains defines if the administrator has the right to add domains to the central administration.

allow audit management defines if the administrator has the right to administer reports of the central administration.

allow Single Sign On is displayed if AD users or groups are selected. This field defines if a logon to the central administration console is allowed with Single Sign On (without typing in Windows user ID and password again).

8.4.2 Adding central administrators

CryptoPro Secure Disk for BitLocker supports four different types of central administrators:

Simple logon The authentication is done with an arbitrary user name and password.

default logon The authentication is done with a PKCS#12 file and the corresponding password.

AD-User An existing Active Directory Windows user account is defined as valid central administrator.


AD-Group An existing Active Directory group is defined as valid central administrator. Members of that group can log on to the central administration.

For Active Directory-based administrators (users or groups), it is possible to define whether they can authenticate via Single Sign On. In the case of Single Sign On authentication, the account of the currently active Windows user is authenticated. Input of user ID and password is not required in this case. If Single Sign On is not activated, the user has to type in his Windows credentials at every logon attempt.

8.5 Dashboard

The dashboard of CryptoPro Secure Disk for BitLocker provides an overview of the states of all clients that are administered centrally. The diagram Overview provides a graphical overview. View supports the selection of different criteria for the overview. The table Summary displays the number or percentage of client computers which correspond to the respective category of the selected criterion. The table Details lists all client computers which match the selected category of table Summary. With a double-click on a computer in table Details, the corresponding node in the Active Directory tree at the left side of the console is opened.


HINT! The dashboard does not display the most current values; it relates to the last report (see "8.14.3 Status"). Loaded Report contains the generation date of the used report. With Refresh, a new report can be generated. Depending on the number of clients, the generation of a new report can take a long time.

Depending on the selection in View, Overview, Summary and Details display different contents.

8.5.1 Client Status
Client Status provides an overview of whether the current status of the client computers differs from the configured status. With Show encryption in progress as different status it can be defined whether client computers that are currently in the encryption process are displayed as a separate status. Furthermore, the states O.K (no differences to the defined state), Differences (client has differences to the defined state) and unknown are listed.

8.5.2 Encryption
The view Encryption provides an overview of the encryption states of the client computers. Encrypted computers, plain computers, and computers that are currently in the encryption process are displayed as separate states.

8.5.3 Installation
The view Installation provides an overview of the product versions installed on the client computers.

8.5.4 Initialisation
The view Initialisation provides an overview of whether the client computers have been successfully initialized for Helpdesk, Friendly Network and Recovery. With an additional selection it can be defined whether the initialization status of Friendly Network, Online Helpdesk, Offline Helpdesk, Recovery data in database (indicates whether the recovery data were sent to the central database) or Recovery data in folder (indicates whether the recovery data have been stored to a defined folder) is displayed.

HINT! The table Details shows all categories of initialization, independent of the selection.

8.5.5 PBA User accounts
The view PBA user accounts provides an overview of the number of PBA user accounts on the client computers. Client computers are summarized in the categories 1 user, 2-3 users, 4-5 users and more than 5 users.

8.5.6 Profile Status
Profile Status provides an overview of when the client computers received their last settings or when they last reported their status. As an additional selection it can be defined whether the displayed status relates to the last status that was sent to the central administration (Status sent), to when the last configuration profile from the central administration was received (Profile received), or to when the configuration of the client was last changed (Profile generated / changed). Computers are aggregated in the categories less than one day, 2-3 days, 4-10 days, 11-30 days, and more than 30 days.

8.5.7 Compliance
Compliance provides an overview of the compliance state of the clients. The compliance state is the result of comparing the current state with the settings defined for the client. A client is compliant if there are no differences between its actual state and the settings it last received. In contrast to Client Status, it is not relevant whether the client has already applied the current settings or is still pending.

8.6 Initialization of a client computer for central administration
The initialization of a client machine for the central administration is performed automatically. The following conditions have to be met:

The client package of CryptoPro Secure Disk for BitLocker has to be installed on the computer. Details for the installation of the client package can be found in "5 Installation/De-installation of the Client".

Server and port have to be stored in the Registry. On the client computer, the name of the server on which the central administration service is installed, as well as its port, have to be stored in Registry entries. The following Registry entries have to exist in the Registry path HKLM\SOFTWARE\cpsd\SecureDisk\base:
ServerName . . . Name of the computer on which the central administration service is installed.
ServerPort . . . Port on which the central administration service is running.

Both parameters can be set during the installation in the extended settings, or by setting the corresponding MSI properties. In that case the client installation package has to be invoked as:
msiexec.exe /i EDAClient.msi CA_SERVERNAME=ServerName CA_PORT=8081

Existing network connection Server and client have to be able to establish a network connection.

INFO! A client computer that was initialized and configured locally does not allow central administration by default. A client that should be integrated into central administration at a later time has to receive the configuration setting Allow central administration in the general settings. This has to be done with local administration or per script.
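As an added example (not part of the manual or the product), the following PowerShell script checks the conditions above on a client computer: it reads the ServerName and ServerPort values from the Registry path named in this section and tests whether a TCP connection to that server and port can be established. The registry path, value names and the msiexec properties are the manual's; the function names are this example's own, and the port 8081 in the comment is the manual's sample value.

```powershell
# Added example: check a client's central-administration prerequisites (section 8.6).
# Registry path and value names are taken from the manual; everything else is this
# example's own. Run in an elevated PowerShell on the client computer.

$basePath = 'HKLM:\SOFTWARE\cpsd\SecureDisk\base'

function Get-SecureDiskServerSettings {
    # Reads ServerName and ServerPort and fails loudly if either is missing.
    if (-not (Test-Path -Path $basePath)) {
        throw "Registry path $basePath does not exist. Is the client package installed?"
    }
    $props = Get-ItemProperty -Path $basePath
    if ([string]::IsNullOrEmpty($props.ServerName)) { throw "ServerName is missing under $basePath" }
    if ([string]::IsNullOrEmpty("$($props.ServerPort)")) { throw "ServerPort is missing under $basePath" }
    [pscustomobject]@{
        ServerName = [string]$props.ServerName
        ServerPort = [int]$props.ServerPort   # works for REG_DWORD and REG_SZ values
    }
}

function Test-SecureDiskServerConnection {
    # Returns $true when a TCP connection to the central service port succeeds.
    param([Parameter(Mandatory)] [pscustomobject]$Settings)
    $result = Test-NetConnection -ComputerName $Settings.ServerName -Port $Settings.ServerPort `
                                 -WarningAction SilentlyContinue
    return [bool]$result.TcpTestSucceeded
}

$settings = Get-SecureDiskServerSettings
Write-Output "Central service configured as $($settings.ServerName):$($settings.ServerPort)"

if (Test-SecureDiskServerConnection -Settings $settings) {
    Write-Output 'TCP connection to the central administration service succeeded.'
} else {
    Write-Output 'No TCP connection to the central administration service.'
    Write-Output 'Check name resolution, the firewall between client and server, and the ServerPort value.'
    # If the values themselves are wrong, reinstall the client with the MSI properties from
    # section 8.6, e.g.: msiexec.exe /i EDAClient.msi CA_SERVERNAME=ServerName CA_PORT=8081
}
```

A successful TCP test only shows that the port is reachable; whether the client is actually administered centrally is visible afterwards in the console's Client Status (section 8.5.1) or in the InstallState column of a report (section 8.14.6).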

8.7 Inheritance of configuration settings
The central administration of CryptoPro Secure Disk for BitLocker is based on the structure of client computers defined in Windows Active Directory. By defining configuration settings at an Active Directory node, those settings are inherited by all child computers under the selected node. A redefinition of the settings, and with it a break in the inheritance, is possible by clicking Override inherited settings. Only with this option is it possible to access the corresponding fields of the input screens. The values of Settings and Encryption are inherited together. Thus, for example, it is possible to interrupt the inheritance of Settings by defining new values; in this case the inheritance of the Encryption settings is also broken at this node.

INFO! Note that the inheritance of the groups Settings and Encryption is always interrupted as a whole. If, for example, the desk settings of a node are defined differently from the parent node, all other settings are also excluded from inheritance.

CAUTION! Note that users and administrators are inherited differently. Defining a new user or administrator at a node does not interrupt the inheritance; the new user or administrator is defined in addition to the inherited values. If a user or administrator is defined at a certain node, this is not visualized by an icon in the directory tree. Users and administrators can therefore be defined for specific nodes without interrupting the inheritance. With Activate inheritance a computer (or all computers of an AD node) can be reintegrated into inheritance. At this point all settings that were defined directly at that node are replaced by the inherited values of the parent node.

8.8 Adding Domains
By default, the administration console of CryptoPro Secure Disk for BitLocker displays the domains that are accessible with the credentials of the central administration service. The menu item CA | Add domain allows additional domains to be added.

Domain This field has to contain the name of the domain that should be added.
Include subdomains automatically This option automatically includes all subdomains of the newly added domain.

Use existing service credentials If this option is selected, access to the Active Directory of the added domain is performed with the user account defined for the central administration service. This account has to have read privileges for the Active Directory of the domain. HINT! If this option is not selected, the credentials of a privileged user account have to be provided in Username, Password and Confirmation.

Username This field has to contain the user name of an account that has read privileges for the Active Directory of the chosen domain. HINT! Input to this field is only necessary if Use existing service credentials is not activated.

Password This field has to contain the password of an account that has read privileges for the Active Directory of the chosen domain. HINT! Input to this field is only necessary if Use existing service credentials is not activated.

Confirmation This field has to contain the password that was entered in Password. HINT! Input to this field is only necessary if Use existing service credentials is not activated.

8.9 Removal of Domains
Domains can be removed by privileged central administrators. The domain will subsequently no longer be displayed. For this purpose, open the context menu with a right mouse click on the domain entry in the Active Directory tree view. The menu entry Remove domain removes the node.

HINT! Domains can be added again at a later time. Clients that are already configured can be administered again in that case.

8.10 Search computers in the Active Directory tree
To facilitate finding client computers in large Active Directory environments, the administration console of CryptoPro Secure Disk for BitLocker offers a search for client computers. Directly above the Active Directory tree there is an input field where the name (or part of the name) of the wanted computer can be entered.

HINT! Wildcards ('*') are supported.

By pressing the magnifier (at the right side) the search is started.

If the search is not successful, the search field is bordered red. If the search has exactly one hit, the computer tree is expanded so that the found client is visible, and the found client is selected for administration. If the search has more than one hit, the search field is converted into a combobox that contains all search results.

HINT! The search starts at the currently selected node. In this way the duration and the result count can be limited. If a search returns no result, please make sure that you have selected the right start node.

8.11 Administration of additional service instances
Different instances of the central administration service of CryptoPro Secure Disk for BitLocker can be installed in parallel on different computers. This can improve reliability or load distribution. If more than one instance of the central administration service is available, the client selects one instance at random. If a client computer cannot establish a connection to a service instance, it switches to another instance. To run several instances of the administration service, the administration install package (see "4 Installation | Uninstallation of the administrative components") has to be installed on different computers. When configuring the service (see "4.5 Configuration of the administration-service"), make sure that all instances of the service refer to the same database.

HINT! All instances of the central service have to refer to the same database. Data storage in several redundant databases is not directly supported by CryptoPro Secure Disk for BitLocker. Internal mechanisms of the database system can of course be used, as long as only one database instance is visible to the central administration service of CryptoPro Secure Disk for BitLocker.

To activate several service instances for the client-computers, the menu entry CA | Manage central services has to be selected.

All server instances that refer to the same database are listed. The column Enabled has to be used to enable an instance. A server can be designated as Master. A master server is responsible for various database operations, like synchronization with the Active Directory, releasing outdated client licenses and the daily integrity check.

HINT! By default, only the first server instance is enabled. Newly installed instances have to be enabled by a privileged administrator. If a helpdesk server has established a connection to the central service (via the helpdesk console), the helpdesk server also has to be activated centrally before it can access the central service. This can be done in the column Helpdesk. If this field is not accessible, the connection between Helpdesk and central service has probably not been established yet (see "16.2.4 Helpdesk connection with central database").

HINT! If the column Helpdesk is not visible, no connection from any Helpdesk server to the central database was established. Even if helpdesk service and central admin service run on the same computer, the connection has to be explicitly established.

8.11.1 Assign service-instances to Active Directory-node

Activated service instances can be assigned to Active Directory nodes (domains, OUs, computers). With this, all clients under that Active Directory node only connect to the assigned instances. The assignment can be done with the context menu in the Active Directory tree view (right mouse click). The menu item Assign central servers has to be chosen.

HINT! If more than one server is assigned to a node, the client computers decide at random which server instance they use. To provide reliability, more than one server can be assigned to a node.

HINT! If all assigned server instances are removed from a node, all available servers subsequently become valid for this node.

8.12 Administration of client licenses
The administration of client computers with the central administration components of CryptoPro Secure Disk for BitLocker requires a corresponding number of client licenses. At purchase you receive a license file. This license file has to be imported into the central administration. At the first call of the central administration, the user is requested to provide the license file.

The field File has to contain the full path of the license file. Then Apply has to be pressed.

HINT! The license dialog can be viewed at any time with Help | License. Licenses that were purchased at a later time can be activated here.

Beside the possibility to activate new licenses, the license dialog provides an overview of the already activated licenses.

Additionally, a time limit can be set after which used client licenses become available again when a CryptoPro Secure Disk for BitLocker client has been uninstalled. Alternatively, the license can be released in the administration: right-click on the computer in the Active Directory tree and select Release license in the context menu.

8.13 Central Configuration of computers
Apart from the inheritance (see "8.7 Inheritance of configuration settings"), the central configuration is done like the local administration (see "9 Configure application settings" and following chapters). The managed settings are valid for the computer that is selected in the Active Directory tree on the left side of the console. In contrast to the local administration, it has to be noted that configuration settings are not directly applied to the client computer. They are first passed to the central administration service and applied to the client computer at a later time. This can result in short-term differences between the desired and the actual configuration of the client computer, which is indicated by different colors of the client computers in the computer tree. Yellow means that the client has not yet applied the new configuration. Red means that the desired configuration could not be applied. With Show differences the differences between desired and actual configuration are displayed.

If the differences are caused by the fact that configuration settings of the computer were changed by an administrator with local administration, the desired settings of the computer, as defined in the central administration, can be restored with Overwrite local settings.

8.13.1 Context menu of administered computers
With the right mouse button, a context menu can be opened on an administered computer. Depending on the status of the client computer, the context menu can contain different items:

Overwrite local settings If a centrally administered client computer was exceptionally configured by local administration, the settings configured by local administration can be discarded with this menu item. The client computer is set to the centrally defined configuration settings. HINT! This option is only displayed if Advanced settings is selected in the menu.

Delete Settings This option deletes all settings of the selected computer.
Deactivate inheritance This option enables the configuration of non-inherited settings for a node (see "8.7 Inheritance of configuration settings").

Activate inheritance This option activates inheritance. Settings that were made directly at this node are discarded. All settings are inherited from the parent node (see "8.7 Inheritance of configuration settings").

Release license This menu item releases the according client license (see "8.12 Administration of client-licenses").

HINT! If the client computer is still active, a new client license is claimed at its next connection to the central service.

Assign central servers If more than one instance of the central server is configured (see "8.11 Administration of additional service-instances"), specific server instances can be assigned to specific client computers or OUs. The computers will then only connect to the assigned server instances.

Reset Helpdesk initialisation This option performs a new initialization of the helpdesk, according to the current settings.

Reset Friendly Network initialisation This option performs a new initialization of Friendly Network.

Enabled Self-Test This option activates the self test of the PBA. CAUTION! This option should only be activated if there are problems booting Windows after the PBA.

Generate new dr2 data This option creates new recovery data for the selected computer, according to the current settings.

Capture user Allows to capture PBA user accounts for the selected computer (see "7.3.2 The administration console in local mode").

Set transparent bootcounter This option opens a dialog to define a counter. The counter determines the number of system starts at which the target computer boots without PBA authentication. After the target computer has reached the defined number of transparent system starts, the PBA is re-activated automatically. CAUTION! With this option the PBA on the target computer is deactivated temporarily. For the defined number of system boots, no authentication is required. Note that the computer is not protected as long as the PBA is deactivated.

Status With this option the status of the computer can be displayed (see "7.3.2 The administration console in local mode").

Delete data encryption key on client With this option the data key of the selected computer is deleted. Consequently, the encrypted operating system can no longer be started.

HINT! This option provides a sub-menu that defines whether recovery data stored in the central database should be deleted or kept. CAUTION! This option makes the target system unusable. All data on the selected client computer will be lost.

Allow new TLS client certificate If mutual TLS is activated for the communication with the clients (see 25), each client requests a certificate from the server. For security reasons it is not allowed to receive another certificate once the client has already received one. If the client has to be re-installed (or repaired by the recovery console), it has to be explicitly allowed with this option that the client can get another certificate. HINT! This option is only displayed if the extended view is activated.

Convert to Smartphone user accounts With this option, all user accounts of the computer can be converted to smartphone accounts.

Initialization of the Smartphone Helpdesk With this option, all user accounts of the according computer can be initialized for the smartphone helpdesk.

8.14 Reporting
CryptoPro Secure Disk for BitLocker supports the generation of reports to get an overview of the number and encryption state of the installed clients. In general there are three different kinds of reports:

Client Status Number and encryption states of installed clients.
Administrative activities Activities of central administrators like logon or configuration of specific settings.

Helpdesk reports List of helpdesk actions.

HINT! The menu item CA | Reporting is only visible, if the current administrator has the right to manage reports.

8.14.1 Administrative activities
Administrative activities, like definition of configuration settings or adding administrators, are logged by CryptoPro Secure Disk for BitLocker. They are visible via the menu item CA | Reports | Activities | Central Service.

The entries are sorted descending by time. Each event has at least the following properties:

Time The time (UTC) at which the event occurred.
Event The event type.
Administrator The administrator that triggered the event.

Object The event target; this could be e.g. a computer, an OU or an administrator.
Details If there is additional information for the event, it can be displayed by clicking the symbol in that column.

By default, the first 50 events are loaded. If the list is scrolled to the bottom, the application loads the next entries automatically. Events can also be filtered. Filter options are: minimum / maximum time, event type, administrator or object. If administrator or object is selected, a substring of the required value can be defined. If the combobox of events, administrators or objects does not contain a specific value, there is no event in the database with this value.

The "Search" button loads the first 50 events that match the filter criteria. The button "reset filter options" deletes the current filter options; all events are then displayed unfiltered. The status bar at the bottom shows the total number of events based on the current filter options, and the number of already loaded events.

Event details

If there is additional information for an event, it is displayed in a separate window. This window can be opened by clicking the symbol in column "Details". The window shows, for example, the settings of a node:

The additional information of a new administrator are displayed in the following way:

Save events

To save the events to a CSV file, the button "Save events" has to be pressed. HINT! Not only the displayed events, but all events that match the filter criteria are saved. For each event with additional information, the CSV file contains multiple rows. Each row has a column eventID, which references the event.

HINT! The event labels etc. are not localized, and therefore differ from the displayed values in the administration console.

Delete events

Since the number of logged events can grow fast, it is possible to delete old events. With "Delete old entries from database" a window is displayed where the delete options can be specified.

There are two possible approaches:

Delete periodically A daily job can be configured that deletes old events. With "Apply" this job can be created or deleted. No events are deleted immediately by pressing "Apply".

Delete immediately With "Delete now" the matching events are deleted from the database.

The following delete options can be defined:

Older than days Deletes all events that were created longer than a certain number of days ago.

Keep last Deletes all events except a certain number of the newest events.

Older than Deletes all events that were created before a certain date.

HINT! Deletion of events will be logged as an own event, which cannot be deleted.

Logged events

The following events will be logged:
Logon Logon of a central administrator to the console.
Logoff Logoff of a central administrator from the console.
Admin added A new central administrator was created.
Admin changed Settings of a central administrator were changed.
Admin deleted A central administrator was deleted.
Settings changed Client settings on a node were changed or set.
Settings deleted Client settings were deleted, and inheritance was activated.
Local settings reset Client settings were overwritten with centrally defined values.
Server assigned to node A server was assigned to a domain / OU.
Server assignment reset All server assignments of a domain / OU were removed.
Server activation Activation of an additional central server.
Domain added/changed A new domain was added or changed.
Domain removed A domain was removed.
Server keypair exported The central key pair was exported as a backup.
Report events deleted Old report entries were deleted.
Recovery data exported Recovery data of a client were accessed centrally.
Self online recovery Online recovery was performed directly, without approval of a central administrator.
Online recovery granted An online recovery request was permitted.
Online recovery rejected An online recovery request was denied.
User password set The Single Sign On password of a smartcard user was set in Active Directory.
User password deleted The Single Sign On password of a smartcard user was removed from the database.

8.14.2 Helpdesk Report
Helpdesk instances that are connected to the central administration (registered and activated) send information about helpdesk activities to the central administration. This information can be displayed in a separate report.

Connecting a helpdesk instance with the central administration is described in "16.2.4 Helpdesk connection with central database".

The report can be opened with CA | Reporting | Activities | Helpdesk.

The following activities are reported:

Create/delete helpdesk operators
Change helpdesk operator privileges
Create/delete helpdesk instances
Logon/logoff of a helpdesk operator
Helpdesk cases including chosen options.

All helpdesk activities starting from the selected date are displayed in the list. Server and start date can be selected by the according comboboxes.

HINT! The list entries can be sorted by clicking on the column headers. The currently displayed activities can be stored to a file with the menu entry File | Save. The activities are stored in CSV format.

8.14.3 Status

CryptoPro Secure Disk for BitLocker supports report creation to get an overview of the number and state of encrypted client computers. The overview is displayed with CA | Reporting | Status | Central Service.

This overview shows the begin and end time of the last report. Additionally, the total number of installed clients is displayed, separated into computers that are already encrypted, computers that are currently in the encryption process, and the total number of installed clients.

HINT! If there was no report generated at all, or if the first report is not finished yet, 1.1.1970 is displayed as start- and end-date.

Status contains the state of the last report. Since report generation can take some time, a progress bar is displayed if report generation is currently in progress.

HINT! The report dialog can be closed during report generation. The report generation will not be cancelled in that case.

Report generation can be managed with 4 buttons (left to right):
Generate a new report A new report is generated. The progress is displayed.
Periodic reports The generation of new reports can be triggered periodically (daily, weekly, ...).
Configure external reporting database The report data can additionally be stored to a SQL Server database.
Save last report as csv-file The last report can be stored in CSV format (comma separated values) to a local file.

8.14.4 Periodical report generation
Reports can be generated automatically at a defined time. The defined settings are displayed in a separate dialog. With the menu item CA | Reporting and pressing the calendar button in the middle, the configuration dialog is opened.

The table shows the current settings. With the Plus button, new settings can be defined. The Delete button deletes the selected settings from the table. A single entry in the list can be activated or deactivated. Changes are saved after pressing Apply. Cancel closes the window and cancels all changes.

Time can be defined daily, weekly, monthly or user defined by entering a cron expression. By switching the time mode, the corresponding input fields are displayed. In Daily mode a time has to be entered. Weekly and Monthly additionally require the input of a day (weekday or day of month). With Apply, the entry is added to the table, but not yet saved in the central database.

INFO! The defined settings are internally stored as cron expressions. A cron expression is used to automate tasks that should be performed periodically. The cron expression is generated automatically and displayed in the table.

User defined allows more detailed settings by directly entering a cron expression. CryptoPro Secure Disk for BitLocker uses a slightly modified syntax. A detailed description of the syntax can be found at http://quartznet.sourceforge.net/tutorial/lesson_6.html

HINT! After adding or modifying entries, Apply has to be pressed, to save the settings to the central database.

8.14.5 Configure external database for reporting

Report data can optionally be stored to an external SQL Server database. It is also possible to use the central administration database.

Four new tables will be generated in the selected database:

SDReporting_ReportDbEntry Contains a list of client computers, including all data that would also be stored in a CSV formatted report (the format is described in the next section).

SDReporting_ReportDbUserEntry Contains a list of all users per client computer.
SDReporting_ReportStatistics Contains a summary of the last report.
SDReporting_VersionInfo Internal table for versioning of the report data.

With Configure external reporting database, the required settings for accessing the database can be configured. The settings are similar to the configuration of the central administration database. An instance of an already existing database has to be selected.

HINT! If no server and database name is visible, make sure that the SQL Server Browser service is running and that the firewall does not block this service. Server instance and database name can also be entered manually.

For authentication either a user name and password can be defined (Logon with given Username and password), or the credentials of the central administration service can be used (Logon with Windows Credentials).

8.14.6 Report format
A report can be stored as a file in CSV format (comma separated values). This format allows simple evaluation, e.g. in Excel. Each element is separated by a comma. The first row contains the column names; all subsequent lines contain the report data for a single client computer. The columns are:

Name Full client name including domain.

NodeState Client state related to the current configuration. Possible values:
  Ok Client is synchronized. In the administration console it is displayed in green.
  Pending Client does not have the latest settings. In the administration console it is displayed in yellow.
  Difference There are differences between the client configuration and the centrally defined configuration. In the administration console it is displayed in red.
  Unknown The client is not centrally administered. In the administration console it is displayed in grey.

InstallState The install state of the client. Possible values:
  Installed Client is fully installed.
  Unknown Client exists in the database, but is not centrally administered (e.g. if the license is released).

Version The current version of the client software.

StatusSentAt Last time the client sent its status to the central service.

ProfileReceivedAt Last time the client received its settings from the central service.

ProfileTimestamp Last time the client settings were changed centrally.

HasDifferences Is there a difference between the defined configuration and the current status?

Encrypted Is the client encrypted? ("yes", "no", "inProgress")

WakeOnLAN Is the client initialized for Friendly Network? ("yes", "no", "disabled")

OnlineHelpdesk Is the client initialized for Online-Helpdesk? ("yes", "no", "disabled")

OfflineHelpdesk Is the client initialized for Offline-Helpdesk? ("yes", "no", "disabled")

Dr2CentralAvailable Are recovery data for the client available centrally? ("yes", "no", "disabled")

Dr2InFolderAvailable Have recovery data for the client been stored to a folder? ("yes", "no", "disabled")

UserCount Number of (PBA) users on the client.

Path Path of the computer in Active Directory (domain and OUs).

LastUser Name of the last user who logged on at the client.

ReportedBy The identifier of the central database where the report entry originates. Used to separate report entries from different environments.

ServerListTimestamp Timestamp of the last change on the server list that the client applied.

Compliance Compliance state of the client ("Compliant", "NonCompliant").

SecureEraseState Information whether Secure Erase was performed during the action "Delete data encryption key on client".

EncryptionState Current state of the encryption process ("Plain", "EncryptionInProgress", "EncryptionPaused", "Encrypted", "DecryptionInProgress", "DecryptionPaused", "Unknown").

EncryptionPercent Encryption progress percentage of all drives that shall be encrypted.

EncryptionStartedAt Start time of the encryption process ("NULL" if encryption has not started yet).

EncryptionFinishedAt Finish time of the encryption process ("NULL" if encryption has not finished yet).

EAPCertAvailable A certificate for 802.1X was issued to the client. ("yes", "no", "disabled")

EAPCertNotValidAfter Date until which the 802.1X certificate is valid. "NULL" if there is no certificate on the client.
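The column layout above lends itself to automated review. As an added example (not part of the manual or of the product), the following Python script parses a constructed sample report that uses a subset of the listed columns and flags the clients a security operator would want to look at: a NodeState other than Ok, a NonCompliant compliance state, an EncryptionState other than Encrypted, missing central recovery data, a StatusSentAt older than a threshold, and an 802.1X certificate that is about to expire. The timestamp formats, the thresholds and the sample rows are assumptions; the manual does not specify them.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample report (not real data). It uses a subset of the columns
# described in the manual; the timestamp formats are assumptions.
SAMPLE_REPORT = """Name,NodeState,InstallState,Version,StatusSentAt,Encrypted,Compliance,EncryptionState,EncryptionPercent,Dr2CentralAvailable,EAPCertAvailable,EAPCertNotValidAfter
pc01.example.local,Ok,Installed,7.0,2020-03-01 08:00:00,yes,Compliant,Encrypted,100,yes,yes,2021-06-30
pc02.example.local,Difference,Installed,7.0,2020-03-01 08:05:00,inProgress,NonCompliant,EncryptionInProgress,42,yes,yes,2021-06-30
pc03.example.local,Pending,Installed,7.0,2020-02-01 08:00:00,no,NonCompliant,Plain,0,no,no,NULL
pc04.example.local,Unknown,Unknown,7.0,2019-12-01 08:00:00,yes,Compliant,Encrypted,100,yes,yes,2020-03-15
"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed format of StatusSentAt
DATE_FORMAT = "%Y-%m-%d"                # assumed format of EAPCertNotValidAfter


def parse_report(text):
    """Parse the CSV report; the first row carries the column names."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_time(value, fmt):
    """Return a datetime, or None for a missing value or the manual's "NULL" marker."""
    if value is None or value.strip() in ("", "NULL"):
        return None
    return datetime.strptime(value.strip(), fmt)


def check_client(row, now, stale_days=14, cert_warn_days=30):
    """Return a list of findings for one report row (an empty list means nothing to do)."""
    findings = []
    state = row.get("NodeState", "")
    if state != "Ok":
        findings.append(f"node state {state}")
    if row.get("Compliance") == "NonCompliant":
        findings.append("non-compliant")
    enc = row.get("EncryptionState", "")
    if enc != "Encrypted":
        findings.append(f"not fully encrypted ({enc}, {row.get('EncryptionPercent', '?')}%)")
    if row.get("Dr2CentralAvailable") != "yes":
        findings.append("no central recovery data")
    sent = _parse_time(row.get("StatusSentAt"), TIMESTAMP_FORMAT)
    if sent is None or now - sent > timedelta(days=stale_days):
        age = "never" if sent is None else f"{(now - sent).days} days ago"
        findings.append(f"stale status (last sent {age})")
    not_after = _parse_time(row.get("EAPCertNotValidAfter"), DATE_FORMAT)
    if not_after is not None and not_after - now < timedelta(days=cert_warn_days):
        findings.append(f"802.1X certificate expires {not_after.date()}")
    return findings


def check_report(text, now, **thresholds):
    """Map client name -> findings for every client that needs attention."""
    result = {}
    for row in parse_report(text):
        findings = check_client(row, now, **thresholds)
        if findings:
            result[row["Name"]] = findings
    return result


def check_sample():
    """Run the check over the constructed sample with a fixed reference time."""
    return check_report(SAMPLE_REPORT, datetime(2020, 3, 2))


if __name__ == "__main__":
    for name, findings in check_sample().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Point the script at a real report by replacing SAMPLE_REPORT with the file contents and passing the current time as the reference; the thresholds are keyword arguments so they can be tuned per environment.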

8.15 Export of the central keypair

CryptoPro Secure Disk for BitLocker uses a central keypair for authorization with the client computers. This keypair is essential for the communication between server and clients.

The keys can be exported in a password protected file and imported again during the server initialization with EDAAdminInit.exe. Even if you have a permanent loss of the SQL database the clients can still be managed by setting up a new database and importing this keypair.

Maintenance | Export server key pair exports the key pair of the CryptoPro Secure Disk for BitLocker servers for backup purposes. It enables a new installation with a new database with the same keys, so that existing clients can still be administered.

HINT! This menu item is only displayed in the extended view

CAUTION! The export of the keys can be restricted by defining a set of passwords (four-eyes principle). It is recommended to set those passwords after the installation via the admin console!


Press Manage authorization to protect the key export process with a four-eyes principle.


Define here the number of the needed passwords (0-5) that have to be entered before the export process. Then enter each password along with its confirmation.


9 Configure application settings

In contrast to all other administration pages of the administration console, the settings are structured in sub-pages. Those sub-pages are displayed if settings are selected.

9.1 General settings

The General settings include presentation and internationalization options.

9.1.1 PBA Settings

The PBA settings can be configured in this section.

Language The language of the PBA can be defined with this option.


Keyboard Layout The keyboard layout of the PBA can be defined here.

CAUTION! If the chosen keyboard layout does not match the physical keyboard, unintended input and thereby authentication problems may occur in the PBA!

Screen resolution This option allows configuring the screen resolution in the PBA.

PBA Audio Support The CryptoPro Secure Disk for BitLocker-PBA provides support for visually handicapped persons in form of audio output. This feature can be activated with this option.

Configure background image This switch determines whether the background image on the client should be changed.

Background image With this option a new wallpaper for the PBA can be established. Enter the full path of the background image file.

Authentication mechanism This option defines the default authentication mechanism of the PBA.

9.1.2 Authentication with User-ID and Password

This section supports configuration of password based user authentication.

Perform Active Directory check for UserID/Password accounts At a PBA authentication, a connection to the Active Directory can optionally be established to check the credentials. With this option, the Active Directory password check can be activated. If the user's domain password was changed since the last login to this computer, the user can log on with his new password. The changed password will be updated in the PBA.

HINT! For the Active Directory check a network connection to the central administration service is required.

Check Active Directory for unknown password accounts This setting defines that for accounts that do not yet exist in the PBA, an according Active Directory check will be performed. If this check is successful, the according account will be created within the PBA. With this option it is possible to log on to the PBA with a valid domain account, even if this account does not exist in the PBA.

Captured password accounts should have SSO credentials If Check Active Directory for unknown password accounts is activated, at each logon with valid domain credentials that do not correspond to a PBA account, a new PBA account is captured. This option defines if PBA accounts which are captured that way should get SSO credentials. If the option is activated, the credentials of the user are stored in encrypted form with the account. In a helpdesk case the SSO credentials enable the usage of the helpdesk SSO mechanisms of CryptoPro Secure Disk for BitLocker. More information about SSO data can be found at "12.2 Add / Change user accounts with the context menu".


Check Active Directory before local cache This setting defines, if in the case of an existing PBA account, the Active Directory-check should be performed in any case, or just if the authentication fails with the locally cached credentials.

9.1.3 Authentication with Smartcard

This section supports configuration of smartcard based user authentication.

Perform Active Directory check for certificate accounts At a PBA authentication, a connection to the Active Directory can optionally be established to check the logon certificate. With this option, the Active Directory check can be activated. If the keys have changed since the last login to this computer (e.g. by issuing a new certificate), the user can log on with his new credentials. The changed credentials will be updated in the PBA.

HINT! For the Active Directory check a network connection to the central administration service is required.

Check Active Directory for unknown certificates This setting defines that for certificate accounts that do not yet exist in the PBA, an according Active Directory check will be performed. If this check is successful, the according account will be created within the PBA. With this option it is possible to log on to the PBA with a valid domain account, even if this account does not exist in the PBA. An according certificate based PBA account will be created at every successful smartcard based logon to Windows, as long as the account does not already exist.

HINT! This is also the case for virtual smartcards, if virtual smartcard accounts are allowed. If a virtual smartcard based account is created, the user has to re-enter his PIN in a separate dialog.

Captured certificate accounts should have SSO credentials If Check Active Directory for unknown certificates is activated, at each logon with valid domain certificates that do not correspond to a PBA account, a new PBA account is captured. This option defines if PBA accounts which are captured that way should get SSO credentials. If the option is activated, the password credentials of the user are stored in encrypted form with the account. In a helpdesk case the SSO credentials enable the usage of the helpdesk SSO mechanisms of CryptoPro Secure Disk for BitLocker. More information about SSO data can be found at "12.2 Add / Change user accounts with the context menu".

Check Active Directory before local cache This setting defines, if in the case of an existing PBA account, the Active Directory-check should be performed in any case, or just if the authentication fails with the locally cached credentials.

9.1.4 Smartphone Active directory users

Configuration of the smartphone based user authentication.

Use smartphone for captured AD password accounts With this option, a password based user which is captured via Active Directory check will be converted to a smartphone user.


HINT! If the conversion to a smartphone user fails or is canceled, the conversion will be done at the next logon with this user account.

Use smartphone for captured AD smartcard accounts With this option, a smartcard based user which is captured via Active Directory check will be converted to a smartphone user.

HINT! If the conversion to a smartphone user fails or is canceled, the conversion will be done at the next logon with this user account.

Force immediate conversion of new user account to a smartphone account This option makes sure that, in case of a failed or canceled conversion into a smartphone account, the original (unconverted) account cannot be used to perform a PBA logon.

HINT! This user account can only be used for PBA logon if the conversion to a smartphone account was successful.

Helpdesk with smartphone enabled for new AD users With this option, a user account which is captured via Active Directory check will be initialized for smartphone helpdesk.

9.1.5 Antivirus settings

This section supports configuration of antivirus functionality.

Activate PBA virus scanner Activates or deactivates the virus scan functionality of Desinfect for the selected client.

HINT! Note that if this option is not activated for a client, all settings in the Desinfect console become ineffective for the selected client!

HINT! Note that if this option is activated, a client license for Desinfect will be used by the selected client computer.

Virus scanner only mode Defines if the selected client computer should only use the functionality of Desinfect (if this option is activated) or additionally uses the CryptoPro Secure Disk for BitLocker PBA and encryption (if this option is deactivated).

HINT! If the option Virus scanner only mode is activated, a virus scan is only possible if the client computer is connected to the central service of CryptoPro Secure Disk for BitLocker.

HINT! If the option Virus scanner only mode is activated, the CryptoPro Secure Disk for BitLocker PBA is deactivated. In this case all other settings of the CryptoPro Secure Disk for BitLocker administration console except network settings and Desinfect activation are ineffective (see "22.2 Network settings of Desinfect").

HINT! If the option Virus scanner only mode is activated, but at the same time CryptoPro Secure Disk for BitLocker is configured for an encryption of the client computer, this encryption will not be performed by CryptoPro Secure Disk for BitLocker. Therefore the according clients will be displayed in red color in the console.

For more information concerning Desinfect functionality see "22 Desinfect - Anti Virus".

9.2 Smartcard

The PBA optionally supports smartcard based authentication. PBA smartcard usage can be configured on this page.

9.2.1 Smartcard

These options allow configuring the usage of smartcards at PBA authentication.

P11 Module PKCS #11 modules are used to access smart cards. Depending on the software or the manner in which a smart card has been issued, the corresponding PKCS #11 module has to be used for access. This option specifies which PKCS #11 module shall be used to access the smart cards in use.

HINT! The auto setting allows generic access, where internally all available PKCS #11 modules are tried until a smartcard access succeeds.

Key usage list This list defines which certificates the PBA uses for authentication. The PBA takes the first matching certificate on the smartcard for authentication. A certificate matches if it has any of the defined key usages.

9.3 Friendly Network

On this page the options for Friendly Network can be configured.

9.3.1 Friendly Network

Here, the Friendly Network settings can be defined.

Enable Friendly Network This option determines whether the computer can boot automatically using Friendly Network if required.

Enable Secure Software Distribution This option determines whether the computer can boot automatically using Secure Software Distribution if required.

Enable Friendly Network-Only mode This option specifies if the computer should be started only via Friendly Network. If this mode is activated, the PBA tries to start the client computer via Friendly Network. If this attempt fails (e.g. because of missing Friendly Network configuration or missing network connectivity), no logon screen is displayed in the PBA, but the PBA continues to try starting the client computer via Friendly Network.

HINT! CryptoPro Secure Disk for BitLocker normally ensures that at least one valid PBA user account exists on the client computer. This prevents a situation in which it is impossible to log on with a valid account. In Friendly Network-Only mode CryptoPro Secure Disk for BitLocker does not make sure that there is at least one valid PBA account. Therefore it is possible to configure a client computer in a way that there is no PBA user account, and even all PBA account types might be disabled (see "15.3 Client Security").

CAUTION! In Friendly Network-Only mode it is not ensured that there is at least one valid PBA user account. If, with this configuration, the Friendly-Network-mechanism does not work (e. g. because of network problems) it is impossible to start the client-computer!

HINT! In Friendly Network-Only mode it is not mandatory to create a PBA user account, but it is possible to define one or more PBA accounts. If a client in Friendly Network-Only mode has at least one valid user account, it is possible to get to the logon screen by pressing Shift-Ctrl-F6 in the PBA. This allows starting a computer which is in Friendly Network-Only mode, even if Friendly Network does not work.

Friendly Network Secure Software Distribution tries to connect to the Friendly Network Service after a specified period of time without user interaction in the PBA login screen. This period of time can be defined with this option.

9.4 Recovery management

This page supports configuration of the Emergency-Recovery functionality.


9.4.1 Recovery

This page supports the configuration of Recovery. CryptoPro Secure Disk for BitLocker Recovery provides emergency mechanisms if the encrypted operating system is no longer able to boot because of software or hardware damage.

Save to local recovery store Recovery information is used for repair and data recovery in case of emergency. This option defines if recovery information should be stored locally on the computer. If this option is activated, recovery information is stored locally in encrypted form. If, in case of emergency, the PBA itself is still intact, the local recovery data can be used for recovery.

CAUTION! To use the local recovery information, a local administrator or recovery operator has to log on.

CAUTION! Since under certain circumstances the CryptoPro Secure Disk for BitLocker PBA itself can be damaged, the local recovery data cannot be used in every case. Therefore recovery data are additionally available via central administration. If a computer is not centrally administered, recovery data should always be stored centrally, to avoid data loss.

Save to central recovery store This option defines if recovery information is stored centrally. For this option the central recovery service has to be installed and initialized. This service collects and stores the recovery data of all client computers.

HINT! Especially if random keys are used, the recovery information of all clients has to be available. This option supports the collection of recovery information in a central place.

CAUTION! Since the CryptoPro Secure Disk for BitLocker PBA itself could be damaged, the local recovery data cannot be used in every case. Therefore recovery data are additionally available via central administration. If a computer is not centrally administered, recovery data should always be stored centrally, to avoid data loss.

Save to Folder This option determines whether the emergency information created for this computer will be stored in a defined directory. The destination folder itself is defined in an additional option. The recovery information is stored in encrypted form, to which only security administrators and recovery operators have access.

HINT! Especially when using randomly generated keys, the emergency information of each computer has to be available in an emergency case. This option supports the collection of all emergency information in one place.

Folder to save DR2 in If it was determined that the emergency information shall be copied to a central directory (Save to folder), this option defines the full path of the destination directory. The folder must already exist. By default, the file name of the recovery information is derived from the computer name, date and time. The name can be changed using the advanced settings. If the option is activated but no destination folder is specified, the recovery file is stored in the data folder of the client management application (usually ProgramData\SecureDisk\Client). The destination folder can be located on a network path. In this case a user name, domain and password can optionally be specified to define an authorized user account for the destination folder. Otherwise the recovery file is copied via a local service that does not run under the current user account. If the target folder is a network path it should be specified in UNC format (\\Servername\Share\Path).

HINT! This option specifies only the path of the directory. The file name is generated automatically from machine name, date and time.

Username (for remote file access) With this option, the user ID of a privileged user account can be specified. This user account is used to copy the recovery information file to the specified target directory.

HINT! This option can be used if the destination folder requires special rights.

Domain (for remote file access) With this option, the domain of a privileged user account can be specified. This user account is used to copy the recovery information file to the specified target directory.

HINT! This option can be used if the destination folder requires special rights.

Password (for remote file access) With this option, the password of a privileged user account can be specified. This user account is used to copy the recovery information file to the specified target directory.

HINT! This option can be used if the destination folder requires special rights.

10 Smartphone

This section configures settings for smartphone accounts.

10.1 Device and App security

This section provides configuration settings for device and app security of smartphone accounts.

Smartphone protection required This option defines if the CryptoPro Secure Disk Authenticator smartphone app requires an activated device protection on the phone.


Smartphone app password required This option defines if the CryptoPro Secure Disk Authenticator smartphone app requires its own password.

11 Helpdesk

The settings for the help desk functionality can be configured with these options.

11.1 Limitations

The options of a Helpdesk operator can be limited in this section.

Challenge Response Length A help desk action is performed using a challenge-response procedure. Challenge and Response are encrypted and coded values that must be transmitted by telephone as strings. With this option the length of these strings can be defined. Possible values are full (full length, 80 characters), long (65 characters), medium (50 characters) and short (30 characters). The longer the Challenge and Response, the longer the key, and thus the higher the security.

CAUTION! For security reasons it is recommended to use the full length of Challenge and Response.


11.2 Helpdesk

These options allow configuring the helpdesk.

Enable online helpdesk If a network connection exists, the transfer of Challenge and Response in case of a helpdesk action can be done via the network. In this case, the corresponding values are not exchanged by telephone. Here it can be determined whether the option of the online help desk is activated.

Enable offline helpdesk Here you can specify whether the offline help desk (via phone) shall be activated. CAUTION! It is recommended that you enable this option. If this option is disabled, there may be cases where no help is possible.

Online helpdesk URL For the online help desk, the appropriate help desk service has to be installed on a computer that is reachable via a defined URL over the network. The URL of the helpdesk service can be defined with this option. CAUTION! Specifying the correct URL of the help desk is necessary to handle the online help desk. If the help desk service at the specified URL is not accessible, an offline-Helpdesk is carried out.

11.3 Helpdesk Texts

During a helpdesk action there is some individual text that is displayed to the user. This section supports the configuration of the individual helpdesk text.

Online helpdesk text1 When a user in the PBA performs an online help desk action, he is guided by a reference text. Here, this individual text can be specified.

Online Helpdesk text2 When a user in the PBA performs an online help desk action, he is guided by a reference text. Here, this individual text can be specified.

Offline Helpdesk text1 When a user in the PBA performs an offline help desk action, he is guided by a reference text. Here, this individual text can be specified.

Offline Helpdesk text2 When a user in the PBA performs an offline help desk action, he is guided by a reference text. Here, this individual text can be specified.


12 UserManagement

User accounts for the CryptoPro Secure Disk for BitLocker PBA can be created in different ways.

Create a PBA user with the administration console (pre-distributed user account). In this case a user account is created in the administration console and distributed with the mechanism of CryptoPro Secure Disk for BitLocker (central administration, script based administration) to the client computer. Details for pre-distributed user accounts can be found in chapter "12.2 Add / Change user accounts with the context menu".

HINT! This procedure is used for scenarios where one or a few user accounts should be created on many client computers.

Automatic creation of user accounts at the client computer (capturing). In this case the client computer will be set to a status where you have the one-time opportunity to create a user account by entering new logon credentials. Detailed information on user capturing can be found under "12.3.1 Initial User Capturing".

HINT! This process is used if different user accounts should be created on a larger number of computers.

Automatic creation of user accounts with activated Active Directory check. This is a special form of user capturing. If on a client computer the Active Directory check for unknown userID/password accounts resp. the Active Directory check for unknown certificates (see "9 Configure application settings") is activated, with every successful Windows logon an according PBA user account is automatically created, if it does not exist yet.

Automatic creation of a user account with the helpdesk. This form is also a special case of user capturing. In this case the client computer is set to the capturing status not via the administration console, but via the helpdesk (see "16.2.3 Helpdesk for a client").

12.1 User management in the administration console

Here you can manage user accounts of the CryptoPro Secure Disk for BitLocker PBA.


In this table all user accounts of the managed client-computer will be displayed.

Column Name shows the user name, if it is a password user.
Column Domain shows the domain name, if it is a password user. If it is a password user who is only valid on the PBA, the value [PBA] is displayed.
Column DN shows the Distinguished Name of the certificate, if it is a certificate user.
Column PW visualizes whether this is a password user.
Column SC visualizes whether this is a certificate user.
Column FP visualizes whether this is a fingerprint user.
Column Smartphone visualizes whether this is a smartphone user.
Column SSO visualizes whether Single Sign On data should be stored for this user account.
Column Helpdesk visualizes whether this user account is initialized for the helpdesk.
Column Smartphone Helpdesk visualizes whether this user account is initialized for the smartphone helpdesk.
Column Local User visualizes whether this is a local user. This user was captured directly on the client computer and not via central administration.

INFO! This column is only displayed if the administration console is running in central mode.


By clicking the right mouse button in the user table, a menu opens which allows adding, changing or deleting users.

12.2 Add / Change user accounts with the context menu

With Add User resp. Change User a window opens to edit the user data.

Password defines that this is a password based user.

Certificate defines that this is a certificate based user.

Fingerprint defines that this is a fingerprint based user.

Automatic capturing of Windows credentials for SSO defines that for the specific user, Windows credentials for Single Sign On shall be captured automatically. The credentials captured are those used for the password-based Windows logon which is executed directly after the first PBA authentication of the specific user account. Username, domain and password of the Windows logon are saved in encrypted form with the PBA account. This data can be used for a Windows Single Sign On: after successful authentication at the PBA, a Windows logon without any user entries is performed. So it is possible to link a password-based Windows account with a PBA account. The PBA account type (password, smartcard, PKCS#12, fingerprint) is not relevant. In principle every PBA account can have password-based Windows Single Sign On data.

HINT! If the PBA account is based on Windows credentials, capturing Single Sign On data is a special case. The SSO data of this type of account are always identical to the original PBA logon credentials. Therefore a Windows SSO is possible without SSO data. However, it is recommended to capture SSO data for this type of user account, as they are required to initialize the user account for the helpdesk.

CAUTION! The SSO data are used for Windows SSO and for helpdesk scenarios. If no SSO data are stored for a PBA user account, the account cannot be initialized for the helpdesk. In this case the user can perform a PBA authentication via helpdesk, but he has to perform an explicit Windows logon after passing the PBA. If the PBA account has been initialized for the helpdesk, an automatic Windows logon is executed in a helpdesk case. To use this helpdesk functionality it is required to store the SSO data, even if Single Sign On is not used in normal cases. More details on the helpdesk functionality can be found under "16.2.3 Helpdesk for a client".

Force immediate conversion of user account to a smartphone user defines, that the user account shall be converted to a smartphone user. CAUTION! If the conversion to a smartphone user fails, the account cannot be used any longer for PBA authentication.

Helpdesk with smartphone enabled defines, that the account shall be initialized for smartphone helpdesk.

In case of a password-based User, the second tab of the user page looks like:


Username displays the user name of the account.

HINT! With the corresponding button you can import the data of a domain account from the Active Directory.

Domain displays the domain of the user account.
Password contains the specific password.
Confirmation is used to confirm the password.
PBA-Only user specifies if this is a PBA-Only user or a Windows user.
capture fingerprint for this account defines if, in addition to the password, a fingerprint for this account should be captured.


In the case of a certificate-based user, the second tab of the user page looks like this:

Distinguished name contains the Distinguished Name (DN) of the user certificate. Import from Active Directory allows you to import a certificate-based account from Active Directory. Import from P12 file allows you to import a certificate-based account from an existing PKCS#12 file or from a certificate file. Smartcard required defines whether a smartcard must be used for the logon, or whether the logon can also be done with a PKCS#12 file. Allow user to use recovery data defines whether this user should be a recovery operator (see "20 Emergency recovery").


12.3 User capturing Instead of entering the logon credentials for new user accounts directly, in this section you can define actions that allow a user to be captured automatically on the target computer. The user who performs the very next logon after the target computer has been set to this mode is able to capture a new user account. Capture opens a dialog in which the automatic capturing of users is configured.

12.3.1 Initial User Capturing Here you define the options for the automatic capturing of users. CAUTION! The opportunity for automatic user capturing exists for one logon only. If the creation of the user account fails, or if you log on with an existing account instead of creating a new one, you cannot automatically capture a new user account later on until the security administrator re-activates the capturing mode. INFO! This option can be used for the roll-out of larger numbers of computers. With a single administrative action, multiple computers can be set to the capturing status, in which new password-based user accounts are created automatically, so that at every computer the dedicated end user can create his account himself.


Capture a user with Windows credentials Here you can set the computer into a mode in which a user can be captured automatically at the next start. In this mode the user does not have to authenticate at the PBA, but passes directly to the logon of the operating system, where a correct logon with an existing Windows user account must be done. The logon credentials (username, domain, password) are transferred to the PBA, so a new PBA user is created automatically whose logon credentials are the same as those used for the Windows logon. HINT! The status in which the automatic capturing is possible is active for a single logon attempt only. Regardless of whether a user has been captured or not, this mode is switched off after the logon. If a normal logon is executed at this stage without capturing a new user, the capturing option for a new user is turned off.

Capture a password user only for the PBA (NO Windows credentials) Here you can set the computer into a mode in which a user can be captured automatically at the next start. In this mode the user does not have to authenticate at the PBA, but can directly enter new credentials (user ID, password), and a new user account is created. This account is only valid in the PBA; an automatic logon to Windows is not possible with it. HINT! The status in which the automatic capturing is possible is active for a single logon attempt only. Regardless of whether a user has been captured or not, this mode is switched off after the logon. If a normal logon is executed at this stage without capturing a new user, the capturing option for a new user is turned off.

Capture a Smartcard-User Here you can set the computer into a mode in which a smartcard user can be captured automatically at the next start. In this mode the user does not have to authenticate at the PBA, but can present an (already issued) smartcard for which no account exists yet on this computer. By entering the correct PIN, a new certificate-based user account is created. HINT! The status in which the automatic capturing is possible is active for a single logon attempt only. Regardless of whether a user has been captured or not, this mode is switched off after the logon. If a normal logon is executed at this stage without capturing a new user, the capturing option for a new user is turned off.

Capture a virtual smartcard-user Here you can set the computer into a mode in which a virtual smartcard user can be captured automatically at the next start. In this mode the user does not have to authenticate at the PBA, but passes directly to the logon of the operating system. If an existing Windows virtual smartcard is used for that logon, a corresponding virtual-smartcard-based PBA account is created.

HINT! When the virtual smartcard account is created, the user has to re-enter the PIN in a separate dialog.

HINT! The account is only created if no other certificate-based account with the same distinguished name exists, even if the existing account is a physical rather than a virtual smartcard. Accounts with an identical DN, whether physical or virtual smartcard, are not supported.

HINT! The status in which the automatic capturing is possible is active for a single logon attempt only. Regardless of whether a user has been captured or not, this mode is switched off after the logon. If a normal logon is executed at this stage without capturing a new user, the capturing option for a new user is turned off.

Capture a PKCS#12-User Here you can set the computer into a mode in which a PKCS#12-based user can be captured automatically at the next start. A PKCS#12-based user is a certificate-based user whose certificate and private key are not on a smartcard, but are stored in a password-protected PKCS#12 file. To use this file for a certificate-based logon, it must be saved to a USB stick.


In this mode the user does not have to authenticate at the PBA, but must use a PKCS#12 file that is not assigned to an existing user account in order to create a new account. By entering the correct password, a new certificate-based PKCS#12 user account is created. HINT! The status in which the automatic capturing is possible is active for a single logon attempt only. Regardless of whether a user has been captured or not, this mode is switched off after the logon. If a normal logon is executed at this stage without capturing a new user, the capturing option for a new user is turned off.

Capture fingerprint Only user Here you can set the computer to a status in which a fingerprint user account can be captured automatically at the next start. This account needs only the fingerprint for the logon. In this mode the user does not have to authenticate at the PBA, but can create a new user account initialized with his fingerprint. CAUTION! User accounts based only on a fingerprint are not recommended for security reasons! Use a password-based account that additionally uses a fingerprint instead. HINT! When capturing a fingerprint it is not possible to check whether this fingerprint is already assigned to an existing account. It is therefore possible to capture multiple accounts that are all assigned to a fingerprint of the same person. HINT! The status in which the automatic capturing is possible is active for a single logon attempt only. Regardless of whether a user has been captured or not, this mode is switched off after the logon. If a normal logon is executed at this stage without capturing a new user, the capturing option for a new user is turned off.

Capture fingerprint additionally to a Win Credential or PBA password-user Here you can set the computer to a status in which a fingerprint for an existing password-based user account can be captured automatically at the next start. If a logon with a password-based account is done in this mode, the user must capture a fingerprint in addition to the password. For the logon with this account, both the password and the fingerprint must be correct. Optionally the fingerprint can take the place of the user ID: after presenting the fingerprint the specific account is found, and only the password has to be entered. HINT! The user account must already exist in order to capture an additional fingerprint. An exception is the password-based PBA-only user account: such accounts can be captured in one step together with an additional fingerprint. For this, the capturing of a password user only for the PBA as well as the capturing of an additional fingerprint for a password user have to be activated. HINT! The status for capturing a fingerprint is active for a single logon attempt only. Regardless of whether a fingerprint has actually been captured, this mode is switched off after the logon. If, for example, a certificate-based logon is executed in this mode, the possible capturing of a fingerprint is deactivated.

Account should have Windows-credentials for Single Sign On For every PBA account, optionally the password, user ID and domain of a specific Windows account can be captured. These values are required for the automatic Windows logon (SSO) after the authentication at the PBA; it is irrelevant whether the PBA account is password-, certificate- or fingerprint-based. With this option you activate the status in which Windows credentials can be captured for an existing PBA account. For a newly captured account, Windows SSO credentials are captured in addition: the Windows credentials used for the Windows logon right after capturing the new user are automatically assigned to the newly captured PBA user as its Windows SSO credentials. Subsequently the Windows logon of this account can be done automatically with these credentials (SSO), according to the SSO configuration. More information on Single Sign On data can be found at "12.2 Add / Change user accounts with the context menu". HINT! If Windows credentials already exist for the specific account, or if it is a PBA account with Windows credentials, no new SSO credentials are captured. HINT! The status in which Windows credentials can be captured is active for a single logon attempt only. Regardless of whether Windows credentials have been captured, this status is switched off after one logon. If, for example, a logon with an account that already had Windows credentials is done in this status, the option to capture new Windows credentials is deactivated.

Convert captured user to a smartphone user With this option the captured user is converted to a smartphone user. HINT! If the captured user is an account with Windows credentials, the user is captured at his next Windows logon; the initialization as a smartphone user is done at his next logon to the PBA.

Init captured user for smartphone helpdesk With this option the captured user is initialized for the smartphone helpdesk. HINT! If the captured user is an account with Windows credentials, the user is captured at his next Windows logon; the initialization for the smartphone helpdesk is done at his next logon to the PBA.
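The rules of this section, as an added Python model written for this manual page (it is not code from CryptoPro Secure Disk for BitLocker): the capture mode is consumed by exactly one logon whatever its outcome, a certificate account whose distinguished name already exists is refused, and a PBA-only password user can be captured together with a fingerprint in one step only when both capture options are active. The class and field names, the shape of the logon event dictionaries and all sample accounts and credentials are assumptions.

```python
"""Model of the one-shot user capturing mode of section 12.3.

Added example for this manual page, not the product's own code. The class and
field names, the shape of the logon event dictionaries and all sample data are
assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CaptureOptions:
    windows_credentials: bool = False   # "Capture a user with Windows credentials"
    pba_only_password: bool = False     # "Capture a password user only for the PBA"
    certificate: bool = False           # smartcard, virtual smartcard or PKCS#12 user
    fingerprint_only: bool = False      # "Capture fingerprint Only user" (not recommended)
    extra_fingerprint: bool = False     # fingerprint in addition to a password user


@dataclass
class PbaUserStore:
    accounts: dict = field(default_factory=dict)   # user name or DN -> account
    capture: Optional[CaptureOptions] = None       # None: capture mode is off

    def arm_capture(self, opts: CaptureOptions) -> None:
        """The security administrator puts the computer into capture mode."""
        self.capture = opts

    def next_logon(self, event: dict) -> Optional[dict]:
        """Handle the first logon after arming.

        The capture window is closed before anything else happens, so it is
        consumed by exactly one logon, whether or not an account gets created.
        Returns the new account, or None if nothing was captured.
        """
        opts, self.capture = self.capture, None
        if opts is None:
            return None
        kind = event.get("kind")
        if kind == "windows" and opts.windows_credentials:
            return self._add(event["user"], "windows",
                             domain=event["domain"], password=event["password"])
        if kind == "pba_password" and opts.pba_only_password:
            acct = self._add(event["user"], "pba_only", password=event["password"])
            # A PBA-only user can be created together with its fingerprint in one
            # step, but only when both capture options are active.
            if acct is not None and opts.extra_fingerprint and "fingerprint" in event:
                acct["fingerprint"] = event["fingerprint"]
            return acct
        if kind == "certificate" and opts.certificate:
            # Accounts with an identical DN are not supported, no matter whether
            # the existing one is a physical or a virtual smartcard.
            return self._add(event["dn"], "certificate",
                             virtual=event.get("virtual", False))
        if kind == "fingerprint" and opts.fingerprint_only:
            return self._add(event["user"], "fingerprint_only",
                             fingerprint=event["fingerprint"])
        return None   # an ordinary logon with an existing account: nothing captured

    def _add(self, name: str, kind: str, **attrs) -> Optional[dict]:
        if name in self.accounts:
            return None   # creation fails; the capture window stays closed
        acct = {"name": name, "kind": kind, **attrs}
        self.accounts[name] = acct
        return acct


def demo() -> dict:
    """Constructed scenario covering the rules above."""
    store = PbaUserStore()
    # Alice already has a physical smartcard account on this computer.
    store.accounts["CN=Alice"] = {"name": "CN=Alice", "kind": "certificate", "virtual": False}
    results = {}

    store.arm_capture(CaptureOptions(windows_credentials=True))
    results["captured"] = store.next_logon(
        {"kind": "windows", "user": "bob", "domain": "CORP", "password": "constructed"})
    # The window is closed: the very next logon captures nothing.
    results["closed"] = store.next_logon(
        {"kind": "windows", "user": "carol", "domain": "CORP", "password": "constructed"})

    store.arm_capture(CaptureOptions(certificate=True))
    # Virtual smartcard whose DN already exists as a physical card: refused.
    results["dn_clash"] = store.next_logon(
        {"kind": "certificate", "dn": "CN=Alice", "virtual": True})

    store.arm_capture(CaptureOptions(pba_only_password=True, extra_fingerprint=True))
    results["one_step"] = store.next_logon(
        {"kind": "pba_password", "user": "dave", "password": "constructed",
         "fingerprint": "template-bytes (constructed)"})
    results["accounts"] = sorted(store.accounts)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of closing the window before the logon is evaluated is that no failure path (wrong account type, DN collision, missing data) can leave the computer armed; re-arming always needs the administrator, exactly as the CAUTION in 12.3.1 describes.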


13 Administrate local Administrators

Here you can manage local administrators and their administrative privileges. Local administrators can administrate client computers according to their assigned rights, via the local administration console or via scripts.

13.1 Privileges In this section you can manage administrative rights of local Administrators.

General Settings This option defines if the selected security administrator has the right to change the general settings.

Advanced settings This option defines if the selected security administrator has the right to change the advanced settings.

Client security settings This option defines if the selected security administrator has the right to change the client security settings.


Profile processing settings This option defines if the selected security adminis- trator has the right to change the profile settings.

Helpdesk settings This option defines if the selected security administrator has the right to change the helpdesk settings.

Smartcard settings This option defines if the selected security administrator has the right to change the smartcard settings.

SSO settings This option defines if the selected security administrator has the right to change the SSO settings.

Log settings This option defines if the selected security administrator has the right to change the logging Settings.

Friendly Network settings This option defines if the selected security administra- tor has the right to change the Friendly Network Settings.

802.1X Settings This option defines if the selected security administrator has the right to change the 802.1X configuration settings.

User management This option defines if the selected security administrator has the right to manage user accounts.

Administrator management This option defines if the selected security administrator has the right to manage security administrator accounts. CAUTION! An administrator with this right can assign every other privilege listed here to an administrator account, including his own, so this right amounts to full administrative control and should be granted sparingly.

Encryption settings This option defines if the selected security administrator has the right to manage the encryption.

Recovery settings This option defines if the selected security administrator has the right to perform recovery management.


14 Encryption

This section supports administration of encryption options.

14.1 Drives This page is used to administrate the encryption options.

Drives Here you can define the encryption settings for specific hard drives. Possible settings are encrypt all, all plain and individually. With individually you can define for every drive within the list whether it should be encrypted or not.

Encrypt With this button you can define the selected drive to be encrypted.

Decrypt With this button you can define the selected drive to be plain.


Remove selected With this button the selected drive is removed from the drive list.

HINT! This button is only visible in script mode

Add Drive With this button the selected drive is added to the drive list.

HINT! This button is only visible in script mode

14.2 Encryption Key and Settings This page is used to administrate the encryption key and the encryption settings.

Encrypt only used sectors Here you can define whether the initial encryption should encrypt all sectors, or only the sectors that are currently in use. CAUTION! Used-space-only encryption is only appropriate for new or freshly wiped drives. On a drive that already contained data, sectors that are marked free may still hold remnants of earlier files in plain text, and those remain readable until they are overwritten. For such drives, encrypt all sectors.


HINT! The settings for the drive encryption can still be managed with the mechanisms that Microsoft provides for the administration of BitLocker, for example the manage-bde command line tool or the BitLocker PowerShell cmdlets (Get-BitLockerVolume and related). Details can be found in the Microsoft BitLocker documentation. A quick check of the current state of a volume, including its encryption method and key protectors, is manage-bde -status.


15 Administration of Program Settings in extended View

As described in chapter "7.3.5 Restricted views in the administration console", the CryptoPro Secure Disk for BitLocker Administration Console can display an extended view. Within this extended view, several rarely used configuration options are shown. Those options are described in this chapter. In principle this chapter describes the administration of program settings. Basic explanations of this subject, as well as the description of the basic options, can be found in chapter "9 Configure application settings". This chapter describes only those options which are not described in "9 Configure application settings".

HINT! Please note that the content of the extended or limited view can be customized individually (see "7.3.5 Restricted views in the administration console").

15.1 General


15.1.1 PBA settings See "9.1.1 PBA Settings".

15.1.2 Authentication with username and password See "9.1.2 Authentication with User-ID and Password".

15.1.3 Authentication with smartcard See "9.1.3 Authentication with Smartcard".

15.1.4 Central administration Here you can define if this Computer can be administrated by the central Adminis- tration.

Allow central administration Depending on how the client computer was initialized (via central administration, local administration or script), this setting is activated or deactivated. This option allows switching a computer from local to central administration or vice versa.


HINT! This setting is not displayed if the administration console is used in central mode.

15.1.5 Antivirus settings See "9.1.5 Antivirus settings".

15.2 Advanced The advanced settings mainly refer to the boot process of the computer or to the encrypted target system. These settings are usually tightly aligned to the hardware used. CAUTION! These settings should only be changed if there are problems with the boot process.


15.2.1 Hardware Settings Here the specific hardware settings which influence the behaviour of the boot process can be configured.

Configure hardware settings This option defines that an individual configuration of the hardware settings shall be performed. If this option is not activated, configuration of the corresponding settings is disabled. CAUTION! These settings should only be changed if there are problems with the boot process.

15.2.2 Boot Options Here you can define settings for the boot process. CAUTION! Every option in this section should only be changed if there are problems with the boot process.

boot directly into host system This setting defines how the boot process from the PBA to Windows is done.

pass static data in memory This setting defines how static data is transferred from the PBA to Windows in the boot process.

pass dynamic data in memory This setting defines how dynamic data is transferred from the PBA to Windows in the boot process.

boot via BIOS after hibernation Some hardware models require a boot via BIOS after hibernation. This setting allows you to configure this behaviour.

Activate selftest The PBA has a selftest function which scans for the optimal configuration of the extended settings. This selftest is activated after the installation and is deactivated after a successful boot. With this option you can reactivate the selftest at a later time.

15.2.3 Hardware specific Here you can define hardware-specific settings for the PBA. CAUTION! Every option in this section should only be changed if there are problems with the boot process.

AHCI Reset This option defines whether the PBA performs a reset of the AHCI registers.

Reset Disk This option defines whether the PBA performs a reset of the hard disk.

Use ACPI This option defines whether ACPI support is activated within the PBA.

AHCI host reset This option defines whether a reset of the AHCI registers is done within the PBA.

15.2.4 Miscellaneous Here you can define additional general settings of the PBA.


Activate USB2 support This option defines whether USB2 support is activated within the PBA. CAUTION! This setting should only be changed if there are problems with the boot process.

load PCMCIA driver This option defines whether the PCMCIA driver is loaded within the PBA. CAUTION! This setting should only be changed if there are problems with the boot process.

CAUTION! If this option is not activated, PCMCIA smartcard readers are not supported.

15.2.5 Network Settings Here you can define Network specific Settings within the PBA.

Activate Network This option defines whether network support is activated within the PBA. CAUTION! If this option is deactivated, Friendly Network and Online helpdesk cannot be used!

HINT! If this option is activated, Wireless LAN or Wired LAN has to be activated as well in order to use the network capability of the CryptoPro Secure Disk for BitLocker PBA.

Use DHCP This option defines whether the PBA obtains its IP address via DHCP.

HINT! If this option is deactivated, the PBA uses the IP address that was active in the last Windows session.

Wired LAN This Option activates wired network access in the PBA.

Wireless LAN This Option defines if Wireless LAN will be supported in the PBA.

Predefined wireless SSID Optionally, in this field you can enter the SSID of the WLAN network that is usually used.

Predefined wireless password Optionally, in this field you can enter the password of the WLAN network that is usually used. HINT! This password has to be stored on the client so that the PBA can use it before any user is authenticated. Prefer a dedicated pre-boot WLAN that reaches only the helpdesk and administration services over the password of a general-purpose corporate WLAN.

Prefer WLAN This option defines whether WLAN should be used as the preferred network connection. Only if a network connection via WLAN cannot be established is a wired connection used. If this option is deactivated, a wired connection is used primarily.


15.2.6 Data key deletion This option allows to define extended settings for data key deletion (see "8.13.1 Con- text menu of administered computers").

Message shown after key deletion After deletion of the data key (see "8.13.1 Context menu of administered computers") the target system on the corresponding computer cannot be decrypted anymore, so the target system cannot be started anymore. In this case the PBA displays a message, which can be defined here.

15.3 Client Security The client security supports configuration of several security settings of the Client- Computers.


15.3.1 Accounts Security settings which manage the behaviour for adding, deleting and editing user accounts.

Allow Windows credential accounts With this Option it can be defined if PBA- Accounts based on Windows-credentials are allowed.

Allow PBA-Only password accounts With this Option it can be defined if pass- word based accounts that are valid just in the PBA are allowed.

Allow smartcard accounts With this Option it can be defined if smartcard based PBA-accounts are allowed.

Allow fingerprint accounts With this option it can be defined if PBA accounts based on a fingerprint only (without additional password) are allowed. CAUTION! This kind of PBA user account provides less security than the others. It is not recommended to use this type of PBA account.

Allow PKCS12-account With this option it can be defined if PBA accounts based on PKCS#12 files are allowed.

Allow Windows credentials plus fingerprint accounts With this option it can be defined if PBA-accounts based on Windows-credentials plus fingerprint are allowed.

15.3.2 Locking Here you can define options that configure an automatic locking of the PBA after failed login attempts.

Logon number after which PBA locks Here you can define after how many failed logon attempts in the PBA the specific user account is locked. HINT! A locked user can be unlocked with the helpdesk. CAUTION! The locking of the PBA is only triggered by failed logons with password-based PBA accounts.

Logon number after which PBA delays With this option you can define after how many failed logon attempts the PBA inserts a delay between the individual logon attempts. CAUTION! The delay of the PBA is only triggered by failed logons with password-based PBA accounts.

Delay time in seconds With this option you can define how long the PBA waits between the logon attempts once the delay is active. CAUTION! The delay, like the locking, is only triggered by failed logons with password-based PBA accounts; a smartcard enforces its own PIN retry counter independently of these settings. Choose the delay threshold lower than the lock threshold, otherwise the delay is never reached before the account locks.
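The three settings above, combined into one policy, as an added Python simulation written for this manual page (not the product's own code). The class name, the account types, the treatment of 0 as "disabled" and the assumption that a successful logon clears the failure counter are choices made for illustration; the manual only states that the lock and the delay count failed logons of password-based accounts and that a lock is removed by the helpdesk.

```python
"""Simulation of the locking and delay policy of section 15.3.2.

Added example for this manual page, not the product's own code. The class
name, the account types, the meaning of 0 as "disabled" and the assumption
that a successful logon clears the failure counter are choices made for
illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Tuple


class AccountType(Enum):
    WINDOWS_CREDENTIALS = "windows"    # password based
    PBA_ONLY_PASSWORD = "pba_only"     # password based
    SMARTCARD = "smartcard"            # PIN retries are enforced by the card itself
    PKCS12 = "pkcs12"
    FINGERPRINT = "fingerprint"


PASSWORD_BASED = {AccountType.WINDOWS_CREDENTIALS, AccountType.PBA_ONLY_PASSWORD}


class Verdict(Enum):
    OK = "ok"           # attempt counted, no penalty yet
    DELAY = "delay"     # the PBA waits delay_seconds before the next attempt
    LOCKED = "locked"   # account locked until a helpdesk unlock


@dataclass
class PbaLockoutPolicy:
    lock_after: int      # "Logon number after which PBA locks"   (0: never lock)
    delay_after: int     # "Logon number after which PBA delays"  (0: never delay)
    delay_seconds: int   # "Delay time in seconds"
    failures: dict = field(default_factory=dict)   # user -> consecutive failures
    locked: set = field(default_factory=set)

    def __post_init__(self) -> None:
        # Sanity check: with both thresholds enabled, a delay threshold above
        # the lock threshold would never be reached (the account locks first).
        if self.lock_after and self.delay_after and self.delay_after > self.lock_after:
            raise ValueError("delay_after must not exceed lock_after")

    def failed_logon(self, user: str, kind: AccountType) -> Tuple[Verdict, int]:
        """Record a failed PBA logon; return the verdict and the seconds to wait."""
        if kind not in PASSWORD_BASED:
            return Verdict.OK, 0   # only password based accounts feed the counters
        if user in self.locked:
            return Verdict.LOCKED, 0
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if self.lock_after and n >= self.lock_after:
            self.locked.add(user)
            return Verdict.LOCKED, 0
        if self.delay_after and n >= self.delay_after:
            return Verdict.DELAY, self.delay_seconds
        return Verdict.OK, 0

    def successful_logon(self, user: str) -> bool:
        """A locked account cannot log on; otherwise the counter is cleared (assumption)."""
        if user in self.locked:
            return False
        self.failures.pop(user, None)
        return True

    def helpdesk_unlock(self, user: str) -> None:
        """Helpdesk unlock: removes the lock and the failure history."""
        self.locked.discard(user)
        self.failures.pop(user, None)


def simulate(policy: PbaLockoutPolicy, attempts) -> list:
    """Replay (user, account type) failures and return the verdict per attempt."""
    return [policy.failed_logon(u, k)[0].value for u, k in attempts]


if __name__ == "__main__":
    p = PbaLockoutPolicy(lock_after=5, delay_after=3, delay_seconds=30)
    print(simulate(p, [("alice", AccountType.PBA_ONLY_PASSWORD)] * 6))
```

Note that an account whose failures never count (smartcard, PKCS#12 or fingerprint in this model) is not protected by these settings at all; for smartcards the retry limit lives on the card, which is why the manual restricts the CAUTION to password-based accounts.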

15.3.3 Checksums Here you can configure which kind of check of the PBA-internal data is executed during the system start.

Enable checksums The PBA can detect via checksum whether parts of the PBA have been changed. If the check identifies such a change, the boot process is stopped. With this option you define whether the checksum detection is activated. HINT! A checksum detects modification; whether it withstands a deliberate attacker who can also rewrite the stored checksum depends on how the checksum itself is protected, so combine it with the TPM protection of "15.3.5 TPM Support" rather than relying on it alone.
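The check described above, as an added Python example written for this page (not the product's own code; the file names, the manifest layout and the key are constructed for illustration). It hashes the PBA components into a manifest and refuses to boot when a component differs. Going beyond what the manual describes, it also shows why a checksum should be tied to a secret the attacker cannot read (here a keyed MAC; in the product the TPM protection of 15.3.5 plays that role): an attacker who can rewrite a component can rewrite an unkeyed manifest as well.

```python
"""PBA-style integrity check as described in section 15.3.3.

Added example for this manual page, not the product's own code. The file
names, the manifest layout and the key are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _component_files(root: Path) -> list[Path]:
    return [p for p in sorted(root.rglob("*")) if p.is_file()]


def build_manifest(root: Path, key: bytes | None = None) -> dict:
    """Hash every component below root. With a key, the entry list is
    additionally authenticated (HMAC-SHA256), so an attacker who can rewrite a
    component cannot simply rewrite the manifest to match."""
    entries = {p.relative_to(root).as_posix(): sha256_file(p) for p in _component_files(root)}
    manifest = {"entries": entries}
    if key is not None:
        payload = json.dumps(entries, sort_keys=True).encode()
        manifest["mac"] = hmac.new(key, payload, "sha256").hexdigest()
    return manifest


def verify_manifest(root: Path, manifest: dict, key: bytes | None = None) -> list[str]:
    """Return the list of problems found; an empty list means the PBA may boot."""
    entries = manifest["entries"]
    if key is not None:
        payload = json.dumps(entries, sort_keys=True).encode()
        expected = hmac.new(key, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, manifest.get("mac", "")):
            return ["manifest authentication failed"]
    problems = []
    for rel, digest in entries.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif not hmac.compare_digest(sha256_file(p), digest):
            problems.append(f"modified: {rel}")
    # A component that is present but not listed counts as a change as well.
    for p in _component_files(root):
        if p.relative_to(root).as_posix() not in entries:
            problems.append(f"unexpected: {p.relative_to(root).as_posix()}")
    return problems


def demo() -> tuple[list[str], list[str], list[str], list[str]]:
    """Constructed scenario: clean start, tampered component, and a tampered
    component whose attacker also rewrote the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pba.bin").write_bytes(b"pre-boot loader image (constructed)")
        (root / "config.dat").write_bytes(b"pba settings (constructed)")
        key = b"constructed key; in practice not stored beside the PBA"

        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        (root / "pba.bin").write_bytes(b"tampered loader (constructed)")
        tampered = verify_manifest(root, manifest, key)

        forged = build_manifest(root)                     # attacker's unkeyed manifest
        unkeyed_check = verify_manifest(root, forged)     # passes: nothing to detect it
        keyed_check = verify_manifest(root, forged, key)  # fails: no valid MAC
        return clean, tampered, unkeyed_check, keyed_check


if __name__ == "__main__":
    print(demo())
```

The fourth result is the one that matters for the HINT above: the unkeyed check happily accepts the attacker's rewritten manifest, while the keyed check still stops the boot because the attacker could not produce a valid MAC without the key.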

15.3.4 Miscellaneous Here you can configure additional security settings of the PBA.

Show user names Here you can configure whether the PBA displays all available user names at logon. HINT! If this option is deactivated, the available users for a Single Sign On are not displayed even in a helpdesk case.

Allow PBA Log Here you can configure if a log-file should be available in the PBA.

15.3.5 TPM Support Here you can configure TPM settings of the PBA.

Activate TPM protection in PBA With this option it can be configured whether the PBA is protected by the TPM. CAUTION! If this option is activated, installing the hard drive into another computer leads to an error at the start of the PBA. Make sure the recovery procedure (see "20 Emergency recovery") is in place before enabling it.

15.4 ProfileProcessing Profile processing defines which messages are displayed on the client computer while profiles are processed.


15.4.1 Profile Processing Here you define which messages are displayed on the client computer while configuration profiles are processed.

Process profile automatically This option defines whether settings that have been saved into a script are processed automatically once they have been transferred to the script directory of the target computer.

Show Status GUI This option defines, if during processing of settings on the target computer, a specific status- window will be displayed.

Show error messages This option defines, if during processing of settings on the target computer, error message shall be displayed in case of a failure.

Show warning messages This option defines, if during processing of settings on the target computer, warning messages should be displayed.

Show info messages This option defines, if during processing of settings on the target computer, information messages should be displayed.


Show success messages This option defines, if during processing of settings on the target computer, success messages should be displayed.

15.5 Smartcard See "9.2 Smartcard"

15.6 Single Sign On Here you can configure possible Single Sign On options.

15.6.1 Single Sign On Methods Here you can define the possible Single Sign On Methods.

Enable SSO Here it can be defined whether Single Sign On is activated. If this option is deactivated, no kind of SSO is executed. HINT! An exception is the helpdesk case. If the authentication is done via helpdesk, with a specific configuration a Single Sign On can be done even if this option is not activated.

HINT! In principle SSO is done with the SSO credentials of the user. A Single Sign On is therefore only possible if the PBA account has SSO credentials (see "12.2 Add / Change user accounts with the context menu"). Only Windows-credential user accounts can do an SSO without specific SSO credentials.

Enable smartcard SSO With this option it can be defined whether, after a PBA logon via smartcard, a smartcard-based automatic logon to Windows is done. In this case no SSO credentials are needed. CAUTION! For a successful smartcard SSO it must be ensured that a Windows logon is possible with the smartcard used.

Get SSO password credentials for smartcard user from central service With this option it can be defined whether smartcard users get their SSO credentials from the central service (see chapter "18 Password Management Console").

15.6.2 Advanced single sign on methods Here you can define advanced options for Single Sign On.

Execute Windows logon in logon dialog If SSO is activated, you can define whether only the logon credentials are written to the fields of the logon dialog (option deactivated), or whether the logon is actually executed (option activated). HINT! In most cases activating this option is the correct setting. If the user wants to change the logon credentials in the logon dialog (e.g. to log on to another domain), deactivating this option makes sense.

HINT! If this option is deactivated, the Single Sign On is not executed automatically. The logon credentials are inserted into the logon dialog (if available), but the user must execute the logon himself.

Enable smartcard key update This option defines whether the keys for smartcard-based PBA accounts are updated if a Windows logon with a replacement card is detected. HINT! It is recommended to activate this option only if replacement cards may actually be used and Friendly Network is activated. Otherwise the key update via the activated Active Directory check should be preferred.

15.7 Logging This section allows configuration of the logging functionality.


15.7.1 Logfile Here you can define the settings for the log file.

Logfile path Here you can define the path to the log file of the application. ATTENTION! As different components of the application write log messages into the log file, the log file must be in a directory to which user accounts as well as system accounts have write access. Grant that access to the specific accounts that need it rather than to everyone: a log location writable by any local user can be tampered with, and its entries lose their value as evidence.

15.8 Friendly Network See "9.3 Friendly Network"

15.9 Transparent PBA The PBA will be completely deactivated. The computer remains encrypted but starts without PBA.

HINT! Via Friendly Network it is also possible to start a client computer without user credentials in the PBA. But this is not a transparent PBA, as external key credentials are still needed.

CAUTION! A transparent PBA has a lower security level than a fully activated PBA.

The settings for the transparent PBA can be configured on this page.

15.9.1 Turn off PBA Here you can deactivate the PBA completely.

Deactivate PBA With this option you can deactivate the PBA completely. CAUTION! With a deactivated PBA the security level is reduced.


15.10 802.1X Here you can configure the options for 802.1X.

15.10.1 General 802.1X settings Here you can define the general settings for 802.1X.

Enable 802.1X support Here you define whether the PBA performs network authentication via 802.1X.

Enable 802.1X for WLAN Here you define whether the PBA performs network authentication via 802.1X over a WLAN connection.

EAP type Here you define which EAP method the PBA uses for the 802.1X authentication.

Automatically enroll client certificate Here you can define whether CryptoPro Secure Disk for BitLocker automatically requests its own computer certificates for the 802.1X authentication.

Verify CA certificate prior to 802.1X authentication Here you can define whether the issuer certificate is checked at every certificate-based 802.1X authentication. With this check disabled the PBA does not validate who issued the certificate it is presented with, so keep it enabled outside of troubleshooting.

15.10.2 Client credentials Here you can define the settings for 802.1X user accounts.

Client name Here you can define the name of a password-based user account which is used for the 802.1X authentication.

Client password Here you can define the password of a password-based user account which is used for the 802.1X authentication.

Confirmation Here the entry made under Client password has to be confirmed.

15.10.3 Issuing certificate authority Here you can define the settings for the issuer of the 802.1X certificates.

Certificate authority name If the option Automatically enroll client certificate is chosen, you can enter in this field the name of a Microsoft CA which is used to issue the 802.1X certificates.

Certificate template If the option Automatically enroll client certificate is chosen, you can enter in this field the template to be used for issuing the 802.1X certificate.

Use Certificate Enrollment Web Services This option enables the use of Microsoft's Certificate Enrollment Web Services to retrieve computer certificates. This is necessary if the client computer is not in the Active Directory or has no direct access to an issuing CA. The client then retrieves a certificate via HTTPS from a defined enrollment server.

Certificate Enrollment Policy Web Service address HTTPS address of a certificate enrollment policy server. This address usually has the format https://SERVERNAME/ADPolicyProvider_CEP_Kerberos/service.svc/CEP. If the client computer is within an Active Directory, this entry may be left empty.

15.10.4 PKCS#12 identity

CryptoPro Secure Disk for BitLocker offers the option to import certificates for the 802.1X authentication to the client via a PKCS#12 file. You must copy a PKCS#12 file that contains a valid 802.1X certificate to a defined directory on the client: C:\Program Files\SecureDisk\Client\Cert.

HINT! After successful import of this certificate the PKCS#12 file on the client is deleted automatically.

PKCS#12-file password Here you have to enter the password of the PKCS#12 file which is used for the import of the 802.1X certificate.

Confirmation Here you must confirm the password entered under PKCS#12-file password.
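Because the client deletes the file after the import and reports nothing back to the administrator, it pays to check the PKCS#12 file before staging it. The following PowerShell script is an added example and not part of the manual or the product: it opens the file with its password, verifies that it carries a private key, is currently valid and (if an EKU extension is present) permits TLS client authentication, and only then copies it to the client import directory. The directory is the one named above; the EKU requirement and the Get-PfxData-based check are assumptions of this example.

```powershell
# Added example, not part of the manual or the product: pre-flight check of a
# PKCS#12 file before it is dropped into the Secure Disk client import directory
# for the 802.1X identity import.
# Assumptions (not stated in the manual): the identity must be usable for TLS
# client authentication (EKU 1.3.6.1.5.5.7.3.2) and the import directory is the
# one named in the manual. Requires the PKI module (Get-PfxData, Windows 8.1+).

function Test-Dot1xIdentityPfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $problems = New-Object System.Collections.Generic.List[string]

    # A wrong password or a corrupt container fails here, loudly, instead of
    # failing silently during the import on the client.
    try {
        $pfx = Get-PfxData -FilePath $PfxPath -Password $PfxPassword -ErrorAction Stop
    } catch {
        throw "Cannot open '$PfxPath': $($_.Exception.Message)"
    }

    $cert = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $cert) { throw "'$PfxPath' contains no end-entity certificate." }

    if (-not $cert.HasPrivateKey) { $problems.Add('no private key in the container') }

    $now = Get-Date
    if ($cert.NotBefore -gt $now) { $problems.Add("not valid before $($cert.NotBefore)") }
    if ($cert.NotAfter  -lt $now) { $problems.Add("expired on $($cert.NotAfter)") }

    # If an EKU extension is present it must include Client Authentication;
    # a certificate without any EKU extension is valid for all purposes.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($eku) {
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($oids -notcontains $clientAuthOid) {
            $problems.Add("EKU lacks Client Authentication ($clientAuthOid)")
        }
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        ChainCerts = @($pfx.OtherCertificates).Count
        Problems   = $problems.ToArray()
        Ok         = ($problems.Count -eq 0)
    }
}

function Copy-Dot1xIdentityPfx {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $ImportDir = 'C:\Program Files\SecureDisk\Client\Cert'   # directory named in the manual
    )
    $result = Test-Dot1xIdentityPfx -PfxPath $PfxPath -PfxPassword $PfxPassword
    if (-not $result.Ok) {
        throw "Refusing to stage '$PfxPath': $($result.Problems -join '; ')"
    }
    if (-not (Test-Path -LiteralPath $ImportDir)) {
        throw "Import directory '$ImportDir' does not exist; is the client installed?"
    }
    # The client deletes the file after a successful import (see the HINT above);
    # a file that is still present after the next start indicates a failed import.
    Copy-Item -LiteralPath $PfxPath -Destination $ImportDir -Force
    $result
}

# Usage (path is an assumption). Prompting keeps the PKCS#12 password out of the shell history:
# $pw = Read-Host -AsSecureString -Prompt 'PKCS#12 password'
# Copy-Dot1xIdentityPfx -PfxPath 'C:\staging\dot1x-identity.p12' -PfxPassword $pw
```

The PKCS#12 password itself is not stored by this script; it still has to be entered in the PKCS#12-file password field above so that the client can open the file.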

15.11 Recovery Management See "9.4 Recovery management"

15.12 Smartphone The settings for smartphone authentication can be configured on this page.


15.12.1 Device and app protection Here you can configure settings for protecting the smartphone and the smartphone app SecureDisk Authenticator.

Device protection required With this option you can define whether device protection (PIN) is required in order to activate the smartphone app SecureDisk Authenticator.

Password for smartphone application required With this option you can define whether a separate password is required in order to activate the smartphone app SecureDisk Authenticator. Allow import/export of the smartphone data by the user With this option you can define whether the user is allowed to export and import his authentication data. HINT! Importing / exporting the data serves to transfer authentication information from one smartphone to another.

15.12.2 App password complexity Here you can define the password rules for the smartphone app password. HINT! These password rules apply to the password that is activated with the option Password for smartphone application required.

Minimum password length Here the minimum length of the password is defined. Special characters required Here you define whether the password must contain special characters.

Digits required Here you define whether the password must contain digits. Upper/lower case variation required Here you define whether the password must contain both upper-case and lower-case letters.

15.12.3 Restrict communication protocol Here you can define settings for the communication protocol used between the smartphone app and the PBA.

Bluetooth LE enabled Here you define whether the smartphone app SecureDisk Authenticator communicates with the PBA via Bluetooth LE. USB enabled Here you define whether the smartphone app SecureDisk Authenticator communicates with the PBA via USB cable.


16 Helpdesk

CryptoPro Secure Disk for BitLocker offers extensive helpdesk functions which help with logon problems (e.g. forgotten password, forgotten PIN, corrupted smartcard). Whenever a helpdesk function is used, a central helpdesk instance is involved. The helpdesk operator on the other side assists the user.

For the execution of helpdesk functions it is necessary that the central helpdesk instance is completely initialized and the initialization of the client computer has already been completed.

16.1 Central helpdesk The central helpdesk is installed as part of the installation of the central components (see "4 Installation | Uninstallation of the administrative components"). With the first call of the helpdesk console after the installation the initialization is done. At the same time an additional helpdesk database is created and initialized (see "16.2 Initialize central helpdesk"). The functions of the central helpdesk are executed via the helpdesk console, which is operated by an authenticated helpdesk operator.

16.2 Initialize central helpdesk The installation of the administration package creates an entry in the program menu for CryptoPro Secure Disk for BitLocker which is dedicated to the helpdesk console. With the first call of the helpdesk console after the installation the first helpdesk administrator is created.

Now the first helpdesk operator must be named.

Simple logon (username and password) This option has to be selected if the first helpdesk operator should authenticate with user name and password.

Name Here you define the user name for the first helpdesk operator. Password Here you define the password for the first helpdesk operator.

Confirmation Here the password for the first helpdesk operator must be confirmed.

PKCS#12 logon This option has to be selected if the first helpdesk operator should authenticate via PKCS#12 file.

PKCS#12 File Here the path of the PKCS#12 file for the first helpdesk operator is defined. PIN Here the PIN for the according PKCS#12 file is defined. New PKCS#12 File With this button you can create a new PKCS#12 file.

After successful creation of the first administrator the helpdesk is initialized. During this process the helpdesk database is created and a helpdesk instance named "default" is created. HINT! The helpdesk of CryptoPro Secure Disk for BitLocker supports multiple independent instances. A client computer can only be accessed with one specific instance. With several different helpdesk instances you can separate client computers.

16.2.1 Authentication on the central helpdesk

The helpdesk operator must authenticate on the console. For this purpose a PKCS#12 file, user name and password or the Windows logon can be used. The applicable variant depends on how the account of the specific operator was created. The logon method can be changed with the first button.

HINT! The logon with the Windows user account is only displayed if the helpdesk has been connected with the central database.

PKCS#12 logon This option is selected if the chosen operator account requires a logon with a PKCS#12 file. HINT! The PKCS#12 file is usually kept on a USB stick.

Simple logon This option is chosen if the operator account requires a logon with user name and password.


Windows logon Here you must enter a valid Windows account with its password.

HINT! For the logon of the main operator the logon data created and defined during the initialization have to be used (see "16.2 Initialize central helpdesk").

16.2.2 Administrative functions of the helpdesk console

Administration of helpdesk operators The functions to administrate the helpdesk operators are offered on the console.

Adding, deleting and finding operator accounts is possible for every helpdesk operator who has the authorization. Remove Deletes the selected helpdesk operator. Apply Applies the changes made to the selected helpdesk operator. Here you change whether the operator has administration rights (so he can administrate other operators) and which instances of the helpdesk can be accessed by this operator. Add Opens the dialog to add a new helpdesk operator.


Operators can be defined in different ways. If the helpdesk is used without a connection to a central database, only the first two options can be used. If the helpdesk is connected with a central database, Active Directory users and groups can also be added as operators.

Simple logon The operator logs on with user name and password. The selected name identifies the operator on the system. A dialog to enter user name and password is displayed. Standard logon The logon requires a PKCS#12 file with the according password. An already existing PKCS#12 file and the correct password must be entered. Additionally a new PKCS#12 file can be created at this step. AD user A Windows Active Directory user account is defined as helpdesk operator. A dialog to search for a user account within the Active Directory is displayed. See "8.4 Management of central administrators". HINT! This option is only available if the helpdesk is connected with a central database. AD groups Members of a group in the Active Directory are valid helpdesk operators. A dialog to select a group within the Active Directory is displayed. See "8.4 Management of central administrators".

HINT! This option is only available if the helpdesk is connected with a central database.

After the new operator is defined, access rights for this user can be issued.

Username This is the character string which uniquely identifies the operator on the system. Due to the pre-selection of the operator this value is already defined. Single Sign On allowed This option is only displayed for AD users and groups. For those operators it is possible to log on to the helpdesk console based on the currently logged-on Windows user. If the currently logged-on user also exists as a helpdesk operator or as a member of such a group, the logon is carried out without a new password prompt. If this is not the case or Single Sign On is not allowed, the normal logon dialog is displayed. Has Helpdesk-administrator rights Here you can define whether the operator has administration rights. Administration rights allow creating new operators and instances and assigning them to each other. HINT! The privilege to execute a helpdesk case cannot be explicitly revoked. A restriction can only be achieved by restricting the access to specific helpdesk instances. Helpdesk instances Here it is defined which helpdesk instances the operator can access. The first generated administrator always has access to all instances. For operators added later, access to a helpdesk instance must be approved explicitly.

Administration of helpdesk instances The helpdesk console offers the option to generate new helpdesk instances. Every client must be initialized for one helpdesk instance; the usage of different instances allows a separation between the clients. A helpdesk instance can be exported into a password protected file with the menu entry Export helpdesk instance. By importing it on another helpdesk server, both helpdesk servers are enabled to support those clients which were initialized for this instance. Since any helpdesk server that imports this file can issue helpdesk actions for those clients, handle the export like key material and choose a strong password. HINT! Only helpdesk operators with administration rights can administrate helpdesk instances. After the entry of the file path the parameters have to be defined.

Instance Select an instance to export.

Password Define a password for the exported file. This password will be needed for the import into another helpdesk.

Confirmation Here the entered password has to be confirmed.

On the instance page of the helpdesk console other functions are available.


Remove Deletes the selected helpdesk instance. Import Imports a new helpdesk instance from a password protected file. Add Adds a new helpdesk instance.


Instance Name Enter a unique name for the instance.

Export of client initialization data As described, every client must be initialized for one specific helpdesk instance. If the option for an automatic initialization via network is not available, this can be done via a password protected CDF file (Client Distribution File). This file can be created with the corresponding menu entry. HINT! Only helpdesk operators with administration rights can create this file.

Instance Select the instance whose initialization data should be exported. HINT! If there exists only one instance for the specific helpdesk, no selection field is displayed.

Password You can define here the password for the exported file. This pass- word is required for the import at the client.

Confirmation Confirm entered password.

Connection to central service The central helpdesk can optionally be connected with the administration service. This connection is required if helpdesk events should be reported (see "8.14.2 Helpdesk Report"). Additionally the connection to the administration service enables the helpdesk operator to select a PBA account for which the helpdesk action should be executed in case of an offline helpdesk (see "16.2.3 Offline Helpdesk"). Details for connecting the helpdesk to the central service can be found at "16.2.4 Helpdesk connection with central database".

16.2.3 Helpdesk for a client

Online Helpdesk If there is a network connection between the client and the helpdesk server and the client is configured to use the online helpdesk, the online variant is chosen automatically.


In the list Open requests all pending online helpdesk requests are displayed. With Refresh this list can be refreshed. In Request ID the request ID of the currently selected helpdesk request is displayed. In Username the user name of the PBA user account for which help was requested is displayed. These two fields are used to identify and assign the request.

HINT! The user who needs help must contact the helpdesk operator by phone. Based on the Request ID and the name, the operator is able to assign the request to the user.

With Grant the selected request is answered positively, with Deny it is rejected. Once the support request has been assigned, the operator must select the help action to be executed on the client.

The following actions can be selected:

Bootcounter Here you can define that the user can use a specific temporary helpdesk user account (with a password defined by the user during the helpdesk action) for the authentication for a specific number of system starts. After the counter runs out, this helpdesk account is deleted.

Until a certain date Here you can define that the user can use a specific temporary helpdesk user account (with a password defined by the user during the helpdesk action) for the authentication until a certain date. After the date is reached, this helpdesk account is deleted.

Reset failure counter Depending on the configuration of the client, the user account may be blocked due to too many failed logons. This option releases the block.

Selfinit certificate This option allows the automatic creation of a certificate-based PBA user (smartcard or PKCS#12 file).

Selfinit Windows password user This option allows the automatic creation of a password-based Windows user.

Selfinit PBA password user This option allows the automatic creation of a password-based PBA user.

Selfinit fingerprint This option allows the creation of a new fingerprint-based user account.

Capture SSO data At the initialization of a new PBA user you can define whether the newly created user account in the PBA should include SSO credentials or not (see "12.2 Add / Change user accounts with the context menu").

HINT! For every helpdesk request only those help actions are displayed which are approved by the configuration of the client. Other actions are not displayed.

HINT! Depending on the chosen helpdesk action further entries may be required. Those entry fields are only displayed after the selection of the help action.

CAUTION! Before support is granted, the user who requested the help must authenticate himself to the helpdesk operator. This authentication is not part of CryptoPro Secure Disk for BitLocker. Because a granted request creates a way past the PBA, this identity check is the only thing between someone holding a stolen computer and its data; define a verification procedure for operators and enforce it.


After the selection of a helpdesk request from the list Pending requests, only those helpdesk actions are displayed which are allowed on this specific client according to its configuration. All other helpdesk actions are not displayed.

After selecting the requested helpdesk action and entering the required parameters (e.g. boot counter or expiration date), you can activate the helpdesk action with Grant. With Deny the request is rejected.

Offline Helpdesk If the online helpdesk is not available due to the configuration of the client or because of a missing online connection, the offline variant of the helpdesk is used. After the user has contacted the operator by phone, the helpdesk operator activates the offline helpdesk in the helpdesk console.


In the field Instance you must select the helpdesk instance for which the specific computer is configured.

HINT! This field will only be displayed if there is more than one helpdesk instance.

In User string you must select the user which has been selected on the client computer to perform Single Sign On to the operating system. Pressing the button Search displays a dialog to select the user. HINT! This field ensures that the user on the client logs on with exactly the user account he told the helpdesk operator. Entering the correct user binds the response to that account and thereby substantially strengthens the challenge response method. If you do not want to use this security measure, this step can be skipped.

HINT! The user search requires the connection of the helpdesk with the central database. Without this connection the user search is not available.


In the dialog for the user search you must first select the computer within the tree structure. Beneath this computer all users which exist in the PBA of this computer are displayed. After selecting a user, computer name and user name are shown in the lower part of the dialog. Pressing OK confirms the selection.

HINT! The computer can be searched by entering a part of its name and using the wildcard sign "*". Only the matching computers are displayed, not the complete Active Directory structure.

Under User information the operator can enter the name of the user who requested help. HINT! There is no check whether the entered user name is correct. HINT! The entered user name becomes part of the helpdesk report. Under Client information the operator can enter the name of the computer on which the helpdesk action takes place. HINT! There is no check whether the entered computer name is correct. HINT! The entered computer name becomes part of the helpdesk report. Under Challenge the character string has to be entered which the user submitted by phone.

HINT! Initially only the entry blocks A and B are visible. After data has been entered in those blocks, the remaining blocks for the challenge response are displayed.

HINT! Depending on the configuration of the client the length of the challenge and response can vary.

As in the online case the helpdesk operator can select between the different helpdesk actions (see "16.2.3 Online Helpdesk").

HINT! After entering the challenge, only those help actions are displayed under Helpdesk Actions which are approved by the configuration of the client. Others are not displayed.

With Response the response is generated and displayed in a separate window.

The response must be submitted by phone to the user in order to activate the helpdesk action at the client.


16.2.4 Helpdesk connection with central database Connecting to the central administration database enhances the functionality of the helpdesk server. This is useful in scenarios where the helpdesk is not placed in a DMZ or a similar environment.

HINT! This connection is also necessary if the helpdesk and the central administration are running on the same computer.

The following functions are available:

- Logon at the console with a Windows user account
- Selection of the user in the offline helpdesk
- Reporting of helpdesk events in the central database


The connection is established by selecting the menu entry Administration | Connect....

A dialog to enter the address of the administration service is displayed. The entry of the server name and port is confirmed by pressing OK.

The helpdesk server then tries to connect to the administration service and to register as a helpdesk server.

CAUTION! For security reasons this connection between helpdesk and administration must be activated by an administrator in the administration console in the menu CA-Administrate Central Services:

See "8.11 Administration of additional service-instances" for more information.

HINT! As long as the helpdesk server is not activated within the administration console, the additional functions are not available and are not displayed.

Save helpdesk events in central database Helpdesk events can be stored in the central database for report generation. Via the administration console a report about the executed events can be displayed. The following activities / events are reported:

- Create/Delete an operator
- Change rights of an operator
- Create/Delete helpdesk instances
- Log on / log off of an operator
- Execute help for a computer (including the selected options)

The helpdesk report can be generated in the central administration console. See "8.14.2 Helpdesk Report".

16.3 WEB Helpdesk In addition to the helpdesk console, CryptoPro Secure Disk for BitLocker offers the helpdesk operators the option to work browser-based. For this purpose the CryptoPro Secure Disk for BitLocker WEB Helpdesk has to be set up.


16.3.1 Set up the WEB Helpdesk

The install directory of CryptoPro Secure Disk for BitLocker has a subfolder named WebHelpdesk. This folder contains a zip file with the content of the WEB helpdesk directories. The content has to be unzipped and provided as a web site on a web server. CryptoPro Secure Disk for BitLocker supports Microsoft IIS 10.0 and Apache 2.4. The site has to be served over HTTPS.

Redirection of client requests All client requests to the web server that do not explicitly refer to files have to be redirected to the file index.html. HINT! Apache requires the according rewrite entries in the .htaccess file for this purpose. HINT! Microsoft IIS requires the installation of the 'URL Rewrite' module. With this module the according rewrite rules can be defined.

Definition of the API endpoint In the helpdesk directory, under assets/config, the file config.json can be found. This file contains the entry 'baseUrl' in the section ''. This entry has to be changed so that it matches the endpoint of the helpdesk server. HINT! Usually the entry is: 'https://[FQDN of the helpdesk server]:8081/helpdeskapirest/helpdeskapirest/' HINT! The port number has to be exactly the port under which the central helpdesk service of CryptoPro Secure Disk for BitLocker is running.

Setup of the origins On each computer where the central helpdesk service of CryptoPro Secure Disk for BitLocker is running, a list of all valid origins has to be entered in the registry. Under the registry key HKLM\SOFTWARE\cpsd\SecureDisk\helpdesk\web there has to be a REG_SZ value that defines all valid origins in the form 'Protocol://URL:Port'. The list of origins has to be delimited by semicolons. Example: 'https://SecureDiskWEBHelpdesk:4433'. In this case the WEB Helpdesk is operated on a web server with the URL 'SecureDiskWEBHelpdesk' on port 4433. Keep this list to the exact origins your operators use: every origin listed here is accepted by the helpdesk service.

CAUTION! Make sure that the browser used to access the WEB Helpdesk trusts the certificate used by the central helpdesk service of CryptoPro Secure Disk for BitLocker. Otherwise an error occurs at the authentication of the operator.
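The two file-level steps above (pointing config.json at the helpdesk service and adding the IIS rewrite rules) are easy to get subtly wrong, for instance by dropping the trailing slash of the endpoint or by writing a rewrite rule that also swallows real files. The following PowerShell script is an added example, not part of the manual or the product. It assumes the unzipped web root path and the helpdesk FQDN given in the usage lines, that the URL Rewrite module is installed, and that HTTPS is enforced by a redirect rule (the manual requires HTTPS but does not prescribe how). Because the manual does not name the JSON section that contains 'baseUrl', the script searches config.json for that key recursively instead of guessing the section.

```powershell
# Added example, not part of the manual or the product: prepare an unzipped
# WEB helpdesk directory for IIS.
#  (1) set every 'baseUrl' entry in assets/config/config.json to the helpdesk
#      service endpoint (the manual does not name the enclosing section, so the
#      key is searched recursively);
#  (2) write a web.config with URL Rewrite rules that force HTTPS and route all
#      requests that are not existing files or directories to index.html.
# Assumptions: web root path, helpdesk FQDN, URL Rewrite module installed.

function Set-WebHelpdeskBaseUrl {
    param(
        [Parameter(Mandatory)] [string] $WebRoot,
        [Parameter(Mandatory)] [string] $HelpdeskFqdn,
        [int] $HelpdeskPort = 8081                 # port named in the manual's example
    )
    $configPath = Join-Path $WebRoot 'assets\config\config.json'
    # Format from the manual, trailing slash included.
    $baseUrl = "https://${HelpdeskFqdn}:${HelpdeskPort}/helpdeskapirest/helpdeskapirest/"

    $json = Get-Content -LiteralPath $configPath -Raw | ConvertFrom-Json

    # Walk the object tree; replace every property named 'baseUrl'.
    function Update-Node([object] $node) {
        $n = 0
        foreach ($p in $node.PSObject.Properties) {
            if ($p.Name -eq 'baseUrl') {
                $p.Value = $baseUrl
                $n++
            } elseif ($p.Value -is [System.Management.Automation.PSCustomObject]) {
                $n += Update-Node $p.Value
            }
        }
        return $n
    }
    $replaced = Update-Node $json
    if ($replaced -eq 0) { throw "No 'baseUrl' entry found in $configPath" }

    $json | ConvertTo-Json -Depth 20 | Set-Content -LiteralPath $configPath -Encoding UTF8
    "$configPath : $replaced baseUrl entry/entries set to $baseUrl"
}

function Write-WebHelpdeskWebConfig {
    param([Parameter(Mandatory)] [string] $WebRoot)
    $webConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- The manual requires HTTPS: bounce plain-HTTP requests. -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- Only requests that are neither an existing file nor a directory are
             application routes; those get index.html, real files are untouched. -->
        <rule name="SPA fallback" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.html" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@
    $path = Join-Path $WebRoot 'web.config'
    Set-Content -LiteralPath $path -Value $webConfig -Encoding UTF8
    $path
}

# Usage (web root and FQDN are assumptions of this example):
# Set-WebHelpdeskBaseUrl -WebRoot 'C:\inetpub\SecureDiskWebHelpdesk' -HelpdeskFqdn 'helpdesk.example.org'
# Write-WebHelpdeskWebConfig -WebRoot 'C:\inetpub\SecureDiskWebHelpdesk'
```

On Apache 2.4 the equivalent of the second rule is a mod_rewrite block in .htaccess with `RewriteCond %{REQUEST_FILENAME} !-f`, `RewriteCond %{REQUEST_FILENAME} !-d` and `RewriteRule . /index.html [L]`, which requires AllowOverride for the site directory.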

16.3.2 Configuration of the WEB Helpdesk Several options can be configured for the WEB helpdesk. The configuration file can be found under '/assets/config/config.json'. Logging Under 'logging - level' the log level (output on the browser console) can be configured. At level 3 only errors are logged. Maximum value is 3, minimum is 0.


Impressum If 'enable' is set to false, this part is removed from the navigation bar of the WEB helpdesk. Under 'imprint - values' the values to be displayed on your web site can be defined.

Contact If 'enable' is set to false, this part is removed from the navigation bar of the WEB helpdesk. Under 'contact - contacts' the contacts to be displayed on your web site can be defined. One contact has the following fields:
- name Name of the contact
- phone Phone number
- eMail E-mail address
It is possible to define more than one contact.

Data protection If 'enable' is set to false, this part is removed from the navigation bar of the WEB helpdesk. Under 'data-protection - sections' the data protection sections can be defined. A data protection section consists of the fields:
- headline Headline of the section
- text Section text
Both fields refer to entries of the i18n.json file, so the data protection sections can be provided in the required languages.

The authentication of the helpdesk operator is based on a JWT (JSON Web Token) which is transferred with each call. If an operator logs on or off, all tokens of this operator are removed from an internal whitelist and are therefore invalidated. Consequently an operator can be logged on to the CryptoPro Secure Disk for BitLocker helpdesk server from only one computer at a time; a logon from a different computer terminates the session on the first computer.

The validity period of the logon token is security relevant and can be configured via registry settings on the computer where the CryptoPro Secure Disk for BitLocker helpdesk service is running. The values can be found under HKLM\SOFTWARE\cpsd\SecureDisk\helpdesk\web. All values are of type DWORD:

RestTokenMaxAge This value defines how long the logon token is valid (in seconds). After this period the operator has to authenticate again. Default is 3600 (one hour).

RestTokenRenewExpire If this value is set to 1, the validity period of the token is reset at each activity of the operator. In this case the token only expires if the operator is inactive for the whole period. If this value is set to 0, the token expires after the period regardless of whether the operator was active or not. CAUTION! For security reasons it is recommended to set this value to 0!

RestTokenDeltaTime In general a new token is generated for the operator at each request and the old token is invalidated. Since it is possible that some requests of an operator are sent overlapping or in the wrong order, there is a short time frame during which old tokens are kept valid. This time frame is defined by this entry. Default is 2 seconds.

RestTokenWhitelistMaxSize All valid logon tokens are kept on an internal whitelist. The maximum size of this whitelist is limited. If the whitelist is full, an error occurs. As a minimum value the number of operators * 2 is recommended. The maximum size of the whitelist can be defined with this entry. Default value is 1000 (= 500 operators).


RestCSRFTokenRequired This value defines whether, in addition to the JWT, a CSRF token is required for the requests. If this entry is set to 0, no CSRF token is required. Default value is 1. CAUTION! For security reasons it is recommended to set this entry to 1!
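The recommended settings above (RestTokenRenewExpire = 0, RestCSRFTokenRequired = 1, a whitelist sized to at least twice the operator count) and the origin list from 16.3.1 all live under the same registry key, so they are best applied and audited together. The following PowerShell script is an added example and not part of the manual or the product. The DWORD value names are those listed in this section; the manual does not give the name of the REG_SZ origins value, so it is a mandatory parameter you have to take from your installation. The operator count, the origin and the tighter 900-second token lifetime are assumptions of this example.

```powershell
# Added example, not part of the manual or the product: apply the hardened token
# settings from 16.3.2 and the origin list from 16.3.1 to the helpdesk service
# registry key, then read them back and flag weak settings.
# Assumptions: the name of the REG_SZ origins value (not given in the manual),
# the operator count, and a token lifetime tighter than the 3600 s default.

$HelpdeskWebKey = 'HKLM:\SOFTWARE\cpsd\SecureDisk\helpdesk\web'   # key named in the manual

function Get-HelpdeskWebSecurity {
    param([Parameter(Mandatory)] [string] $OriginsValueName)
    $p = Get-ItemProperty -LiteralPath $HelpdeskWebKey
    $findings = @()
    if ($p.RestTokenRenewExpire  -ne 0) { $findings += 'RestTokenRenewExpire is not 0 (sliding expiry)' }
    if ($p.RestCSRFTokenRequired -ne 1) { $findings += 'RestCSRFTokenRequired is not 1 (CSRF token off)' }
    if ($p.RestTokenMaxAge -gt 3600)    { $findings += 'RestTokenMaxAge exceeds the 3600 s default' }
    foreach ($o in ($p.$OriginsValueName -split ';')) {
        if ($o -like 'http://*') { $findings += "plain-HTTP origin $o" }
    }
    [pscustomobject]@{
        Key                       = $HelpdeskWebKey
        RestTokenMaxAge           = $p.RestTokenMaxAge
        RestTokenRenewExpire      = $p.RestTokenRenewExpire
        RestTokenDeltaTime        = $p.RestTokenDeltaTime
        RestTokenWhitelistMaxSize = $p.RestTokenWhitelistMaxSize
        RestCSRFTokenRequired     = $p.RestCSRFTokenRequired
        Origins                   = $p.$OriginsValueName
        Findings                  = $findings
    }
}

function Set-HelpdeskWebSecurity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $AllowedOrigins,     # e.g. 'https://SecureDiskWEBHelpdesk:4433'
        [Parameter(Mandatory)] [string]   $OriginsValueName,   # REG_SZ value name; not given in the manual
        [Parameter(Mandatory)] [int]      $OperatorCount,
        [int] $TokenMaxAgeSeconds = 900                         # assumption: tighter than the 3600 default
    )

    # The manual's format is exactly 'Protocol://URL:Port'. Be strict: a trailing
    # slash or a path would not match a browser origin; HTTPS is required anyway.
    foreach ($o in $AllowedOrigins) {
        if ($o -notmatch '^https://[A-Za-z0-9.-]+:\d{1,5}$') {
            throw "Origin '$o' is not of the form https://host:port"
        }
    }

    if (-not (Test-Path -LiteralPath $HelpdeskWebKey)) {
        New-Item -Path $HelpdeskWebKey -Force | Out-Null
    }

    $desired = [ordered]@{
        RestTokenMaxAge           = $TokenMaxAgeSeconds
        RestTokenRenewExpire      = 0                                       # manual: recommended
        RestTokenDeltaTime        = 2                                       # manual default
        RestTokenWhitelistMaxSize = [Math]::Max(1000, $OperatorCount * 2)   # manual: at least operators * 2
        RestCSRFTokenRequired     = 1                                       # manual: recommended
    }

    foreach ($name in $desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$HelpdeskWebKey\$name", "set DWORD $($desired[$name])")) {
            Set-ItemProperty -LiteralPath $HelpdeskWebKey -Name $name -Value ([int]$desired[$name]) -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess("$HelpdeskWebKey\$OriginsValueName", 'set REG_SZ origin list')) {
        Set-ItemProperty -LiteralPath $HelpdeskWebKey -Name $OriginsValueName `
            -Value ($AllowedOrigins -join ';') -Type String
    }

    # Read back so the result reflects what is actually in the registry.
    Get-HelpdeskWebSecurity -OriginsValueName $OriginsValueName
}

# Usage (origin, value name and operator count are your own input; run elevated):
# Set-HelpdeskWebSecurity -AllowedOrigins 'https://SecureDiskWEBHelpdesk:4433' `
#     -OriginsValueName '<REG_SZ value name from your installation>' -OperatorCount 40
```

Run Get-HelpdeskWebSecurity on its own as a periodic check: an empty Findings list means the two CAUTION recommendations of this section are in force and no origin is reachable over plain HTTP.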

16.3.3 Authentication to the WEB Helpdesk

HINT! Note that the WEB Helpdesk does not support administrative functionality. The creation and configuration of helpdesk operator accounts has to be done in the helpdesk console (see 16.2.2). The CryptoPro Secure Disk for BitLocker WEB helpdesk supports simple logon (user ID and password) only. Operator accounts with this authentication method must already exist.

In the logon dialog the operator has to enter the operator name, the required helpdesk instance (optional) and his password. See 16.2.1.

16.3.4 Helpdesk actions with the WEB Helpdesk

After successful authentication, the WEB helpdesk selection dialog is displayed.

Online Helpdesk Here you can choose the online helpdesk. HINT! Beneath the online helpdesk symbol, the number of pending online helpdesk requests is shown. This indicator is not refreshed automatically; a manual refresh is required.

Offline Helpdesk Here you can choose the offline helpdesk.

Logout With this item the operator can log off. The currently logged on operator (with instance name) is displayed.

Language With the flag symbol the language can be selected. Supported languages are German and English.

Online Helpdesk The online helpdesk displays an overview of open online helpdesk requests.

request id or username Here the list of open requests can be filtered according to the defined value.

If a request is selected, the available options of the operator are displayed.

For a description of the options please see 16.2.3.

Apply options With this button the selected option will be applied to the client computer.

Cancel With this button the helpdesk action will be cancelled.

Offline Helpdesk The offline helpdesk displays the input fields for the challenge values.

Provide username Here you must select the user who was selected at the client computer to perform Single Sign-On to the operating system. HINT! This field ensures that the user at the client logs on with exactly the user account he told the helpdesk operator. By entering the correct user, the security of the challenge-response method can be tremendously enhanced. If you do not want to use this security method, this step can be bypassed.

Username for report Here the name of the user who requires help can be entered. HINT! There is no check whether the input value is correct. The purpose of this field is only to add the entered information to the helpdesk report.

Computername for report Here the name of the computer on which the helpdesk action is performed can be entered. HINT! There is no check whether the input value is correct. The purpose of this field is only to add the entered information to the helpdesk report.

Challenge input fields In these input fields the character string has to be entered which the user submitted by phone.

HINT! Initially only the entry blocks A and B are visible. After data input in those blocks, the rest of the blocks for the challenge response will be displayed.

HINT! Depending on the configuration of the client the length of the challenge and response can be variable.

If the magnifying glass beneath Provide username is pressed, the user-search is activated.

At first the field Computername is displayed. There you have to enter the name of the according computer. After a short time all PBA user accounts of this computer are displayed for selection. HINT! The user search requires the connection of the helpdesk with the central database. Without this connection the user search is not available.

After successful input of the challenge values, all possible options for the helpdesk operator are displayed.

For a description of the options please see 16.2.3.

Apply options With this button the response values are displayed.

Cancel With this button the helpdesk action is cancelled.

After pressing Apply options the response is displayed.

The response has to be transferred to the user by phone to finish the helpdesk action.

HINT! Depending on the configuration of the client, the length of the challenge and response can vary.

17 Friendly Network and software distribution

The PBA as a security feature prevents unauthorized access to the client computer. As a consequence, events that are quite intended, like the unattended start of a computer (e.g. for software distribution), are prevented from execution as well. To allow such events in conjunction with the PBA, Friendly Network is implemented. CryptoPro Secure Disk for BitLocker differentiates between two Friendly Network scenarios:

Friendly Network If Friendly Network is activated, the CryptoPro Secure Disk for BitLocker PBA connects to the central service directly after the start. It tries to get the client logon credentials from the server. If the logon credentials are available, a user authentication in the PBA is not required. The computer starts up to the user authentication of Windows.

As long as the computer is within a protected network, the central service is accessible. In this case the logon to the PBA is omitted, and the user must authenticate himself within Windows. If the computer is removed from the protected network (e.g. external usage), it is not possible to get the data from the central service and a PBA authentication is required.

Secure Software Distribution In this case the computer establishes the connection to the central service after a certain (definable) time frame of inactivity, to get the logon credentials. If the user is active before this time frame ends, a normal PBA authentication is necessary. HINT! This functionality is used for scenarios of remote software distribution.

If Friendly Network or Secure Software Distribution are activated, the client connects to the central service, to get the required credentials for the start of the encrypted system. The behavior of the client will be defined via administration console (look at "9.3 Friendly Network").

HINT! The configuration of the client for Friendly Network or Secure Software Distribution alone is not sufficient. Additionally it is required to configure the central service so that the according client gets the credentials from the server. Therefore the functionality of Friendly Network or Secure Software Distribution can be activated or deactivated at any time, without configuration changes at the client.

The central Friendly Network Console is a tool, which is used to configure which computer at which time should be able to get its credentials.

17.1 Authentication on the Friendly Network console

The Friendly Network administrator must authenticate himself at the console. The authentication is done similarly as for other consoles of CryptoPro Secure Disk for BitLocker (look at "8.1 Authentication as security-operator to the central consoles"). HINT! Friendly Network and the administration of recovery data are running under the same service. Therefore the authentication on the Friendly Network console is at the same time an authentication on the recovery console and vice versa.

17.2 Initialization of the Friendly Network console

With the first call of the Friendly Network (or Recovery) console an initialization has to be done. At this moment the connection to the specific central service is established. The central service must already be installed at this moment (look at "4 Installation | Uninstallation of the administrative components").

17.3 Administration of Friendly Network

Via the Friendly Network console you can define which client computer at which time should get logon credentials for Friendly Network or Secure Software Distribution. The Friendly Network console displays all available computers of the Active Directory. For every displayed computer you can activate Friendly Network or define a time frame within which a Secure Software Distribution request is answered. Outside this time frame, Secure Software Distribution is not possible for this client.

HINT! If, for an Active Directory node with several computers, a time frame has been defined or Friendly Network is activated, this setting is valid for all child computers of this node.

Computers or nodes with a defined time frame are colored within the list. With Activate Friendly Network you can activate or deactivate Friendly Network for specific computers. For selected computers or network nodes, under Secure Software Distribution TimeSpan the time span (with start and end time) is displayed.

Remove deletes an existing entry for a time span. Edit opens a window to edit an existing time span entry. Add opens a window for the definition of a new time span entry.

17.3.1 Define Friendly Network time span

With Edit or Add the window to edit time span entries is opened.

Start time Here you can define the start time of a time span in which Friendly Network should be possible. The definition is done by date and time.

until Here you can define the end time of a time span in which Friendly Network should be possible. The definition is done by date and time.

Comments Optionally you can enter a comment here.

17.3.2 Administrate Friendly Network administrators

For the Friendly Network console multiple administrators with different authorizations can exist. The Friendly Network console supports the administration of these administrators. HINT! Friendly Network and the administration of recovery data are running under the same service. Therefore the administrator accounts for these two functionalities are identical. Within the Friendly Network console you can administrate administrators for both functionalities.

All administrator accounts are listed. If you select a Friendly Network administrator from the list, the details for the selected administrator are displayed under Administration realms, Rights and Logon. Under Name the name of the administrator is displayed. In the next field the required authentication method of the administrator is displayed.

Under Administration realms you can see which parts of the Active Directory can be administrated by the respective Friendly Network administrator. With the symbols beside it you can add or remove realms.

If no realms are defined, the administrator is authorized to perform Friendly Network administration for all computers of the Active Directory.

Allow Single Sign On is only displayed for Friendly Network administrators which are authenticated as AD user. Here you can define whether SSO is activated, so that the administrator does not have to authenticate himself explicitly on the Friendly Network console if he is already logged on as Windows user on his computer.

Under Rights you can administrate the privileges of the selected administrator.

Allow central administration Here it is displayed whether the administrator is authorized to administrate client computers via the central administration console.

Allow Friendly Network administration Here it is displayed whether the administrator is authorized to administrate Friendly Network.

Allow recovery administration Here it is displayed whether the administrator is authorized to administrate the recovery functionality.

Allow Add/Remove administrators Here it is displayed whether the administrator is authorized to administrate other administrators.

Allow Add Domain Here it is displayed whether the administrator is authorized to add domains to the Active Directory tree which can be administrated from the consoles of CryptoPro Secure Disk for BitLocker.

With Delete Selected you can delete an existing administrator account. With Edit you can edit settings of an existing administrator account. With Add new Admin you can create a new administrator account.

18 Password Management Console

The Password Management console is a tool to set randomly generated passwords for domain users which log on to the PBA with a certificate based account. For the domain user a certificate and a userID must be assigned within the Active Directory. A random password is generated for the user, which is saved encrypted in the central database of CryptoPro Secure Disk for BitLocker and additionally set as the active Active Directory password for this user account.

At a logon of the user to the PBA (which is performed with smartcard and certificate), the PBA creates a connection to the central service of CryptoPro Secure Disk for BitLocker and verifies whether a (new) password is available for this user. If this is the case, the password, together with the userID, is transferred in encrypted form to the client. It is stored as SSO logon credentials for the PBA user account. In a helpdesk case these SSO logon credentials can be used at a later time to perform a Windows logon.

INFO! To force the PBA to request the SSO credentials from the central service at a smartcard logon, the option "Get SSO Password Credentials for smartcard user from central Service" in the SSO Settings of the administration console must be activated! Look at chapter "15.6.1 Single Sign On Methods" for more information.

18.1 Selection of Users, Set Passwords

In the left part of the console the Active Directory tree (with all centrally administrated and configured domains) is displayed (look at chapter "8 Central administration"). For a better overview, only container objects and users are displayed.

To select a user, you have to select the check box next to the user name. If the check box of a container object is checked, all users within this container are selected.

The currently selected users are displayed in the right part of the console. Users that have no random password yet are displayed with a grey avatar. As soon as a random password has been set, the user is displayed with a green avatar.

If, at the activation of the check box of a container node, the item "Select Sub Folder" is checked, all underlying users of the selected container object are selected recursively:

HINT! The recursive user selection (check box "Select Sub Folder") can be time consuming if the Active Directory has a lot of users or container objects!

By clicking the button "Set Passwords", random passwords are generated for the selected users. If a user already had a random password, it is replaced by a new one.

CAUTION! Please keep in mind that the original Active Directory passwords are overwritten by this action, and there is no possibility to reconstruct them!

It is possible that setting passwords for Active Directory users within specific domains requires elevated user privileges. Therefore you have the opportunity to enter logon credentials for every domain. With a right-click on the domain node you can open the specific password dialog:

HINT! Such logon credentials can only be defined at domain root nodes.

18.2 Delete Passwords

Analogous to the setting of user passwords, an existing password can be deleted. By selecting a user and pressing the button "Delete passwords", the password is deleted from the central database.

INFO! Deleting a password does not require advanced user privileges, because this activity does not require write access to the Active Directory. The delete operation deletes the random password only from the central administration database. In the Active Directory the previously defined random password remains!

18.3 Update random password

If within the SSO settings of the central administration console the option "Get SSO password credentials for smartcard user from central service" is activated (look at chapter "15.6.1 Single Sign On Methods"), at every smartcard logon in the PBA it is verified whether SSO credentials have been defined for the specific user in the central database. If this is the case, these credentials are saved to the PBA user account. If the user already got SSO credentials due to a previous PBA logon, but a new random password has been generated in the meantime, the existing SSO credentials of the user are updated with the newer credentials.

19 Hardware Profile

Administrators can create hardware profiles for specific notebooks or desktop PCs.

With a hardware profile the computer will be started with the correct configuration without hardware self test.

19.1 Create Hardware Profiles

The following steps have to be done by the administrator before rollout to create specific hardware profiles:

1. Install CryptoPro Secure Disk for BitLocker on a client computer of each different kind of hardware.
2. After the installation the self test is started to detect the correct hardware configuration.
3. As soon as Windows has started correctly, the specific hardware configuration is saved to the file 'ProgramData\SecureDisk\Client\hwsettings.log'.

Example

[Hewlett-Packard - HP EliteBook 6930p]
ACPI = off
Reset AHCI = on
Reset AHCI host = on
BIOS disk reset = off
Boot through BIOS = no
Boot data on disk = no

This configuration can be installed with the rollout. For this purpose the settings must be saved to the file 'hw_profiles.txt'.

You can save multiple computer configurations in the file 'hw_profiles.txt'!

Example

[Dell Inc. - 0JKDHD]
ACPI = on
Reset AHCI = on
Reset AHCI host = off
BIOS disk reset = off
Boot through BIOS = no
Boot data on disk = no

[Hewlett-Packard - HP EliteBook 6930p]
ACPI = off
Reset AHCI = on
Reset AHCI host = on
BIOS disk reset = off
Boot through BIOS = no
Boot data on disk = no

[LENOVO - 4243P95]
ACPI = on
Reset AHCI = on
Reset AHCI host = off
BIOS disk reset = off
Boot through BIOS = no
Boot data on disk = no

19.2 Distribution of hardware profiles with the installation

The hardware profiles can be installed with the MSI command, for example: msiexec /i EDAClient.msi HW_PROFILES=C:\hw_profiles.txt

Hardware profiles are processed if 'hw_profiles.txt' is found within the CryptoPro Secure Disk for BitLocker installation folder during installation.

19.3 Distribution of hardware profiles after the installation

Hardware profiles can be loaded at any time after the installation.

For this purpose, the file 'hw_profiles.txt' has to be copied to the folder 'Program Files\SecureDisk\Client'.

After a restart, the new configuration is active.
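An added example for the hardware profile workflow above (written for this page, not part of the CryptoPro Secure Disk product): it parses the '[Manufacturer - Model]' sections of hwsettings.log and hw_profiles.txt, validates the settings, and merges the self-test result of a reference machine into the rollout file. That the six settings in the manual's examples are the complete key set, and that they only take on/off or yes/no, is an assumption of this example.

```python
import re
from collections import OrderedDict

# Settings seen in the manual's example profiles and the values they take.
# That this is the complete key set is an assumption of this example.
HW_KEYS = {
    "ACPI": ("on", "off"),
    "Reset AHCI": ("on", "off"),
    "Reset AHCI host": ("on", "off"),
    "BIOS disk reset": ("on", "off"),
    "Boot through BIOS": ("yes", "no"),
    "Boot data on disk": ("yes", "no"),
}
# Section header: "[<manufacturer> - <model>]"
SECTION_RE = re.compile(r"^\[(?P<vendor>[^\]]+?) - (?P<model>[^\]]+)\]$")


class ProfileError(ValueError):
    """A line of hw_profiles.txt / hwsettings.log that does not fit the format."""


def parse_profiles(text):
    """Parse profile text into {"Vendor - Model": {setting: value}}, in file order."""
    profiles = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = f"{m['vendor']} - {m['model']}"
            if name in profiles:
                raise ProfileError(f"line {lineno}: duplicate profile {name!r}")
            current = profiles[name] = {}
            continue
        if current is None or "=" not in line:
            raise ProfileError(f"line {lineno}: expected '[Vendor - Model]' or 'setting = value'")
        key, _, value = (part.strip() for part in line.partition("="))
        if key not in HW_KEYS:
            raise ProfileError(f"line {lineno}: unknown setting {key!r}")
        if value not in HW_KEYS[key]:
            raise ProfileError(f"line {lineno}: {key!r} must be one of {HW_KEYS[key]}")
        current[key] = value
    # Every profile must carry every setting, otherwise the client would boot
    # with an undefined value for it.
    for name, settings in profiles.items():
        missing = [k for k in HW_KEYS if k not in settings]
        if missing:
            raise ProfileError(f"profile {name!r} is missing {missing}")
    return profiles


def merge_profiles(hw_profiles_text, hwsettings_text):
    """Add the profile(s) captured in a client's hwsettings.log to the rollout
    file; a newer self-test result for the same hardware replaces the old one."""
    merged = parse_profiles(hw_profiles_text)
    merged.update(parse_profiles(hwsettings_text))
    return merged


def format_profiles(profiles):
    """Render profiles back into the hw_profiles.txt layout."""
    blocks = []
    for name, settings in profiles.items():
        blocks.append("\n".join([f"[{name}]"] + [f"{k} = {settings[k]}" for k in HW_KEYS]))
    return "\n\n".join(blocks) + "\n"


def profile_error(text):
    """Return the validation message for text, or None if it parses cleanly."""
    try:
        parse_profiles(text)
    except ProfileError as exc:
        return str(exc)
    return None


# Constructed sample files, copied from the manual's example profiles.
HW_PROFILES_TXT = """\
[Dell Inc. - 0JKDHD]
ACPI = on
Reset AHCI = on
Reset AHCI host = off
BIOS disk reset = off
Boot through BIOS = no
Boot data on disk = no
"""
HWSETTINGS_LOG = """\
[Hewlett-Packard - HP EliteBook 6930p]
ACPI = off
Reset AHCI = on
Reset AHCI host = on
BIOS disk reset = off
Boot through BIOS = no
Boot data on disk = no
"""

if __name__ == "__main__":
    print(format_profiles(merge_profiles(HW_PROFILES_TXT, HWSETTINGS_LOG)))
```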

20 Emergency recovery

Recovery (data recovery and disaster repair) is used for emergency recovery and to avoid data loss. The main component is the CryptoPro Secure Disk for BitLocker recovery application, which is able to recover corrupted CryptoPro Secure Disk for BitLocker installations and enables access to, repair of or decryption of encrypted partitions. As the recovery mode is used to recover corrupted systems, the CryptoPro Secure Disk for BitLocker recovery application is started out of an emergency environment. The emergency environment can be activated by booting the computer via an external emergency medium, e.g. a DVD. This emergency medium must explicitly be created beforehand. To execute data recovery and disaster repair it is mandatory to have the recovery information of the affected computer. Recovery information is created by the according configuration of the recovery system.

20.1 Set up the recovery system

Setting up the recovery system causes the recovery information to be created and made available. The setup can be done via the settings in the CryptoPro Secure Disk for BitLocker administration (look at "9.4 Recovery management").

20.1.1 Define recovery operators

Only authorized users can access the recovery data. For security reasons those authorized users (recovery operators) are restricted to user accounts which have a certificate based PBA account. There are two kinds of recovery operators: administrators with recovery rights, or PBA users who got this privilege from a recovery operator. Administrators which have been added by the client management and have the recovery authorization can change the recovery settings via the CryptoPro Secure Disk for BitLocker recovery console and can perform the recovery. But they cannot log in to the CryptoPro Secure Disk for BitLocker PBA and the recovery application at the client. Certificate based PBA users can be set as recovery operators by changing the settings in the user settings of the Recovery Authorization (look at "12.2 Add / Change user accounts with the context menu"). Recovery operators can log in to the recovery application which was started from an emergency medium.

20.2 Set up of the external emergency medium

The CryptoPro Secure Disk for BitLocker recovery application can be started via an external medium, like a WinPE boot CD. To set up a WinPE CD you can use tools which are free to download from Microsoft. The instructions how to use those tools to create the WinPE CD can be found in the according documentation. At the preparation of the WinPE recovery CD, one has to install the client package with the feature Windows PE recovery files. If this feature is selected, the required files are installed to the subdirectory PE_DR2 of the product directory. The subfolders x64 and Win32 contain the required files to create a WinPE recovery CD for 64-bit (x64) or 32-bit (Win32) environments:

1. AES_Modul.sys
2. Datadll.dll
3. datastore.sys
4. de.reg
5. DR2.dll
6. EDAProfile.dll
7. EDAProfileEngine.dll
8. EDASRecovery.exe
9. EDASRecoveryDE.dll
10. EDASRecoveryEN.dll
11. en.reg
12. encfilter.sys
13. hdencrypt.sys
14. hdfilter.sys
15. libeay32.dll
16. ssleay32.dll

After creation this folder can be integrated in the WinPE. The recovery application can be started with "EDASRecovery.exe".

20.3 Start of the recovery environment

The recovery environment is necessary to recover corrupted and encrypted systems. For this purpose you need the CryptoPro Secure Disk for BitLocker recovery application, which can be started from the recovery environment.

20.3.1 Start the recovery environment from an external medium

A previously created external bootable recovery medium (look at "20.2 Set up of the external emergency medium") can be used to reboot the computer. After the successful system start the application EDASRecovery.exe must be started.

CAUTION! For some recovery actions it is important that the version of the recovery application is the same as the installed version of CryptoPro Secure Disk for BitLocker. Therefore the recovery process has to be performed in two steps. First start the recovery application from an external medium and load the correct recovery information (see 20.4.1). After the recovery information is loaded, the encrypted partition is accessible. For all recovery actions the recovery application then has to be started from the CryptoPro Secure Disk for BitLocker installation directory.

20.4 Execution of a recovery action

Recovery actions are executed by the CryptoPro Secure Disk for BitLocker recovery application. For every execution of a recovery action, the recovery information for this computer must be loaded. A recovery operator must have the access rights and usually executes the recovery application. For a recovery procedure the following steps are required:

1. Start recovery application The start of the recovery application is described in more detail under "20.3 Start of the recovery environment".

2. Load recovery information

3. Analyze An analysis is executed automatically after loading the recovery information.

4. Execute the recovery action

CAUTION! For all recovery actions, the recovery application then has to be restarted from the CryptoPro Secure Disk for BitLocker installation directory, to make sure that the version of the recovery application is the same as the installed version of CryptoPro Secure Disk for BitLocker.

20.4.1 Load recovery information

After the start of the recovery application the user has several options to load the recovery information:

Logon If the PBA is not corrupted, a logon can be done with a PBA administrator account or by using a PKCS#12 based account. For the logon the PKCS#12 file of the administrator or of the PBA user is required. All necessary information is loaded with the logon.

HINT! This option is only available if the PBA is not corrupted.

HINT! The account of the PKCS#12 user must have recovery operator privileges.

Load file If available, the data with the recovery information for the specific computer can be loaded from a file. HINT! The file with the recovery information is encrypted. To load the file, the according PKCS#12 file with the correct PIN must be available. If the recovery data was not created on this computer, a warning message shows up that the recovery data has been created by another system. If the key is valid for the system, you can continue to work without any restrictions.

Connect with the central administration If the recovery information for the computer is available on a central recovery server, it can be loaded online (look at: "20.5 Central recovery console"). The online connection to the server requires one of two available authentication options:

PKCS#12 file A user can specify a PKCS#12 file with the according password. If the user was a valid recovery operator at the time when the recovery information was sent to the server, the PKCS#12 file and password can directly be used to decrypt the received recovery information. In this case the transmission of the data from the server to the client is done automatically without any user interaction on the server. If the centrally stored recovery data is not directly usable with the given PKCS#12 file, the data must be prepared at the central system for this user. In this case an operator on the central server must approve this interaction.

Password Alternatively the user can request the recovery data encrypted with a password. In this case a request ID is generated and the request is queued on the server. The request ID must be submitted (by phone) to the operator of the central recovery server, who approves the request. The local recovery operator receives the password, which must be entered into the recovery application.

20.4.2 Possible recovery actions

The possible recovery actions are a result of the status of the system analysis. If problems are detected for a component by this analysis, the according component is displayed with a red cross in the system information. If this component can be recovered, a button is displayed which can be used to perform the recovery. If the component is marked with a green check mark, there is no need for a recovery action. The recovery functions are only possible with loaded recovery data:

CAUTION! For most recovery actions it is important that the version of the recovery application is the same as the installed version of CryptoPro Secure Disk for BitLocker. Therefore the recovery process has to be performed in two steps. First start the recovery application from an external medium and load the correct recovery information (see 20.4.1), so that the encrypted partitions are accessible. For all recovery actions the recovery application then has to be started from the CryptoPro Secure Disk for BitLocker installation directory.

Data storage and repair Decrypt disk Encrypted drives can be decrypted via Microsoft Manage-bde com- mands, as long as the right key is available. (look at: "21 Emergency Recovery Bitlocker")

Set partition active Depending if the PBA is currently active or not, the PBA can be activated or deactivated by the button deactivate/activate on the right side of the screen. This will set the active partition of the system. With Deactivate the primarily active partition will be activated. With Activate the PBA partition will be activated. CAUTION! If the PBA-Partition will be set inactive, you cannot access an encrypted parti- tion after the restart. If the active partition is encrypted, the restart will fail.

Initialize PBA If a problem is detected with the internal structure of the PBA, you have the possibility to re-initialize the PBA. In this case all existing settings will be revoked and the installation status will be recovered. All users and admin- istrators will be revoked as well as well as the settings for the encryption. The currently loaded data keys will be taken over, so that eventually encrypted par- titions will remain accessible. Since the encryption state after re-initialization is set to all drives plain, after a restart the system will decrypt all encrypted hard drives. If a problem was detected with the internal structures, a button Repair next to the field Data storage is valid will be displayed. In this case the installation

Page 191 CryptoPro Secure Disk for BitLocker Administration manual

20 EMERGENCY RECOVERY

directory of the product and the Windows system partition have to be selected. The installation directory is needed, as some of the data will be transferred into the structure of the PBA. The Windows system partition is required, that the system can be started appropriate after the PBA. HINT! For the initialization of the PBA the installation directory must be addressed, as some of the files from this folder will be needed. The Windows boot partition must be addressed, as after the successful authentication the PBA has to start the correct partition. Initialize Linux PBA If the boot loader of the CryptoPro Secure Disk for Bit- Locker PBA is corrupted, the complete Linux-PBA can be re initialized. If a problem with the Linux PBA is detected, the button Repair next to the display message PBA Linux correct will be displayed. HINT! For the initialization of the PBA the installation directory must be addressed, as some of the files from this folder will be needed. Change PBA boot configuration The recovery application has the option to change the boot configuration of the PBA. The current configuration data will be dis- played in the window.

Load hardware profile After the repair, the specific hardware profile can be loaded. Select hwsetting.log or hwprofiles.txt and press the Apply button.

Load from disk Shows the values of the current settings in the PBA.

Default Settings Resets the configuration to the default settings.

Save Stores the changed data.

CAUTION! Wrong configuration data can result in a system that does not start.


20.5 Central recovery console

The recovery console supports the administrator in managing the recovery information for many different clients. CryptoPro Secure Disk for BitLocker gives you the opportunity to store recovery information for different computers in a central place. If the system is configured for online recovery, the recovery operator can receive the recovery information directly from the recovery service via an existing online connection. The central recovery service can prepare (encrypt) the requested recovery information so that the recovery operator can read it. For this purpose the recovery service is used via the recovery console.

20.5.1 Authentication to the recovery console

The recovery console requires authentication as an authorized recovery administrator.

The logon is performed, like the logon to the administration consoles, either with a PKCS#12 file, with a simple logon with user name and password, or with the current Windows user account.

HINT! Friendly Network and recovery run under the same service. Therefore an authentication on the Friendly Network console is at the same time an authentication on the recovery console, and vice versa.

20.5.2 Administrate recovery administrators

For the recovery console multiple administrators with different access rights can exist. The recovery console supports the administration of those administrators.

HINT! Friendly Network and recovery are provided by the same service, therefore the administrator accounts for both functions are identical. Within the recovery console, the administrators for both functionalities can be administrated.

All administrator accounts are listed. Within this list all access rights are displayed.

Name Displays the name of the administrator.

Logon allowed Displays if the administrator has the right to log on to this console.


Administrator administration allowed Displays if the administrator has the rights to administrate other administrators.

Recovery allowed Displays if the administrator has the rights for the recovery administration.

Friendly Network allowed Displays if the administrator has the rights for the Friendly Network administration.

With Delete existing admin accounts can be deleted. With Edit existing admin accounts can be edited. With New Admin a new admin account can be created.

20.5.3 Preparation of the recovery information

To make the recovery information usable for recovery operators, it may be necessary to prepare it by re-encryption. The recovery information of one or more computers can be re-encrypted via the central console so that a specific recovery operator can use it. The offline mode of the recovery console is used to re-encrypt stored recovery information for a specific recovery operator. The re-encrypted recovery information can be saved as a recovery file.


Computer Defines the computer whose recovery information you want to re-encrypt.

HINT! Displays all computers which have recovery information available in this console.

Create recovery info for logged in administrator With this option the recovery information is encrypted so that the administrator who is currently logged on at the recovery console can use the recovery information with his PKCS#12 file.

Encrypt recovery info with password With this option the selected recovery information is encrypted with the password entered under Password. This password is required to use the recovery information.


Encrypt recovery with the public key of the central admin With this option the selected recovery information is encrypted for an existing administrator of the recovery (resp. Friendly Network) console. This administrator needs his PKCS#12 file to use the recovery information.

Encrypt recovery information with a public key from certificate With this option any certificate file (*.cer) can be specified under File Name. To use the recovery information, the PKCS#12 file matching this certificate is required.

The online mode of the recovery console serves support operators who have requested specific recovery information via an existing online connection. If this recovery information exists within the recovery console in a form that can be used directly by the requesting operator, no further action is required. If the recovery information is not readable for the operator, it has to be re-encrypted. In this case the operator, after the request, contacts the administrator of the recovery console by phone. The request is visible in the recovery console and can be identified via its ID.


The administrator of the recovery console, after verification, has to approve or reject the request. If a password-protected recovery information file was requested instead of a PKCS#12-protected file, the password has to be entered in the following dialog.


The console administrator and the recovery operator must exchange the password by phone.


21 Emergency Recovery Bitlocker

In the case of corrupted systems, specific mechanisms are needed to recover encrypted data. Microsoft BitLocker provides several tools and mechanisms for the recovery of corrupted data; details can be found in the documentation of Microsoft BitLocker. In addition to the recovery mechanisms provided by Microsoft, CryptoPro Secure Disk for BitLocker offers a simple way to administrate the recovery password for Microsoft BitLocker. For this purpose the system has to be configured so that the recovery data is generated and either stored centrally or stored to a directory (look at "9.4.1 Recovery"). With the BitLocker Recovery Tool of CryptoPro Secure Disk for BitLocker, the BitLocker recovery password can be displayed.

At the start of the Recovery Tool a dialog to select the mode is displayed.

Load Recovery Data This option has to be selected if the recovery-information of the specific computer has been saved in a file (look at: "9.4.1 Recovery").

Central Administration This option has to be selected if the recovery information of the specific computer has been stored centrally (look at: "9.4.1 Recovery").


21.1 Emergency Recovery with recovery file

If Load Recovery File was selected, the recovery operator must authenticate himself with his PKCS#12 file.

After successful authentication a file selection dialog will be displayed where you can select the specific recovery-file. As long as the authenticated recovery-operator has the required access rights, the BitLocker-recovery-password will be displayed.

21.2 Central emergency recovery

After selecting Central Administration, the recovery operator must authenticate himself at the central administration.


After successful authentication, an overview of all administrated client computers will be displayed.


With Display BitLocker password the BitLocker-recovery-password of the selected computer will be displayed.


22 Desinfect - Anti Virus

Many anti-virus products provide a bootable rescue CD which supports finding and removing viruses even if the computer cannot be started anymore, or if the malware cannot be detected and removed in the running Windows system. Since the usage of such rescue CDs requires the computer to be booted from an external medium, this approach is not applicable in the case of encrypted hard disks. Desinfect supports virus scanning, from an external environment, of hard disks that are encrypted with Windows BitLocker resp. CryptoPro Secure Disk for BitLocker. The scan process can be centrally administered with the Desinfect console.

HINT! Scanning of partly encrypted systems (systems where the initial encryption is not finished) is not supported. On such systems you have to wait for the initial encryption to finish before a virus scan can be performed.

CAUTION! Note that the usage of Desinfect requires specific client licenses. Even if licenses of CryptoPro Secure Disk for BitLocker are already available, additional Desinfect licenses have to be purchased to use the Desinfect functionality.

The administration of Desinfect requires two steps: With the CryptoPro Secure Disk for BitLocker administration console ("7.3 The CryptoPro Secure Disk for BitLocker Administration console") the virus scan functionality is generally enabled resp. disabled for specific client computers. The CryptoPro Secure Disk for BitLocker administration console also has to be used to define the required network configuration. All other configuration settings concerning the virus scan functionality are performed with the Desinfect console.

22.1 Activating Desinfect

Desinfect is activated resp. deactivated for specific client computers with the CryptoPro Secure Disk for BitLocker administration console (see "7.3 The CryptoPro Secure Disk for BitLocker Administration console").


Activate PBA virus scanner Activates resp. deactivates the virus scan functionality of Desinfect for the selected client.

HINT! Note that if this option is not activated for a client, all settings in the Desinfect console become ineffective for the selected client!

HINT! Note that if this option is activated, a client license for Desinfect will be used by the selected client computer.

Virus scanner only mode Defines if the selected client computer should only use the functionality of Desinfect (if this option is activated) or additionally uses the CryptoPro Secure Disk for BitLocker PBA and encryption (if this option is deactivated).

HINT! If the option Virus scanner only mode is activated, a virus scan is only possible if the client computer is connected to the central service of CryptoPro Secure Disk for BitLocker.

HINT! If the option Virus scanner only mode is activated, the CryptoPro Secure Disk for BitLocker PBA is deactivated. In this case all other settings of the CryptoPro Secure Disk for BitLocker administration console except network settings and Desinfect activation are ineffective (see "22.2 Network settings of Desinfect").


HINT! If the option Virus scanner only mode is activated, but at the same time CryptoPro Secure Disk for BitLocker is configured to encrypt the client computer, this encryption will not be performed by CryptoPro Secure Disk for BitLocker. Therefore the affected clients are displayed in red in the console.

22.2 Network settings of Desinfect

The network settings of Desinfect are configured in the central administration console of CryptoPro Secure Disk for BitLocker. The settings include the Network settings of the Advanced settings (see "15.2.5 Network Settings") and the 802.1X settings (see "15.10 802.1x").

22.3 The Desinfect console

If Desinfect was activated and the network settings were defined in the CryptoPro Secure Disk for BitLocker administration console, the functionality of Desinfect is administered in its own console. With the Desinfect console it can be defined on which client computer and at which time a virus scan should be performed. Additionally, the behaviour of the virus scan can be configured. The console shows all client computers according to the Active Directory. For each displayed computer resp. node it is possible to define specific settings.

HINT! If settings are assigned to an Active Directory node that contains sub-nodes, those settings apply to all sub-nodes as long as the inheritance is not interrupted (see "8.7 Inheritance of configuration settings").

22.3.1 Authentication to the Desinfect console

The Desinfect administrator has to authenticate to the console. The authentication is performed in the same way as for the other consoles of CryptoPro Secure Disk for BitLocker (see "8.1 Authentication as security-operator to the central consoles").

HINT! The management of Desinfect administrators is performed in the administration console of CryptoPro Secure Disk for BitLocker (see "8.4 Management of central administrators").

22.3.2 Initialization of the Desinfect console

If the Desinfect console is started for the first time, it has to be initialized. The initialization establishes a connection to the central service of CryptoPro Secure Disk for BitLocker. The central service has to be installed already (see "4 Installation | Uninstallation of the administrative components").

22.3.3 Menu entries

The Desinfect console provides the following menu entries:

File|Logout Performs a logout of the administrator.


File|Close Closes the Desinfect - console.

View|Refresh Refreshes the display of the Desinfect console.

View|Settings Activates the view Settings.

View|Dashboard Activates the view Dashboard.

View|Scan action Activates the view Scan action for the selected node.

Report|export state Exports the current Desinfect report to a CSV file.

Report|refresh state Refreshes the Desinfect report.

Help|License This menu item supports the management of client licenses of Desinfect. View license displays information about the current license. With Set new license a new license file for the Desinfect virus engines can be applied.

CAUTION! The license file of the virus engine cannot be checked at this time. If a wrong or damaged license file is applied, the virus scan on all clients will fail!

HINT! Note that those licenses are just for Desinfect. For CryptoPro Secure Disk for BitLocker with PBA resp. encryption, additional licenses are required.

CAUTION! In addition to the virus engine license files, Desinfect requires its own license file. This license file is managed in Dashboard|Server Status (see "22.3.9 Dashboard|Server Status").

Help|About Displays the about window of Desinfect.

22.3.4 Context menu

The nodes at the left side of the Desinfect console provide a context menu that supports several actions for the selected node:

Inherit settings This option activates the inheritance. Settings that were made directly at the selected node will be discarded. All settings will be inherited from the parent node.


Add scan action Adds a scan action for the selected node.

User can cancel scan Defines if the user on the client computer shall have the opportunity to cancel the scan action.

Reboot and scan now With this option the client computer will be rebooted immediately (after it has received the scan action). Right after the reboot a virus scan will be started.

Reboot and scan in 10 minutes With this option the client computer will be rebooted 10 minutes after it has received the scan action. Right after the reboot a virus scan will be started. The user on the client computer will be informed about the scheduled reboot.

Scan on next reboot With this option a virus scan will be performed at the next reboot of the client computer.

Start scan With this button the scan action with the according settings is activated.

HINT! Note that the client computer needs a connection to the central server of CryptoPro Secure Disk for BitLocker to receive the scan action. Computers that are currently not connected to the network will get the scan action the next time they establish a connection.

Cancel pending scan actions With this option, pending scan actions will be canceled for the selected client computer.


22.3.5 Settings|General settings

Shutdown after scan Defines if a shutdown of the client computer should be performed after a virus scan.

User can cancel scan This option defines if the user on the client computer should have the opportunity to cancel the virus scan.

Move infected files to quarantine Defines if infected files should be moved to a quarantine folder. If this option is not activated, infected files will not be modified by the virus scan.

HINT! Note that a quarantine folder will be created on each drive of the client computer.

Used av engine Defines which virus scan engine should be used.

HINT! Currently AVIRA is the only supported virus scan engine.

HINT! Note that for each virus scan engine specific licenses are required.

22.3.6 Settings|Scan schedule

Supports the definition of a scan schedule which defines at which time a virus scan on the client should be started. If the client computer is started within the defined time frame, a virus scan will be performed.

HINT! Note that a scheduled virus scan requires the client computer to be rebooted within the defined time frame. If no reboot of the computer is performed within the defined time frame, no virus scan will be performed.

HINT! If a scheduled virus scan was not performed, it will not be made up at a later time. The next scheduled scan will be performed when the client computer is booted within a defined time frame according to the schedule.

HINT! Desinfect does not perform an automatic reboot of the client based on the schedule.

Activate scheduled scanning Activates the scheduled scanning. If this option is not activated, all other settings on this page are ineffective.

Scan every day Defines a daily schedule.

Scan once a week Defines a weekly schedule.

Scan once a month Defines a monthly schedule.

Day and time Defines the start day and time of the scan time frame.

Duration in minutes Defines the length of the scan time frame.

22.3.7 Settings|Scan targets

Defines which directories on the client should be searched for viruses. Those settings apply to all virus scans on the client. Either all local drives can be defined as scan targets, or a list of specific targets (drives resp. paths) can be specified. With Add, new scan targets can be added to the list. With the recycle bin symbol, existing targets can be removed from the list.

Scan all drives Defines that all local drives should be scanned for viruses. This option implies a recursive search.

Drive Selects a drive letter for adding to the list of scan targets.

Path Selects a path for adding to the list of scan targets.

Recursive Defines if all subdirectories should be scanned.

Browse Opens a directory selection dialog for the field Path.

Add Adds a new scan target according to the selected options.

22.3.8 Settings|Status

This option shows details about the performed virus scans on a client.

HINT! This option is only displayed if a client computer is selected.


Client state lists the performed scans. If a scan is selected in the list, the according details are displayed.

22.3.9 Dashboard|Server Status

This option is independent of the selected node. It displays information about the virus scan engine and the components of Desinfect.


Update Refreshes the displayed values.

Choose license With this item the specific license of the virus scan engine can be applied.

22.3.10 Dashboard|Computer overview

This option provides an overview of all managed clients. With View one can select which information should be displayed. Depending on the selected view, the list Option contains different criteria. If an option in the list is selected, all client computers are listed which match the selected option.

Node state Provides a general overview over the managed client computers.

Last scan result Displays information about the last scan results.


Last finished scan Displays information about the time when the last virus scan was finished.


23 Pre-Boot Authentication

This section describes the Pre-Boot Authentication (PBA) of CryptoPro Secure Disk for BitLocker. Within the PBA a user authentication is executed with every start of the computer, and the key which is used to encrypt the hard disk is derived from the authentication credentials. The different authentication options, as well as the other features of the PBA, are described on the following pages.

23.1 First start of the PBA after installation

After the complete installation and initialization of CryptoPro Secure Disk for BitLocker (look at chapter "6 Initialization of the local components"), the PBA is started for the first time. If the default configuration is active at the client, the „capturing of a user with Windows credentials“ is activated, whereby no user authentication is required in the PBA. In this case Windows will be started without user interaction in the PBA (look at chapter "12.3 User capturing").

For the start of Windows out of the CryptoPro Secure Disk for BitLocker PBA, different configuration settings are required depending on the hardware of the client computer. For this reason the PBA activates a self-test mode with the first start, which automatically detects the optimal configuration. To do so, it may be necessary to start the computer several times until the correct configuration is found. If this self-test mode is active, a corresponding dialog is displayed:

INFO! Please don’t switch off the computer during the search for the correct configuration.


It can happen that a black screen appears for some seconds and it looks as if the computer has crashed. Normally the computer restarts automatically until Windows has been started successfully for the first time.

INFO! The self-test can be time consuming. Please don’t interrupt the self-test. The self-test is only executed right after the initialization of the client and its first start. If the system has been successfully configured by the self-test, all further system starts proceed without a self-test.


23.2 Authentication methods

The PBA supports several ways in which a user can be authenticated on a computer. Every authentication form is displayed in a separate dialog window. At the start of the PBA the window that was used for the previous authentication is active. In general a logon to the PBA is possible if one of the following requirements is fulfilled:

- The user account with which you want to log on already exists in the PBA. In this case, after entering the correct credentials (user name and password, PIN, etc.) Windows will be started.

- The user account with which you want to log on does not exist in the PBA, but within the administration „capture a new user“ is activated. In this case a PBA user account will be created directly in the PBA. If a new user account with Windows user name and password should be captured, Windows will start once without an authentication in the PBA. A new PBA user account will be created at the logon to Windows, using the credentials (user name, password, domain) that have been used at the Windows authentication (look at chapter "12.3.1 Initial User Capturing" for more details).

- The user account with which you want to log on does not exist in the PBA, but in the central administration the option „Active Directory Check for unknown password accounts“ has been activated (look at chapter "9.1.2 Authentication with User-ID and Password" for more information).

If you press the F2 key you get to the dialog where you can select the different logon forms:


INFO! It is possible that some of those logon forms are hidden or disabled, as they are not available at this moment (e.g. they could be deactivated by the administration, or no smartcard reader is available).

The possible authentication forms are described in more detail in the following sections.

23.2.1 Authentication with user name and password

The credentials for this logon type include user name, password and domain. If the PBA user account with those credentials exists, Windows will start.

If in the administration the option „capture a new user with Windows credentials“ is activated (look at chapter "12.3.1 Initial User Capturing"), the PBA will not request the credentials and Windows will start without user interaction (a specific PBA user account will be created with the Windows logon data). The user is informed by the following dialog:


If in the administration „Capture password user for the PBA (without Windows credentials)“ is activated, this PBA user account will be created directly in the PBA. In this case the user can enter any user name and a password with a password confirmation:


If the client is administrated via the central administration and the option „Active Directory password check in the PBA“ has been set to the value „Always“ (look at chapter "9 Configure application settings"), a logon to the PBA with a valid Windows Active Directory account is also possible if this user account does not already exist in the PBA. After you enter the credentials, the PBA creates a secure connection to the central administration, whereby the credentials are checked against the Active Directory (AD). If this check is successful, these credentials are used to create a new PBA user account. In this case it is not necessary to activate the automatic capturing for a user account, because due to the successful AD check the PBA user account is created in any case.

HINT! The Active Directory (AD) check requires that the client computer is connected to the network and the administration server is available.

INFO! If you want to log on within the PBA to a domain which is not listed in the domain combo box, you can type in the name of the domain together with the user name. As a delimiter you can use the „@“ or the backslash „\“. Valid forms are: username@domainname or domainname\username.

INFO! It is possible that the PBA is configured in a way that after a certain number of failed password entries the specific PBA user account is locked (look at chapter "15.3.2 Locking"). If a PBA user account is locked, it can be unlocked via a helpdesk action (look at chapter "16.2.3 Helpdesk for a client").


23.2.2 Certificate-based authentication with smartcard

A logon with a smartcard requires that a smartcard reader is available and supported by the PBA, and that the used smartcard can be accessed with an installed PKCS#11 module.

In CryptoPro Secure Disk for BitLocker all CCID-compatible smartcard readers are supported (as of CCID library version 1.4.13).

Per default the following PKCS#11 modules are included:

- SafeNet Authentication Client (eToken) 8.1
- AET Safesign 3.0.2528
- OpenSC 0.11.6
- Cryptovision act/sc interface 6.0.15
- .NET PKCS#11 Libraries 2.2.0.12
- Axalto Access Client Software 5.1 SP1
- IT-Solution trustWare 1.1.0.3
- IDProtect Client 610.11
- Vasco CertiID 3.6.0.138
- CardOS API 5.2b.015

Via administration console you can add PKCS#11-modules from third party providers (look at chapter "9.2.1 Smartcard").

If a smartcard is used for the first time, the system tries to find the matching PKCS#11 module. After a successful logon the matching PKCS#11 module is saved as the appropriate module for this smartcard and is used for all further logons (therefore the first logon can take a bit longer). If the automatic detection is not successful, you can select the appropriate module manually via the option window of the PBA (look at chapter "23.4.2 Windows start options").


If the capturing of smartcard users is activated in the PBA, the user will get a message on the logon screen („Smartcard self-init is active“).

23.2.3 Certificate-based authentication with PKCS#12 file

The second certificate-based logon type in CryptoPro Secure Disk for BitLocker is the logon via PKCS#12 token. The token can be read from a USB mass storage device (e.g. USB stick or external USB hard disk); in the PKCS#12 logon dialog, with the button „Select file“ you can open a file selection dialog and select the token:


The logon will be done similar to the smartcard based logon with PIN:


If in the PBA the capturing of a PKCS#12 user is activated, the user will get a hint at the logon („PKCS#12 self-init is active“).

23.2.4 Biometric authentication with fingerprint

If a fingerprint sensor is available at the client, which is supported by CryptoPro Secure Disk for BitLocker, a logon with fingerprint scan is possible. The following fingerprint scanners from the company UPEK are supported:

- Scanner with strip sensor based on TCD41, TCD42, TCD50v1, TCD50v2
- Scanner with flat sensor based on TCD21 (TFM Module 2.0), TCD50v3
- Scanner with strip sensors based on TCS4B, TCS4C, TCS5B, TCS4K

If the „Capturing of a fingerprint user without password“ option is activated, the user will be requested to enter a name for the PBA user account to be newly created:


Afterwards the user must swipe his finger repeatedly across the fingerprint sensor. The progress of the capturing is displayed in percent:


For further logons the finger must be swiped only once across the sensor:


CAUTION! This type of logon is not recommended due to security reasons!

23.2.5 Combined authentication with user name, password and fingerprint

It is possible to link a username/password-based PBA user account with biometric data. For this purpose the option "Capturing of a fingerprint additionally to a password user" must be activated in the administration (see chapter "12.3.1 Initial User Capturing"). At the next logon with the corresponding user name, the user is asked to scan his fingerprint (similar to the capturing of a fingerprint without password, chapter "23.2.4 Biometric authentication with fingerprint").

The username/password account is then linked with the fingerprint, and logon is only possible with user name, password and fingerprint. In the PBA the user can start by entering user name and password and then scan his finger. Alternatively the user can scan his finger first; the scanned fingerprint is then matched to the appropriate user name, which is already filled in in the dialog window, and the user only has to enter the correct password.

23.2.6 Smartphone based authentication

For smartphone based logon, a smartphone is required. For further details, please see "23.3 Smartphone based authentication".


23.3 Smartphone based authentication

For smartphone based authentication, Android or iOS smartphones can be used. Supported versions are Android 5.0 or later and iOS 10 or later. For smartphone based authentication, the smartphone app CryptoPro Secure Disk Authenticator has to be installed on a suitable smartphone. Please see the documentation of CryptoPro Secure Disk Authenticator for further information.

Smartphone based authentication requires at least one account that was successfully initialized as a smartphone user (see "23.3.1 Initialization of a smartphone user"). The authentication is performed over a Bluetooth connection or a connected USB cable. Alternatively, a smartphone authentication can be done as a "smartphone offline authentication"; this option does not require a Bluetooth or USB connection (see "23.3.2 Smartphone-offline-authentication").

CAUTION! The communication via USB cable is only supported on Android devices!

CAUTION! The communication via Bluetooth requires support of the peripheral mode.

CAUTION! The Bluetooth communication between smartphone and PBA is currently in beta state. Depending on the hardware used, there can be limitations in performance and/or functionality!

The connection between smartphone and PBA is established automatically in the background. As soon as the connection is established, the PBA authentication is triggered by the corresponding authentication button of the smartphone app (see the documentation of CryptoPro Secure Disk Authenticator). No further input in the PBA is required.


23.3.1 Initialization of a smartphone user

The initialization of a smartphone user is performed at the first PBA logon, after the administrator has defined that the corresponding user account is to be converted to a smartphone account (see "12 User Management"). The user is asked to open the QR code reader of the smartphone app and to read the QR code that is displayed by the PBA.

CAUTION! The data for the smartphone initialization are split into two QR codes. After successfully reading the first code, the display of the smartphone app switches from <1/2> to <2/2>. At this point the PBA has to be switched from the first to the second QR code. This can be performed with the button.


If the initialized smartphone user is the first user of the corresponding computer, the public computer key has to be transmitted from the PBA to the smartphone at the first logon. This is also done by reading a two-part QR code. The public key can be displayed by pressing the "Show public key" button in the PBA.


CAUTION! The data for the public key are split into two QR codes. After successfully reading the first code, the display of the smartphone app switches from <1/2> to <2/2>. At this point the PBA has to be switched from the first to the second QR code. This can be performed with the button.


23.3.2 Smartphone-offline-authentication

If neither a Bluetooth nor a USB connection between smartphone and PBA is available, the smartphone offline authentication can be used for logon. It is started by pressing the button. The first step is to select the corresponding smartphone account.


With the button, the next page is displayed.


The QR code has to be read with the QR code reader of the smartphone app. The smartphone app then displays response characters, which have to be typed into the PBA. After successful input, the authentication can be finished with the button.

During offline authentication it can happen that the configuration settings stored in the smartphone app are outdated. In this case the user has to read in the new configuration settings. The configuration settings are displayed by pressing the button. The displayed QR code has to be read with the QR code reader of the smartphone app before a successful offline authentication can be performed.


23.4 Options

By pressing the F8 key you get to the option menu of the PBA. Here you can change several parameters that influence the PBA. All changes made in the PBA are only valid for the current logon. If the parameters are to be changed permanently, these changes must be made in the administration console. The options are described in the following.

23.4.1 General Options

Here you can select the language and keyboard for the PBA. Available are German and English.

23.4.2 Windows start options

Here you can set different parameters for the Windows boot options:

With "Windows start mechanism" you can define whether, after successful authentication, Windows is started directly out of the running PBA or a reboot is executed before Windows starts.

With "Transfer data" you can define how data relevant for the start of an encrypted Windows system are transferred. This can be done via main memory or via the hard disk. (If the data are passed via hard disk, they are encrypted with a key generated internally by the system. When Windows starts, these data are deleted from the hard disk.)

CAUTION! With data transfer via the hard disk, sensitive data are stored on disk. Although the data are stored only temporarily and in encrypted form, this could be a potential attack point! Use this option only in exceptional cases.

Under "Hardware settings" you can define how some hardware components of the computer are configured before Windows starts. You can define whether a BIOS hard disk reset is executed and whether the AHCI (host) controller is reset (if available). Depending on the computer type, different settings can be necessary to start Windows correctly.

HINT! Normally it is not necessary to change the hardware settings manually. The self-test mode of the PBA (see chapter "23.1 First start of the PBA after installation") detects the necessary settings at the first start, so the required configuration is done automatically.

Smartcard options

Under "Active smartcard reader" information on the currently used smartcard reader and smartcard is displayed. It contains the type of reader, the ATR of the smartcard, and the PKCS#11 module to be used.

Under "PKCS#11 provider" all available PKCS#11 modules are listed. For the currently used smartcard you can select a PKCS#11 module: with "Autodetect" the system tries to select the correct module automatically; with "Select" the user can select a specific module for the smartcard.

If there is a problem with the detection of the smartcard, you can restart the PCSC service with "Start PCSC service".


23.4.3 Network

Here you can adapt the network connectivity of the PBA to the actual environment. By default, at start the PBA first tries to obtain a wired network connection via DHCP. Alternatively you can start a connection to a WLAN (WPA or WPA2 only).


23.5 Helpdesk

An important part of the PBA of CryptoPro Secure Disk for BitLocker is the helpdesk functionality. If the client is successfully initialized, you can get to the helpdesk by pressing the F1 key or by clicking the rescue symbol.

In principle CryptoPro Secure Disk for BitLocker has two types of helpdesk variants, an online and an offline variant, which can be activated or deactivated independently of each other (see chapter "11.2 Helpdesk"). If both types are activated, a connection to the online helpdesk is tried first. If this fails (because of missing network connectivity), the user is directed to the offline helpdesk.

Detailed information about the help available via the helpdesk can be found in chapter "16 Helpdesk", especially in sub-chapter "16.2.3 Helpdesk for a client".

23.5.1 Online helpdesk

In the first step the user can decide whether a helpdesk action should be linked to a specific PBA user account and whether the SSO credentials of the user account should be used:

After a click on the "Next" button a RequestID is displayed in the dialog:


This RequestID is used by the helpdesk operator to identify a helpdesk action. After the helpdesk operator has verified and confirmed the helpdesk request, the specific action is executed at the client.

If this action is the activation of a temporary helpdesk PBA user account (see chapter "16.2.3 Helpdesk for a client"), the user must enter a password with which he can log on to the computer for the time defined by the helpdesk operator:


23.5.2 Offline Helpdesk

Similar to the online helpdesk, in the offline case you can first select a PBA user account (see chapter "23.5.1 Online helpdesk").

After a click on the "Next" button you get to the challenge-response screen of the offline case. Depending on the configuration of the challenge and response length (see chapter "11 Helpdesk") this can be 16 groups with 5 digits each. The alphabetic groups of the challenge must be transferred to the helpdesk operator (e.g. by phone); via the helpdesk console the operator gets a response group which the user has to enter in the specific fields:


23.5.3 Temporary helpdesk-account in the PBA

One of the actions which can be executed via the helpdesk at the client is to create a temporary PBA user account. This account is only valid for a limited number of system starts or until a certain date. After this period the account is deleted. The user can log on with a password which was defined at the helpdesk action. As long as this temporary PBA user account is active, the PBA is in a special helpdesk mode. In this mode only the password-based logon with the temporary helpdesk account can be used, and all other PBA user accounts are deactivated:


As long as the client is in helpdesk mode, the user is informed how many system starts or how long this mode will still be active. If the user wants to cancel the helpdesk mode, he can do so by pressing the F12 key. Afterwards the PBA is in normal mode, and therefore the temporary helpdesk account is invalid.


23.6 MISC

23.6.1 Logging

By pressing the F3 key you get to the log screen of the PBA, where the log files of the PBA application (PBA Logfile and Start Logfile) as well as the log messages of the Linux kernel (Kernel Logfile) can be viewed. By clicking the "Save" button these log files can be transferred to an external storage medium.

23.6.2 Virtual keyboard

If the PBA detects that the client is equipped with a touch screen, a symbol is displayed at the bottom right edge of the screen, which can be used to activate a virtual keyboard.

INFO! It is impossible to get to the option screen via the virtual keyboard (Ctrl+Shift+F8). The same is true for a reboot after a PBA logon (Ctrl+Shift+F7). This can only be done with a physical keyboard.


24 Two-Factor authentication

Two-factor authentication is a logon mechanism that requires two factors to complete a logon. Usually two-factor authentication is used with smart card and PIN. The logon via smartcard is also supported by CryptoPro Secure Disk for BitLocker. Furthermore, CryptoPro Secure Disk for BitLocker also supports two-factor authentication for password-based user accounts. This means that the two independent components are no longer PIN (knowledge) and smart card (possession), as with smart card logon, but user ID/password and a second independent factor (for example a YubiKey). Because no certificates are used in the case of two-factor authentication without a smartcard, it is easier to add the second factor to an existing password-based user account. Currently CryptoPro Secure Disk for BitLocker supports the YubiKey as a second factor. How to give a password-based user a second factor is described in chapter "12.2 Add / Change user accounts with the context menu".

This screenshot shows the prompt for the user to use the second factor (the YubiKey):


25 Appendix

25.1 Registry values

CryptoPro Secure Disk for BitLocker supports a number of registry settings that influence the product behaviour.

CAUTION! It is recommended to change the registry settings only if problems occur.

SoapTimeout
Registry path: HKLM\Software\cpsd\SecureDisk\base
Type: DWord
Default value: 5
SOAP timeout in seconds for the communication from client to server.

CarrierTimeout
Registry path: HKLM\Software\cpsd\SecureDisk\base
Type: DWord
Default value: 8
Carrier timeout in seconds for the communication from client to server.

PBANetLinkSpeed100
Registry path: HKLM\Software\cpsd\SecureDisk\base
Type: DWord
Default value: 0
Configures the network card in the PBA to 100 Mbit. Possible values are 0 or 1.

DHCPTimeout
Registry path: HKLM\Software\cpsd\SecureDisk\base
Type: DWord
Default value: 60
DHCP timeout in the PBA in seconds.

DefaultDomain
Registry path: HKLM\Software\cpsd\SecureDisk\base
Type: String
Default value: N.A.
Default domain in the PBA, if the domain display is suppressed.

PBALabelColor
Registry path: HKLM\Software\cpsd\SecureDisk\base
Type: DWord
Default value: N.A.
HTML color code of the PBA font.

PBALabelShadow
Registry path: HKLM\Software\cpsd\SecureDisk\base
Type: DWord
Default value: N.A.
HTML color code of the shadows of the PBA font.

WOLFailedMessageDuration
Registry path: HKLM\Software\cpsd\SecureDisk\base
Type: DWord
Default value: 10
Timeout for Friendly Network errors in seconds.

8021XTimeout
Registry path: HKLM\Software\cpsd\SecureDisk\base
Type: DWord
Default value: 120
Timeout for 802.1X in seconds.

SmartcardRetryCount
Registry path: HKLM\Software\cpsd\SecureDisk\SSO
Type: DWord
Default value: 1
Number of retries for a smartcard connection.

AutoResumeSuspendedBitlocker
Registry path: HKLM\Software\cpsd\SecureDisk\Bitlocker
Type: DWord
Default value: 0
Defines whether BitLocker is resumed automatically after a suspend.

HDDisplayNoUserWarning
Registry path: HKLM\Software\cpsd\SecureDisk\Base
Type: DWord
Default value: 0
Suppresses the warning of the online helpdesk if no user account is selected.

ReleaseDHCPLease
Registry path: HKLM\Software\cpsd\SecureDisk\Base
Type: DWord
Default value: 0
If this entry is set to 0, the DHCP lease of the PBA is not released. If this entry is set to 1, the PBA releases its DHCP lease at every boot.

ResetOnPowerChange
Registry path: HKLM\Software\cpsd\SecureDisk\Base
Type: DWord
Default value: 0
With this setting the laptop is restarted if it is pulled out of the docking station, because in this case the power connection is interrupted.

RequireTlsClientCertificate
Registry path: HKLM\Software\cpsd\SecureDisk\server
Type: DWord
Default value: 0
This registry entry enables mutual TLS for the client-server communication.

CAUTION! This entry has to be made on the server!
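As an added example (not part of the cpsd manual or the product), the following PowerShell script reads the registry values documented above and reports which ones deviate from the documented defaults; the $Documented table is transcribed from this section, while the comparison logic and the explicit warning on RequireTlsClientCertificate are this example's own assumptions.

```powershell
# Added example, not part of the cpsd manual or product: audit the registry
# values documented in section 25.1 and report deviations from the defaults.
# Run in an elevated PowerShell on the client (or on the server for the last entry).
$Base = 'HKLM:\Software\cpsd\SecureDisk'

# Name, subkey and documented default, transcribed from section 25.1.
# $null marks a documented default of "N.A." (no value unless configured).
$Documented = @(
    @{ Name = 'SoapTimeout';                  Key = 'base';      Default = 5     },
    @{ Name = 'CarrierTimeout';               Key = 'base';      Default = 8     },
    @{ Name = 'PBANetLinkSpeed100';           Key = 'base';      Default = 0     },
    @{ Name = 'DHCPTimeout';                  Key = 'base';      Default = 60    },
    @{ Name = 'DefaultDomain';                Key = 'base';      Default = $null },
    @{ Name = 'PBALabelColor';                Key = 'base';      Default = $null },
    @{ Name = 'PBALabelShadow';               Key = 'base';      Default = $null },
    @{ Name = 'WOLFailedMessageDuration';     Key = 'base';      Default = 10    },
    @{ Name = '8021XTimeout';                 Key = 'base';      Default = 120   },
    @{ Name = 'SmartcardRetryCount';          Key = 'SSO';       Default = 1     },
    @{ Name = 'AutoResumeSuspendedBitlocker'; Key = 'Bitlocker'; Default = 0     },
    @{ Name = 'HDDisplayNoUserWarning';       Key = 'Base';      Default = 0     },
    @{ Name = 'ReleaseDHCPLease';             Key = 'Base';      Default = 0     },
    @{ Name = 'ResetOnPowerChange';           Key = 'Base';      Default = 0     },
    @{ Name = 'RequireTlsClientCertificate';  Key = 'server';    Default = 0     }
)

function Get-SdSetting {
    param([string]$Key, [string]$Name)
    # Registry key names are case-insensitive, so 'base' and 'Base' resolve alike.
    $path = Join-Path $Base $Key
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: product default applies
    return $item.$Name
}

$report = foreach ($d in $Documented) {
    $value = Get-SdSetting -Key $d.Key -Name $d.Name
    $defaultText = if ($null -eq $d.Default) { 'N.A.' } else { $d.Default }
    $state = if ($null -eq $value) {
        'not set (product default applies)'
    } elseif ($value -eq $d.Default) {
        "documented default ($value)"
    } else {
        "OVERRIDDEN: $value (documented default: $defaultText)"
    }
    [pscustomobject]@{ Setting = $d.Name; Subkey = $d.Key; State = $state }
}
$report | Format-Table -AutoSize

# Mutual TLS is off by default (0). On the server, anything other than 1 means
# clients are not required to present a TLS certificate; flag that explicitly.
$mtls = Get-SdSetting -Key 'server' -Name 'RequireTlsClientCertificate'
if ($mtls -ne 1) {
    Write-Warning 'RequireTlsClientCertificate is not 1: client certificates are not required for the client-server TLS connection (server-side setting).'
}
```

Run it on a client to see which PBA timeouts and flags have been changed from the defaults, and on the server to check whether mutual TLS is enforced.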
