Endpoint Security MI
Pointsec Media Encryption Module 2.6
Administration Guide
December 16, 2008


Contents

Preface
    Introduction   page 1
    About This Guide   page 2
        Product Names Used   page 3
        Who Should Read This Guide?   page 3
        Other Documentation   page 3
    System and Hardware Requirements   page 4

Chapter 1  Properties for PME - MI Client
    Accessing the Pointsec MI Management Console   page 5
    PME – MI Client Properties   page 6
        Accessing PME – MI Client Properties   page 7
    System Settings   page 8
        Accessing System Settings   page 9
        Overview of System Settings   page 9
        Editing Security Settings   page 10
    Working with Encryption Lists   page 37
        Adding Files to the Inclusion List   page 37
        Adding Files to the Exclusion List   page 40

Chapter 2  Deploying PME - MI Client
    PME – MI Client Deployment Overview   page 45
        Setting a Download Location for PME – MI Client   page 46
        Configuring System Security Settings   page 49
    Deploying Pointsec Media Encryption   page 53
        Deploying Pointsec Media Encryption on a Single Computer   page 54
        Deploying Pointsec Media Encryption on Several Computers in an OU   page 55
        What happens on the user’s workstation?   page 56
    Updating Pointsec Media Encryption Settings   page 58
    Removing Pointsec Media Encryption   page 61
        Removing from a Single Computer in an OU   page 61
        Removing from Several Computers in an OU   page 62

Chapter 3  Providing Remote Help
    Everyone Needs a Remote Help Procedure   page 65
    Recommended Methods of Verifying Users   page 66
    Providing Remote Help for Pointsec Media Encryption   page 66

Index   page 73


Preface

In This Section
    Introduction   page 1
    About This Guide   page 2
    Product Names Used   page 3
    Who Should Read This Guide?   page 3
    Other Documentation   page 3
    System and Hardware Requirements   page 4

Introduction

Pointsec Media Encryption – MI Client offers a way of managing Pointsec Media Encryption by using Pointsec MI. Pointsec Media Encryption enables automatic encryption of:
• information stored on removable memory media or in local folders on workstations
• e-mail
• all sorts of shared information.

Pointsec Media Encryption – MI Client offers central management of the deployment of Pointsec Media Encryption on users’ workstations, and enables administrators to supply users with Remote Help if their information has become locked.

With Pointsec Media Encryption – MI Client, you can ensure that your information is always secure, no matter where it is.


About This Guide

This guide explains how to:
• deploy and manage Pointsec Media Encryption on workstations in your organization
• use the Pointsec MI management console to provide Remote Help for users who have locked their devices.

This guide contains:
• this introductory preface, which introduces Pointsec Media Encryption – MI Client and tells you where to find more information
• Chapter 1, “Properties for PME - MI Client” on page 5, which documents the settings available for Pointsec Media Encryption
• Chapter 2, “Deploying PME - MI Client” on page 45, which explains how to use the Pointsec MI management console to deploy Pointsec Media Encryption on workstations in your organization
• Chapter 3, “Providing Remote Help” on page 65, which explains how to use the Pointsec MI management console to help Pointsec Media Encryption users regain access to locked devices. To use webRH to supply Remote Help, see the Pointsec webRH Administrator’s Guide.

Note - We use the Pointsec X9.9 token in examples where dynamic passwords are required.

Note - If a setting on a property sheet or dialog box is not documented, then you do not need to change the setting.

In this guide, Pointsec Media Encryption is henceforth often abbreviated PME. Thus, the name of the product described in this document is generally shortened to PME – MI Client.


Product Names Used

Some product names have changed, or are in the process of changing. This table shows the old and new names:

Table 1-1 Product Names

These product names are used in the software:
    If you have an older version:
        Pointsec MI
        Pointsec Media Encryption – MI Client
    If you have a newer version:
        SmartCenter for Pointsec - MI
        Pointsec Media Encryption Module

In this guide, the old product names are used throughout. In the software, you may see a mixture of old and new names, depending on your software versions. The most likely scenario is that you have a new version of the framework and an old version of the client (or module, as it will be called in newer versions). In that case, the framework software may display the new client/module name (Pointsec Media Encryption Module), whereas the client/module software will display the old name, Pointsec Media Encryption – MI Client.

Who Should Read This Guide?

Administrators who will be using PME – MI Client to deploy and manage Pointsec Media Encryption should read this guide.

Note - We strongly recommend that anyone planning to install, deploy and/or administer Check Point products attend Check Point certification training first. Contact your sales representative or visit www.checkpoint.com for more information.

Other Documentation

For the very latest information on PME – MI Client, see the PME – MI Client Release Notes.

For information on how to use Pointsec Media Encryption on end-users’ workstations, see the Pointsec Media Encryption User’s Guide.

For information on how to install Pointsec MI and PME – MI Client, see their installation guides.

Pointsec Media Encryption can also be deployed and managed with the help of the Pointsec Administration Console. See the Pointsec Media Encryption Administrator’s Guide for more information.


System and Hardware Requirements

See the PME – MI Client Release Notes for system and hardware requirements.


Chapter 1  Properties for PME - MI Client

The following sections explain how to access the Pointsec MI management console and review PME – MI Client properties.

In This Chapter
    Accessing the Pointsec MI Management Console   page 5
    PME – MI Client Properties   page 6
    System Settings   page 8
    Working with Encryption Lists   page 37

Accessing the Pointsec MI Management Console

In the Pointsec MI management console, you configure the information and settings needed to deploy the device agents and security modules that protect the portable computing devices and the removable memory devices used in your organization.

Note - For information on working with device agents, see the Pointsec MI Administrator’s Guide.


To access the management console:
1. Click Start, navigate to the Pointsec program group and select Pointsec MI, Pointsec MI Management Console. The logon dialog box opens.
2. Enter the name and password of an authorized account and click OK. You gain access to the Pointsec MI management console.

You now have access to the services and functionality needed to deploy PME – MI Client to protect workstations in your organization.

PME – MI Client Properties

The following sections describe the PME – MI Client properties and accounts and how to access them.


Accessing PME – MI Client Properties

To access PME – MI Client properties:
1. In the Pointsec MI management console, select Organizational Views. In the right-hand view, right-click an Organizational View and select Properties. The OU Properties dialog box opens.
2. On the Software tab, select Pointsec Media Encryption and click Properties.


The Properties for Pointsec Media Encryption on OU property sheet opens. This is where you configure PME – MI Client properties and accounts for deployment on workstations in your organization.

System Settings

The following sections discuss the PME – MI Client properties located in system settings.


Accessing System Settings

To access system settings:
1. In the Properties for PME – MI Client on OU property sheet explorer, open System Settings.

PME – MI Client displays the types of system settings available. The following sections discuss these settings.

Overview of System Settings

The following system security settings are available:
• Authentication – these settings determine password, Remote Help and single sign-on (SSO) settings; for more information see “Authentication” on page 10.
• Encrypted Packages – these settings determine how information is packaged and encrypted so that it can be transmitted securely; for more information see “Encrypted Packages” on page 20.
• Encryption – these settings determine how information stored locally and on removable media is protected; for more information see “Encryption” on page 21.
• Logging – this setting determines how many events are logged per log file; for more information see “Logging” on page 27.
• Miscellaneous – these settings determine the license number, secure deletion of information and Graphical Identification and Authentication (GINA) settings; for more information see “Miscellaneous” on page 28.


• Recovery File Transfer – these settings determine how recovery information is managed; for more information see “Recovery File Transfer” on page 31.
• Remote Help – these settings determine whether Remote Help will be accessible for removable media, floppy disks, CD/DVDs and external hard drives. Here you can also import a webRH profile to enable administrators to supply Remote Help via Pointsec webRH as well as via Pointsec MI. For more information see “Remote Help” on page 32.
• Stand-alone Access – these settings determine how information can be protected even if Pointsec Media Encryption is not installed on a workstation; for more information see “Stand-alone Access” on page 35.

Editing Security Settings

For each security setting, there is a dialog box where you edit the setting. These dialog boxes are described in this manual only where considered necessary.

To edit a security setting:
1. Double-click the setting you want to edit. A dialog box opens.
2. Make the appropriate changes and click OK.

Authentication

This is where you specify password options, Remote Help, single sign-on (SSO) and Cryptographic API (CAPI) settings to be deployed on end-users’ workstations.


Table 1-1

Authentication Method
    Here you select the method of authentication users will use to access and use Pointsec Media Encryption on their workstations.

    Password
        Use this option to set a fixed password as the authentication method. See below for password options. Password is the default authentication method.

    Corporate password
        Use this option if you do not want Pointsec Media Encryption to prompt users for a password when starting Windows. If this setting is used, the local folder encryption function is deactivated.
        Using this setting decreases security by making it possible for users to access Pointsec Media Encryption without being authenticated.
        To set a corporate password, see “Corporate password” later in this table.

    SSO with Pointsec for PC
        Use this setting to enable single sign-on (SSO) between Pointsec for PC (versions 4.1 SR 2.16 and 4.2 SR 1.6 and later) and Pointsec Media Encryption.
        When this setting is enabled, users whose workstations are protected by Pointsec for PC and Pointsec Media Encryption only have to authenticate themselves to Pointsec for PC when the workstation starts.
        Before you deploy Pointsec Media Encryption with this option enabled, ensure that Pointsec for PC:
        • is installed correctly on users’ workstations
        • has successfully completed encryption of the users’ workstations.
        To maintain security and force users to authenticate themselves to both Pointsec for PC and Pointsec Media Encryption, do not enable this setting.


    SSO with Entrust
        Select this setting to enable SSO between Entrust clients that do not use CAPI-based authentication and Pointsec Media Encryption.
        If this option is the selected authentication method, the first time users log on after Pointsec Media Encryption has been installed, they will be prompted to enter a Pointsec Media Encryption password. After that, users only need to authenticate successfully to Entrust to gain access to Pointsec Media Encryption.

    CAPI authentication
        Select this setting to enable SSO between any Microsoft CAPI certificate-based authentication and Pointsec Media Encryption.
        If this option is the selected authentication method, the first time users log on after Pointsec Media Encryption has been installed, they will be prompted to select their authentication certificate and enter a Pointsec Media Encryption password. After that, users only need to select their certificate to gain access to Pointsec Media Encryption.
        If you deploy Pointsec Media Encryption CAPI-enabled on workstations whose users do not use certificates for authentication, those users will not be able to use Pointsec Media Encryption.

Number of Attempts
    This setting specifies the number of consecutive failed authentication attempts a user is allowed to make when being authenticated by Pointsec Media Encryption. Once the specified number of failed attempts has been exceeded, the user must restart Windows and try authentication again.
    This setting only applies if Password has been selected as the authentication method.
    Default number of consecutive failed attempts: 1
    Minimum number of consecutive failed attempts: 3
    Maximum number of consecutive failed attempts: 99
    (As printed, the default lies below the stated minimum; check the value the dialog actually accepts before deploying.)


Unlimited Number of Attempts
    This setting specifies that the user is allowed an unlimited number of consecutive failed authentication attempts when being authenticated by Pointsec Media Encryption.
    This setting only applies if Password has been selected as the authentication method.
    Allowing an unlimited number of authentication attempts reduces the security level by opening the way for brute-force attacks.

Min password length
    This setting specifies the minimum length of a user’s password.
    Default: 8 alphanumeric characters
    Minimum: 4 alphanumeric characters
    Maximum: 13 alphanumeric characters

Min uppercase letters
    This optional setting specifies the minimum number of uppercase letters that must be used when setting a password.
    Default: 1
    There is no minimum number of uppercase letters required. However, to increase password strength, we recommend that you specify at least one (1) uppercase letter.
    Maximum: 13

Min digits
    This optional setting specifies the minimum number of digits that must be used when setting a password.
    Default: 1
    There is no minimum number of digits required. However, to increase password strength, we recommend that you specify at least one (1) digit.
    Maximum: 13

Min special characters
    This optional setting specifies the minimum number of special characters that must be used when setting a password.
    Default: 1
    There is no minimum number of special characters required. However, to increase password strength, we recommend that you specify at least one (1) special character.
    Maximum: 13
    You can use the following special characters:
    !?”#$%&/()=@{|}[\]´’*_-,.;:^~


Time-out for media password
    This optional setting determines, in seconds, the time interval during which Pointsec Media Encryption waits for the user to enter a password while attempting to access protected information stored on media. If the user does not enter a password within this interval, an error message is displayed.
    Default: 120 seconds
    Minimum: 10 seconds
    Maximum: 600 seconds
    To disable this setting, select the Unlimited check box.

Force user authentication
    Select this setting to force users to authenticate themselves when prompted to do so by Pointsec Media Encryption. In effect, this setting disables the Cancel option in the Pointsec Media Encryption Authentication dialog box.
    The default value for this setting is No.
    This setting does not apply to the local administrator account. If you log on to Windows using the local administrator account, you will have access to the Cancel option in the Pointsec Media Encryption Authentication dialog box. This can be helpful for maintenance and troubleshooting purposes. Because that account can always skip the prompt, keep its password under strict control on workstations where this setting is enabled.
    This setting does not apply if the authentication method has been set to SSO with Entrust or CAPI.


Default access list
    The dialog box opened when you double-click this option contains three tabs: Certificates, LDAP Search Paths and Error Codes. These tabs are described here.

    Certificates
        On this tab, you can specify a list of certificates to be automatically added to the access list of protected CD/DVDs, PKCS#7 packages and removable media.
        If the protected CD/DVD, PKCS#7 package or removable media has a certificate entry that matches a certificate on this list, the user can access the media without entering a password. If the CD/DVD, package or media does not have a certificate entry, the user will be prompted for the password when first accessing the media. The certificate entry is then generated for the current certificate. Any subsequent access to the media with the same certificate will not require a password, even when this access is performed by a different user on a different workstation – only the certificate must be the same. Every certificate on this list therefore grants password-free access to all media carrying a matching entry, so keep the list to the certificates that genuinely need it.
        A user can add/remove certificate entries for media manually from the Encryption menu using the Manage Keys option. For more information, see the Pointsec Media Encryption User’s Guide.
        This setting does not apply to encrypted files stored locally.
        To add certificates to the default access list:
        1. On the Certificates tab, click Add. A search dialog box opens.


        2. From the Search base drop-down list, select the LDAP server on which the certificates are stored. Click Search.
        3. From the list displayed, select the certificates you want to include in the client package.
        4. Repeat steps 1 – 3 to add more servers if required.
        Click OK to close the dialog box and click OK again to close the Default Access List dialog box.

    LDAP Search Paths
        On this tab, you enter the addresses of the LDAP servers storing certificates for entries on the default access list of Pointsec Media Encryption-protected CD/DVDs, PKCS#7-encrypted files and removable media.
        To specify LDAP servers:
        1. In the Name field, enter a name for the LDAP server.
        2. In the URL field, enter the Uniform Resource Locator (URL) of the server.
        3. Click Add to save the information. The information is shown in the list.


        4. Repeat steps 1 – 3 to add more servers if required.
        5. Click OK to close the dialog box.
        LDAP search base syntax:
            LDAP://host/ou=organizational_unit,cn=common_name,dc=domain_component:port_number
        Example LDAP search bases:
            LDAP://2kas1.uk.pmt.demo/ou=democompany,dc=uk,dc=pmt,dc=demo
            LDAP://pointsecpdc.pointsec.testlab.intranet/CN=Users,DC=pointsec,DC=testlab,DC=intranet
            LDAP://securitypdc.security.testlab.intranet/CN=Users,DC=security,DC=testlab,DC=intranet
            LDAP://directory.company.com:1389
        Note that the syntax line shows the port after the distinguished name, whereas the last example places it after the host name, as a standard LDAP URL does.

    Error Codes
        This tab is available only if CAPI authentication is enabled.
        On this tab, you can add and remove error codes that Pointsec Media Encryption will ignore when checking the chain of the certificate used to authorize access to protected information stored on CD/DVDs, in encrypted packages and on removable media.
        For more information, see the CAPI documentation in MSDN and the documentation from your cryptography and PKI provider(s).
        Each error code added here suppresses one kind of chain-validation failure, so add only codes whose cause you have verified is benign in your environment.

Corporate password
    Here you can set a corporate password that is used if Corporate password has been selected as the authentication method.
    It is not possible to automatically change a deployed corporate password on users’ workstations when updating Pointsec Media Encryption settings in the Pointsec MI management console. To change a corporate password, update and deploy the system settings as described in Chapter 2, “Deploying PME - MI Client” on page 58. Then, manually, on users’ workstations, change the old password to match the new password in the profile.


Corporate password for Floppy Disks
    Here you can set a corporate password to be used if you do not want the user to be prompted for a password when floppy disks are used.
    Selecting this setting reduces security, as any computer with PME – MI Client installed with the same profile will be able to access ANY encrypted floppy disk without authentication.

Corporate password for Removable Media
    Here you can set a corporate password to be used if you do not want the user to be prompted for a password when removable media are used.
    Selecting this setting reduces security, as any computer with PME – MI Client installed with the same profile will be able to access ANY encrypted removable media without authentication.

Corporate password for CDs
    Here you can set a corporate password to be used if you do not want the user to be prompted for a password when a CD is used.
    Selecting this setting reduces security, as any computer with PME – MI Client installed with the same profile will be able to access ANY encrypted CD without authentication.

Corporate password for External Hard drives
    Here you can set a corporate password to be used if you do not want the user to be prompted for a password when an external hard drive is used.
    Selecting this setting reduces security, as any computer with PME – MI Client installed with the same profile will be able to access ANY encrypted external hard drive without authentication.

Max Number of SSO Hosts for Floppy Disks
    Specify the maximum number of hosts that can access floppy disks via single sign-on (SSO) by using a workstation key. Hosts in excess of this number will be able to access the floppy disk but will not be able to use SSO.
    Default: 10
    Minimum: 1
    Maximum: 99, or set the value to “unlimited”.


Max Number of SSO Hosts for Removable Media
    Specify the maximum number of hosts that can access removable media via single sign-on (SSO) by using a workstation key. Hosts in excess of this number will be able to access the removable media but will not be able to use SSO.
    Default: 10
    Minimum: 1
    Maximum: 99, or set the value to “unlimited”.

Max Number of SSO Hosts for CDs
    Specify the maximum number of hosts that can access a CD via single sign-on (SSO) by using a workstation key. Hosts in excess of this number will be able to access the CD but will not be able to use SSO.
    Default: 10
    Minimum: 1
    Maximum: 99, or set the value to “unlimited”.

Max Number of SSO Hosts for External Hard drives
    Specify the maximum number of hosts that can access an external hard drive via single sign-on (SSO) by using a workstation key. Hosts in excess of this number will be able to access the external hard drive but will not be able to use SSO.
    Default: 10
    Minimum: 1
    Maximum: 99, or set the value to “unlimited”.

User Selected Max Number of SSO Hosts for Floppy Disks
    Select Yes if you want to enable the user to decide how many hosts are allowed to access an encrypted floppy disk using single sign-on (SSO).

User Selected Max Number of SSO Hosts for Removable Media
    Select Yes if you want to enable the user to decide how many hosts are allowed to access encrypted removable media using single sign-on (SSO).

User Selected Max Number of SSO Hosts for CDs
    Select Yes if you want to enable the user to decide how many hosts are allowed to access an encrypted CD using single sign-on (SSO).

User Selected Max Number of SSO Hosts for External Hard drives
    Select Yes if you want to enable the user to decide how many hosts are allowed to access an encrypted external hard drive using single sign-on (SSO).


Encrypted Packages

Pointsec Media Encryption can package and encrypt one or more files for secure transfer (for example via e-mail) or storage. The following settings are available for encrypted packages:

Table 1-2

Allow auto-open
  Select Yes here to allow the user to create an encrypted package whose contents will be opened automatically when the encrypted package is decrypted.

Default message
  Here you can enter a default message to be included with each encrypted package. The message will be displayed when someone tries to access the encrypted package.

Allow customized messages
  Select Yes here to allow users to enter their own message to be displayed to the recipient when the encrypted package is decrypted.
  The default value is No – the user will not be able to enter a customized message.
  If the value is Yes, users will be given the option to enter a customized message to be displayed when someone tries to access the encrypted package.

PKCS#7 algorithm
  Here you specify the algorithm to use when certificate-based encryption is used to protect a package. This enables Pointsec Media Encryption users to attach certificates other than their own or default certificates to the information to be packaged and encrypted. PKCS#7 works on single files only.
  The following algorithms are available:
  • DES – The Data Encryption Standard (DES) algorithm operates on 64-bit blocks of data, using a 56-bit key.
  • 3DES – A mode of the DES algorithm that encrypts the data three times.
  • RC2_40 – a 40-bit key-size block cipher
  • RC2_128 – a 128-bit key-size block cipher
  • RC4_40 – a 40-bit key-size block cipher
  • RC4_128 – a 128-bit key-size block cipher.


Encryption

Here you define which information is to be protected by Pointsec Media Encryption and which encryption algorithm to use.

Table 1-3

Local folders
  This setting enables Pointsec Media Encryption protection of files on users’ workstations.
  Yes – Default setting. The files listed on the Inclusion List will be encrypted. See “Working with Encryption Lists” on page 37 for more information.
  No – Select this value if you do not want files on users’ workstations to be protected by PME – MI Client. If you select No, the Pointsec Media Encryption Graphical Identification and Authentication (GINA) is not installed.
  Once deployed as disabled on workstations, you cannot enable this setting using an update profile. To enable it, you must reinstall Pointsec Media Encryption on the workstations.

Algorithm
  Select which algorithm to use when encrypting. The following algorithms are available:
  • AES – 256-bit key length
  • 3DES – 192-bit key length
  • Blowfish – 256-bit key length.

Inclusion/Exclusion Lists Folders
  Here you specify which folders should and should not be encrypted on a workstation protected by Pointsec Media Encryption.
  For more information, see “Working with Encryption Lists” on page 37.

Inclusion/Exclusion Lists Floppy Drive
  Here you specify which files should and should not be encrypted on floppy drives used with a workstation protected by PME – MI Client.
  For more information, see “Working with Encryption Lists” on page 37.


Inclusion/Exclusion Lists Removable Media
  Here you specify which files should and should not be encrypted on removable media, including USB, USB2, PCCARD, and Firewire hard drives and storage cards, used with a workstation protected by PME – MI Client.
  For more information, see “Working with Encryption Lists” on page 37.

Inclusion/Exclusion Lists CD/DVDs
  Here you specify which files should and should not be encrypted on CDs and DVDs used with a workstation protected by PME – MI Client.
  For more information, see “Working with Encryption Lists” on page 37.

Inclusion/Exclusion Lists External Hard drive
  Here you specify which files should and should not be encrypted on external hard drives used with a workstation protected by PME – MI Client.
  For more information, see “Working with Encryption Lists” on page 37.

Protect Floppy Disk
  Here you select whether or not to encrypt information stored on floppy disks. The following settings are available:
  • No – Select this value if you do not want floppy disks on users’ workstations to be protected by Pointsec Media Encryption.
  • Yes – Default setting. Information stored on floppy disks will be encrypted.

Protect Removable Media
  Here you select whether or not to encrypt information stored on removable media, including USB, USB2, PCCARD, and Firewire hard drives and storage cards. The following settings are available:
  • No – Select this value if you do not want removable media on users’ workstations to be protected by Pointsec Media Encryption.
  • Yes – Default setting. Information stored on removable media will be encrypted.
  Check the Pointsec Media Encryption release notes for the latest information on supported media.


Protect CD/DVD
  Here you select whether or not to encrypt information stored on CDs. The following settings are available:
  • No – Select this value if you do not want CDs on users’ workstations to be protected by Pointsec Media Encryption.
  • Yes – Default setting. Information stored on CDs will be encrypted.

Protect External Hard drives
  Here you select whether or not to encrypt information stored on external hard drives. The following settings are available:
  • No – Select this value if you do not want external hard drives used on users’ workstations to be protected by Pointsec Media Encryption.
  • Yes – Default setting. Information stored on external hard drives will be encrypted.

User Selected Floppy Disk Protection
  Here you select whether or not users are allowed to decide whether information on floppy disks is encrypted. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow users to decide whether to encrypt floppy drives.
  • Yes – Select this setting if you want to allow users to decide whether to encrypt floppy drives. The user will then be prompted to enter a password when creating a file on the floppy disk. If the user chooses not to encrypt the disk, the prompt will be displayed again when a new file is copied to the floppy disk.
  Once the user has selected to encrypt a floppy disk, the only way to stop encryption is to reformat the floppy disk.


User Selected Removable Media Protection
  Here you select whether or not users are allowed to decide whether information on removable media devices, including USB, USB2, PCCARD, and Firewire hard drives and storage cards, is encrypted. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow users to decide whether to encrypt removable media devices.
  • Yes – Select this setting if you want to allow users to decide whether to encrypt removable media devices. The user will then be prompted to enter a password when creating a file on a removable media device. If the user chooses not to encrypt, the prompt will be displayed again when a new file is copied to the removable media device.
  Once the user has selected to encrypt, the only way to stop encryption is to reformat the device.

User Selected CD/DVD Protection
  Here you select whether or not users are allowed to decide whether information on CDs and DVDs is encrypted. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow users to decide whether to encrypt CDs and DVDs.
  • Yes – Select this setting if you want to allow users to decide whether to encrypt CDs and DVDs. The user will then be prompted to enter a password when writing a file to a CD or a DVD. If the user chooses not to encrypt, the prompt will be displayed again the next time the user wants to write to a CD/DVD.
  Once the user has selected to encrypt a CD, the only way to stop encryption is to reformat the media.

User Selected External Hard drive Protection
  Here you select whether or not users are allowed to decide whether information on external hard drives is encrypted. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow users to decide whether to encrypt external hard drives.
  • Yes – Select this setting if you want to allow users to decide whether to encrypt external hard drives. The user will then be prompted to enter a password when creating a file on an external hard drive. If the user chooses not to encrypt, the prompt will be displayed again the next time a file is saved to the external hard drive.
  Once the user has selected to encrypt, the only way to stop encryption is to reformat the external hard drive.


Auto Initialize Floppy Drive Encryption
  Here you select whether or not to allow the use of a floppy drive without entering a password; in that case keys are created automatically and encrypted with the workstation key. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow the use of a floppy drive without entering a password.
  • Yes – All files on the floppy drive will be encrypted automatically without a password being requested. The floppy drive will then be accessible only on the workstation where encryption was initialized.
  The user can make the floppy disk accessible elsewhere by adding sharing passwords when authenticating to the floppy, or by using the Encryption settings dialog.


Auto Initialize Removable Media Encryption
  Here you select whether or not to allow the use of removable media without entering a password; in that case keys are created automatically and encrypted with the workstation key. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow the use of a removable media device without entering a password.
  • Yes – All files on the device will be encrypted automatically without a password being requested. The device will then be accessible only on the workstation where encryption was initialized.
  The user can make the device accessible elsewhere by adding sharing passwords when authenticating to the media, or by using the Encryption settings dialog.

Auto Initialize CD/DVD Encryption
  Here you select whether or not to allow the use of a CD/DVD without entering a password; in that case keys are created automatically and encrypted with the workstation key. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow the use of a CD/DVD without entering a password.
  • Yes – All files on the CD/DVD will be encrypted automatically without a password being requested. The CD/DVD will then be accessible only on the workstation where encryption was initialized.

Auto Initialize External Hard drive Encryption
  Here you select whether or not to allow the use of an external hard drive without entering a password; in that case keys are created automatically and encrypted with the workstation key. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow the use of an external hard drive without entering a password.
  • Yes – All files on the external hard drive will be encrypted automatically without a password being requested. The external hard drive will then be accessible only on the workstation where encryption was initialized.
  The user can make the external hard drive accessible elsewhere by adding sharing passwords when authenticating to the external hard drive, or by using the Encryption settings dialog.


Logging

This is where you specify the content of the log file.

Table 1-4

Events per file
  Here you specify how many events will be logged in the log file.
  Minimum: 1 event
  Default: 10 events
  Maximum: 99999 events
  Once the maximum number of events is reached, the log file is written to the workstation, and can then be transferred to the server.

Logging for devices
  Here you specify whether or not actions on encrypted files on removable media/devices will be logged. Enabling logging for devices may cause the client computer to operate more slowly. The following settings are available:
  • No – Default setting. Select this value if you do not want to log actions on encrypted files on removable media/devices.
  • Yes – Enable logging of actions on encrypted files on removable media/devices.


Miscellaneous

This is where you specify the Pointsec Media Encryption license number, how information is to be deleted securely, and Graphical Identification and Authentication (GINA) settings.


Table 1-5

License number
  This is where you enter the license number for your Pointsec Media Encryption installation.

Number of overwrites
  Here you specify how many times deleted information will be overwritten when securely deleting files. The options are as follows:
  1 = Overwrite the file once with random data. This method is fast, but less secure.
  3 = Overwrite the file first with a pattern, then with its complement, and finally with random data. This method is more secure and is recommended for standard use.
  7 = Overwrite the file first with a pattern, then with its complement, and then five times with random data. This method is slower, but is considered to be extremely secure and is recommended when deleting highly confidential information.
  The 7-overwrite option should be sufficient for all but the very most sensitive information. For details on US Department of Defense standard 5220.22-M for secure deletion, see for example http://nsi.org/Library/Govt/Nispom.html, paragraph 8-306.


Allowed GINAs
  Here you can specify exactly which GINAs Pointsec Media Encryption will accept while being installed on a user’s workstation.
  By default, this list is empty and Pointsec Media Encryption will accept any GINAs it finds at installation.
  To ensure that Pointsec Media Encryption only accepts GINAs your organization trusts and/or has tested, you can specify them here. For example, to ensure that Pointsec Media Encryption only accepts Microsoft’s GINA and/or Pointsec for PC’s GINA, add msgina.dll and pssogina.dll to the list.
  To control GINA chaining behavior, you may list default and customer GINAs known to be working in a multiple GINA environment. If any additional GINA not listed under ‘Allowed GINAs’ is found on a client during installation, the installation will either abort or prompt the user for approval before continuing, depending on the installation method.
  To specify allowed GINAs:
  1. Enter the name of the GINA to allow and click Add. The GINA is shown in the list.
     Note - Enter only the name of the GINA, not the full dll path.
  2. Repeat the step above to add more GINAs. Click OK to close the dialog box.
  See the current Pointsec Media Encryption Release Notes for a list of GINAs we do not recommend allowing.


Language
  Here you specify the language to be used in the user interface. The options are as follows:
  • Automatic
  • English
  • German
  • French
  • Japanese

User Selected Language
  Here you specify whether or not the user will be able to select the language used. The following settings are available:
  • No – Select this value if you do not want to allow the user to change the language.
  • Yes – Select this value to enable the user to change the language settings in the Options dialog.

Recovery File Transfer

Once Pointsec Media Encryption has been installed on a workstation, recovery information must be transferred to the recovery folder. The following settings configure this transfer.

Table 1-6

Wait until recovery file transferred
  Select Yes to ensure that the recovery folder is successfully saved in the correct location before activating Pointsec Media Encryption.
  Default value is No.

Device recovery file timeout
  Enter the length of time in seconds that you want Pointsec Media Encryption to wait for a successful recovery file transfer to the recovery folder.
  Minimum: 1 second
  Default: 60 seconds
  Maximum: 999 seconds
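As an added illustration of the Number of overwrites setting in Table 1-5 above (example code written for this guide page, not Pointsec Media Encryption’s own implementation), the following Python carries out the 1-, 3- and 7-pass schedules the table describes on a file and then unlinks it. The pattern byte 0x55 and its complement 0xAA are assumptions, since the guide does not name the pattern it uses; the file content wiped by demo() is constructed.

```python
"""Multi-pass file overwrite following the 1/3/7 schedules of the
'Number of overwrites' setting.  Added example, not the product's code."""
import os
import secrets
import tempfile

PATTERN = 0x55                 # assumed pattern byte; the guide does not name one
COMPLEMENT = PATTERN ^ 0xFF    # 0xAA, the bitwise complement written in pass two


def pass_schedule(overwrites):
    """Return the sequence of pass types for a supported overwrite count."""
    if overwrites == 1:
        return ["random"]
    if overwrites == 3:
        return ["pattern", "complement", "random"]
    if overwrites == 7:
        return ["pattern", "complement"] + ["random"] * 5
    raise ValueError("supported values are 1, 3 and 7")


def _fill(size, kind):
    """Produce `size` bytes of the requested pass type."""
    if kind == "pattern":
        return bytes([PATTERN]) * size
    if kind == "complement":
        return bytes([COMPLEMENT]) * size
    return secrets.token_bytes(size)


def secure_delete(path, overwrites=3, chunk=64 * 1024):
    """Overwrite the file in place once per scheduled pass, forcing each
    pass to storage with fsync, then remove the file.
    Returns the number of passes written."""
    size = os.path.getsize(path)
    schedule = pass_schedule(overwrites)
    with open(path, "r+b") as fh:
        for kind in schedule:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(_fill(n, kind))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return len(schedule)


def demo(overwrites=7):
    """Create a throw-away file with constructed content, wipe it, and report."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed confidential content\n" * 2000)
    passes = secure_delete(path, overwrites)
    return {"passes": passes, "exists_after": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

In-place overwriting only destroys data where the storage writes back to the same physical location: on flash media with wear levelling and on journaling or copy-on-write filesystems, earlier copies of the blocks can survive the passes, which is why encrypting the media in the first place is the more dependable control and secure deletion is a complement to it.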


Remote Help

The Remote Help settings determine whether Remote Help will be accessible for removable media, floppy disks, CD/DVDs and external hard drives. Here you can also import a webRH profile to enable administrators to supply Remote Help via Pointsec webRH as well as via Pointsec MI.

Table 1-7

Remote Help for removable media
  Select Yes to enable administrators to help a removable media user with stand-alone access if the user has forgotten the password.
  Remote Help can be used to reset the password for all removable media devices except write-protected devices. For these devices, Remote Help provides only one-time access and does not allow password change.

Remote Help for floppy disks
  Select Yes to enable administrators to help a floppy disk user with stand-alone access if the user has forgotten the password.
  Remote Help can be used to reset the password for all floppy disks as long as they are not write-protected. For write-protected disks, Remote Help provides only one-time access and does not allow password change.


Remote Help for CD/DVD
  Select Yes to enable administrators to help a CD/DVD user with stand-alone access if the user has forgotten the password.
  For CDs/DVDs, Remote Help provides only one-time access and does not allow password change.

Enable Remote Help for external hard drives
  Select Yes to enable administrators to help a user with stand-alone access to an encrypted external hard drive if the user has forgotten the password.
  Remote Help can be used to reset the password for all external hard drives as long as they are not write-protected. For write-protected disks, Remote Help provides only one-time access and does not allow password change.


Import webRH profile
  Use this option to include a webRH profile to enable users to receive Remote Help from Pointsec webRH.
  By default, this setting is not enabled.
  For information on creating webRH profiles and providing Remote Help using Pointsec webRH, see the Pointsec webRH PME Extension Administrator’s Guide.
  To import a webRH profile:
  1. Double-click the Import webRH profile option to open the Import webRH profile dialog box.
  2. Click the browse button to browse to and select the webRH profile to import.
  3. Enter the password associated with the profile, and click OK. The webRH profile is imported and is displayed in the value field.
  When creating an update profile, remember to import the webRH profile into the profile if it is still required. If you do not, the webRH profile will not be available when the update profile is deployed.


Stand-alone Access

Enabling stand-alone access provides users with the ability to access encrypted information stored on removable media and/or floppy disk(s) without having Pointsec Media Encryption installed on the workstation used to access the media or disks.

Table 1-8

Stand-alone access for removable media
  Select Yes to enable users who know the password to access encrypted information stored on removable media used by a workstation, even though Pointsec Media Encryption is not installed on that workstation.

Stand-alone access for floppy disks
  Select Yes to enable users who know the password to access encrypted information stored on floppy disks used by a workstation, even though Pointsec Media Encryption is not installed on the workstation using the disks.

Stand-alone access for CD/DVD disks
  Select Yes to enable users who know the password to access encrypted information stored on a CD/DVD used by a workstation, even though Pointsec Media Encryption is not installed on the workstation using the disks.

Stand-alone access to External Hard drives
  Select Yes to enable users who know the password to access encrypted information stored on an external hard drive used by a workstation, even though Pointsec Media Encryption is not installed on the workstation using the external hard drive.

User Selected Stand-alone Access to Removable Media
  Here you select whether or not to allow users to decide whether to allow stand-alone access to removable media. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow users to decide whether to use stand-alone access.
  • Yes – Select this setting if you want to allow users to decide whether to use stand-alone access. The Stand-alone access check box will then be accessible when the user creates a file on removable media.


User Selected Stand-alone Access to Floppy Drive
  Here you select whether or not to allow users to decide whether to allow stand-alone access to floppy drives. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow users to decide whether to use stand-alone access.
  • Yes – Select this setting if you want to allow users to decide whether to use stand-alone access. The Stand-alone access check box will then be accessible when the user creates a file on a floppy drive.

User Selected Stand-alone Access to CD/DVDs
  Here you select whether or not to allow users to decide whether to allow stand-alone access to CDs and DVDs. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow users to decide whether to use stand-alone access.
  • Yes – Select this setting if you want to allow users to decide whether to use stand-alone access. The Stand-alone access option will be available when the user writes a file to a CD or DVD, in the Initialize encryption window under Options. The option will also be available via the Start button.

User Selected Stand-alone Access to External Hard drives
  Here you select whether or not to allow users to decide whether to allow stand-alone access to external hard drives. The following settings are available:
  • No – Default setting. Select this value if you do not want to allow users to decide whether to use stand-alone access.
  • Yes – Select this setting if you want to allow users to decide whether to use stand-alone access. The Stand-alone access check box will then be accessible when the user creates a file on an external hard drive.

Number of authentication attempts without delay
  Sets the number of times a user can fail to authenticate before Pointsec Media Encryption delays access to the authentication dialog box.
  Minimum: 1 failed attempt
  Default: 3 failed attempts
  Maximum: 99 failed attempts


Authentication delay
  Sets the length of time in minutes a user must wait to access the authentication dialog box after exceeding the set number of failed authentication attempts.
  Minimum: 1 minute
  Default: 3 minutes
  Maximum: 99 minutes

Authentication multiplier
  Sets the number by which the authentication delay is multiplied to determine how long a user must wait before he/she may attempt to authenticate again.
  Minimum: 1
  Default: 3
  Maximum: 99

Re-encrypt encrypted packages
  Select Yes here if you want an already encrypted package to be encrypted again.
  By default this setting is set to No, to ensure that Pointsec Media Encryption does not encrypt an already encrypted package when a user stores it on removable media or a floppy disk that requires encryption.

Working with Encryption Lists

Inclusion and exclusion lists enable you to specify which files Pointsec Media Encryption should and should not encrypt on users’ workstations. There are inclusion and exclusion lists for the following:
• Folders on the workstation
• Floppy drives
• Removable media
• CDs/DVDs
• External hard drives

The following sections explain how to add files to these lists.

Adding Files to the Inclusion List

Files on the inclusion list will be encrypted by Pointsec Media Encryption.


To add files to the inclusion list:
1. Open the Encryption system setting and double-click the relevant Inclusion/Exclusion lists setting. The Inclusion/exclusion list window opens.
2. On the Inclusion List tab, click Add. The following dialog box opens:


The following fields and options are available:

Table 1-9

File Mask
  Here you enter the names of files you want to add to the inclusion list. You can include the wildcard * and environment variables in the names.
  * wildcard examples:
  In the following example, all files in the specified folders with the file extension doc will be added to the list:
    *.doc
  In the following example, all files in the specified folders with the file name contract will be added to the list:
    contract.*
  In the following example, all files in the specified folders will be added to the list:
    *
  % environment variable example:
  In the following example, all files with the file extension doc stored in the folder specified in the system variable windir will be added to the list:
    %windir%\
  On workstations running localized Windows:
  On workstations running localized versions of Windows, you must edit absolute exclusion paths, that is, paths that do not use environment variables, to point to the localized paths. For example, on workstations running Windows in German, change:
    %SystemDrive%\Documents and Settings\*\Application Data\
  to:
    %SystemDrive%:\Dokumente und Einstellungen\*\Anwendungsdaten


Folder Mask
  Here you enter the path to the folder containing files you want to add to the inclusion list. You can include the wildcard * and environment variables in the paths. The wildcard * character is a placeholder for any folder or drive name.
  * wildcard examples:
  The following examples will add the paths to Windows user profile folders:
    C:\Documents and Settings\*\Application Data\
    C:\Documents and Settings\*\Local Settings\Temp
  The following example will include the temp folder on any drive:
    *:\temp
  The following example adds several uniformly named folders at the same time:
    *:\Archive\Customers\*\Secret Agreements
  such as:
    c:\Archive\Customers\Huge Mart\Secret Agreements
    c:\Archive\Customers\Giant Mart\Secret Agreements
    d:\Archive\Customers\Sandwich Queen\Secret Agreements
  % environment variable examples:
  The following examples use environment variables in paths to folders:
    %SystemDrive%\Documents and Settings\
    %windir%\

Recursive
  Select this box if you want all files in a folder and its sub-folders to be added to the inclusion list.
  By default, this check box is not selected. This means that only files in the specified folder are added to the inclusion list.

Adding Files to the Exclusion List

Here you specify which types of files are never to be encrypted.

Note - The exclusion list you define and deploy on a user’s workstation has priority over a protected list configured on a workstation by a user. See the Pointsec Media Encryption User’s Guide for information on protected lists.


To add files to the exclusion list:
1. Open the Encryption system setting and double-click the relevant Inclusion/Exclusion lists setting.
2. In the Inclusion/exclusion lists window, open the Exclusion Lists tab.
   By default, the exclusion list for folders contains files and file types which may be needed by the system during startup or when running applications. Removing these items from the exclusion list will very likely have negative effects on the system and on applications. For more information, see “About the Exclusion List Contents” on page 42.
   To use the default folders exclusion list for removable media, floppy drives, CDs/DVDs or external hard drives, simply click Default. The items of the default folder exclusion list will be displayed.
3. Click Add. The following dialog box opens:


The following fields and options are available:

Table 1-10

Field/option    Explanation

File Mask       Here you enter the names of files you want to add to the exclusion list. You can include the wildcard * or *.* and environment variables in the names.
                See “Adding Files to the Inclusion List” on page 37 for examples of how to specify files. The rules for using the wildcard * and environment variables are the same.

Folder Mask     Here you enter the path to the folder containing files you want to add to the exclusion list. You can include the wildcard * and environment variables in the paths.
                You can use the wildcard * character as a placeholder for any folder or drive name.
                See “Adding Files to the Inclusion List” on page 37 for examples of how to specify folders. The rules for using the wildcard * and environment variables are the same.

Recursive       Select this box if you want all files in a folder and its sub-folders to be added to the exclusion list.
                By default, this check box is not selected. This means that only files in the specified folder are added to the exclusion list.

About the Exclusion List Contents

The following list documents the current default exclusion list for folders on the workstation.

Note - The default folders exclusion list can easily be used also for removable media, floppy drives, CDs/DVDs or external hard drives. See “The following fields and options are available:” on page 39.


For the latest information on files on the default exclusion list, always check the Release Notes delivered with your copy of PME – MI Client.

Table 1-11

Folder Mask | File Mask | Recursive | Description
%ProgramFiles%\ | * | No | Program files.
%SystemDrive%\ | * | Yes | Various files involved in the system boot process and Pointsec for PC boot files: prot_ins.sys, boot_sav.bot.
%SystemDrive%\Documents and Settings\*\ | * | Yes | The user’s part of the registry hives and user profile related files: ntuser.dat, ntuser.dat.log, ntuser.ini.
%SystemDrive%\Documents and Settings\*\Application Data\ | * | No | Application data that might be required by an application which starts before Pointsec Media Encryption.
%SystemDrive%\Documents and Settings\*\Cookies\ | * | No |
%SystemDrive%\Documents and Settings\*\Favorites Media\ | * | No |
%SystemDrive%\Documents and Settings\*\Local Settings\Application Data\ | * | No | Application data that might be required by an application which starts before Pointsec Media Encryption.
%SystemDrive%\Documents and Settings\*\Local Settings\History\ | * | No |
%SystemDrive%\Documents and Settings\*\Local Settings\Temp\ | * | Yes |
%SystemDrive%\Documents and Settings\*\Local Settings\Temporary Internet Files\ | * | No |
%SystemDrive%\Documents and Settings\*\My Pictures\ | * | Yes |
%SystemDrive%\Documents and Settings\*\Start Menu\ | * | No |


Table 1-11 (continued)

Folder Mask | File Mask | Recursive | Description
%SystemDrive%\Documents and Settings\*\Templates | * | No |
%SystemDrive%\Documents and Settings\Administrator\ | * | No |
%SystemDrive%\Documents and Settings\All Users\ | * | No |
%SystemDrive%\Documents and Settings\Default User\ | * | No |
%SystemDrive%\Documents and Settings\LocalService\ | * | No |
%SystemDrive%\Documents and Settings\NetworkService\ | * | No |
%windir%\ | * | No | Windows folder.
*:\ | *.ini | No | Initialization files.
*:\ | *.ipp | No |
*:\ | *.upp | No |
*:\ | *.rec | No |
*:\ | *.exe | No | Executable files.
*:\ | *.dll | No | Dynamically linked library files.
*:\ | *.sys | No | System configuration files.
*:\ | *.com | No | Command files.
*:\ | *.vxd | No | Virtual device driver files.
*:\ | *.bin | No | Binary files.
*:\ | *.lnk | No |
*:\ | pagefile.sys | Yes | System page files.
*:\ | vol_char.dat | Yes | File used by Pointsec for PC.
*:\PrePointsec - System Volume Information\ | * | No | File used by Pointsec for PC.
*:\System Volume Information\ | * | No | Data for various system services such as indexing and system restore.
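To make the Folder Mask / File Mask / Recursive rules of Tables 1-9 and 1-10 concrete, here is an added example (not Pointsec code; the product’s own matcher is not described in this guide) that applies a subset of the default entries from Table 1-11 to sample workstation paths. It assumes that * stands for exactly one folder or drive name, that paths compare case-insensitively as on Windows, and a constructed environment in which %SystemDrive% is C:.

```python
"""Model of how an inclusion/exclusion list entry (Folder Mask, File Mask,
Recursive) is matched against a file path, following the rules given for
Tables 1-9 and 1-10.  Added example, not Pointsec code: the product's own
matcher is not published here, so this is one reading of the documented rules.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

# Constructed environment of a Windows XP-style workstation (assumption).
ENV = {
    "systemdrive": "C:",
    "windir": "C:\\Windows",
    "programfiles": "C:\\Program Files",
}


@dataclass(frozen=True)
class ListEntry:
    folder_mask: str       # may contain * (one folder or drive name) and %VAR%
    file_mask: str         # *, *.*, *.ini, pagefile.sys, ...
    recursive: bool        # True: files in sub-folders too; False: only that folder
    description: str = ""


# Subset of the default folder exclusion list (Table 1-11).  The
# "%SystemDrive%\ * Yes" row is left out on purpose: with Recursive set it
# matches every file on the system drive and hides the effect of the others.
DEFAULT_EXCLUSIONS = [
    ListEntry("%ProgramFiles%\\", "*", False, "Program files."),
    ListEntry("%SystemDrive%\\Documents and Settings\\*\\Local Settings\\Temp\\", "*", True),
    ListEntry("%windir%\\", "*", False, "Windows folder."),
    ListEntry("*:\\", "*.ini", False, "Initialization files."),
    ListEntry("*:\\", "*.exe", False, "Executable files."),
    ListEntry("*:\\", "*.dll", False, "Dynamically linked library files."),
    ListEntry("*:\\", "pagefile.sys", True, "System page files."),
    ListEntry("*:\\System Volume Information\\", "*", False,
              "Data for various system services such as indexing and system restore."),
]


def expand_env(mask: str) -> str:
    """Replace %VAR% with its value (case-insensitive); unknown names are left alone."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), mask)


def split_path(path: str) -> list[str]:
    """'C:\\a\\b\\' -> ['c:', 'a', 'b']; lower-cased because Windows paths are case-insensitive."""
    return [seg.lower() for seg in path.replace("/", "\\").split("\\") if seg]


def entry_matches(entry: ListEntry, file_path: str) -> bool:
    """True if file_path lies under entry's folder mask and its name fits the file mask."""
    mask_segs = split_path(expand_env(entry.folder_mask))
    path_segs = split_path(file_path)
    if not path_segs:
        return False
    dir_segs, name = path_segs[:-1], path_segs[-1]
    # Non-recursive: the file must sit directly in the masked folder.
    # Recursive: any depth below it is fine.
    if len(dir_segs) < len(mask_segs):
        return False
    if not entry.recursive and len(dir_segs) != len(mask_segs):
        return False
    # '*' in a folder mask is a placeholder for one whole folder or drive name
    # ('*:' is any drive), so the mask is matched segment by segment.
    for seg, pat in zip(dir_segs, mask_segs):
        if not fnmatch.fnmatchcase(seg, pat):
            return False
    file_mask = entry.file_mask.lower()
    if file_mask == "*.*":      # Windows treats *.* as "every file", extension or not
        file_mask = "*"
    return fnmatch.fnmatchcase(name, file_mask)


def first_match(file_path: str, entries=DEFAULT_EXCLUSIONS) -> ListEntry | None:
    """The first list entry that covers file_path, or None."""
    for entry in entries:
        if entry_matches(entry, file_path):
            return entry
    return None


def is_excluded(file_path: str, entries=DEFAULT_EXCLUSIONS) -> bool:
    """Would this file be left unencrypted by the given exclusion list?"""
    return first_match(file_path, entries) is not None


if __name__ == "__main__":
    # Constructed sample paths from one workstation.
    for p in [
        "C:\\boot.ini",
        "C:\\Program Files\\App\\app.exe",
        "C:\\Documents and Settings\\alice\\Local Settings\\Temp\\cache\\x.tmp",
        "C:\\Archive\\Customers\\Huge Mart\\Secret Agreements\\contract.docx",
    ]:
        hit = first_match(p)
        verdict = f"EXCLUDED by {hit.folder_mask} {hit.file_mask}" if hit else "not excluded (encrypted)"
        print(f"{p}\n    -> {verdict}")
```

Note that under these rules a non-recursive *:\ *.exe entry only covers executables in a drive root, so C:\Program Files\App\app.exe is not excluded by that row; the same matcher checks inclusion masks such as *:\Archive\Customers\*\Secret Agreements from Table 1-9.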


Chapter 2
Deploying PME - MI Client

This chapter explains how to deploy PME – MI Client to protect workstations in your organization.

Note - Some of the screen shots in this chapter may come from different versions of the product. The accompanying text is, however, correct.

PME – MI Client Deployment Overview

Deploying PME – MI Client involves completing the following tasks in Pointsec MI management console:

• Setting a download location for PME – MI Client
  Create an installation package and set a path to the download location for it. The installation package is a .cab file containing Pointsec Media Encryption and other files to be deployed, see “Setting a Download Location for PME – MI Client” on page 46.

• Creating system security settings to be deployed on the workstations.
  To configure system security settings, see “Configuring System Security Settings” on page 49.

• Deploying Pointsec Media Encryption on users’ workstations
  Install Pointsec Media Encryption on users’ workstations, see “Deploying Pointsec Media Encryption” on page 53.


Setting a Download Location for PME – MI Client

The first step when deploying PME – MI Client is to create an installation package and to specify download locations for it. The installation package is a .cab file containing Pointsec Media Encryption and other files to be deployed.

To configure a download location for PME – MI Client:

1. In Pointsec MI explorer, navigate to Services:

2. Right-click on Download Locations and select New Download Location. The following dialog box opens:

3. Enter the following information:

   Table 2-1

   Field         Description
   Name          Enter a name for the location.
   Description   Enter a description of the location.

4. Click OK. PME – MI Client creates the location and displays it in the property sheet, for example:


5. Right-click on the location and select Properties. The Download Location Properties dialog box opens:

6. Select the relevant version of Pointsec Media Encryption and click Create Package. The Package for Pointsec Media Encryption dialog box opens:

7. Enter the following information:

   Table 3:

   Path               Description
   Source Path        Click Browse and open the directory containing the files you want to include in this installation package.
   Destination Path   Click Browse and open the directory in which you want to store this installation package.

8. Click Create to create the installation package.
   Wait for the process to complete, until PME – MI Client displays the following message:


9. Click OK and Close to return to the Download Location Properties dialog box:

10. Click Modify Path. The following dialog box opens:


11. Here you specify the address of the download location. Enter the following information:

   Table 2-1

   Option                Field/option      Description
   File Share Download   UNC Path          Enter, or click Browse to locate, the Universal/Uniform Naming Convention (UNC) path to the installation download location.
   HTTP Download         URL               Enter the Uniform Resource Locator (URL) to the installation download location.
                         Access security   Here you can specify the name and password of an account with access to the download location.
                                           User name – Enter the account name.
                                           Password – Enter the account password.
                                           Retype – Re-enter the account password.

   Note - The account you are using when creating the installation package must have write privileges for the location you specify.

   Note - On workstations on which you want to deploy Pointsec Media Encryption, the local workstation account must have read access to the location.

12. Click the Verify button to ensure that you have a functioning connection to the database.

13. Click OK to complete creating and configuring the installation package.

The next step is to configure the PME – MI Client system security settings to be installed on end-users’ workstations.

Configuring System Security Settings

This section describes how to configure Pointsec Media Encryption security profile settings to be deployed on the workstations.

Depending on whether you want to deploy Pointsec Media Encryption on one or several computers, you need to configure the settings accordingly. If you want to configure the system security settings for:


• One single computer, see “Configuring System Security Settings for a Single Computer” on page 50
• Several computers in an OU, see “Configuring Security Settings for All Computers in an OU” on page 52.

Configuring System Security Settings for a Single Computer

To configure settings for a single computer:

1. In Pointsec MI explorer, right-click on the computer on which you are deploying PME – MI Client and select Properties. The following dialog box opens:

2. Select Pointsec Media Encryption, open the General tab and click Properties.


   The following property sheet opens:

3. Configure the system security settings you want to deploy. See chapter 1, “Properties for PME - MI Client” on page 5 for more information.

   Tip - To restore a setting’s default value, right-click on the setting and select Reset to default value.

The next step is to deploy Pointsec Media Encryption on the end-user’s workstation. See “Deploying Pointsec Media Encryption on a Single Computer” on page 54.


Configuring Security Settings for All Computers in an OU

To configure settings for all computers in an OU:

1. In Pointsec MI explorer, right-click on the OU in which you are deploying Pointsec Media Encryption and select Properties. The following dialog box opens:

2. Select Pointsec Media Encryption and click Properties.
   The following property sheet opens:


3. Configure the system security settings you want to deploy. See chapter 1, “Properties for PME - MI Client” on page 5 for more information.

   Tip - To restore a setting’s default value, right-click on the setting and select Reset to default value.

The next step is to deploy Pointsec Media Encryption on end-users’ workstations. See “Deploying Pointsec Media Encryption on Several Computers in an OU” on page 55.

Deploying Pointsec Media Encryption

This section contains descriptions of the administrator’s tasks when deploying Pointsec Media Encryption on end-users’ workstations, and a description of what happens on an end-user’s workstation once the installation package has been deployed.

You can deploy Pointsec Media Encryption either on
• a single computer, see “Deploying Pointsec Media Encryption on a Single Computer” on page 54
or on
• several computers in an OU, see “Deploying Pointsec Media Encryption on Several Computers in an OU” on page 55.

Note - When deploying Pointsec Media Encryption, only direct install can be used; two-step installation is not possible.


Deploying Pointsec Media Encryption on a Single Computer

To deploy PME – MI Client on a single computer:

1. In Pointsec MI explorer, right-click on the computer on which you are deploying Pointsec Media Encryption and select Properties. The following dialog box opens:

2. Select the version of Pointsec Media Encryption you want to deploy and open the Install tab.

3. Select Direct Install and click Install.
   Pointsec MI deploys Pointsec Media Encryption and displays the following dialog box:

4. Click OK. The device agent on the workstation will start to download the installation package.

To see what happens on the end-user’s workstation, see “What happens on the user’s workstation?” on page 56.


Deploying Pointsec Media Encryption on Several Computers in an OU

To deploy PME – MI Client on several users’ workstations within an OU:

1. In Pointsec MI explorer, right-click on the OU in which you are deploying Pointsec Media Encryption and select Properties. The following dialog box opens:

2. Select the version of Pointsec Media Encryption you want to deploy and click Install. The following dialog box opens:


3. Select the following options:

   Table 2-2

   Option              Select
   Installation Type   Direct Install
   Include sub OUs     On
   Device Name         Select the devices you want to protect. To select all devices, right-click in the window and select Check all in the displayed menu.

4. Click Install and Close.
   Pointsec MI deploys Pointsec Media Encryption and displays the following dialog box:

5. Click OK. The device agents on the workstations will start to download the installation packages.

To see what happens on the end-users’ workstations, see “What happens on the user’s workstation?” on page 56.

What happens on the user’s workstation?

When the device agent on the workstation has downloaded the installation package, the following dialog box is displayed:


1. Click Next to continue. The following dialog box opens:

2. Click Install to continue. The following dialog box opens:

3. Click Finish.
   The following dialog box opens:

4. Click Yes to restart immediately. After the restart, the user will be prompted to set a password in order to be able to use Pointsec Media Encryption.


For more information on using Pointsec Media Encryption on an end-user workstation, see the Pointsec Media Encryption User’s Guide or the online help installed with Pointsec Media Encryption on the user’s workstation.

Updating Pointsec Media Encryption Settings

You can change the settings for a current installation of Pointsec Media Encryption. The settings can be modified either for one single computer, or for all computers in an OU.

To update the settings for either a
• single computer, see “Updating Security Settings for a Single Computer” on page 58
or
• all computers in an OU, see “Updating Security Settings for all Computers in an OU” on page 60.

Updating Security Settings for a Single Computer

To update settings for a single computer:

1. In Pointsec MI explorer, right-click on the computer on which you are updating the Pointsec Media Encryption settings and select Properties. The following dialog box opens:


2. Select Pointsec Media Encryption, open the General tab and click Properties.
   The following property sheet opens:

3. Modify the relevant system security settings. See chapter 1, “Properties for PME - MI Client” on page 5 for more information.

   Tip - To restore a setting’s default value, right-click on the setting and select Reset to default value.

4. Click OK. The Pointsec Media Encryption settings are immediately updated on the workstation.


Updating Security Settings for all Computers in an OU

To update settings for all computers in an OU:

1. In Pointsec MI explorer, right-click on the OU whose Pointsec Media Encryption settings you want to modify, and select Properties. The following dialog box opens:

2. Select Pointsec Media Encryption and click Properties.
   The following property sheet opens:


3. Modify the relevant system security settings. See chapter 1, “Properties for PME - MI Client” on page 5 for more information.

   Tip - To restore a setting’s default value, right-click on the setting and select Reset to default value.

4. Click OK. The Pointsec Media Encryption settings are immediately updated on the workstations.

Removing Pointsec Media Encryption

The following sections explain how to remove Pointsec Media Encryption from workstations.

To remove Pointsec Media Encryption from:
• A single computer, see “Removing from a Single Computer in an OU” on page 61
• Several or all computers in an OU, see “Removing from Several Computers in an OU” on page 62.

Removing from a Single Computer in an OU

To remove Pointsec Media Encryption:

1. In Pointsec MI explorer, right-click on the computer from which you want to remove Pointsec Media Encryption and select Properties. The following dialog box opens:


2. Select Pointsec Media Encryption, open the Uninstall tab and click Uninstall.
   The following dialog is displayed:

3. Click OK. Another dialog is displayed, informing you that the removal has been ordered on the workstation:

4. Click OK again. The device agent on the workstation removes Pointsec Media Encryption.

Removing from Several Computers in an OU

To remove Pointsec Media Encryption:

1. In Pointsec MI explorer, right-click on the OU from which you want to remove Pointsec Media Encryption and select Properties. The following dialog box opens:


2. Select Pointsec Media Encryption and click Uninstall. The following window opens:

3. Select the following options:

   Table 2-3

   Option            Select
   Include sub OUs   On
   Device Name       Select the devices from which you want to remove Pointsec Media Encryption.

4. Click Uninstall and Close.
   The following dialog is displayed:

5. Click OK. Another dialog is displayed, informing you that the removal has been ordered on the workstations:

6. Click OK. The device agents on the workstations remove Pointsec Media Encryption.




Chapter 3
Providing Remote Help

This chapter explains how to use Remote Help to help authorized users to regain access to a workstation or device if the workstation or device is locked or the user has forgotten their password.

Everyone Needs a Remote Help Procedure

All companies and organizations should implement a Remote Help procedure to suit their individual needs and resources. One method of implementing Remote Help is as follows:

• Assign designated Remote Help accounts to the people who will run the Remote Help procedure. How many accounts you need depends on your organization. By default, two accounts designed for use when providing Remote Help are created when installing Pointsec MI management console.

• Tell users who to call when they need Remote Help.

Note - Administrators who use smart cards/USB tokens for authentication cannot provide Remote Help as smart cards/USB tokens require physical access to the workstation.


Recommended Methods of Verifying Users

Before you provide Remote Help to a user, you must be sure that the user is actually authorized to access the workstation or device. You can do this in a number of ways, for example:

• Ask predetermined questions whose answers only legitimate users know
  Keep a list of questions to ask, for example: ask for the user’s name and favorite color, brand of car, etc. Make the answers to the questions illogical, fixed answers; for example, when asked about his/her favorite pet, the user could answer clouds, not cat.
  Store the questions and answers in a separate database that is accessible to all Remote Help administrators.

• Use voice verification software
  Use security software to extract the unique vocal characteristics of the caller and compare them with the Pointsec MI user’s reference voiceprint.

Providing Remote Help for Pointsec Media Encryption

The following section describes how to access Remote Help and how to change fixed passwords or allow a user one-time access to a workstation.

To access the Remote Help dialog box:

1. After you have verified that the user requesting help is legitimate, log in to Pointsec MI management console using a Remote Help administrator account.


2. In the Pointsec MI explorer bar, open Remote Help and double-click on Pointsec Media Encryption. The Remote Help dialog box opens:

A typical Remote Help procedure is as follows:

Table 3-1

Who:                             Does what:
The Remote Help administrator:   Enters the name of the locked device in the Search Text field and clicks Search. When found, the device’s name and OU are displayed, and the Challenge and Response fields become active.
The user who needs help:         Reads the challenge displayed on his or her screen to the Remote Help administrator.
The Remote Help administrator:   Enters the challenge in the Challenge field, clicks Get Response and reads the response to the user.
The user who needs help:         Enters the response in the Pointsec dialog box and regains access to the device.




THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty.

Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR


ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR INCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions ofthe code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portionscopyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the NationalInstitutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999,2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999,2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). Portions relatingto JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information.Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute andmodify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation.This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with yourproductive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessibledocumentation. 
This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited toimplied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their codedoes not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their priorcontributions.Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy ofthe License at http://www.apache.org/licenses/LICENSE-2.0The curl licenseCOPYRIGHT AND PER<strong>MI</strong>SSION NOTICECopyright (c) 1996 - 2004, Daniel Stenberg, .All rights reserved.Permission to use, copy, modify, and distribute this software for any purposewith or without fee is hereby granted, provided that the above copyrightnotice and this permission notice appear in all copies.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LI<strong>MI</strong>TED TO THEWARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENTSHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OFCONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THESOFTWARE.Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings inthis Software without prior written authorization of the copyright holder.The PHP License, version 3.0Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:1. 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission,please contact group@php.net.4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission fromgroup@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number.Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. Youmay also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than thePHP Group has the right to modify the terms applicable to covered code created under this License.6. Redistributions of any form whatsoever must retain the following acknowledgment:"This product includes PHP, freely available from ".THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOTLI<strong>MI</strong>TED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENTSHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LI<strong>MI</strong>TED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, ORPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, ORTORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THEPOSSIBILITY OF SUCH DAMAGE.70


This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Copyright (c) 2003, Itai Tzur. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights

The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).


Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Warranty Disclaimer

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

Written by: Philip Hazel, University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.

Copyright (c) 1997-2004 University of Cambridge. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Index

A
administering 1, 5
algorithms 20, 21
  3DES 21
  AES 21
  Blowfish 21
  PKCS#7 20
authentication 10
  CAPI 12
  corporate password 17
  corporate password Floppy Disk 18
  corporate password for CDs 18
  corporate password for external harddrives 18
  corporate password for removable media 18
  default access list 15
  certificates 15
  error codes 17
  LDAP search paths 16, 17
  force user 14
  max number of SSO hosts for CDs 19
  max number of SSO hosts for external harddrives 19
  max number of SSO hosts for floppy disks 18
  max number of SSO hosts for removable media 19
  min digits 13
  min password length 13
  min special characters 13
  min uppercase letters 13
  number of attempts 12
  SSO with Entrust 12
  SSO with Pointsec for PC 11
  unlimited number of attempts 13
  user selected max number of SSO hosts for CDs 19
  user selected max number of SSO hosts for external harddrives 19
  user selected max number of SSO hosts for floppy disks 19
  user selected max number of SSO hosts for removable media 19
authentication method
  corporate password 11
  password 11
auto initialize CD/DVD encryption 26
auto initialize external harddrive encryption 26
auto initialize floppy drive encryption 25
auto initialize removable media encryption 26
auto-open 20

C
CAPI 12
CD/DVD 35
certificate chain policy errors 17
certificates 15
corporate password 11, 17
corporate password Floppy Disk 18
corporate password for CDs 18
corporate password for external harddrives 18
corporate password for removable media 18

D
default access list 15
deploying PME - MI Client 45

E
encrypted packages 20
  auto-open 20
  customized message 20
  default message 20
  PKCS#7 algorithm 20
encryption 21
  algorithms 21
  auto initialize CD/DVD encryption 26
  auto initialize external harddrive encryption 26
  auto initialize floppy drive encryption 25
  auto initialize removable media encryption 26
  inclusion/exclusion lists CD/DVDs 22
  inclusion/exclusion lists external harddrive 22
  inclusion/exclusion lists floppy drive 21
  inclusion/exclusion lists folders 21
  inclusion/exclusion lists removable media 22
  lists 21, 22
  local folders 21
  Protect CD/DVD 23
  Protect External Harddrives 23
  protect floppy disk 22
  Protect Removable Media 22
  user selected CD/DVD protection 24
  user selected external harddrive protection 24
  user selected floppy disk protection 23
  user selected removable media protection 24
Entrust 12
error codes 17
events per file 27
exclusion lists 21, 22
  adding 39
  contents 42
  file 42
  folder 42

F
floppy disks 35
force user authentication 14

G
GINA 21, 30

I
ignore certificate chain policy errors 17
inclusion lists 21, 22
  adding to 37
  file 39
  folder 40
inclusion/exclusion lists CD/DVDs 22
inclusion/exclusion lists external harddrive 22
inclusion/exclusion lists floppy drive 21
inclusion/exclusion lists folders 21
inclusion/exclusion lists removable media 22

L
language 31
LDAP 16, 17
license number 29
localized 39
logging 27
  logging for devices 27

M
management console
  accessing 5
max number of SSO hosts for CDs 19
max number of SSO hosts for external harddrives 19
max number of SSO hosts for floppy disks 18
max number of SSO hosts for removable media 19
message
  customized 20
  default 20
miscellaneous
  language 31
  user selected language 31

N
number of attempts 12

O
overwrites
  number of 29

P
password 11
  min digits 13
  min length 13
  min special characters 13
  min uppercase letters 13
  time-out 14
PKCS#7 algorithm 20
Pointsec for PC
  deployment overview 45
  properties 50, 52, 59, 60
  removing 61
  security settings 49
Pointsec Media Encryption
  deploying 53
Protect CD/DVD 23
protect floppy disk 22
Protect Removable Media 22

R
Remote Help
  import webRH profile 34
  settings 32
remote help 65
  procedure 65
  providing 66
  verifying users 66
removable media 35

S
security settings 49
  authentication 10
  encrypted packages 20
  encryption 21
  logging 27
  miscellaneous 28
  recovery file transfer 31
  Remote Help 32
  stand-alone access 35
SSO
  Entrust 12
  Pointsec for PC 11
stand-alone access 35
  authentication attempts 36
  authentication delay 37
  authentication multiplier 37
  CD/DVD disks 35
  external harddrives 35
  floppy disks 35
  re-encrypt encrypted packages 37
  removable media 35
  user selected stand-alone access to
    CD/DVDs 36
    external harddrive 36
    floppy drive 36
    removable media 35

U
user selected
  CD/DVD protection 24
  external harddrive protection 24
  floppy disk protection 23
  language 31
  max number of SSO hosts for
    CDs 19
    external harddrives 19
    floppy disks 19
    removable media 19
  removable media protection 24
  stand-alone access to
    CD/DVDs 36
    external harddrive 36
    floppy drive 36
    removable media 35

W
webRH profile
  import 34
