
Symantec Endpoint Encryption Removable Media

Evaluation Guide

January 2015 – Covers version 11 MP2 of SEE Removable Media

Statement of Confidentiality and Purpose

This confidential and proprietary information (“Confidential Information”) is being delivered to a select number of parties who are believed to have interest in entering into a transaction with Symantec Corporation (“Symantec”). The sole purpose of this Proof of Concept Proposal is to assist your organization (“Company”) in deciding whether to proceed into a contractual agreement with Symantec. Company agrees that, prior to reading this Proof of Concept Proposal, Company will not distribute or use the Confidential Information contained herein and any other information regarding Symantec for any purpose other than the purpose for which it has been supplied. This Proposal, and any other Symantec related information provided, shall remain the sole property of Symantec. Company agrees not to disclose, sell, license, distribute, or otherwise make available the Confidential Information, except to the extent that such use is based on a “need to know” and is subject to terms and conditions governing the use of such Confidential Information that are at least as restrictive as Company uses to protect its own information of a similar nature.

In furnishing this Proof of Concept Proposal, Symantec undertakes no obligations. This Proof of Concept Proposal states the general intent of Symantec with respect to the subject matter herein and any performance by Symantec is contingent upon a written definitive agreement between the parties. This Proposal does not constitute a contract or an offer to form a contract. Symantec makes no representations or warranties related to the accuracy or completeness of the information in this Proof of Concept Proposal.

Getting Started

This Symantec Endpoint Encryption Evaluation Guide provides the information needed to evaluate Symantec Endpoint Encryption with the management components hosted on a Windows Server and Windows client operating systems hosting the encryption. The first step in deploying Symantec Endpoint Encryption is installing the SEE Management Server; this document details system requirements and deployment considerations for the Symantec Encryption Management Server, as well as for the clients that will have Symantec Endpoint Encryption installed on them.

Before beginning the evaluation, you must complete the “Steps To Do Before Starting Evaluation” checklist. The Technical Requirements listed in this document are scaled down for evaluation purposes. Hardware specifications for production systems are included in the Technical Requirements section.

Contents

Getting Started (3)

Removable Media Encryption Checklist (4)

Notes (5)

Symantec Endpoint Encryption Evaluation Architecture (6)

Technical Requirements (8)

Test Environment (10)

Installation and Configuration Steps – Endpoint Encryption Management Server (13)

Installation and Configuration – Create Client Packages (18)

Helpful links and reference material (20)

Symantec Endpoint Encryption – Test Plan (21)

Appendix A. – Technical Systems Information (27)

Appendix B – Provision an Active Directory Synchronization Account using DSACLS.exe (29)

Removable Media Encryption Checklist

Use the following checklists as an overview of the steps that need to be accomplished for the Evaluation.

Steps To Do Before Starting Evaluation

• Give the customer this document, which has the technical requirements for the Symantec Endpoint Encryption Management Server, SQL Server, Management Console, and client computers.

• Ask the customer to prepare a compatible environment before your arrival. This will include:

o Prepare a physical or virtual machine hosting a supported Microsoft Windows Server installation. (Specific system and network requirements are located in the Technical Requirements section of this document.)

o Install (or verify the availability of) a Microsoft Active Directory infrastructure

o Install (or verify the availability of) a supported Microsoft SQL installation

o Install (or verify the availability of) Internet Information Services (IIS)

o Provision required accounts

o Collect one or more removable media devices (thumb drive, memory card, etc.)

o Optional – Create a certificate for use as the Recovery certificate

o Optional – Obtain (or verify the availability of) TLS/SSL certificates for server and client/server communications

• Install the operating system for (or verify the availability of) at least one client machine

• Ensure network connectivity between client and directory server if using Microsoft Group Policy for policy management and Microsoft Active Directory Synchronization

• Provide a File Connect download link and download key for Symantec Endpoint Encryption 11 for the customer.

• If the customer will perform only the server installation on their own, provide them with the Symantec Endpoint Encryption 11 Install Guide and this document.

• If the customer will complete the entire Evaluation or portions of the Evaluation on their own, provide the customer with the Symantec Endpoint Encryption installation and configuration instructions in this document.

Evaluation Steps

• Provision required accounts

• Install Symantec Endpoint Encryption Management Server

• Complete post-installation setup

o Active Directory Synchronization configuration

o Internet Information Services (IIS) configuration

• Install SEE Management Console

• Verify SEE Management Server installation

• Verify SEE database installation

• Back up the SEE database

• Create the Management Agent and Removable Media Encryption client installation packages

• Deploy the client packages

• Reboot the endpoint machine

• Install other clients as desired

• Perform the desired tests from the Test Plan section of this document

Notes

• This document has been written to work for customers, Symantec Sales Engineers and partner Technical Pre-Sales Engineers.

• This document assumes the reader has completed the Symantec Endpoint Encryption Workshop, either by attending an instructor-led session or a self-paced session.

• This document assumes the reader has access to Symantec Endpoint Encryption technical publications and Symantec File Connect.

• This document is for a typical Removable Media Evaluation. It does not cover the use of Microsoft SQL or Microsoft IIS.

• This Evaluation guide assumes the use of a lab environment, which is recommended for testing. If production equipment will be used, please make sure that a current backup of all related systems is taken and that the current release notes are checked for potential incompatibilities. It is also recommended that no production data is encrypted during this testing.

• We recommend decrypting all files encrypted on removable media before taking the Management Server offline or deleting it.

Symantec Endpoint Encryption Evaluation Architecture

The Symantec Endpoint Encryption management system, known as the Symantec Endpoint Encryption Management Server, is designed to be a simple addition to an existing infrastructure. By leveraging standards-based, widely deployed technologies such as Active Directory, IIS, and SQL Server, the Symantec Endpoint Encryption Management Server offers fast deployment and minimal training, rollout, and support costs.

Among the many benefits of a standards-based approach is an architecture built on familiar, proven technologies, which flattens the training curve for new administrators while ensuring fewer problems and consistent troubleshooting. For enterprises using Active Directory as their principal directory services infrastructure, the Symantec Endpoint Encryption platform natively integrates with and makes direct use of existing servers, datastores, replication schemes, and policy management frameworks. Since most organizations already have measures in place to ensure the scalability, resiliency, and fault tolerance of their Active Directory services infrastructure, this is one less consideration when deploying the Symantec Endpoint Encryption Management System. In fact, integrating with Active Directory eliminates the need for a separate infrastructure or for deploying a new management tool. Active Directory already provides the ability to manage security applications the same way it manages other programs and policies. Policy for the Symantec Endpoint Encryption platform is managed centrally using Group Policy Objects and applied to users and devices that reside within Organizational Units of the directory.

Similarly, many enterprises also have devices on their network that are not part of their Windows domain infrastructure or are “unregistered”. For instance, these devices might include employee-purchased PCs for enterprise-wide BYOPC initiatives, employee home computers that periodically access the corporate network via a remote access connection, or devices belonging to independent agents or contractors. SEEMS (the Symantec Endpoint Encryption Management Server) allows these machines to be managed from the same console as machines registered within the corporate domain.

Operationally, policy management and reporting within the Symantec Endpoint Encryption platform are implemented directly as an MMC (Microsoft Management Console) snap-in. This familiar interface makes it possible for administrators to implement data protection policies with minimal training within a single console. Policy deployment is performed using standard Windows Group Policy Objects (GPOs), which leverage existing directory services groupings for users and machines. Administrative privileges and security policies are native and directly supported, with no need for synchronization or operation within another management console. The benefit of this architecture is a highly scalable system, able to grow to hundreds of thousands of endpoints, with built-in high availability and server failover. The system also provides true, end-to-end, enterprise-class, granular auditing and reporting as well as strong, two-factor, advanced authentication capabilities.

Technical Requirements

All systems that are part of the evaluation should meet or exceed the minimum system requirements defined below.

Note: Microsoft Internet Explorer 8, 9, 10, or 11 is required to view the online Help.

Test Environment

The following information outlines a simple testing environment for evaluating Symantec Endpoint Encryption.

Domain Controller/Member Server with Active Directory and DNS

• A computer running Windows Server 2008/2012, which is either the Domain Controller of a test domain or a member of an existing test domain. The server should have the following software installed:

o Microsoft SQL 2008, 2012 or 2014

o Microsoft Active Directory

o Microsoft Domain Name Services

o Microsoft Internet Information Services (IIS) 6.0 or later

o Microsoft .NET (See the table on page 8 for specific versions)

Client Computer

• At least one client computer running a supported operating system.

• One or more removable media devices

Provisioned Accounts:

The following accounts are required in order to successfully install and configure the various settings for Symantec Endpoint Encryption. The name next to each account is a suggestion to simplify the process. Each account is a domain user account and must be configured in your Active Directory test environment.

• Management Server account – seeadmin

• Database creation account – seeadmin

• IIS client account – iisadmin

• Policy administrator account – seeadmin

• Active Directory synchronization account – adsync

User accounts:

• You must have at least one user account, either a domain account or a local user account, to authenticate to the endpoint.

Other environmental requirements include:

• Firewall access open over the port assigned to IIS (suggested 8080 or 8081). Port 80 is not recommended, as it is often reserved for internal or general websites; this will cause a conflict and encrypted endpoints will fail to communicate with the Management Server.

o Firewall changes are only necessary if the test will include any endpoints communicating from outside the test/production environment.

• Local admin rights on each client system that will be used.

• For more environmental considerations, please consult the Symantec Endpoint Encryption Management Server 11 Installation Guide.
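The account provisioning and firewall requirements above can be scripted. The following PowerShell is an added example, not part of the Symantec guide, that creates the three suggested domain accounts (seeadmin, iisadmin, adsync) in a dedicated OU and opens the chosen IIS port on the Management Server. The domain name see-lab.local, the OU path and the rule name are constructed placeholders; the script assumes Windows Server 2012 or later with the ActiveDirectory and NetSecurity modules, run from an elevated prompt by a domain administrator.

```powershell
# Added example (not from the Symantec guide): provision the evaluation accounts
# listed under "Provisioned Accounts" and open the IIS port on the firewall.
# Assumptions: Windows Server 2012+, ActiveDirectory + NetSecurity modules present,
# run as a domain admin. Domain/OU names below are constructed placeholders.
Import-Module ActiveDirectory

$domainDns = 'see-lab.local'                          # placeholder
$domainDn  = 'DC=see-lab,DC=local'                    # placeholder
$ouName    = 'SEE Evaluation'                         # placeholder
$ouPath    = "OU=$ouName,$domainDn"
$iisPort   = 8080                                     # guide suggests 8080 or 8081, not 80

# Suggested account names from the guide, one per role.
$accounts = @(
    @{ Name = 'seeadmin'; Description = 'SEE Management Server, database creation and policy admin' },
    @{ Name = 'iisadmin'; Description = 'SEE IIS client/server communication account' },
    @{ Name = 'adsync';   Description = 'SEE Active Directory synchronization account' }
)

# Create the OU on first run so the accounts are easy to find and clean up later.
try {
    Get-ADOrganizationalUnit -Identity $ouPath -ErrorAction Stop | Out-Null
} catch {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

foreach ($acct in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'") {
        Write-Host "Account $($acct.Name) already exists, skipping."
        continue
    }
    # Prompt for each password so no secret is embedded in the script or its history.
    $password = Read-Host -AsSecureString -Prompt "Password for $($acct.Name)"
    New-ADUser -Name $acct.Name `
               -SamAccountName $acct.Name `
               -UserPrincipalName "$($acct.Name)@$domainDns" `
               -Path $ouPath `
               -Description $acct.Description `
               -AccountPassword $password `
               -ChangePasswordAtLogon $false `
               -Enabled $true
    Write-Host "Created $($acct.Name) in $ouPath"
}

# On the Management Server only: allow inbound TCP on the SEE IIS port.
# Per the guide this is needed only when endpoints outside the test network
# must reach the server; the rule is limited to the Domain profile.
$ruleName = 'SEE Management Server (IIS)'             # placeholder
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                        -LocalPort $iisPort -Action Allow -Profile Domain | Out-Null
    Write-Host "Opened TCP/$iisPort for $ruleName"
}

# From a client, confirm the port answers before deploying packages, e.g.:
#   Test-NetConnection -ComputerName seems1.see-lab.local -Port 8080
```

Passwords are read interactively rather than stored, and the firewall rule is scoped to the Domain profile and to the single SEE port, which matches the guide's advice to avoid port 80 and to open the firewall only when endpoints outside the test network need to reach the Management Server.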

Enabling the web server (IIS) role on the Management Server

The IIS role and ASP.NET must be enabled with the appropriate settings before installing the Symantec Endpoint Encryption Management Server.

To enable the web server (IIS) server role and role services:

1. Click Start > Administrative Tools > Server Manager.

2. In the left pane of the Server Manager snap-in, right-click Roles and click Add Roles.

3. On the welcome page of the Add Roles Wizard, click Next.

4. On the Select Server Roles page, select Web Server (IIS).

5. On the Add features required for Web Server (IIS) dialog box, click Add Required Features, and then click Next.

Note: Selecting the IIS role automatically selects the additional role services that IIS requires. Do not deselect any of these pre-selected check boxes.

6. Click Next again.

7. On the Select Role Services page, go to Web Server > Application Development, and click ASP.NET.

8. On the Add role services and features required for ASP.NET dialog box, click Add Required Role Services. Selecting this option also auto-selects .NET Extensibility, ISAPI Extensions, and ISAPI Filters.

9. Expand the Security option, and then click Basic Authentication.

10. Expand Management Tools, click IIS Management Scripts and Tools, and then click IIS 6 Management Compatibility.

11. Click Next, and then click Install. After the Add Roles Wizard indicates that the installation is successful, click Close. Choose File and then click Exit to close the Server Manager snap-in.
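The same role services can be installed and verified from an elevated PowerShell prompt, which is easier to repeat across lab rebuilds than clicking through the wizard. The script below is an added example and not part of the Symantec guide; it assumes the Windows Server 2012 / 2012 R2 feature names (on Windows Server 2008 R2 the equivalent cmdlet is Add-WindowsFeature from the ServerManager module) and maps each feature to the wizard step above that selects it.

```powershell
# Added example (not from the Symantec guide): enable the Web Server (IIS) role
# and the role services chosen in steps 4-10 above, then verify the result.
# Assumption: Windows Server 2012 / 2012 R2 feature names; run elevated.
Import-Module ServerManager

$features = @(
    'Web-Server',           # Web Server (IIS) role; its required services come with it (steps 4-5)
    'Web-Asp-Net',          # Application Development > ASP.NET (step 7)
    'Web-Net-Ext',          # .NET Extensibility, auto-selected by ASP.NET (step 8)
    'Web-ISAPI-Ext',        # ISAPI Extensions, auto-selected by ASP.NET (step 8)
    'Web-ISAPI-Filter',     # ISAPI Filters, auto-selected by ASP.NET (step 8)
    'Web-Basic-Auth',       # Security > Basic Authentication (step 9)
    'Web-Scripting-Tools',  # Management Tools > IIS Management Scripts and Tools (step 10)
    'Web-Mgmt-Compat'       # Management Tools > IIS 6 Management Compatibility (step 10)
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) {
    throw "Feature installation failed (exit code $($result.ExitCode))"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A reboot is required before installing the SEE Management Server.'
}

# Verification: every requested feature must now report Installed = True.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Still missing: " + ($missing.Name -join ', '))
} else {
    Write-Host 'All IIS role services required by the SEE Management Server are installed.'
}
```

Basic Authentication sends the IIS account credentials Base64-encoded on every client request, so outside the lab it should only be exposed over the TLS/SSL certificates that the checklist lists as optional for the evaluation.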

Installation and Configuration Steps – Endpoint Encryption Management Server

In this section we will briefly discuss the tasks that must be performed to prepare a Symantec Encryption Management Server for the test environment. The Symantec Encryption Management Server Installation Guide and the Online Help provide extensive details for the installation and configuration. This document will give only the steps necessary to prepare for this Evaluation.

Please download the most current Symantec Endpoint Encryption Management Server Install Guide to help you complete the tasks referenced here.

Management Server installation

Installation Overview

?Execute the installation .msi

?Connect the server to the database

?Configure the database

The detailed installation steps can be found starting on page 38 of the Symantec Encryption Management Server Installation Guide.

1) Log into the server computer that will host the Symantec Endpoint Encryption installation using an account with local administrator privileges.

Note: If you are using SQL Authentication, no prior provisioning is required. If Windows authentication will be used, log in with the provisioned Windows domain account.

2) Launch the Symantec Endpoint Encryption installation by double-clicking SEE Management Server.msi.

Note: It is recommended that the installation be completed through the command line by typing the following command:

Replace [path] with the correct path to the .msi file. Also, replace [logpath] with the path where you want the installation log file saved. The log file will provide important details if any errors appear during the installation. The Symantec Support team will request this file for troubleshooting.
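As an added example (not the guide's own command, which did not survive extraction), the following PowerShell launches the installer through msiexec with a verbose log and checks the exit code afterwards. It assumes the installer file name SEE Management Server.msi from step 2; the [path] and [logpath] values are placeholders to replace with your own locations.

```powershell
# Added example (not from the Symantec guide): run the Management Server MSI
# with verbose logging and report the outcome. Paths are placeholders.
$msiPath = 'C:\SEE\SEE Management Server.msi'   # [path] placeholder
$logPath = 'C:\SEE\logs'                         # [logpath] placeholder

if (-not (Test-Path -LiteralPath $msiPath)) { throw "Installer not found: $msiPath" }
New-Item -ItemType Directory -Path $logPath -Force | Out-Null

# Time-stamped log name so repeated attempts never overwrite each other.
$logFile = Join-Path $logPath ('SEEMS_install_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date))

# /i installs the package; /l*v writes a verbose log of every action,
# which is the file Symantec Support asks for when troubleshooting.
# No /qn switch: the installation wizard still appears, as in steps 3-14.
$msiArgs = @('/i', "`"$msiPath`"", '/l*v', "`"$logFile`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Host "Installation succeeded. Log: $logFile" }
    3010 { Write-Host "Installation succeeded; a reboot is required. Log: $logFile" }
    default {
        Write-Warning "msiexec exited with code $($proc.ExitCode). Last failure lines from the log:"
        # "Return value 3" marks the failing action in a verbose MSI log.
        Select-String -Path $logFile -Pattern 'Return value 3|Error' | Select-Object -Last 10
    }
}
```

Exit code 0 and 3010 are the two success outcomes for msiexec (3010 meaning a restart is pending); anything else should be read together with the last "Return value 3" entries in the log before retrying.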

3) When the Symantec Endpoint Encryption Installation Wizard appears, select Next.

4) Accept the End User License Agreement and select Next.

5) Database Location and Credentials:

a) Database Instance: Enter the NetBIOS name for the SQL instance, for example SEEMS1. If it is a named instance, include the name of the instance: “SEEMS\NamedInstance”. Alternatively, you can click Browse to locate the appropriate SQL Server instance.

b) If an SSL certificate has been configured for communication, select Enable TLS/SSL. This is not recommended for evaluation purposes.

c) If a custom SQL port number was configured, enable the selection and enter the appropriate port.

d) Authentication method – Select Windows authentication to use the Microsoft Windows account currently logged in. Select SQL authentication to use SQL Server account credentials.

e) Select Next.

6) For a new installation, select Create a new database. We recommend leaving the default name.

7) Database Access: Windows Authentication – Select this to use a previously provisioned Windows account (seeadmin).

Note: For evaluation purposes, we recommend using the Windows account. If you prefer to use SQL authentication, review the specific installation steps in the SEE Install Guide, page 34.

8) Database Access:

a) Enter the Windows credentials as domain\username and the correct password.

b) Select Next.

c) If the account exists, a message will appear notifying you. Select Yes.

9) Database Configuration: Leave the default settings and select Next.

10) Enter a Management Password from 2 to 32 characters long.

a) Record this on page 12 of the evaluation guide.

Note: In your production environment, record the password and store it in a secure location such as a safe. This is the key to the entire installation.

b) Select Next.

11) Leave the default installation path and select Next.

12) Select Install.

13) Click Finish after the installation completes.

14) The SEEMS Configuration Wizard will appear after you click Finish. Do not launch any of the remaining SEE installations. Go to the next section.

SEEMS Configuration Wizard

The SEEMS Configuration wizard completes the Management Server installation by configuring Active Directory Synchronization and the IIS settings for client/server communication.

1) Directory Service Sync

a. Select Microsoft Active Directory and select Next.

2) Active Directory Configuration – Enter the Active Directory information that matches your test environment, then select Next.

3) Web Service Configuration – Enter the IIS account credentials you plan to use for client/server communication. This account can be the same account you are using for the SEE Manager.

a. Be sure to enter a port that will be open on the firewall to allow for successful communications.

b. Select Finish when done and click OK when the success message appears.

Install SEE Management Agent and Removable Media Encryption Server installers

The next step in the installation is to install the components that make up the Management Console. The Management Console is used for creating client packages, managing policy, reporting, and help desk functions.

Management Agent

1) Double-click SEE Management Agent.msi or SEE Management Agent x64, depending on the server operating system.

Note: It is recommended that the installation be completed using the command line with the log switch, so that the installation can be traced if there are errors.

2) Select Next on the first installation page.

3) Select Next on the Multi-Factor Authentication page.

4) Accept the license agreement and select Next.

5) Token Authentication – leave the default unless you will be testing smart cards or tokens.

6) Select Next on the Destination Folder window.

7) Database Server

a. Ensure “Use SEE Server” is selected.

b. Database Server – Enter the database server (and instance name if needed), or select Browse and choose the correct SQL Server instance.

c. Database Name: Leave the default unless you chose a different database name during the Management Server installation.

d. Authentication: Select Windows Authentication or SQL authentication.

e. Select Next.

f. Management Password: Enter the password you created during the installation and noted on page 12 of this guide, then select Next.

g. Select Install.

h. Select Finish when complete.

Removable Media Encryption

1) Double-click the appropriate installer, SEE Removable Media Encryption or Removable Media Encryption x64.

2) Select Next on the first page of the wizard.

3) Accept the license agreement and select Next.

4) Select Install.

5) Select Finish when complete.

Congratulations! You have successfully installed and configured the Symantec Endpoint Encryption Management Server.

You can continue to Creating Client Packages.

Installation and Configuration – Create Client Packages

In this section we will create the Symantec Endpoint Encryption client packages, which will enable Removable Media encryption. Other documentation covers this in more detail, including the Symantec Endpoint Encryption Install Guide. This document will give only the steps necessary to prepare for this Evaluation.

Create Symantec Management Agent Client Package

1) Select Start > All Programs > Symantec Endpoint Encryption Management Server.

2) Click on Symantec Endpoint Encryption Software.

3) Select Management Agent and choose the following settings (select Next for each page):

a. Password Authentication – leave defaults

b. Communication

i. The information should already be populated. Change the status update interval to 5 minutes.

ii. Enter the IIS account password and select Finish.

c. Save the SEE Management Agent Client.msi to a location of your choice.

d. Select OK on the success window.

Create the Symantec Endpoint Encryption Removable Media Client Package

1) Select Start > All Programs > Symantec Endpoint Encryption Management Server.

2) Expand Symantec Endpoint Encryption Software.

3) Select Removable Media Encryption and choose the following settings:

a. Access and Encryption

i. Access – leave default

1. Encryption Format – leave default

2. Automatic Encryption – leave default

Note: Configuring Symantec Data Loss Prevention and the FlexResponse plugin for encryption of files per Symantec DLP is beyond the scope of this document. Please contact your sales engineer for assistance with configuring this option if desired.

3. On-Demand Encryption

a. Select both options

b. Device and File Type Exclusions

i. Select the options based on your intended test plan.

c. Encryption Method

i. Select A password and/or certificate.

d. Default Passwords

i. Session Passwords

1. Allow or deny Session Passwords based on your specific environment requirements.

e. Recovery Certificate – leave default.

Note: Configuration and use of a supported Recovery certificate is beyond the scope of this document. If you wish to test the Recovery certificate, please obtain a copy of Creating a Recovery Certificate for Symantec Endpoint Encryption Removable Storage for assistance.

f. Portability

i. Select all 3 options

g. Expired Certificates – leave default and select Finish.

h. Save the SEE Removable Media Client.msi to the same location as the Management Agent.

i. Select OK on the success window.

The next step is to install the software on the test clients.

You have just deployed Symantec Endpoint Encryption!

Helpful links and reference material

1) For the Support KB landing page for Symantec Endpoint Encryption, go here.

2) Online help is provided in the product and is available after installation. It contains extensive details about the various policy settings, reports, and other important details.
