
August 7th, 2019 09:00

DDP Client with No Server Connection

Hi,

I have an old version running on my laptop (version 8.3. Yea, I know - that's real old!!). I am curious - can the DDP client still function if the Enterprise Servers are removed/shut down on the network? (or I guess the real question is  - how well does the client function in this scenario?)

Thanks in advance for your reply,

TB73

 

August 7th, 2019 11:00

@TB73 

Yes, the client will continue to function even without the server. The client will retain the policies last set by the server.

Your biggest hurdle is when you attempt to decrypt or recover data, as the back-end server will no longer be available with the key material. Additionally, no changes in policy can occur, as that is managed by the server (which is no longer available).

Let me know if you end up having any other questions on this. 

-Brian 

L4 | Dell Data Security #IWork4Dell


August 12th, 2019 10:00

Thanks Brian!

In order to work around that hurdle is there a way to export the keys so that I can refer to them as individual files when running the 'cmgau -f' command?

August 14th, 2019 17:00

@TB73 when using CMGAU -F, it will unlock against either the hostname or device computer identification (DCID) if a server is actively present. 

The unlock will pull down all keys associated with that specific endpoint. Once you close the CMGAU application it will terminate the unlock of data. 

Are you attempting to download the key bundles to use at a later date? If so, you could use CMGAD bundle to download a keybundle. The downside of this method is that you are required to create a password with that bundle. If you lose that password, you will not have access to the CMGAD bundle. 

-Brian

L4 | Dell Data Security #IWork4Dell


August 15th, 2019 08:00

Brian,

 

Yes, I would like to download all the keys from the server so that I can refer to them 'offline' when using the cmgau utility.

I tried out the cmgad utility - it is asking for the MCID or DCID of a client. How do I go about accessing/downloading all of the keys instead of one by one which it looks like the cmgad utility is doing?

 

Thanks.

August 15th, 2019 11:00

@TB73 

Key bundles can only be downloaded on a per-hostname basis. The security posture of the product would be weakened significantly by allowing a single key bundle to contain all hostnames within the company.

The Dell Security Management Server database encodes all keys to ensure no unauthorized access is attempted to download all key bundles for the corporation. Only using an authorized tool can key bundles be downloaded on an as-needed basis.

Let me know if there are any other questions I can answer for you.

-Brian

L4 | Dell Data Security #IWork4Dell 


October 28th, 2019 10:00

Hi Brian,

 

Since I was handed this DDP application many years ago (from someone long gone from the company) I am being told by management here that there is such a thing as a single 'master' key that I can use to decrypt each individual laptop on my network. Is there such a key available? (No luck googling it so far.)

Thanks,

Tim

October 29th, 2019 08:00

@TB73 

At one point your management was correct. In Credant v7.3 and earlier (2012 and earlier) there was a method to manually generate a master file for all endpoints using system data encryption (SDE). This manual method was determined to weaken an environment's security posture and has since been addressed.

v8.3 would not include this ability. 

-Brian

L4 | Dell Data Security #IWork4Dell


February 13th, 2020 11:00

Hi Brian,

 

A follow up question on this scenario:  I went ahead and brought down the services on the servers and the clients seem to be working fine.

What I did next was to rotate/change the password for the CMGAU Active Directory account as per company security policy. (I am not sure if this AD account is something Dell set up or if it is a company-created account for the DDP application. Remember, I inherited this system a few years back.) What this password change did now is that I cannot successfully run the CMGAU.exe utility. Is there some connection between this AD account and the running of a what I believe to be stand-alone since I will be pulling the encryption key from a file and not the server?

Note: After bringing up the services again, I also cannot login to the console. This is after the CMGAU AD account password was changed.

Regards,

Tim

Moderator


February 13th, 2020 11:00

Hi @TB73,

It sounds like what you changed was what we refer to as our "service account" which might be used as a Logon As for our Dell Security Server services on your main server for Database and Active Directory access.  Since it sounds like those services are running I am going to assume they are set as local system or you went ahead and updated the Logon As settings once you rotated the password.  There is another place where this service account is used and it requires you to be inside the console to set \ update the information.

I believe you are attempting to access the console via your AD account?  If so that will not work because we currently do not have an authenticated connection to your directory.  There is a default local account we have named Superadmin, do you by chance have the login password for that account?  If so you can login as that user, go to the domains area of the console, and update the service account with the new password.  If you do not know the superadmin password let me know and I can DM you some steps to reset it.  

With regard to not being able to run CMGAU: if you are running that and not selecting to use a previously downloaded file, then that utility makes a live connection to the server to request a recovery bundle for the device you input. Once you resolve the issue detailed above, you should be able to use CMGAU for online requests again.

If you are using CMGAU with a previously downloaded file, the issue detailed above should not apply, and as long as you're entering the password that was entered when you created the file via our CMGAD tool, it should work without issue.


February 14th, 2020 06:00

Hi Stephen,

 

Appreciate the quick response. As for your questions and assumptions:

1. As far as I know, the 'cmgau' Active Directory account is not a service account. I have another account (credantservice) that is set to run the Dell services on the backend servers. Its password was also changed at the same time as the cmgau account and I was able to successfully restart all the Dell server services without a problem.

2. Yes, I have been using my AD account credentials to login to the console ever since I started administering this system.

3. No, I do not have the password for the Superadmin account. Please send those steps to reset it, as mentioned.

4. Yes, I am running the cmgau utility by attempting to access the encryption key from the backend servers. This is where it is failing now. Both cmgau and cmgad utilities were working fine before the cmgau account password was changed.

 

Regards,

Tim

 


Moderator


February 14th, 2020 07:00

@TB73 

Check your PMs for instructions on how to reset superadmin.  Once you get that reset go into the domains area of your console, go to settings, and there will be a user name and password field.  That is the account we use to authenticate user requests to your directory.  Update that information and you should be able to start using CMGAD/CMGAU again.
