Welcome to part two of the Dell Data Protection Encryption Policy Configuration Demo.
In part one, we showed you how to select and set a policy template. Now, we'll walk through customizing individual policies within a template and making policies available to clients.
The DDP E policy templates are collections of individual policies that are predefined with specific settings to help you meet industry compliance such as PCI or HIPAA regulations.
The templates are a good starting point, but shouldn't be considered final. You'll want to adapt them to meet your organization's specific security requirements.
So let's open up the "DDP E Management Console" and get started. After you log in, choose "Enterprise" under the "Protect & Manage" menu.
Then click on the "Security Policies" tab. From here, you'll want to choose a template and click "Save". We'll use the "Basic Protection for All Fixed Drives and External Drives" today.
This is our default encryption template. It specifies basic encryption for internal drives and removable media. Once you've saved the template, click the "Override" button to see the individual policies for the different sections that DDP E supports.
We're going to keep our focus on "Windows Encryption" today, but DDP E also supports self-encrypting drives, Microsoft BitLocker, Cloud Storage, Mac, and even mobile devices.
Now we can start modifying individual policies. The first area we'll look at is "Fixed Storage". System Data Encryption or SDE is part of the DDP E basic protection template, so its value is automatically set to "true".
If you don't want to use this type of encryption, simply change the value to "false". You can also specify the encryption algorithm. All of our templates use "AES256", which is our most secure encryption algorithm and the one we recommend.
The last section specifies which files and folders should or should not be encrypted. The online documentation will give you more detail on the syntax you should use.
At a high level, this first policy says we should encrypt everything on the system drive, which is normally the Windows C: drive. Since DDP E is a file-based solution, the encryption keys are not available until after Windows starts, so the Windows operating system files themselves must be left unencrypted.
We've included exceptions to exclude Windows operating system files and folders like the Windows "System32" folder, the "WinSxS" folder, and the "System Volume Information" folder.
The minus sign indicates that these files should not be encrypted and ensures Windows will be bootable even though the rest of the data on the drive is encrypted.
The next area is "General Settings". This is where you can customize user and common encryption policies. The template enables common and user encryption by default.
This second section specifies which folders should be encrypted with the common encryption key, which means that only managed users will be granted access to the data in those folders.
For example, by adding the folder name here, we're specifying that anything in the common encrypted data folder should be encrypted with the common encryption key.
Moving down, you'll see the "Application Data Encryption List". This specifies the applications to be encrypted. Anything these applications write out on the disk will be encrypted using a common encryption key.
By default, the standard Microsoft Office applications like Word, Excel, and PowerPoint will be encrypted. Below that, we have policies that allow you to specify encryption for "Outlook Personal" files, "Temporary Files", or "Temporary Internet Files".
This template doesn't default to encrypting temporary Internet files, but we recommend that you do, so that things like passwords that may be stored in your browser cache will be protected.
This next policy specifies that "User Profile Documents" should be encrypted. If you're in a Windows XP environment, that refers to the "My Documents" folder.
And you can encrypt the "Windows Paging File". The "Managed Services" field is from older installations of our software that didn't have support for system data encryption.
Since SDE is enabled, this field is no longer required. Secure Post-Encryption Cleanup means that when there's unencrypted data, we'll encrypt it and delete the unencrypted version of the file.
The deleted file is overwritten with random data so utilities like Norton Recovery utilities can't access the unencrypted data. The "Secure Windows Credentials" policy is a best practice in terms of encryption.
It goes in and encrypts the SAM database and protects your user passwords. You can also "Block Unmanaged Access to Domain Credentials", which protects data from viruses that try to bypass password confirmation and allow anyone to log in to a user's account.
There's also a "Secure Windows Hibernation File" policy. Some systems hibernate without notifying the client, so the hibernation file can't be encrypted in time. The second policy allows you to block hibernation in that case.
If you keep the "Secure Windows Hibernation" encryption enabled, you'll also want to enable the "Prevent Unsecured Hibernation" policy. The "User Encrypted Folders" policy allows you to specify folders that should be encrypted using a user encryption key.
This provides highly secure encryption, granting access only to the specific user who encrypted the data or forensic admins defined in the DDP E server.
Sharing user-encrypted data on a machine isn't possible. By typing this text, we are specifying that anything in the secure user data folder should be encrypted with a user encryption key.
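To make the include/exclude logic from the "Fixed Storage" section and the common and user folder lists from "General Settings" concrete, here is an added Python model that is not part of the demo and not Dell's code. It assumes a simplified rule syntax (a plain path includes, a leading minus sign excludes) that stands in for DDP E's real syntax, which the online documentation defines; the folder names, the precedence between exclusion, user, common and SDE rules, and the sample paths are all constructed for illustration. It also carries a small sanity check a defender would run before committing a template: that the boot-critical Windows folders are still excluded.

```python
import ntpath  # Windows path semantics (backslashes, case-insensitive), usable on any OS

# Constructed example policy. The syntax is a simplified stand-in for DDP E's
# own rule syntax; consult the product documentation for the real format.
SDE_RULES = [
    "C:\\",                              # encrypt everything on the system drive
    "-C:\\Windows\\System32",            # minus sign: never encrypt (keeps Windows bootable)
    "-C:\\Windows\\WinSxS",
    "-C:\\System Volume Information",
]
COMMON_ENCRYPTED_FOLDERS = ["C:\\CommonEncryptedData"]          # common key: any managed user
USER_ENCRYPTED_FOLDERS = ["C:\\Users\\alice\\SecureUserData"]   # user key: only the encrypting user

# Folders that must stay excluded for Windows to boot (from the demo's exception list).
BOOT_CRITICAL = ["C:\\Windows\\System32", "C:\\Windows\\WinSxS", "C:\\System Volume Information"]


def _norm(path):
    """Normalise a Windows path: lower-case, backslashes, no trailing separator."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def _under(path, folder):
    """True if path equals folder or lies anywhere beneath it."""
    path, folder = _norm(path), _norm(folder)
    return path == folder or path.startswith(folder + "\\")


def classify(path):
    """Return which key (if any) a file at `path` would be encrypted with.

    Precedence (an assumption of this model, not a documented DDP E rule):
    exclusions win outright, then user folders, then common folders, then SDE.
    """
    includes = [r for r in SDE_RULES if not r.startswith("-")]
    excludes = [r[1:] for r in SDE_RULES if r.startswith("-")]

    if any(_under(path, ex) for ex in excludes):
        return "excluded"
    if any(_under(path, f) for f in USER_ENCRYPTED_FOLDERS):
        return "user"
    if any(_under(path, f) for f in COMMON_ENCRYPTED_FOLDERS):
        return "common"
    if any(_under(path, inc) for inc in includes):
        return "sde"
    return "unencrypted"


def missing_boot_exclusions(rules=SDE_RULES):
    """List boot-critical folders that the rule set fails to exclude.

    An empty list means every folder Windows needs at boot stays unencrypted.
    """
    excludes = [r[1:] for r in rules if r.startswith("-")]
    return [f for f in BOOT_CRITICAL if not any(_under(f, ex) for ex in excludes)]


if __name__ == "__main__":
    for p in ["C:\\Windows\\System32\\ntoskrnl.exe",
              "C:\\Users\\alice\\Documents\\report.docx",
              "C:\\CommonEncryptedData\\budget.xlsx",
              "C:\\Users\\alice\\SecureUserData\\notes.txt",
              "D:\\archive\\old.txt"]:
        print(f"{p:45} -> {classify(p)}")
    print("missing boot exclusions:", missing_boot_exclusions())
```

Running the check against a template that dropped the "-C:\Windows\System32" line would report that folder as missing, which is exactly the kind of mistake that turns a policy change into an unbootable fleet.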
If you have purchased a Dell machine with our Hardware Crypto Accelerator on it, this area is where you'll turn that encryption on.
You can specify which volumes are encrypted, whether "All Fixed Volumes" or just "Your System Volumes", as well as whether a user is allowed to approve the encryption of a secondary volume or not.
The "Port Control System" area is where you'll manage which ports end users can access. None of our templates turns the "Port Control System" on by default.
You can turn this on by going to the drop-down and changing the value to "Enabled". Now you'll be able to turn on and off access to certain ports.
The "Removable Storage" area is where you'll specify encryption policies for your removable media like USB and FireWire drives, SD cards, and flash drives.
You have the option to exclude CDs and DVDs. The template automatically turns this option off so that CDs and DVDs will also be encrypted.
You can set access to unencrypted media as well. The default setting is read only, so if a user needs access to a presentation on someone else's USB drive, they'll be able to read it without having to encrypt the drive first.
We also allow "Automatic Authentication". The value is set to "Roaming", which means it's turned on. When a user encrypts removable media, they have to provide a password, which will be required when anyone tries to access the data on a machine that's not running DDP E.
Automatic Authentication ensures that when removable media is plugged into a machine that is running DDP E, it will recognize the user and automatically grant them access to the data.
The "EMS Whitelist" setting lets you select specific devices that should not be encrypted, so, for example, if your IT team needs to have bootable USB drives, you can whitelist those devices so they're not encrypted and remain bootable.
The next few policies allow you to specify your password complexity. The default is set to eight characters. You can change these settings to be as simple or complex as you like.
The rest of the policies specify the recovery process if a user forgets a password. The "Shield Permissions" area defines what server the client should talk to and how often the client should check in to see if there are policy updates.
All of the DDP E templates leave what server to talk to blank. This means that instead of using policies to figure out who to talk to, it will use a registry entry.
The "Policy Proxy Polling Interval" determines the time between check-ins. The default is every six hours or 360 minutes. The "User Experience" area determines how the end user interacts with policy updates.
The first policy specifies that the user is forced to reboot their system when policies that require a reboot are updated. If you set this policy to "false", then we'll wait until the next normal reboot to enforce the policy.
If you keep it set to "true", then the user will be prompted to reboot. The next few policies allow you to give the user the option to delay the reboot.
You can set how long they can delay (the default is 15 minutes) and how many times they are allowed to delay. You can also specify whether or not end users can view the policies as they are set.
The "Local Encryption Processing Control" policy allows the user to stop or restart the encryption process. Generally, you don't want to allow this unless the user is testing specific DDP E policy settings or configurations.
For average users, you should disable this. Once you've configured your individual policies, save your changes. Then, you can go back and see that your changes were applied.
From here, we'll select "Windows Encryption" and open up the "User Experience" area again. You can see that all of the changes we made are now shown in boldface.
The last step is to commit the policies and make them available to your end clients. To do that, you'll want to go to the "Actions" menu on the left and select "Commit Policies".
Committing a policy causes the DDP E server to sort through all of the policy changes and make sure it knows what the policy should be for every user and system.
We recommend you use the "Comment" field to add any details or information about what policy changes were made. When you're finished, click the "Apply Changes" button.
The screen will automatically update after a minute. Keep in mind, it may still be a few minutes more before the end client can see the policies.
To confirm that the policies have been updated on your end client, log on to that machine, and open the "DDP E User Console". From there, you can check the specific settings for that system to confirm that the correct policies have been applied.
And with that final step, you're finished. We hope you found the DDP E policy configuration demo helpful. If you have any questions, just contact your Dell support team.
We'll be happy to help. Thank you. Dell: The power to do more.