Activate - Activation occurs when the computer has
been registered with the
Security Management Server/
Security Management Server Virtual and has received at least an
initial set of policies.
Active Directory (AD) - A directory service
created by Microsoft for Windows domain networks.
Advanced Authentication - The Advanced Authentication product supports login with self-encrypting drives and SSO, and
manages user credentials and passwords. In addition, Advanced Authentication
can be used to access not only PCs, but any website, SaaS, or application. Once
users enroll their credentials, Advanced Authentication allows use of those
credentials to log on to the device and perform password replacement.
Application Data Encryption - Application Data Encryption (ADE) encrypts any file written by a protected application, using a category
2 override. This means that any directory that already has category 2 protection or better, or any location whose file extensions
are already protected at category 2 or better, is left to that higher-priority policy: ADE does not encrypt those files itself.
BitLocker Manager - Windows BitLocker is designed to help protect
Windows computers by encrypting both data and operating system files. To
improve the security of BitLocker deployments and to simplify and reduce the
cost of ownership, Dell provides a single, central management console that
addresses many security concerns and offers an integrated approach to managing
encryption across other non-BitLocker platforms, whether physical, virtual, or
cloud-based.
BitLocker Manager supports BitLocker encryption for operating
systems, fixed drives, and BitLocker To Go.
BitLocker Manager enables you to
seamlessly integrate BitLocker into your existing encryption needs and to
manage BitLocker with the minimum effort while streamlining security and
compliance. BitLocker Manager provides integrated management for key recovery,
policy management and enforcement, automated TPM management, FIPS compliance,
and compliance reporting.
Cached Credentials - Cached credentials are
credentials that are added to the PBA database when a user successfully
authenticates with Active Directory. This information about the user is
retained so that a user can log in when they do not have a connection to Active
Directory (for example, when taking their laptop home).
Common Encryption – The Common key makes encrypted files accessible to all managed users on the device where they were created.
Deactivate - Deactivation occurs when SED management is turned OFF in the Remote Management Console. Once the computer is
deactivated, the
PBA database is deleted and there is no longer any record of cached users.
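The two entries above (Cached Credentials and Deactivate) describe a cache that is populated only after a successful Active Directory login and is wiped on deactivation. The following is an added illustration written for this page, not Dell's PBA code: it stores a salted PBKDF2 verifier per user rather than the password, answers offline logins from that verifier, and clears everything on deactivate. The class and function names, the iteration count, and the stand-in directory with one constructed account are assumptions.

```python
"""Added example (not Dell's code): an offline credential cache in the spirit of the
PBA cached-credentials and deactivation entries. The verifier format, the work factor
and the constructed sample account are assumptions made for illustration."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable modern work factor, not Dell's value


class CredentialCache:
    """Holds a salted password verifier per user; the password itself is never stored."""

    def __init__(self):
        self._entries = {}  # username -> (salt, verifier)

    def cache_after_online_auth(self, username, password, directory_accepted):
        """Only a successful directory authentication may populate the cache."""
        if not directory_accepted:
            return False
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._entries[username.lower()] = (salt, verifier)
        return True

    def verify_offline(self, username, password):
        """Offline login: recompute the verifier and compare in constant time."""
        entry = self._entries.get(username.lower())
        if entry is None:
            return False  # this user never authenticated online on this device
        salt, verifier = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, verifier)

    def deactivate(self):
        """Deactivation discards every cached user, as the glossary entry describes."""
        self._entries.clear()

    def cached_users(self):
        return sorted(self._entries)


def simulated_directory_auth(username, password):
    """Constructed stand-in for Active Directory with a single known account."""
    return (username, password) == ("alice", "Correct-Horse-7")


def demo():
    cache = CredentialCache()
    # Successful online login: the user becomes a cached user.
    cache.cache_after_online_auth(
        "alice", "Correct-Horse-7", simulated_directory_auth("alice", "Correct-Horse-7"))
    # A failed online login must not create a cache entry.
    cache.cache_after_online_auth("bob", "guess", simulated_directory_auth("bob", "guess"))
    results = {
        "alice_offline_ok": cache.verify_offline("alice", "Correct-Horse-7"),
        "alice_wrong_password": cache.verify_offline("alice", "wrong"),
        "bob_not_cached": cache.verify_offline("bob", "guess"),
        "cached": cache.cached_users(),
    }
    cache.deactivate()
    results["after_deactivate"] = cache.cached_users()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point a practitioner should take from the model: an offline cache is only as strong as the verifier's work factor and the protection of the cache file, because an attacker with the disk can run offline guessing against it; that is why the glossary ties the cache to the PBA database and deletes it on deactivation.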
Encryption External Media - This service within the Dell Encryption client applies policies to removable media and external storage devices.
Encryption External Media Access Code - This service within the
Security Management Server/
Security Management Server Virtual allows for recovery of
Encryption External Media protected devices where the user has forgotten the password and can no longer log in. Completing this process allows the user
to reset the password set on the removable media or external storage device.
Encryption Client - The Encryption client is the
on-device component that enforces security policies, whether an endpoint is
connected to the network, disconnected from the network, lost, or stolen.
Creating a trusted computing environment for endpoints, the Encryption client
operates as a layer on top of the device operating system, and provides
consistently-enforced authentication, encryption, and authorization to maximize
the protection of sensitive information.
Endpoint - a computer that is managed by
Security Management Server/
Security Management Server Virtual.
Encryption Keys - In most cases, the Encryption
client uses the User key plus two additional encryption keys. However, there
are exceptions: All SDE policies and the Secure Windows Credentials policy use
the SDE key. The Encrypt Windows Paging File policy and Secure Windows
Hibernation File policy use their own key, the General Purpose Key (GPK). The
Common key makes files accessible to all managed users on the device where they
were created. The User key makes files accessible only to the user who created
them, only on the device where they were created. The User Roaming key makes
files accessible only to the user who created them, on any Shielded Windows (or
Mac) device.
Encryption Sweep - An encryption sweep is the process of scanning the
folders to be encrypted on a managed endpoint to ensure the contained files
are in the proper encryption state. Ordinary file creation and rename
operations do not trigger an encryption sweep. It is important to understand
when an encryption sweep may happen and what may affect the resulting sweep
times, as follows:
- An encryption sweep will occur upon initial receipt of a policy that has encryption enabled. This can occur immediately after activation if your policy has encryption enabled.
- If the Scan Workstation on Logon policy is enabled, folders specified for encryption will be swept on each user logon.
- A sweep can be re-triggered under certain subsequent policy changes. Any policy change related to the definition of the encryption folders, encryption algorithms, or encryption key usage (common versus user) will trigger a sweep. In addition, toggling between encryption enabled and disabled will trigger an encryption sweep.
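The Encryption Keys and Encryption Sweep entries above together define two rules: which key a file should carry (GPK for the paging and hibernation files, otherwise Common or User as the policy's key usage dictates) and which events re-trigger a sweep (initial policy, logon when Scan Workstation on Logon is set, and changes to folders, algorithm, key usage or the enabled flag, but not ordinary file creation or rename). The block below is an added model of those two rules written for this page; it is not Dell's sweep code. The policy field names, the on-disk state record, the rule that a disabled policy decrypts in-scope files, and the constructed sample file list are assumptions; SDE policies, which use their own key, are not modelled.

```python
"""Added example (not Dell's code): a model of the sweep-trigger rules and of the
key a file should carry, following the Encryption Keys and Encryption Sweep entries.
Field names, the file-state record and the sample files are assumptions."""
from dataclasses import dataclass

# Policy fields whose change the glossary says re-triggers a sweep.
SWEEP_TRIGGER_FIELDS = ("enabled", "folders", "algorithm", "key_usage")


@dataclass
class Policy:
    enabled: bool
    folders: tuple          # folders to encrypt, e.g. ("C:\\Users\\alice\\Documents",)
    algorithm: str          # e.g. "AES256"
    key_usage: str          # "common" or "user"
    scan_on_logon: bool = False


@dataclass
class FileState:
    path: str
    encrypted: bool = False
    key: str = ""           # key that encrypted it ("" when plaintext)
    algorithm: str = ""


def sweep_reasons(old, new, event):
    """Why a sweep runs now, if at all. `event` is "activation", "logon",
    "policy" or an ordinary file event such as "create"/"rename"."""
    reasons = []
    if old is None and new.enabled:
        reasons.append("initial policy with encryption enabled")
    if event == "logon" and new.scan_on_logon:
        reasons.append("Scan Workstation on Logon")
    if old is not None:
        for name in SWEEP_TRIGGER_FIELDS:
            if getattr(old, name) != getattr(new, name):
                reasons.append(f"policy change: {name}")
    return reasons  # empty for create/rename: those never trigger a sweep


def expected_key(policy, path):
    """Paging and hibernation files use the GPK; user data follows key usage."""
    leaf = path.rsplit("\\", 1)[-1].lower()
    if leaf in ("pagefile.sys", "hiberfil.sys"):
        return "GPK"
    return "Common" if policy.key_usage == "common" else "User"


def in_scope(policy, path):
    p = path.lower()
    return any(p.startswith(folder.lower().rstrip("\\") + "\\") for folder in policy.folders)


def sweep(policy, files):
    """Return (path, action) for every in-scope file not in its proper state."""
    actions = []
    for f in files:
        if not in_scope(policy, f.path):
            continue
        if not policy.enabled:
            if f.encrypted:  # assumption: disabling decrypts, as the SDE entry describes
                actions.append((f.path, "decrypt"))
            continue
        want = expected_key(policy, f.path)
        if not f.encrypted:
            actions.append((f.path, f"encrypt with {want}"))
        elif f.key != want or f.algorithm != policy.algorithm:
            actions.append((f.path, f"re-encrypt with {want}/{policy.algorithm}"))
    return actions


# Constructed sample: the administrator switches key usage from user to common.
OLD = Policy(True, ("C:\\Users\\alice\\Documents",), "AES256", "user")
NEW = Policy(True, ("C:\\Users\\alice\\Documents",), "AES256", "common", scan_on_logon=True)
SAMPLE_FILES = [
    FileState("C:\\Users\\alice\\Documents\\budget.xlsx", True, "User", "AES256"),
    FileState("C:\\Users\\alice\\Documents\\notes.txt"),              # never encrypted
    FileState("C:\\Users\\alice\\Downloads\\setup.exe"),              # out of scope
    FileState("C:\\Users\\alice\\Documents\\old.doc", True, "Common", "AES128"),
]


def demo():
    return sweep_reasons(OLD, NEW, "policy"), sweep(NEW, SAMPLE_FILES)


if __name__ == "__main__":
    reasons, actions = demo()
    print("sweep because:", reasons)
    for path, action in actions:
        print(f"  {action}: {path}")
```

Running the model on the constructed sample shows why sweep time matters operationally: a single key-usage change forces re-encryption of every already-encrypted file in scope, not just the plaintext ones, so a large policy change on a large folder set is a long I/O-bound job.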
Malware Protection (Full Scan) - Malware Protection Full Scan scans the following locations for threats:
- The computer memory for installed rootkits.
- Hidden processes, and other behavior that suggests malware is attempting to hide itself.
- The memory of all running processes, all drives and their subfolders on the computer.
Malware Protection (Quick Scan) - Malware Protection Quick Scan scans the following locations for threats:
- The memory of all running processes.
- The files that the Windows Registry references.
- The contents of the Windows folder.
- The contents of the Temp folder.
On-Access Malware Protection - When a user accesses files, folders, and programs, the on-access scanner intercepts the operation
and scans the item.
Preboot Authentication (PBA) - Preboot
Authentication serves as an extension of the BIOS or boot firmware and is
intended to provide a trusted authentication layer external to, and isolated
from, the operating system. The PBA prevents anything being read from
the hard disk, such as the operating system, until the user has proven they
hold the correct credentials.
SED Management - SED Management provides a platform for securely
managing self-encrypting drives. Although SEDs provide their own encryption,
they lack a platform to manage their encryption and available policies. SED
Management is a central, scalable management component, which allows you to
more effectively protect and manage your data. SED Management ensures that you
will be able to administer your enterprise more quickly and easily.
System Data Encryption (SDE) - SDE is designed to
encrypt the operating system and program files. To accomplish this purpose, SDE
must be able to open its key while the operating system is booting. Its intent
is to prevent alteration or offline attacks on the operating system by an
attacker. SDE is not intended for user data. Common and User key encryption are
intended for sensitive user data because they require a user password in order
to unlock encryption keys. SDE policies do not encrypt the files needed by the
operating system to start the boot process. SDE policies do not require preboot
authentication or interfere with the Master Boot Record in any way. When the
computer boots up, the encrypted files are available before any user logs in
(to enable patch management, SMS, backup and recovery tools). Disabling SDE
encryption triggers automatic decryption of all SDE encrypted files and
directories for the relevant users, regardless of other SDE policies, such as
SDE Encryption Rules.
Threat Protection - The Threat Protection product is based on
centrally managed policies that protect enterprise computers against security
threats. Threat Protection consists of:
- Malware Protection - Checks for viruses, spyware, unwanted programs, and other threats by automatically scanning items when accessed or based on schedules defined in policy.
- Client Firewall - Monitors communication between the computer and resources on the network and the Internet and intercepts potentially malicious communications.
- Web Protection - Blocks unsafe websites and downloads from those websites during online browsing and searching, based on safety ratings and reports for websites.
Trusted Platform Module (TPM) - TPM is a security
chip with three major functions: secure storage, measurement, and attestation.
The Encryption client uses TPM for its secure storage function. The TPM can
also provide encrypted containers for the software vault.
User Encryption – The User key makes files accessible only to the user who created them, only on the device where they were
created. When running Dell Server Encryption, User Encryption is converted to Common Encryption. One exception is made for
external media devices; when inserted into a server with Encryption installed, files are encrypted with the User Roaming key.