Endpoint Security Suite Pro Advanced Installation Guide v1.8

Glossary

Activate - Activation occurs when the computer has been registered with the Security Management Server/Security Management Server Virtual and has received at least an initial set of policies.

Active Directory (AD) - A directory service created by Microsoft for Windows domain networks.

Advanced Authentication - The Advanced Authentication product supports login with self-encrypting drives, SSO, and manages user credentials and passwords. In addition, Advanced Authentication can be used to access not only PCs, but any website, SaaS, or application. Once users enroll their credentials, Advanced Authentication allows use of those credentials to log on to the device and perform password replacement.

Application Data Encryption - Application Data Encryption (ADE) encrypts any file written by a protected application, using a category 2 override. This means that ADE does not encrypt files in any directory that has category 2 protection or better, or in any location that has specific extensions protected with category 2 or better.

BitLocker Manager - Windows BitLocker is designed to help protect Windows computers by encrypting both data and operating system files. To improve the security of BitLocker deployments and to simplify and reduce the cost of ownership, Dell provides a single, central management console that addresses many security concerns and offers an integrated approach to managing encryption across other non-BitLocker platforms, whether physical, virtual, or cloud-based. BitLocker Manager supports BitLocker encryption for operating systems, fixed drives, and BitLocker To Go. BitLocker Manager enables you to seamlessly integrate BitLocker into your existing encryption needs and to manage BitLocker with the minimum effort while streamlining security and compliance. BitLocker Manager provides integrated management for key recovery, policy management and enforcement, automated TPM management, FIPS compliance, and compliance reporting.

Cached Credentials - Cached credentials are credentials that are added to the PBA database when a user successfully authenticates with Active Directory. This information about the user is retained so that a user can log in when they do not have a connection to Active Directory (for example, when taking their laptop home).

Common Encryption - The Common key makes encrypted files accessible to all managed users on the device where they were created.

Deactivate - Deactivation occurs when SED management is turned OFF in the Remote Management Console. Once the computer is deactivated, the PBA database is deleted and there is no longer any record of cached users.

Encryption External Media - This service within the Dell Encryption client applies policies to removable media and external storage devices.

Encryption External Media Access Code - This service within the Security Management Server/Security Management Server Virtual allows for recovery of Encryption External Media protected devices where the user forgets their password and can no longer log in. Completing this process allows the user to reset the password set on the removable media or external storage device.

Encryption Client - The Encryption client is the on-device component that enforces security policies, whether an endpoint is connected to the network, disconnected from the network, lost, or stolen. Creating a trusted computing environment for endpoints, the Encryption client operates as a layer on top of the device operating system, and provides consistently-enforced authentication, encryption, and authorization to maximize the protection of sensitive information.

Endpoint - A computer that is managed by Security Management Server/Security Management Server Virtual.

Encryption Keys - In most cases, the Encryption client uses the User key plus two additional encryption keys. However, there are exceptions: All SDE policies and the Secure Windows Credentials policy use the SDE key. The Encrypt Windows Paging File policy and Secure Windows Hibernation File policy use their own key, the General Purpose Key (GPK). The Common key makes files accessible to all managed users on the device where they were created. The User key makes files accessible only to the user who created them, only on the device where they were created. The User Roaming key makes files accessible only to the user who created them, on any Shielded Windows (or Mac) device.

Encryption Sweep - An encryption sweep is the process of scanning the folders to be encrypted on a managed endpoint to ensure the contained files are in the proper encryption state. Ordinary file creation and rename operations do not trigger an encryption sweep. It is important to understand when an encryption sweep may happen and what may affect the resulting sweep times, as follows:
  • An encryption sweep will occur upon initial receipt of a policy that has encryption enabled. This can occur immediately after activation if your policy has encryption enabled.
  • If the Scan Workstation on Logon policy is enabled, folders specified for encryption will be swept on each user logon.
  • A sweep can be re-triggered under certain subsequent policy changes. Any policy change related to the definition of the encryption folders, encryption algorithms, or encryption key usage (common versus user) will trigger a sweep. In addition, toggling between encryption enabled and disabled will trigger an encryption sweep.

Malware Protection (Full Scan) - Malware Protection Full Scan scans the following locations for threats:
  • The computer memory for installed rootkits.
  • Hidden processes, and other behavior that suggests malware is attempting to hide itself.
  • The memory of all running processes, all drives and their subfolders on the computer.

Malware Protection (Quick Scan) - Malware Protection Quick Scan scans the following locations for threats:
  • The memory of all running processes.
  • The files that the Windows Registry references.
  • The contents of the Windows folder.
  • The contents of the Temp folder.

On-Access Malware Protection - When a user accesses files, folders, and programs, the on-access scanner intercepts the operation and scans the item.

Preboot Authentication (PBA) - Preboot Authentication serves as an extension of the BIOS or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk, such as the operating system, until the user has confirmed they have the correct credentials.

SED Management - SED Management provides a platform for securely managing self-encrypting drives. Although SEDs provide their own encryption, they lack a platform to manage their encryption and available policies. SED Management is a central, scalable management component, which allows you to more effectively protect and manage your data. SED Management ensures that you will be able to administer your enterprise more quickly and easily.

System Data Encryption (SDE) - SDE is designed to encrypt the operating system and program files. To accomplish this purpose, SDE must be able to open its key while the operating system is booting. Its intent is to prevent alteration or offline attacks on the operating system by an attacker. SDE is not intended for user data. Common and User key encryption are intended for sensitive user data because they require a user password in order to unlock encryption keys. SDE policies do not encrypt the files needed by the operating system to start the boot process. SDE policies do not require preboot authentication or interfere with the Master Boot Record in any way. When the computer boots up, the encrypted files are available before any user logs in (to enable patch management, SMS, backup and recovery tools). Disabling SDE encryption triggers automatic decryption of all SDE encrypted files and directories for the relevant users, regardless of other SDE policies, such as SDE Encryption Rules.

Threat Protection - The Threat Protection product is based on centrally managed policies that protect enterprise computers against security threats. Threat Protection consists of:
  • Malware Protection - Checks for viruses, spyware, unwanted programs, and other threats by automatically scanning items when accessed or based on schedules defined in policy.
  • Client Firewall - Monitors communication between the computer and resources on the network and the Internet and intercepts potentially malicious communications.
  • Web Protection - Blocks unsafe websites and downloads from those websites during online browsing and searching, based on safety ratings and reports for websites.

Trusted Platform Module (TPM) - TPM is a security chip with three major functions: secure storage, measurement, and attestation. The Encryption client uses TPM for its secure storage function. The TPM can also provide encrypted containers for the software vault.

User Encryption - The User key makes files accessible only to the user who created them, only on the device where they were created. When running Dell Server Encryption, User Encryption is converted to Common Encryption. One exception is made for external media devices; when inserted into a server with Encryption installed, files are encrypted with the User Roaming key.

