
Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.8

Configure Encryption on a Server Operating System

Enable Encryption on a Server Operating System

NOTE:

Encryption of server operating systems converts User encryption to Common encryption.

  1. As a Dell administrator, log in to the Management Console.
  2. Select Endpoint Group (or Endpoint), search for the endpoint or endpoint group to enable, select Security Policies, and then select the Server Encryption policy category.
  3. Set the following policies:
    • Server Encryption - Select to enable Encryption on a server operating system and related policies.
    • SDE Encryption Enabled - Select to turn on SDE encryption.
    • Encryption Enabled - Select to turn on Common encryption.
    • Secure Windows Credentials - This policy is Selected by default.

      When the Secure Windows Credentials policy is Selected (the default), all files in the \Windows\system32\config folder are encrypted, including Windows credentials. To prevent Windows credentials from being encrypted, set the Secure Windows Credentials policy to Not Selected. Encryption of Windows credentials occurs independently of the SDE Encryption Enabled policy setting.

  4. Save and commit the policies.

Customize Activation Logon Dialog

The Activation Logon dialog displays:

  • When an unmanaged user logs on.
  • When the user selects Activate Dell Encryption from the Encryption icon's menu, located in the notification area.

    The text is customizable to include any site-specific or customer-specific installation and activation instructions.

    To customize the text in this dialog, add the following registry key on the client computer:

    [HKLM\SOFTWARE\Dell\Dell Data Protection\Encryption\CustomResources]

    "ActivationDisclaimer"=REG_SZ:"custom activation instructions"
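
One way to deploy and verify this value with PowerShell (an added example, not taken from the Dell guide). It assumes an elevated 64-bit PowerShell session on the client; the ACL check and its list of trusted SIDs are this example's own additions, and the text is the guide's placeholder.

```powershell
# Added example: set the ActivationDisclaimer value, verify it, and confirm
# that only administrative principals can change the text users see.
$keyPath = 'HKLM:\SOFTWARE\Dell\Dell Data Protection\Encryption\CustomResources'
$name    = 'ActivationDisclaimer'
$text    = 'custom activation instructions'   # placeholder text from the guide

# Create the CustomResources key if it does not exist, then write REG_SZ.
if (-not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -LiteralPath $keyPath -Name $name -PropertyType String `
    -Value $text -Force | Out-Null

# Read the value back and check both content and type.
$key = Get-Item -LiteralPath $keyPath
if ($key.GetValue($name) -ne $text -or
    $key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::String) {
    throw "ActivationDisclaimer was not written as expected."
}

# Assumption of this example: these well-known SIDs are the only principals
# that should hold write access (SYSTEM, Administrators, CREATOR OWNER,
# TrustedInstaller).
$trusted = @(
    'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
$write = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# List Allow rules that grant any write-type right to an untrusted SID.
$risky = (Get-Acl -LiteralPath $keyPath).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.RegistryRights -band [int]$write) -ne 0 -and
        $trusted -notcontains $_.IdentityReference.Value
    }

if ($risky) {
    $risky | Format-Table IdentityReference, RegistryRights, IsInherited
    Write-Warning "Non-administrative principals can modify $keyPath."
} else {
    Write-Output "ActivationDisclaimer set; key is writable only by trusted principals."
}
```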

Set Encryption External Media Policies

The original encrypting computer is the computer that originally encrypts a removable device. When the original computer is a protected server - a server with Encryption on a server operating system installed and activated - and the protected server first detects the presence of a removable device, the user is prompted to encrypt the removable device.

  • Encryption External Media policies control removable media access to the server, authentication, encryption, and more.
  • Port Control policies affect removable media on protected servers, for example, by controlling access and usage of the server's USB ports by USB devices.

The policies for removable media encryption can be found in the Management Console in the Server Encryption technology group.

Encryption on a Server Operating System and External Media

When the protected server's EMS Encrypt External Media policy is Selected, external media is encrypted. Encryption links the device to the protected server with the Machine key and to the user with the User Roaming key of the removable device's owner/user. All files added to the removable device are then encrypted with those same keys, regardless of the computer it is connected to.

NOTE:

Encryption on a server operating system converts User encryption to Common encryption, except on removable devices. On removable devices, encryption is performed with the User Roaming key associated with the computer.

When the user does not agree to encrypt a removable device, the user's access to the device can be set to Blocked when used on the protected server, Read only while used on the protected server, or Full access. The protected server's policies determine the level of access on an unprotected removable device.

Policy updates occur when the removable device is re-inserted into the original protected server.

Authentication and External Media

The protected server's policies determine authentication functionality.

After a removable device has been encrypted, only its owner/user can access the removable device on the protected server. Other users cannot access the encrypted files on the removable media.

Local automatic authentication allows the protected removable media to be automatically authenticated when inserted in the protected server when the owner of that media is logged in. When automatic authentication is disabled, the owner/user must authenticate to access the protected removable device.

When a removable device's original encrypting computer is a protected server, the owner/user must always log in to the removable device when using it in computers that are not the original encrypting computer, regardless of the Encryption External Media policy settings defined on the other computers.

Refer to AdminHelp for information on Server Encryption Port Control and Encryption External Media policies.

Suspend Encryption on a Server Operating System

Suspending an encrypted server prevents access to its encrypted data after a restart. The virtual server user cannot be suspended. Instead, the encrypted server's Machine key is suspended.

NOTE:

Suspending the server endpoint does not immediately suspend the server. The suspension takes place the next time the key is requested, typically the next time the server is restarted.

NOTE:

Use with care. Suspending an encrypted server could result in instability, depending on policy settings and whether the protected server is suspended while disconnected from the network.

Prerequisites

  • Help desk administrator rights, assigned in the Management Console, are required to suspend an endpoint.
  • The administrator must be logged in to the Management Console.

  1. In the left pane of the Management Console, click Populations > Endpoints.
  2. Search or select a hostname, then click the Details & Actions tab.
  3. Under Server Device Control, click Suspend then Yes.

NOTE:

Click Reinstate to allow Encryption of server operating systems to access encrypted data on the server after it restarts.

