Reference Guide
Security Management Server - AdminHelp v9.8
Some examples of variables used in folder and extension policy:
%ENV:SYSTEMDRIVE%\CustomApplication
What this does: Lists the \CustomApplication\ folder for encryption on the default drive where Windows is installed (the system drive).
-%ENV:USERPROFILE%\Desktop
What this does: The leading minus sign excludes the Desktop folder of the user who is currently logged in, so that folder receives category 0 protection (no encryption).
Application Data Encryption (ADE)
ADE encrypts any file written by a protected application, using a category 2 override. As a result, ADE does not encrypt files written into a directory that already has category 2 protection or better, or into a location whose specific extensions are protected at category 2 or better; the existing protection takes precedence.
For example, ADE does not encrypt files written into the \Windows\System32 folder, because that directory has a default protection of category 2.
Example Policies for Common/User Key Encryption
The following set of encryption rules encrypts most of the drive, including standard Microsoft Office-type documents in the Documents and Settings folders. Use this policy set only for Common Encryption (not User Encryption, Encryption External Media, or SDE). It is considered a strong policy set and will typically require some adjustment for local conditions and requirements.
%ENV:SYSTEMDRIVE%\
^%ENV:USERPROFILE%\;<insert standard office extensions here>
FOLDERID_Documents or %CSIDL:PERSONAL% (pre-Windows 7)
%ENV:USERPROFILE%\Desktop\
^%ENV:USERPROFILE%\;mp3.mp4.mpeg.avi.wmv.wav
-^%ENV:USERPROFILE%\Desktop\;<system file extensions to exclude>
-%ENV:SYSTEMDRIVE%\;<system file extensions to exclude>
-%ENV:SYSTEMDRIVE%\config.msi
What this does:
Encrypts all of C:\, except for protected directories
Encrypts standard Microsoft Office documents across the drive, except in protected directories; under USERPROFILE the caret-prefixed rule encrypts them even inside protected directories
Encrypts all of My Documents
Encrypts all of the Desktop, except for the listed excluded extensions
Encrypts the listed media files (mp3, mp4, mpeg, avi, wmv, wav) anywhere under USERPROFILE
Excludes common system files from encryption
Excludes the entire C:\config.msi directory from encryption, because encrypting it causes MSI upgrade migration issues
All paths are dynamic, based on environment variables
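As an added illustration of the rule syntax used above (the %ENV:...% and %CSIDL:...% variables, the leading - exclusion, the ^ prefix, and folder;ext.ext extension lists) and of the ADE category 2 override, here is a small Python model of how such a policy set can be evaluated against a file path. It is example code written for this page, not Dell's implementation or its actual rule engine. The precedence it applies (an exclusion wins; then a ^ rule encrypts even inside a protected directory; then a plain include encrypts only outside protected directories) is an assumption, as are the variable values, the protected-directory table and the extension lists that stand in for the placeholders in the policy above.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed stand-ins for the client's variables; the values are made up.
VARS = {
    "ENV:SYSTEMDRIVE": "C:",
    "ENV:USERPROFILE": "C:\\Users\\alice",
    "CSIDL:PERSONAL": "C:\\Users\\alice\\Documents",
}

# Constructed protected-directory table: directory -> protection category.
# Windows\System32 at category 2 is what the text states; the second entry is
# an assumption added so the ^ prefix has something to override.
PROTECTED = {
    "C:\\Windows\\System32": 2,
    "C:\\Users\\alice\\AppData\\Local\\Microsoft": 2,
}

VAR_RE = re.compile(r"%((?:ENV|CSIDL):[A-Za-z0-9_]+)%")


def expand(path, variables=VARS):
    """Replace %ENV:NAME% / %CSIDL:NAME% tokens; an unknown name is an error."""
    def sub(m):
        key = m.group(1).upper()
        if key not in variables:
            raise KeyError(f"unknown policy variable %{key}%")
        return variables[key]
    return VAR_RE.sub(sub, path)


def norm(path):
    """Case-fold and normalise a Windows path so prefix tests are reliable."""
    return ntpath.normpath(path).lower().rstrip("\\")


def under(directory, folder):
    return directory == folder or directory.startswith(folder + "\\")


@dataclass(frozen=True)
class Rule:
    text: str          # rule exactly as written in the policy
    exclude: bool      # leading '-'
    override: bool     # leading '^'
    folder: str        # expanded, normalised folder
    exts: frozenset    # empty set = every file under the folder


def parse_rule(line, variables=VARS):
    """Parse one policy line of the form [-][^]folder[;ext1.ext2.ext3]."""
    text = line.strip()
    body, prefix = text, ""
    while body and body[0] in "-^":
        prefix, body = prefix + body[0], body[1:]
    folder, _, ext_list = body.partition(";")
    exts = frozenset(e.lower() for e in ext_list.split(".") if e)
    return Rule(text, "-" in prefix, "^" in prefix, norm(expand(folder, variables)), exts)


def rule_matches(rule, file_path):
    if not under(norm(ntpath.dirname(file_path)), rule.folder):
        return False
    if not rule.exts:
        return True
    return ntpath.splitext(file_path)[1].lstrip(".").lower() in rule.exts


def protection_category(file_path, protected=PROTECTED):
    """Highest category of any protected directory containing the file (0 if none)."""
    directory = norm(ntpath.dirname(file_path))
    return max((c for d, c in protected.items() if under(directory, norm(d))), default=0)


def evaluate(file_path, rules, protected=PROTECTED):
    """Return (encrypted, reason).  Assumed precedence, not taken from the text:
    exclusion wins; '^' encrypts even in a protected directory; a plain include
    encrypts only where the directory is below category 2."""
    hits = [r for r in rules if rule_matches(r, file_path)]
    for r in hits:
        if r.exclude:
            return False, f"excluded by {r.text}"
    category = protection_category(file_path, protected)
    for r in hits:
        if r.override:
            return True, f"forced by {r.text} (directory category {category})"
    for r in hits:
        if category >= 2:
            return False, f"{r.text} matched, but directory is protected (category {category})"
        return True, f"included by {r.text}"
    return False, "no rule matches"


def ade_encrypts(file_path, protected=PROTECTED):
    """ADE's category 2 override: output of a protected application is left alone
    wherever the directory already has category 2 or better."""
    return protection_category(file_path, protected) < 2


# Constructed policy modelled on the Common Encryption example above; the
# extension lists replace the placeholders and are not Dell's.
POLICY = [parse_rule(line) for line in [
    "%ENV:SYSTEMDRIVE%\\",
    "^%ENV:USERPROFILE%\\;doc.docx.xls.xlsx.ppt.pptx",
    "%CSIDL:PERSONAL%\\",
    "%ENV:USERPROFILE%\\Desktop\\",
    "^%ENV:USERPROFILE%\\;mp3.mp4.mpeg.avi.wmv.wav",
    "-^%ENV:USERPROFILE%\\Desktop\\;exe.dll.sys",
    "-%ENV:SYSTEMDRIVE%\\;exe.dll.sys",
    "-%ENV:SYSTEMDRIVE%\\config.msi",
]]

if __name__ == "__main__":
    for p in ["C:\\Users\\alice\\Desktop\\notes.txt",
              "C:\\Users\\alice\\Desktop\\tool.exe",
              "C:\\config.msi\\cache.dat",
              "C:\\Windows\\System32\\drivers\\etc\\hosts",
              "C:\\Users\\alice\\AppData\\Local\\Microsoft\\cache.docx"]:
        print(p, "->", evaluate(p, POLICY))
```

Running the block prints a decision and the winning rule for each constructed path, which is the check an administrator wants before pushing a rule set: a system file on the Desktop is caught by both exclusions, anything under C:\config.msi is left alone, a file in \Windows\System32 is skipped because of its category, and an Office document inside a protected directory under the profile is still encrypted only because of the ^ rule.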
System Data Encryption (SDE)
SDE is an intelligent file-based encryption method in which the encryption key is authenticated automatically during the volume mount process. A unique SDE Key is generated for each volume that is targeted for encryption by