EMBASSY Security Center ESC 2.9.5 Client Manual Updated November 28, 2012 http://www.wave.com ESC 2.9.5 User Guide Wave Systems Corp.
Contents
1. Introduction
2. Installation
8. Self-Encrypting Drive Management
8.1 Initializing Drive Security
8.2 Un-initialization
8.3 Secondary Drive Support
1. Introduction
Welcome and thank you for choosing Wave’s EMBASSY® software products. The latest updates to ESC can be found in the readme.txt in the root folder of the installation disk. ESC allows one to:
• Enable and use the security features of self-encrypting hard drives (SEDs)
• Use advanced Trusted Platform Module (TPM) management functions
  o ESC includes the Wave CSP/Toolkit, which enables advanced authentication features of the TPM.
2. Installation
ESC can be installed interactively or silently by following the instructions in this section. Antivirus software can interfere with the installation, so it is recommended that it be disabled. It is also recommended that other open programs be closed to prevent them from interfering with the installation. Running critical Windows updates can interfere with the installation, so it is recommended to update Windows prior to installing ESC.
2.1.4. Compatibility with 3rd Party Security Packages
NOTE: TSS, as used below, refers to the Trusted Computing Group’s (TCG) Software Stack specification.
Dell Data Protection | Access (DDP|A): If the Dell Security Driver Pack is installed (listed as “Dell Data Protection | Access | Drivers” in Add/Remove Programs), ESC will remove this driver pack and replace it with the drivers packaged in ESC.
2.1.5. Support Statement for SED Management
All platforms and SEDs which meet the following criteria are supported by Wave.
• PC OEM platforms:
  o From Dell, HP or Lenovo.
  o Ordered and shipped from the factory with an SED.
  o Released within the last three (3) years.
• Self-encrypting drives:
  o All TCG OPAL1-compliant SEDs.
  o Most TCG OPAL2-compliant SEDs.
2.1.5.1.
2.2. Upgrades
ESC 2.9.5 supports direct upgrades from ESC 2.8.4 and ESC 2.8.0. The drive can remain initialized while performing this upgrade install. Chained upgrades from 2.7.3 to 2.8.4 to 2.9.5 are also supported.
If using fingerprint readers: ensure that NTRU TSS is *NOT* installed on the endpoint *PRIOR* to upgrade or installation of ESC. Failure to perform this check may cause fingerprint logon and new fingerprint enrollments to fail.
2.3. Interactive Installation
1. Run WaveSetup.exe in the root folder of the ESC installation media.
2. Follow the instructions in the wizard to complete the installation.
3. CAUTION: Carefully read the last window prior to clicking Finish. Some third-party security software programs may not be compatible with Wave software and, if so, a note will say so here.
4. ESC will prompt for a restart following the installation.
2.4. Silent Installation
User Account Control (UAC) must be disabled, or the installer must be run as administrator. Following ESC installation, ESC must be restarted to use any functionality other than SED management. Run the following command from the command prompt:
WaveSetup.exe -silent -install
Other commands:
Silent uninstallation: WaveSetup.exe -silent -uninstall
Show (hide) icons on desktop: WaveSetup.exe -icon (-nicon)
Omit component installers: WaveSetup.
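The following PowerShell wrapper is an added example, not Wave’s own tooling: it enforces the two preconditions this section states (UAC disabled, or the installer running elevated) before launching WaveSetup.exe with the documented -silent -install / -silent -uninstall switches, and reminds the operator that a restart is still owed. It assumes WaveSetup.exe is in the current directory and that a zero exit code means success; the manual does not document exit codes, so that mapping is an assumption.

```powershell
# Added example (not Wave's code): silent ESC install/uninstall with precondition checks.
# Assumptions: WaveSetup.exe sits in the current directory; exit code 0 = success.
param(
    [string]$SetupPath = (Join-Path (Get-Location) 'WaveSetup.exe'),
    [switch]$Uninstall
)

function Test-IsElevated {
    # True when the current token holds the local Administrators role (i.e. an elevated prompt).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UacDisabled {
    # EnableLUA = 0 is the standard Windows value meaning UAC is switched off machine-wide.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($val -eq 0)
}

# Manual section 2.4: UAC must be disabled OR the installer must run as administrator.
if (-not (Test-IsElevated) -and -not (Test-UacDisabled)) {
    throw 'Run this script from an elevated prompt, or disable UAC first (manual section 2.4).'
}
if (-not (Test-Path $SetupPath)) {
    throw "Installer not found: $SetupPath"
}

# Switches exactly as documented: -silent -install or -silent -uninstall.
$setupArgs = @('-silent', $(if ($Uninstall) { '-uninstall' } else { '-install' }))

$proc = Start-Process -FilePath $SetupPath -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    # Non-zero exit is treated as failure (assumption; the manual does not list exit codes).
    throw "WaveSetup.exe exited with code $($proc.ExitCode); investigate before retrying."
}

Write-Host "WaveSetup.exe finished ($($setupArgs -join ' '))."
Write-Host 'Restart before relying on any feature other than SED management (manual section 2.4).'
```

Run it from an elevated prompt as `.\Install-Esc.ps1` (or `.\Install-Esc.ps1 -Uninstall`); the elevation check is what keeps the script from silently producing a half-installed ESC when UAC blocks the installer.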
2.5. Installing ESC to Manage the TPM
To fully utilize the TPM for authentication or Wave Endpoint Monitor (WEM), a Trusted Software Stack (TSS) is required. If no TPM software has been installed on the client prior to installing ESC, the ESC installer will automatically install the WaveTSS middleware. If other TPM management software is present, ESC may not install.
2.6. Repair an ESC Installation
There may be scenarios where ESC needs to be repaired. The ESC repair procedure can be run interactively or silently.
2.6.1. Perform an ESC Repair Interactively
• Log into the endpoint.
• Navigate to the installed programs applet:
  o Windows XP/Vista: Start -> Control Panel -> Add/Remove Programs.
  o Windows 7: Start -> Control Panel -> Programs and Features.
• Right-click EMBASSY Security Center.
• Select Uninstall/Change.
2.7. Services Installed by ESC
EMBASSY Security Center components are correctly configured at the time of installation. In case they have been changed after the fact, the startup types are listed below. Note: without a complete restart after installing ESC, no feature is guaranteed to work completely.
ESC 2.8.4 Services:
ETBIService: installed by ERASConnector and must be available for ERAS management. The recommended startup type is Manual.
3. Configuration for Remote Management of ESC
When ESC is installed, it checks Windows policy settings to point to the ERAS server. If the policy is not set when the installation completes, ERAS will not be able to manage the client. The ESC component that is configured for communication is called ERAS Connector.
3.1. Installation Procedure with No Manual ERAS Connector Configuration
If you follow the following procedure when installing ESC 2.
4. TPM Lifecycle Management
A TPM is a hardware chip attached to the motherboard that can make authentication to protected services or data easier and more secure. ESC can manage the TPM chip to securely store keys and certificates. Users must provide credentials to unlock certificates. Thus, the TPM provides both user-level and device-level authentication.
Lost TPM owner password: If the TPM is owned but the owner password is lost, the TPM can be cleared in the BIOS. All data previously protected by the TPM, including passwords and certificates, will be rendered useless if the TPM is cleared.
Select the “Platform Security Modules” tab at the left, followed by the “Manage TPM” tab at the top.
1. Under “Ownership”, click the button labeled “Establish”.
2. Enter the new owner password twice and select “OK”.
4.1. How to Archive and Restore TPM Keys
The Archive and Restore functionality is used to back up and restore all user credentials (login and encryption information) stored in the Trusted Platform Module (TPM). A backup of this data is important when re-provisioning a computer or for restoring data in the case of hardware failure. In either case, you can simply restore all of your credentials to your new computer from a saved archive file.
4.2. Wave Cryptographic Service Providers (CSPs)
The following CSPs are made available on the client and can be selected when making an advanced certificate request to a Microsoft Certificate Authority (CA). For information on how to enforce the use of a Wave CSP (that is, to require the TPM in order to access a resource), refer to the section of the ERAS manual dealing with TPM central management.
Once these prerequisites are met and ESC 2.9 is installed, both KSPs are available for use through Windows.
Wave TCG-Enabled KSP: This is the standard KSP. The use of a PIN is optional.
Wave TCG-Enabled Strong Authentication KSP: This KSP supports only protected keys, meaning a PIN must always be used with the strong authentication KSP.
1. All keys created with this KSP are always password protected.
2.
5. TPM as a Virtual Smart Card
If you have a Certificate Authority available, your TPM can give you functionality equivalent to a smart card. This virtual smart card travels with your computer and becomes a token to authenticate to remote services and the local computer. Compared to password authentication, a Virtual Smart Card (VSC) makes it harder for an attacker to use your credentials because your credentials are tied to the TPM chip on your computer.
5.1. Configuration
To configure the TPM Virtual Smart Card on the client computer to accept certificates:
1. Install ESC 2.9.
2. Turn the TPM on and take ownership of it through ESC or ERAS.
3. [Optional but recommended] Open services.msc and stop the “Windows Update” service.
4. Copy Install_Virtual_SmartCard_v..vbs from the ERAS installation media to the ESC client.
5. Open a Windows Command Prompt with Admin rights.
A reboot is required after taking ownership of the TPM and before enrolling the certificate. Otherwise, the certificate snap-in will prompt for the smart card during enrollment.
4. When using the TPM Virtual Smart Card, you must have the appropriate trusts to your Certificate Authorities. This trust can be created when you download a CA certificate chain from your CA. Without the appropriate trust, you will not be able to enroll certificates.
5.
NOTE: The page may appear to be "frozen", but it should only take a few minutes for the installation to complete. It may seem like it is taking a long time for the certificate request to go through. This is normal and will depend on network connection, machine speed, etc.
5.3. Change PIN
The steps to change the TPM VSC PIN are slightly different depending on whether Wave Secure Logon is set. To change the PIN if Wave Secure Logon is set:
1.
Remote Desktop: To remote desktop into a computer without a TPM virtual smart card, a separate MSI that ships with ERAS must be installed on the target computer.
Uninstalling TPM Virtual Smart Card: To uninstall the TPM Virtual Smart Card, run the following command line from an elevated command prompt:
CScript.exe Uninstall_Virtual_SmartCard.vbs
5.5.
5.5.1 Cached Virtual Smartcard Expiration
How long the VSC credential is cached is based on configuration set on the network domain controller. The endpoint’s local security policy also needs to be set for how long the credential will remain cached:
1. Open an elevated command prompt.
2. Type gpedit.msc.
3. Navigate to Local Security Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies.
4.
6. Wave Endpoint Monitor
Wave Endpoint Monitor (WEM) is an additional product that can use ESC to help you detect Advanced Persistent Threats (APTs) that would otherwise go unnoticed for long periods of time and cause severe damage and data loss. An APT could be a rootkit, and could even reside in infected firmware. To combat this, Wave utilizes tamper-resistant storage locations on the TPM called Platform Configuration Registers (PCRs).
7. Secure Windows Logon
Wave Secure Logon is a way to make authentication to Windows easier and more secure. One would set Secure Windows Logon if they desired Single Sign On (SSO) with the SED or wanted to use fingerprint authentication to Windows. Fingerprint data is protected by the TPM when the TPM is available. Secure Windows Logon also supports using a certificate on a smart card to log on to Windows.
7.1. Biometrics
The use of biometrics is supported for Secure Windows Logon and for authentication to the TPM.
Supported Fingerprint Sensors
The following table lists two columns: the name given by the manufacturer is in the first column, and the sensor identifier shown in Device Manager is in the second. If the label for the sensor is not available, Windows Device Manager can be used to check the VID and PID of the sensor.
Sensor Name / Sensor Identifier in Device Manager
Dell laptop sensors:
Broadcom Sensor: VID_0A5C&PID_5802
Broadcom Sensor: VID_0A5C&PID_5803
UPEK Sensors: VID_0A5C&PID_5801, VID_0483&PID_2016, VID_147E&PID_2016, VID_147E&PID_1000
UPEK TCS1, UPEK TCS3, UPEK TCS4, Eikon solo sensor: VID_147E&PID_1001, VID_0483&PID_2015
The process to check the VID and PID in Windows 7 is to go to Device Manager (press Windows key + R, type devmgmt.msc and press Enter).
The fingerprint sensor VID and PID are found in Device Manager.
7.2. How to Enroll Fingerprints
Fingerprint authentication can be used for Secure Windows Logon. A fingerprint reader is required. To enroll fingerprints:
1. Click on the “Windows Login” tab at the left.
2. Click the “Enroll/Update” button.
3. Follow the instructions in the wizard. You will be prompted to enter your Windows password before enrolling your fingerprints. You may select which fingerprints you wish to add.
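Checking the VID/PID by hand in Device Manager does not scale across a fleet. The PowerShell script below is an added example, not part of the manual or of Wave’s software: it enumerates the USB devices present on the endpoint and compares each VID/PID against the supported-sensor identifiers listed in the table above. It uses the Win32_PnPEntity WMI class so that it runs on the Windows 7 endpoints this section describes; the grouping comments mirror the manual’s table and are not a claim about which identifier belongs to which model.

```powershell
# Added example (not Wave's code): compare present USB devices against the
# fingerprint-sensor VID/PID list in manual section 7.1.
# Win32_PnPEntity is used so this runs on Windows 7 (Get-PnpDevice needs Windows 8+).
$SupportedSensorIds = @(
    'VID_0A5C&PID_5802',   # Broadcom Sensor
    'VID_0A5C&PID_5803',   # Broadcom Sensor
    'VID_0A5C&PID_5801',   # UPEK Sensors group in the manual's table
    'VID_0483&PID_2016',
    'VID_147E&PID_2016',
    'VID_147E&PID_1000',
    'VID_147E&PID_1001',   # UPEK TCS1/TCS3/TCS4, Eikon solo group
    'VID_0483&PID_2015'
)

function Get-UsbVidPid {
    # Pull "VID_xxxx&PID_xxxx" out of a device instance ID such as
    # USB\VID_147E&PID_2016\1234 and normalise the hex digits to upper case.
    param([string]$DeviceId)
    if ($DeviceId -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
        return ('VID_{0}&PID_{1}' -f $Matches[1].ToUpper(), $Matches[2].ToUpper())
    }
    return $null
}

function Test-SupportedSensor {
    # True when the device's VID/PID is one of the identifiers from the manual.
    param([string]$DeviceId)
    $id = Get-UsbVidPid $DeviceId
    return ($null -ne $id) -and ($SupportedSensorIds -contains $id)
}

# Enumerate present USB devices and report which ones are on the supported list.
$usbDevices = Get-WmiObject -Class Win32_PnPEntity | Where-Object { $_.DeviceID -like 'USB\VID_*' }
$found = $false
foreach ($dev in $usbDevices) {
    $id = Get-UsbVidPid $dev.DeviceID
    if ($null -eq $id) { continue }
    if (Test-SupportedSensor $dev.DeviceID) {
        $found = $true
        '{0,-11} {1,-20} {2}' -f 'SUPPORTED', $id, $dev.Name
    }
}
if (-not $found) {
    Write-Warning 'No fingerprint sensor from the manual''s supported list is present on this endpoint.'
}
```

The comparison is done on the normalised VID/PID string rather than the Device Manager friendly name, since the manual notes the sensor label may be missing while the VID/PID is always available.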
7.3. Smart Card at Secure Windows Logon
A smart card can be enrolled for authentication with Secure Windows Logon, provided the smart card middleware is available. After a valid Windows certificate is placed on the card through the Microsoft Windows smart card enrollment process, Secure Windows Logon must be set for certificate authentication. To do this:
1. Open ESC.
2. Select the Windows Login tab.
3.
7.4. Configurable Logon Graphic
The logon graphic for Windows, when Wave Secure Logon is enabled, can be configured to a different bitmap image than the default Wave logo. Only one logo can be used on one computer at a time; each user will see the same logo.
Requirements:
• Wave Secure Logon must be enabled for the logo to be visible.
• A bitmap image must be used.
• The recommended image size is 128x128 pixels; images of other sizes will be scaled down.
Procedure:
1.
8. Self-Encrypting Drive Management
EMBASSY Security Center manages the hardware-based security functions of self-encrypting drives, which have data encryption embedded in the drive hardware. This functionality is used to ensure that only authorized users can access encrypted data (this applies only when drive locking is enabled; however, drive locking is selected by default when initializing the drive).
8.
7) Enter the username and password again at the practice screen.
8) Click Verify. This step is mandatory, in order to prevent lockout in the case of a forgotten username and/or password.
9) A prompt will display as a reminder to back up the username and password. CAUTION: The username/password can be saved as an electronic file or printed out and kept in a secure place.
10) A Drive Initialized screen will display. Security has been enabled on this self-encrypting drive, and password authentication will be required to access the data.
11) Click Done to complete the initialization process.
8.2 Un-initialization
Un-initialization will not delete drive data, but will remove the drive security, remove all users, and allow the drive to be initialized by someone else.
8.4 Extended User Support
ERAS-managed drives can support more users than normal using the “Extended Users Support” (EUS) server setting. The table below lists examples of how many users you can add to a drive. The total number of users will vary, depending on factors such as the length of each user name and any custom pre-boot messages.
Drive: Seagate OPAL; Hitachi (not thin drives); Micron; Samsung; Samsung; Seagate DT
8.
While only the currently logged-in user can change their password from the change password screen, the drive administrator can change any user’s password from the “Trusted Drive Advanced Settings” management screen, which can be accessed by pressing the “Manage” button in the “Trusted Drive” tab.
8.6 Add a User
You can add additional users to unlock each drive. The number of users you can add depends on the space made available by the hard drive manufacturer.
User must change password at next logon: the user will need to change their password from the one that was assigned to them the first time they log on. This is referred to as FUMC in ERAS. More details can be found under “First Use Must Change”.
Once the additional user has been added, the user will appear in the “Trusted Drive Advanced Settings” screen under “Trusted Drive Users”.
Name: EndpointEnrollmentServiceHost
Type: REG_SZ
Data/Function: String value of the Endpoint Enrollment server. This can be a Fully Qualified Domain Name (FQDN), NetBIOS name, or IP address; however, if SSL is used, it must match what is used on the SSL certificate (usually the FQDN).
Name: EndpointEnrollmentServiceSSLEnabled
Type: REG_DWORD
Data/Function: 32-bit value (1 = SSL on; 0 = SSL off)
Name: SEDSelfEnrollErrMsg
Type: REG_MULTI_SZ
Data/Function: Customer-defined multi-string error message value.
3.
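When these values are staged by script rather than by hand, the easy mistake is to enable SSL while pointing the host value at an IP or NetBIOS name that the server certificate does not carry. The PowerShell below is an added example, not Wave’s own code: it writes the three values with the registry types this section lists and warns when the SSL/host combination looks inconsistent. The registry key path is not present in this extract of the manual, so the script carries a clearly marked placeholder that must be replaced with the key given in section 3; the default error-message strings are constructed sample text.

```powershell
# Added example (not Wave's code): stage the ERAS Connector enrollment values from
# this section. Value names and types come from the manual; the KEY PATH does not
# appear in this extract and is a placeholder to be replaced from manual section 3.
param(
    [Parameter(Mandatory = $true)][string]$EnrollmentHost,   # FQDN, NetBIOS or IP
    [bool]$UseSsl = $true,
    [string[]]$SelfEnrollErrorMessage = @('Drive self-enrollment failed.', 'Contact the help desk.')  # constructed sample text
)

$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER_ESC_ERAS_CONNECTOR_KEY'   # PLACEHOLDER: use the key from manual section 3

function Test-EnrollmentHostForSsl {
    # With SSL on, the manual requires the host value to match the certificate name
    # (usually an FQDN), so a bare IP or a dotless NetBIOS name is a likely misconfiguration.
    param([string]$HostName, [bool]$Ssl)
    if (-not $Ssl) { return $true }
    $isIp    = $HostName -match '^\d{1,3}(\.\d{1,3}){3}$'
    $hasDots = $HostName.Contains('.')
    return (-not $isIp) -and $hasDots
}

if (-not (Test-EnrollmentHostForSsl $EnrollmentHost $UseSsl)) {
    Write-Warning "'$EnrollmentHost' is not an FQDN; with SSL enabled it must match the server certificate name."
}

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

# Types match the manual: REG_SZ, REG_DWORD (1 = SSL on, 0 = off), REG_MULTI_SZ.
Set-ItemProperty -Path $KeyPath -Name 'EndpointEnrollmentServiceHost'       -Value $EnrollmentHost         -Type String
Set-ItemProperty -Path $KeyPath -Name 'EndpointEnrollmentServiceSSLEnabled' -Value ([int]$UseSsl)          -Type DWord
Set-ItemProperty -Path $KeyPath -Name 'SEDSelfEnrollErrMsg'                 -Value $SelfEnrollErrorMessage -Type MultiString

# Read back what was written so the deployment log shows the effective values.
Get-ItemProperty -Path $KeyPath |
    Select-Object EndpointEnrollmentServiceHost, EndpointEnrollmentServiceSSLEnabled, SEDSelfEnrollErrMsg
```

Run it before the ESC installer (section 3 states that ESC reads the ERAS settings at install time), for example `.\Set-ErasConnector.ps1 -EnrollmentHost eras.corp.example -UseSsl $true`; the read-back at the end is what you keep in the deployment log.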
8.8 Change Drive Administrator
To change the drive administrator, use the “Change Name” button. The new administrator must be a valid Windows user and not already a drive user. The old administrator will no longer be a user for the drive and will not be able to authenticate to the drive, unless they are re-added as a user. To change the drive administrator:
1. Launch ESC, navigate to the “Trusted Drive” tab and click the “Manage” button.
2.
8.9 Disable and Enable Locking
The drive security can be turned off so that the data on the drive can be accessed without authentication. If the security is turned off, users will not need to authenticate to the drive or have any special software installed to access it. The users already present on the drive will not be deleted, nor will data be deleted.
Additional features on this screen: Password Synchronization, Single Sign On, Remember Last User Name and Allow Tabbing of User Names are all features that do not apply to secondary drives in this software release. While they can be checked, selecting them will not change the behavior of a secondary drive.
Disabling drive security exposes the encrypted data to ANY user who gains access to the drive on ANY computer.
8.
6. Type OK in capital letters.
7. Click Erase.
8. A warning message will appear.
9. Click Proceed to continue erasing the drive.
NOTE: The “System will immediately crash” message refers to systems where the SED is a primary drive. A crypto-erase of a primary drive will cause a system crash, but it will not cause the system to crash if erasing a secondary SED.
8.
Note: The list of keyboard layouts is not the same as the list of languages ESC is localized in.
On-screen Keyboard Usage
ESC includes an on-screen keyboard that can be used to enter the drive password. To make it appear, click the keyboard icon at the bottom left of the pre-boot screen. If you click the keyboard icon a second time, it will disappear. This keyboard can always be accessed with a mouse.
If touch feedback does not match the actual touch location, the user will be allowed to calibrate the input device. There are two ways to access the calibration screen:
A. Gestures: Using any input device, draw two crossing lines anywhere on the screen. If using a mouse, use the left mouse button. Note: line direction does not matter; the lines only need to cross.
B. Access Button:
1. Press the access button on the lower left corner.
2. Choose Screen Calibration from the menu.
8.12 Drive Recovery
Drive recovery enables IT staff to deliver an out-of-band password to recover a locked drive. This is done through what is called a challenge-response. The client with the lost password will bring up the recovery screen and be shown a challenge, a series of thirteen characters, to be read to the IT staff member. The IT staff member will then use the challenge to generate a recovery password, which the client will enter into pre-boot to unlock the drive.
Primary Drive Recovery with ERAS
Challenge Response Recovery Procedure:
1. Click Forgot your password?.
2. Select the appropriate recovery method in the drop-down.
3. IF APPLICABLE: Select or enter the user and domain name for the recovery type.
4. Click the white arrow to continue.
5. Share the Recovery Challenge value with the network helpdesk; they will use it to generate your Recovery Password.
6. Enter the Recovery Password.
7. Click Unlock.
Password Recovery Procedure:
1. Click Forgot Your Password.
2. Select Drive-based Password Recovery.
3. Enter the recovery password obtained from ERAS. NOTE: Your IT administrator or help desk should provide this to you.
Example of Password Recovery Screen
48 Self-Encrypting Drive Management | Wave Systems Corp.
Mobile Unlock - Local Management Access Recovery
IMPORTANT: If you do not back up the password, you will not be able to recover access to the data should you forget the password. During the initialization of drive security or when changing your administrator password, you will be asked to back up your drive username and password as a text file or as a printout. It is highly recommended that you back up these credentials, and that you back them up to a drive (e.g.
8.13 Warm Reboot for Multiple Partitions
ESC supports booting from multiple partitions using Microsoft Boot Manager. Other boot managers such as GRUB are not supported. If a computer has a boot loader with multiple partitions, the BIOS may not be able to recognize the entire drive when the computer is first turned on. You can configure ESC to perform a warm reboot to give the BIOS a chance to recognize these partitions and boot correctly.
8.14 Diagnostics Screen
Information about the recovery, the self-encrypting drive, and the ESC software installed is available through a diagnostics screen. This screen can be accessed by pressing CTRL + D at any time while in pre-boot.
Example of Diagnostics Screen
8.15 Notifications
EMBASSY Security Center provides notifications that inform the end user of changes made to the self-encrypting drive.
8.16 Event Viewer Notifications
The notifications relating to self-encrypting drives are listed under “Windows Logs” -> “Application” in Event Viewer. They can be filtered in Event Viewer by selecting “Wave Platform Security” as the source and using the task category “Wave Platform Trusted Drive Security Events”. Most events are “Information” level; however, a warning is issued when the drive is un-initialized.
Event ID 3005: Un-initialization succeeded. Drive [Letter], Serial Number [Serial Number] has been successfully un-initialized.
• The drive protection is disabled, all users have been removed, and anyone can access the drive.
Event ID 3006: Drive admin changed.
• The drive has a new administrator. When remotely managed, the ERAS Service account should be the drive administrator.
Event ID 3007: Drive admin change failed.
• The drive administrator could not be changed.
• The drive is no longer locked. It may still be initialized, and retain user information and credentials.
Event ID 3017: Drive security disabling failed.
• The drive security could not be turned off; this means credentials will still be necessary to unlock the drive.
Event ID 3018: Drive recovery method set successfully. Drive [Letter], Serial Number [Serial Number] has been enrolled with Password Recovery Service.
Event ID 3034: Smart card enrollment failed.
• The smart card could not be enrolled, and will not be able to unlock the drive. A temporary password or recovery password may be necessary to unlock the drive, depending on its lock status.
Event ID 3035: Smart card enrollment succeeded.
• The smart card can now be used as a credential to unlock the drive. If a temporary password was assigned, it can no longer be used to unlock the drive.
Event ID 3036: Smart card enrollment is pending.
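The events in section 8.16 are where a defender sees drive protection being removed (3005) or the drive administrator changing (3006), so they are worth collecting rather than only reading in Event Viewer. The PowerShell below is an added example, not Wave’s code: it queries the Application log for the “Wave Platform Security” provider and the event IDs documented above and tags each with a review priority. The provider name and IDs are the manual’s; the priority mapping and the assumption that the first line of the message carries the drive letter and serial number are this example’s own.

```powershell
# Added example (not Wave's code): collect the Trusted Drive events from manual
# section 8.16 and rank them for review. Provider name and event IDs are from the
# manual; the Priority values are this example's assumption.
$ProviderName = 'Wave Platform Security'

$TrustedDriveEvents = @{
    3005 = @{ Text = 'Un-initialization succeeded (protection disabled, all users removed)'; Priority = 'HIGH' }
    3006 = @{ Text = 'Drive admin changed';                                                Priority = 'MEDIUM' }
    3007 = @{ Text = 'Drive admin change failed';                                         Priority = 'LOW' }
    3017 = @{ Text = 'Drive security disabling failed';                                   Priority = 'LOW' }
    3018 = @{ Text = 'Drive recovery method set (Password Recovery Service)';             Priority = 'INFO' }
    3034 = @{ Text = 'Smart card enrollment failed';                                      Priority = 'MEDIUM' }
    3035 = @{ Text = 'Smart card enrollment succeeded';                                   Priority = 'INFO' }
    3036 = @{ Text = 'Smart card enrollment is pending';                                  Priority = 'INFO' }
}

function Get-TrustedDriveEvents {
    # Returns one object per matching event; works locally or against a remote host.
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = @($TrustedDriveEvents.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $meta = $TrustedDriveEvents[$_.Id]
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                Id       = $_.Id
                Level    = $_.LevelDisplayName              # 3005 is the Warning the manual mentions
                Priority = $meta.Priority
                Summary  = $meta.Text
                Message  = ($_.Message -split "`r?`n")[0]   # assumed: first line names drive letter/serial
            }
        }
}

# A 3005 on a managed endpoint means the drive is now readable by anyone; review every one.
Get-TrustedDriveEvents -Days 30 |
    Sort-Object Time -Descending |
    Format-Table Time, Computer, Id, Level, Priority, Summary, Message -AutoSize
```

Because ERAS is expected to be the drive administrator on remotely managed drives (the manual’s note on event 3006), a 3006 whose new administrator is anything other than the ERAS Service account is the case to follow up on; the script surfaces the event, and the message text identifies the drive.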
8.17 Notification and Error Messages
Several error messages appear in the notification area as balloons. These messages can be used to help troubleshoot issues. The IT staff troubleshooting the issues can check the Application logs in Event Viewer locally, or from the ERAS console.
• These bubble notifications appear when the drive is being initialized and locked: The drive login environment is being configured. Please do not turn off your computer.
• Your drive login information has been successfully updated. You can now use your Windows password to access the drive.
• Your drive password was not successfully updated with your Windows password. Please contact your administrator for assistance.
• Changes could not be made to your self-encrypting drive. Your sign-on experience will not change.
• The drive login environment was successfully updated.
• Changes are being made to the drive settings.
• A Windows User has been granted access to the drive.
• The drive recovery method has been set.
• The drive is no longer managed by ERAS, and no longer requires authentication to boot.
• A Windows User has had drive access removed.
• A recovery password can be generated with ERAS to unlock the drive if the user password is lost or forgotten.
• The drive login environment has been un-initialized.
8.18 Smart Card Authentication
ESC allows for smart card authentication at pre-boot. A user with a smart card containing a valid security certificate recognized by a Windows Certificate Authority (CA) can be granted rights to unlock the drive. The steps to enroll the certificate, which will make the drive recognize the smart card certificate, can vary depending on configuration settings made remotely.
Smart Card to SED - Supported Card Readers
Internal smart card readers are supported on Dell and Lenovo platforms. External smart card readers are supported on Dell, Lenovo, and HP platforms. The external smart card readers must be CCID-compliant. HP platforms require external readers for pre-boot authentication.
Smart Card to SED - Preparation
The smart card must be prepared in advance.
Smart Card to SED - Auto-enrollment and Auto-provisioning
A policy may be set remotely by the ERAS administrator that will automatically enroll the smart card to the drive. The enrollment will occur after the user signs on to Windows with a valid smart card. In addition, the user may or may not need to be provisioned to the drive by ERAS; this is also determined remotely by policy. An example use case could be:
1.
8.19 First Use Must Change
First Use Must Change (FUMC) requires the user to change the password to a different one than what was assigned to them when they first log on. This feature does not apply to a secondary drive; in that case it may remain checked or unchecked. To set FUMC from ESC, select “User must change password at next logon” when adding a new user.
Screen To Add New User
8.
8.21 Supported Languages
ESC is localized in the following languages, meaning ESC will display text in those languages. For a list of supported keyboards, please view the supported keyboards list.