To configure the Recovery Certificate policy options

Access the Removable Media Encryption policy options using an install-time, Active Directory, or native policy. On the Removable Media Encryption - Recovery Certificate page, select one of the two options:

Click Do not encrypt files with a recovery certificate if you do not want to include a copy of the recovery certificate in the client installation package or policy. Removable Media Encryption then encrypts files only with the credentials that the user provides and does not add a recovery certificate. This option is selected by default.

Click Encrypt files with a recovery certificate if you want to include a copy of the recovery certificate in the client installation package or policy. After you select this option, Symantec Endpoint Encryption prompts you to locate a PKCS#7 (P7B) format certificate file on your system. When you select a certificate, its details appear in the Select Certificate dialog box. View the certificate before you confirm its addition to the client installer or policy. After you confirm the certificate, the Issued By and Serial Number information appears on the Removable Media Encryption - Recovery Certificate panel. To select a different certificate file, click Change certificate.

Using the Recovery Certificate with Symantec Removable Media Encryption (RME) requires the creation of two certificates:

1. Client Certificate, to be embedded in the RME client MSIs: type PKCS#7/.p7b, containing only the public key.
2. Master Recovery Certificate, to be placed in the certificate store of the designated recovery machine(s): type PKCS#12/.PFX, containing the private key.

Regardless of whether files were encrypted with a password, an encryption certificate and/or a group key, as long as the public key portion of the recovery cert is embedded in the client MSIs you can still decrypt the files with the Master Recovery Certificate.

The best way to create these certs is to create an initial root cert, install it in a local cert store and then export it twice, so that you have a client-side cert of type PKCS #7 and a server-side cert of type PKCS #12. The server-side cert can be installed on any machine that is to perform recovery; the client-side cert must be embedded during the RME MSI creation process.

To create the root cert using Microsoft's Certificate Services you can pick one of the default templates such as User, Basic EFS or Administrator, all of which work for a Recovery Cert. We recommend the Basic EFS template, as it is a leaner template containing only the following Key Usage attribute:

Enhanced Key Usage: Encrypting File System

For key size, we also recommend using at least 2048 bits.

Also, unlike the previous release of SEE Removable Storage, SEE 11 RME does display a pop-up window when the Recovery Cert decrypts files, but unlike the normal decryption process it does not ask for the decryption password; it simply decrypts the file after verifying that the private key of the recovery cert is present in the local cert store.

To recover an RME-encrypted file, all you need is the Master Recovery Certificate (the one with the private key) in the currently logged-on user's personal certificate store; in this case, that should be your admin user. The SEE-RME client automatically looks for certs when opening encrypted files and should just find it. This is exactly how the Removable Media Access Utility behaves, and also how the SEE-RME client behaves when user certs are available. The machine holding the private key for recovery does not even need to have RME installed: the Recovery Cert can also be used via the Removable Media Access Utility to decrypt files.

A typical recovery therefore looks like this:

1. Receive the encrypted file and put it onto a USB stick via a machine that does not have SEE-RME.
2. Plug the USB stick into a machine with SEE-RME installed.
3. Install the Master Recovery Cert on that machine (i.e. import the PKCS#12 containing the private key into the logged-on admin user's personal store).
4. Open/recover the file and save a decrypted copy.
5. Remove the Master Recovery Cert from the recovery machine.

Security is always a top priority for Symantec, and Symantec Encryption is a critical component that adds to the overall security of the enterprise. Remember, it is best practice to securely store, and audit access to, the Master Recovery Certificate: whoever holds its private key can decrypt any file produced by a client whose MSI embeds the matching public key, without knowing the user's password.

In addition to an aggressive patching strategy and a layered approach to network defense, Symantec recommends using security products such as Symantec Endpoint Protection (SEP) to lower the attack surface of unprivileged malware in general within the enterprise. Additionally, Symantec recommends the following measures to reduce the risk of attack:

- Restrict access to administrative or management systems to authorized privileged users.
- Restrict remote access to trusted/authorized systems only.
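The certificate creation, split export, installation and cleanup described above, as an added PowerShell example that is not Symantec's or this page's own code. It assumes a self-signed certificate in place of one issued from the Basic EFS template by Microsoft Certificate Services; the file paths, subject name and password prompt are placeholders, and the interactive recovery step itself (opening the file in SEE-RME or the Removable Media Access Utility) is shown only as a comment.

```powershell
# Added example (not Symantec tooling). A self-signed cert stands in for one
# issued from the Basic EFS template; paths and subject are placeholders.
$Subject = 'CN=SEE RME Recovery'
$P7bPath = 'C:\recovery\rme-recovery-public.p7b'   # embed in RME client MSI
$PfxPath = 'C:\recovery\rme-recovery-private.pfx'  # keep offline, audited
$EfsEku  = '1.3.6.1.4.1.311.10.3.4'                 # Encrypting File System OID

# Check the attributes the text calls out: EFS EKU, RSA >= 2048, private key present.
function Test-RecoveryCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$c)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    $hasEfs = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $EfsEku }
    return (($rsa.KeySize -ge 2048) -and [bool]$hasEfs -and $c.HasPrivateKey)
}

# --- Step 1 (issuing admin machine): create the root recovery cert ----------
$cert = New-SelfSignedCertificate `
    -Subject $Subject `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeySpec KeyExchange -KeyExportPolicy Exportable `
    -KeyUsage KeyEncipherment, DataEncipherment `
    -TextExtension @("2.5.29.37={text}$EfsEku") `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

if (-not (Test-RecoveryCert $cert)) { throw 'Certificate does not meet recovery-cert requirements' }

# --- Step 2: export twice: public half as PKCS#7, private half as PKCS#12 ---
Export-Certificate -Cert $cert -FilePath $P7bPath -Type P7B | Out-Null
$pfxPwd = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPwd | Out-Null

# Do not leave the private key behind on the issuing machine.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

# --- Step 3 (recovery machine, logged on as the admin user) ------------------
# SEE-RME and the Access Utility look for the private key in the logged-on
# user's personal store, so importing the PFX there is the whole setup.
$recovery = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPwd
if (-not $recovery.HasPrivateKey) {
    throw 'Private key missing; the client would fall back to asking for a password'
}
# ... open the encrypted file with SEE-RME or the Removable Media Access
#     Utility and save the decrypted copy (interactive, not scripted here) ...

# --- Step 4: remove the Master Recovery Cert and its key when finished ------
Remove-Item -Path "Cert:\CurrentUser\My\$($recovery.Thumbprint)" -DeleteKey
```

Run steps 1 and 2 on the issuing machine and steps 3 and 4 on the recovery machine as the admin user; they are shown in one script only so the flow is visible end to end. The PFX password is the only thing protecting the private key at rest, so keep the .pfx offline and log every import, which is the storage-and-audit practice the text recommends.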