Symantec Endpoint Encryption 11.3.x Issues, Tips and Tricks - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Monday, August 17, 2020

Symantec Endpoint Encryption 11.3.x Issues, Tips and Tricks

 This post is to record some issues, tips and tricks I met during working on Symantec Endpoint Encryption project.

  • ESXi VM Hard Drive Recognized As RemovableMedia
  • SEE USB File Certificate Recovery Configuration and Recover Process
  • Auto Logon Client Configuration
  • SEE Encryption Process Paused and Not going forward

ESXi VM Hard Drive Recognized As RemovableMedia


Solution:



SEE USB File Certificate Recovery Configuration and Recover Process

1  SEE USB File Certificate Recovery Configuration

Recovery certificate: enable this encryption policy option for Removable Media Encryption.

Removable Media Encryption encrypts a file with a recovery certificate, in addition to the password or certificate that is set on a computer. The recovery certificate provides an option to recover an encrypted file in case the password or the certificate that was used for encryption is lost.

Removable Media Encryption encrypts a file with the public key of the recovery certificate. You or a client administrator can then use the copy of the recovery certificate that includes the private key to recover an encrypted file.

Ensure that the Recovery Certificate does not contain the private key and possesses the mandatory key usage.

If you enable the use of device session passwords on the Default Passwords panel, Removable Media Encryption ignores the Recovery Certificate policy.

To configure the Recovery Certificate policy options
  1. Access the Removable Media Encryption policy options using an install-time, Active Directory, or native policy.

  2. On the Removable Media Encryption - Recovery Certificate page, select one of the two options:

    • Click Do not encrypt files with a recovery certificate if you do not want to include a copy of the recovery certificate in the client installation package or policy. Removable Media Encryption, therefore, does not use a recovery certificate to encrypt files, in addition to the credentials that the user provides. This option is selected by default.

    • Click Encrypt files with a recovery certificate if you want to include a copy of the recovery certificate in the client installation package or policy. After you select this option, Symantec Endpoint Encryption prompts you to locate a PKCS#7 (P7B) format certificate file on your system.

      When you select a certificate, the details of the certificate appear in the Select Certificate dialog box. Before you confirm the addition of the certificate to the client installer or policy, view the certificate.

      After you confirm the certificate, the Issued By and Serial Number information appears on the Removable Media Encryption - Recovery Certificate panel. To select a different certificate file, click Change certificate.

Using the Recovery Certificate with Symantec Removable Media Encryption (RME) requires the creation of two certificates as follows:
  1. Client Certificate to be embedded in RME Client MSIs - type PKCS#7/.p7b which contains the public key.
  2. Master Recovery Certificate to be placed in the cert store of a designated machine(s) to perform the recovery - which will be type PKCS#12/.PFX and contain the private key. Regardless if files were encrypted with a password, encryption cert and/or a group key - as long as the public key portion of the recovery cert is embedded in the client MSIs you can still decrypt the files.
The best way to create these certs is to create an initial root cert, install it in a local cert store and then export it twice so you have a client cert type PKCS #7 and then a server side cert type PKCS #12. The server side cert can be installed on any desired machine to perform the recovery feature and the client side will be need to be embedded during the RME MSI creation process.

To create the root cert using Microsoft's Certificate Services you can pick one of the default templates such as User, Basic EFS or Administrator which will all work fine for a Recovery Cert. We recommend using the Basic EFS template as it is a leaner template containing the following Key Usage attributes, listed below:
  • Basic EFS Template Attributes
  • Key Usage: Key Encipherment
  • Enhanced Key Usage: Encrypting File System

For key size, we also recommend using at least 2048.

Also, unlike our previous release of SEE Removable Storage, SEE 11 RME does display a pop up window when the Recovery Cert decrypts files but unlike the normal decryption process it does not ask for the decryption password – it just decrypts the file after verifying the private key of the recovery cert is present in the local cert store.

As well, the machine containing the private key for recovery does not need to have RME installed – the Recovery Cert can also be used via the Removable Media Access Utility to decrypt files.

2  Recover Process

To recover a RME encrypted file, all you need is to have the Master Recovery Certificate (i.e. the one with the private key) in the currently logged on user's personal certificate store.  In this case, it should be that of your admin user.  The SEE-RME Client automatically looks for certs when opening encrypted files, and should just find it.  This is just like how the Removable Access Utility behaves, and also how the SEE-RME client behaves when user certs are available.

In summary, the Admin would:

  1. Receive encrypted file, and put it onto a USB stick via a machine that does not have SEE-RME
  2. Install Master Recovery cert to machine with SEE-RME installed (i.e. Recovery Machine)
  3. Plug USB into machine with SEE-RME installed
  4. Open/Recover file, and save decrypted copy
  5. Remove Master Recovery Cert from Recovery Machine

Remember, it is best practice to securely store, and audit access to, the Master Recovery Certificate.


Auto Logon Client Configuration

Auto Logon Client can be generated from following screen. Just choose "Always Autologon" and disable "Use TPM if available". 

SEE Encryption Process Paused and Not going forward


When the encryption process hangs or pauses it is beacause it found a bad sector.  The follow steps are recommended to get past the bad sector.

 

  1. Run decrypt command from the Symantec Endpoint Encryption Management Server (SEEMS)

  2. Run checkdisk with the following switches: /f /R

  3. Run defrag on the device

  4. Re-encrypt the device

    1. if re-encrypt fails go to next step

  5. Re-image device

  6. Re-install and re-encrypt the device

    1. if re-encrypt fails go to next step

  7. Replace hard drive or device

  8. Re-install and re-encrypt the device


Open up the Windows Event Logs --- in the Application Logs, Both Symantec Endpoijnt Encryption and Whole Disk Encryption will write a log for the failure reason. Typically BAD sectors or Blocks on disk --- too many and it will pause and stop encrypting.



Next





References










No comments:

Post a Comment