SafeGuard Item for "SafeGuard LAN Crypt 3.01"


SafeGuard Item: 104111
Created: 17-Nov-2003
Modified: 28-Nov-2003
Document version: 1.1
Utimaco Safeware AG, BELGIUM

The information in this article applies to:
• Windows 2000 Workstation SP2 or higher, Windows XP Workstation
• SafeGuard LAN Crypt 3.01

Summary
This document describes how to install and configure SafeGuard® LAN Crypt 3.01 on a stand-alone PC with Windows XP. It can be used to build a demo workstation to show the functionality of LAN Crypt.

Solution Description

1 Installing SafeGuard® LAN Crypt
To install SafeGuard® LAN Crypt (SGLC):
• At installation, select “Custom”
• Select “Administration”, and be sure to select both components: “User Settings” and “Computer Settings”

SGI: 104111 - 1 -
After the installation, setup will ask you to reboot your machine.

2 Preparation for the configuration

2.1 Directories
SGLC 3.0 works differently from previous versions. Here are some of the major changes:
• SGLC now uses certificates, which can either come from a PKI or be generated by LAN Crypt itself.
• The administration happens completely within the MMC. Keyfiles are no longer used, although old keys can be imported.
• This also means that everything is configured through policies, although LAN Crypt-specific settings are kept in the administration database. This database does not have to be accessible to the users; it serves administration purposes only.

From this we can derive some preparations: we need a directory for the certificates, one for the policies and one for the LAN Crypt database. Therefore, create the following directories:
• <foldername>\cert
• <foldername>\admin
• <foldername>\policy
where <foldername> is for example “d:\lan crypt data”.

The “cert” folder will contain the p12 files made for the users as well as the LAN Crypt administrator certificate; the “admin” folder will contain the administration database and the private key for the LAN Crypt administrator; and the “policy” folder will contain the policy files for the users.
3 Configuration

3.1 Configuration for the currently logged on user
This configuration can be used if you only want to configure SafeGuard® LAN Crypt for the currently logged on user.
• Start MMC
• Add the snap-in “SafeGuard System Policy” to the console root
• When asked whether to use the local registry or a POL file, select the Local Registry option.

When you click “Finish” and then “Close”, an object called “SafeGuard System Policy (Local Registry)” is added under the Console Root. Expanding this object shows the Local Computer and the Local User. Expand the Local Computer to get “SafeGuard Templates” and “LAN Crypt Configuration”. Click on “SafeGuard Templates” and LAN Crypt will ask for the LAN Crypt options. This options page is divided into several tabs. Configure the tabs as follows:

3.2 Certificates
(Note: it is not necessary to keep this order, but it has an advantage. By default the LAN Crypt administration certificate is created in the directory C:\Documents and Settings\All Users\Documents\Utimaco\Admin. When you change the path for the certificates first, the certificate is stored instead in the “admin” directory created under the step “Directories”.)
1. Change the location of the generated certificates and keyfiles (*.p12) to the directory created under “Directories”, i.e. <foldername>\cert
2. Change the location of the security officer certificate to the administration directory [1]: <foldername>\admin

[1] The security officer private keys should be kept absolutely safe. Therefore they should not be published, to avoid brute force attacks.
3.3 Other
1. Change the desired location of policy files to the policy directory, e.g. <foldername>\policy.
2. Change the path for password logging of created certificates, for example to the certificates administration directory <foldername>\admin.

3.4 Database
1. Browse for the administration directory defined in the “Directories” step, i.e. <foldername>\admin. Keep the proposed database name “SGLCADMDB.DB”.
2. Enter a recovery key for the database encryption. The key must be exactly 32 characters long. If you want, you can save the key for backup reasons. (The “Save” button is only needed if you want to make a backup of the key.) For details about the recovery key concept please refer to the product manual.
3. Create a certificate for the LAN Crypt administration by clicking the browse button (“…”). This brings up a new window with an overview of existing certificates. This should be empty, unless certificates have been imported first. Press the “New” button to create a LAN Crypt administration certificate. Click OK to accept all changes. A message will appear announcing that the database will be created and secured with the administration certificate. Click OK to accept. Then a message appears telling you that the certificate has been created.

4 LAN Crypt configuration – Client settings
First we need to define the location of the policy files for the users. Go to “SafeGuard System Policy” → “Local Computer” → “LAN Crypt Configuration” → “Client Settings”. In the right-hand window change the following settings:
• Security Officer Certificate Client Location: the directory of the LAN Crypt administrator certificate, i.e. <foldername>\cert
• Keyfile Client Location: the directory where the user will search for his private key, i.e. <foldername>\cert
• Policyfile Client Location: the directory where the user will search for his policy file, i.e. <foldername>\policy
Keep the Policy File Cache Directory as it is.

5 Defining Templates
Now we can define the templates for LAN Crypt. Go to “SafeGuard System Policy” → “Local Computer” → “SafeGuard Templates”.

5.1 Keys
The first things to define are the keys. In a single-user configuration there will be only one key. To create this key, click on “Keys” on the left-hand side; on the right-hand side, right-click and select “New” to create the key. Use the “Random” button to create random keys. Another possibility is to import existing keys from an old keyfile; in that case right-click on the right side of the window and click “Import key from keyfile” instead.

HINT: To delete a key, you first need to disable it (right-click on the key, select “Enable/Disable key”). Then right-click again on the key and select “Delete” to delete it. Also note that only keys that are not used in a rule can be deleted.

5.2 Certificates
When selecting “Certificates” under “SafeGuard Templates”, the login name of the currently logged on user is displayed. (The list is retrieved from the place specified under the LAN Crypt options, tab “Users and Groups”; the default on a stand-alone PC is the localhost. You can get to the LAN Crypt options by right-clicking on “Keys”, “Certificates” or “Encryption paths”, or by clicking the “LAN Crypt options” button on the toolbar. This button is only visible when “Keys”, “Certificates” or “Encryption paths” is selected.) To create a certificate for the user, double-click the username. A window containing the existing certificates pops up. To create a new certificate for the selected user, click “New”. To assign that certificate to the user, click “OK”. (Clicking “Cancel” will not delete the certificate; it will just not assign the certificate to that user.)
5.3 Encryption paths
Next we define the encryption paths. Define all paths for all users; the link between users, keys and paths is made later. This is done by selecting “Encryption paths” under the “SafeGuard Templates”. Right-click in the right window and select “New path” to browse for a path.

6 Configuring the user
In the final configuration step the user is linked to keys and paths. Select the “Local User” under “SafeGuard System Policy”. Expand that user and select “Certificates for Users”. If all is well you should see the certificate created before. Next, select “Encryption Rules”. All the defined paths, including “Key without path”, should be listed. Double-click the path you wish to configure for the user. In that window, select a key and the options:
• “Include subdirectories” means the key and encryption will also be valid for any subdirectory of the defined encryption path.
• “Exclude path” means the path cannot be used for encryption.
• “Ignore path” disables the filter driver for that path. This means that no transparent encryption/decryption will take place, so if an encrypted file is present there, it will not be decrypted.
Finally, create the policy file for the local user. To create the policy file and store it in the defined directory, select either “Encryption rules” or “Certificates for Users” under the Local User, and click the “Build profiles for current user” button to create the profile only for the current user, or the “Build profiles for all users” button on the toolbar. As there is only one user, the currently logged on user, both result in the same policy file being created. Now close the MMC (you can store the console under an easy name, such as “LAN Crypt administration”).

7 Last steps
Check the content of the subdirectories under <foldername>:
• The “cert” folder should contain the AdminCert.cer certificate, which is the certificate of the LAN Crypt administrator. This certificate is used to verify the signature of the policy file. It should also contain a p12 file with the private key of the user, named <username>.p12.
• The “admin” folder contains the database (“SGLCADMIN.DB”) and a log file, the p12 with the private key for the LAN Crypt administrator (“LCAdmin.p12”) and the log file of the passwords of all private keys (“p12pwlog.csv”). This file can be opened with Excel or with Notepad.
• Finally, the “policy” folder should contain the policy file for the user, named <username>.pol, as well as a log file for this policy file.

8 Using LAN Crypt
To use LAN Crypt the user needs to open the policy file. This only happens at logon, so log off, then log on again. As there is no certificate available for the user yet, the LAN Crypt Profile Loader will warn the user. The default directory containing the private key contains a p12 file for this user, so LAN Crypt will propose to use that one.
Check the password file (<foldername>\admin\p12pwlog.csv) for the corresponding password/PIN code for the private key, and enter that password in the dialog. After clicking OK the red key in the system tray will change into a green key, meaning you are now logged on to LAN Crypt.

To check the rules, right-click on the key icon in the system tray and select “Show Profile”. This shows a window containing the rules for this user. Note that two extra folders are added: the Windows directory and the program directory of LAN Crypt. By default, no encryption/decryption will happen in those folders (the “Ignore” flag is set).

9 Private Key security
By default the security level of the imported private key is set to “Medium”. This means that the user will not be prompted or notified when the private key is used, so the LAN Crypt logon happens transparently. There are two ways to set a higher security level when importing the private key:
1. Use the Microsoft Certificate Import Wizard. After successfully importing the private key, the wizard will ask to set the appropriate security level. Select “Set Security Level”, and then select “High”. Define a password to be asked every time the private key is used. Click “Finish” and then “OK”.
2. Configure the machine to always prompt for the security level when importing a private key with the Utimaco Profile Loader. This can be done using Poledit and the administrative template “c:\program files\utimaco\adm\sguard.adm”. In Poledit open the registry, then the Local Computer. In there, select “SafeGuard Universal Token Interface – General Options” → “Private Key Options”, put a check next to “Enable strong private key protection” and save the changes. Alternatively, change the registry value directly:
   Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Utimaco\SafeGuard Universal Token Interface
   Key: “CertUserProtected”
   Type: REG_DWORD
   Value: 1
Note that this does not affect already imported private keys. It only takes effect when a new private key is imported.

10 Configuration for multiple users
When configuring multiple users on a stand-alone system, the registry System Policy can only be used to define the machine settings. The individual users need to be configured using a policy file. Add a new snap-in in the Console Root and again select “SafeGuard System Policy”. This time, browse for a policy file. This policy file will not be read by the users and does not have to exist yet, so select <foldername>\admin\lancrypt.pol as the name of the policy file. You now have two items under the Console Root: “SafeGuard System Policy (Local Registry)” and “SafeGuard System Policy (<foldername>\admin\lancrypt.pol)”. Expand one of the two items, the default computer or the default user (both named “.default”). LAN Crypt will ask if a SafeGuard Template GPO should be created. Choose “Yes”. Now a third item will appear under the SafeGuard System Policy, named SafeGuardTemplateGPO. This TemplateGPO will also contain an item called “SafeGuard Templates”. It has the same templates as defined in the previous sections. The difference is that under “Certificates” it shows all users defined on the system. Now create certificates for those users as well, and also create the policy files for those users.

NOTE: Both “SafeGuard Templates” objects are interchangeable, meaning that an item created in one of them will also be reflected in the other. For example, if you create a new key or encryption rule in the SafeGuard Template of the SafeGuardTemplateGPO, it will also appear under the Local Registry version of that template.

Conditions
Starting from Service Pack 3 for Windows 2000 there is a problem with the certificate import wizard. When SP3 or SP4 is installed, do not double-click the p12 file to import the private key, but use LAN Crypt for importing the key instead. This makes sure the private key is loaded in the Microsoft Enhanced CSP instead of the Microsoft Base CSP.
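The folder checks from section 7 can also be scripted, which is handy when the setup is repeated for the multi-user case in section 10. This is an added example, not part of the article or of Utimaco's software; it assumes the three folders from section 2.1 sit under one base folder, uses the file names listed in section 7, and takes the user name from the caller.

```python
"""Check the stand-alone folder layout described in this article."""
import tempfile
from pathlib import Path

# Material that belongs only in the "admin" folder: the security officer's private key,
# the administration database and the password log for all generated private keys.
ADMIN_ONLY = ("LCAdmin.p12", "p12pwlog.csv", "SGLCADMDB.DB", "SGLCADMIN.DB")


def check_lan_crypt_layout(base, username):
    """Return a list of problems; an empty list means the layout matches section 7."""
    base = Path(base)
    cert, admin, policy = base / "cert", base / "admin", base / "policy"
    problems = [f"missing folder: {f}" for f in (cert, admin, policy) if not f.is_dir()]
    expected = {
        cert: ["AdminCert.cer", f"{username}.p12"],  # admin certificate + user key
        admin: ["LCAdmin.p12", "p12pwlog.csv"],  # admin key + password log
        policy: [f"{username}.pol"],  # signed policy file for the user
    }
    for folder, names in expected.items():
        problems += [f"missing file: {folder / n}" for n in names if not (folder / n).is_file()]
    # The article names the database SGLCADMDB.DB in 3.4 and SGLCADMIN.DB in section 7;
    # accept either spelling.
    if not any((admin / n).is_file() for n in ("SGLCADMDB.DB", "SGLCADMIN.DB")):
        problems.append(f"missing administration database in {admin}")
    # Clients only need "cert" and "policy"; administration material copied into those
    # folders would expose the security officer key or the users' PINs.
    for folder in (cert, policy):
        problems += [f"exposed to clients: {folder / n}" for n in ADMIN_ONLY if (folder / n).exists()]
    return problems


def build_sample_layout(username="demo"):
    """Create a constructed copy of the expected layout (empty files) in a temp folder."""
    base = Path(tempfile.mkdtemp(prefix="lancrypt-"))
    layout = {
        "cert": ["AdminCert.cer", f"{username}.p12"],
        "admin": ["SGLCADMIN.DB", "LCAdmin.p12", "p12pwlog.csv"],
        "policy": [f"{username}.pol"],
    }
    for folder, names in layout.items():
        (base / folder).mkdir()
        for name in names:
            (base / folder / name).touch()
    return base


if __name__ == "__main__":
    sample = build_sample_layout("demo")
    print(check_lan_crypt_layout(sample, "demo") or "layout OK")
```

Run it against the real <foldername> with the Windows user name; an empty result means every file named in section 7 is where it should be and nothing from “admin” has strayed into the client-readable folders.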
Additional Information
Additional information about the configuration:
• SafeGuard Item 103944, Title: Installation und Administration von SafeGuard LAN Crypt 3.0 in einer ActiveDirectory Umgebung (German version of the next item)
• SafeGuard Item 104238, Title: Installation and Administration of SafeGuard LAN Crypt 3.0 in an ActiveDirectory environment
• SafeGuard Item 104237, Title: Installation und Administration von SafeGuard LAN Crypt 3.01 auf einem “stand alone” PC (German translation of this document)
• SafeGuard Item 104239, Title: Hinweise für die Migration von SG LAN Crypt 2.x auf 3.x (Notes on migrating from SG LAN Crypt 2.x to 3.x)

Note
Utimaco Safeware AG provides this information and article as a service. All such documents and related graphics are provided without warranty of any kind. Utimaco hereby disclaims all warranties and conditions regarding this information. Utimaco reserves the right to make improvements and/or changes in the product(s) described herein at any time.

SafeGuard® is a registered trademark of Utimaco Safeware AG. Microsoft®, Windows®, Windows NT® and Windows 2000® are registered trademarks of Microsoft. Novell Netware® is a registered trademark of Novell. Tivoli® is a registered trademark of IBM in the United States. NetInstall® is a registered trademark of NetSupport GmbH.