MSI Installation Walk Through
Example with SGE4.20
(note: screenshots are from 4.11 version)
This document serves as a basic SafeGuard Easy install guide regarding a typical corporate configuration with preparations for the 'Optional' Centralized Server Management Console and Secure Auto Login (SAL). There are many different ways to go about a full install mainly dependent on two factors:
Customer's corporate security policy
Supported software distribution tools used by the customer
Please read the Quick FAQ document (separate document) and the Readme.txt to prepare for the events and system requests that will occur during installation.
At the minimum - to prepare the Security Officers workstation, it is recommended to install the Configuration File Wizard found in step 5. This module allows for a standard Install.CFG file to be created and used in conjunction with the SGEasy.MSI package to accommodate large rollouts and ensure consistency 11511g69l throughout the enterprise.
Prepare the system for SafeGuard Easy.
Backup your data, Remove any 'flash drives', and connect formatted (partitioned) hard disks you wish to encrypt (USB, Firewire, etc). Disable Antivirus program and other applications that modify or protect the MBR. Ensure you have the proper administrative rights to perform the install. Optionally, verify the integrity of the hard disk with a quick scandisk.
1: Insert the SGE CD, Auto Start begins, Select Language, then SafeGuard Easy Client. (review the Read Me for the latest updated information).
2: SGE Welcome screen - click Next
3: Agree to the License Agreement - click Next:
4: The installation path - click Next:
5: Select modules to install - see
screenshot below.
*For admin workstations select the Administration Tools -
Optional: For client machine installs that will connect to a Centralized Server Management Console - Select Server Connection to enable the client to communicate to the server. Click Next:
6: If you selected 'Server Connection' above - you will get the below prompt:
Enter the exact NetBios name or IP address of the Server that this client is to connect to. NOTE: If not sure you will use the Server Module - type .OFFLINE
Click Next:
7: Click Next -
8: Installation process indicator -
9: Now begins the actual configuration of SafeGuard Easy 4.20 - These following settings are 'general recommendations' and fit a large percentage of the environments.
* Default option is 'Partitioned'. This provides the most flexibility of which HHDs get encrypted.
10: Workstation Configuration = 3 parts: General, Encryption, Users.
The General tab encompasses universal settings affecting the system.
Tokens: Choose 'Token Optional' if utilizing tokens with SGE.
Note: Only choose "With Token Only" if you have a centralized token distribution point set up and configured to distribute tokens.
11: Below are the default settings - but can be modified as management sees fit.
Note: 'Password at System Start' is the PBA (PreBoot Authentication Screen).
12: Encryption Tab: Default is AES-256, but 9 others are available.
13: Create the Keys: You can choose Random for each device to maximize security, however, to share encrypted data via Floppies and Removable media - each workstation needs to be configured with the same Keys. This would require you to document the keys used and secure the pass-phrase used.
14: Configure the Drives: You can leave the Floppy and Removable drives unencrypted and enable later - however, you should select to encrypt the Hard Disk at this point.
15: After selecting the Hard Disk to encrypt - you need to 'double click' on which partitions to encrypt. A 'key' symbol will appear beside the partition(s) you selected to encrypt. The encryption process will occur upon the next reboot.
* When using the Configuration File Wizard the Removable and Hard Disk options differ as A-Z partitions will be available to select.
16a: User Tab Options: By default two accounts are created: System and User. It is recommend to create (2) additional management accounts, Admin and Helpdesk.
Add users by clicking the Icon with a green sign.
It is Mandatory to create a password for all users.
For the USER account it is recommended to configure as 'Default User', 'Change Password at Next Logon', and leave 'Rights' with none additional selected.
16b: Set the Helpdesk account to allow 'Simplified Remote Login' and NO to 'Password Change Allowed' (below screen shots).
16c: Set the Admin account to allow 'Simplified Remote Login' and NO to 'Password Change Allowed' (below screen shots).
17: User Rights - Each 'account' has these exact options available. It is recommended that the "User" account should have No Rights Selected. The "Admin" account should have All Rights, and the "Helpdesk" account should have rights 8* (counting from top to bottom). * 8 allow resetting of other users password via the Challenge/Response process.
18: Confirm Settings: Click Install:
19: Finish screen: Click Finish:
20: Reboot prompt - Click Yes:
21: During your first reboot, your system will partly boot up, flash the below message, then reboot again - this is normal and should be expected. At this phase SGE is replacing the Windows MBR with it's own.
22: Upon your first reboot - You will now see a background with the SafeGuard Easy image and will receive the regular Windows Logon prompt (GINA). Your next reboot is when the PreBoot Authenication (PBA) prompt is enabled. *see item #26
23: Since we chose encryption for the Hard Disk - the Encryption Process window will appear. This window allows you to monitor the progress and throttle the system utilization used to complete this process. SGE will not consume all of the system resources, but If this one-time process is interfering with your work, slide the bar towards 1%. Note: This encryption process Can Not be terminated, even upon reboot, SGE will continue where it left off.
24: Below is a screen shot of the system Task Manager to review the utilization of the systems resources (with the encryption slide bar at 100%). The encryption process is mostly hard disk IO's. The faster the hard disk is, the quicker the encryption process will be. In current benchmark tests - expect 18min per 10GB of hard disk space.
25: Below is the prompt you will receive when the Encryption process is complete.
26: Below is a screen shot of the PBA (Pre-Boot Authentication) screen that you will receive after you reboot again. It is OK to reboot while the encryption process above is still running - it will continue to run where it left off until completed.
27: After entering the users' password - You will receive a prompt for a new password due to the settings configured in the User Account creation setup options 'Default User' and 'Change Password at Next Logon'. Enter new password and confirm new password. You will be subject to any password restrictions set during the install process above.
28: If you enabled SAL during the install (step 5) you will receive this prompt below after authenticating into Windows. This is the SAL (Secure Auto Logon) feature to allow seamless integration with your desktop environment. The prompt is asking if you wish to have this SafeGuard Easy's ID (user) reference your windows account. Windows password changes will remain transparent and securely stored when changed at the local machine.
*Chose Yes to allow SAL to log you into Windows on subsequent reboots.
*Chose No to disable SAL for this SGE user account (to avoid this from appearing again for this SGE User - check the box "Don't ask this question again for the current SGE user").
Customers under a maintenance agreement are eligible to receive regular news and product updates and have full access to Worldwide Support Options and the online FAQ database (frequently asked questions) - be sure to visit our support web site: www.utimaco.com\support\knowledge.html
Customers without a maintenance agreement are eligible to access the limited online FAQ database at: www.utimaco.com\support\PublicKnowledge.html
|
