4_SEE RSE Policy

Native policies

  • Can only be applied to computers (order of application: computer, Sub group, Group)
  • Native policies are designed for deployment to computers that are not managed by Active Directory.

SEE Roles

  • Policy Administrators
  • Client Administrators
  • Policy Create

SEE has these two types of policy

  • 【Active Directory Policy】
  • 【Native Policy】

The 【Active Directory Policy】 screen

Expand 【Machine Policy】 → 【Framework】 to configure the following items

【Client Administrator】

The password must be a minimum of two characters and no longer than 32 characters.

Token->P7B file

※ Client Admin authentication method and administrative privileges: RSE → (used to Unregister user), FD → (used to Decrypt drives, Extend lockout, Unlock)

※ Level → no longer used from 8.0.0 onward

【Registered Users】

【Password Authentication】

【Token Authentication】

Allow authentication with expired certificates

【Authentication Message】

When authentication runs into a problem, the user can contact IT staff for help in the way the message specifies

【Communication】

How often the client computer sends status updates to the SEE Management Server

Expand 【User Policy】 → 【Framework】 to configure the following items

【Single Sign-on】

【Authenti-Check】

【One-Time Password】

Used when a Full Disk user forgets their password

Expand 【Machine Policy】 → 【Removable Storage】 to configure the following 【Removable Storage】 items

【Access and Encryption】

【Device and File Type Exclusions】

【Encryption Method】

【Default Password】

Session Default Password

Two Session Default Passwords can be set

Device Session Default Password

【Recovery Certificate】

http://www.symantec.com/connect/forums/password-recovery-encrypted-files

If you have a master certificate, you may.

1. Launch MMC, add Certificates snap-in for my user account.
2. Expand Certificates – Current User under Console Root in the left pane, right click Personal folder, then go to All tasks -> click Request new certificate…
3. Select User as certificate type, click Next.
4. Give it a friendly name, click Next.
5. Verify the details at the last screen and click Finish.
6. By default, Windows 2003 enterprise root CA is configured to automatically generate a user certificate upon receiving a request. So now, you should see a Certificates folder under Personal folder in the left pane.
8. Click the Certificates folder, in the right pane, you should see the user certificate that’s just generated.
9. Right click the user certificate, go to All tasks -> click on Export….
10. Select No, do not export the private key and click Next.
11. Select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), then next.
12. Give it a name, and click Finish.

Now create the Removable storage client package. In the Removable Storage Installation Settings – Encryption Method, select A password or A password and/or one or more certificates.

In the Removable Storage Installation Settings – Recovery Certificate, choose Encrypt files with a recovery certificate and browse and select the saved P7B certificate.

In the Removable Storage Installation Settings – Portability pane check Copy the Removable Storage Access Utility to all removable storage devices.
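
The MMC steps above can also be scripted. The following PowerShell is an added example, not part of the quoted forum post or of Symantec's documentation; it assumes a domain-joined machine whose enterprise CA auto-issues the built-in User template, and the output path and friendly name are placeholders.

```powershell
# Added example: scripted equivalent of MMC steps 1-12 above.
# Assumptions: an enterprise CA auto-issues the built-in "User" template;
# the output path and friendly name are illustrative.
param(
    [string]$OutFile      = "$env:USERPROFILE\Desktop\rs-recovery.p7b",
    [string]$FriendlyName = 'RS recovery certificate'
)
$ErrorActionPreference = 'Stop'
$store = 'Cert:\CurrentUser\My'

# Steps 1-6: request a User certificate into the Personal store.
$enroll = Get-Certificate -Template 'User' -CertStoreLocation $store
if ($enroll.Status -ne 'Issued') {
    throw "Enrollment status is '$($enroll.Status)'; the CA did not issue automatically."
}

# Step 4: set the friendly name on the store copy so it is easy to find later.
$cert = Get-Item (Join-Path $store $enroll.Certificate.Thumbprint)
$cert.FriendlyName = $FriendlyName

# Recovery needs the private key, so confirm it exists before the
# certificate is built into a client package.
if (-not $cert.HasPrivateKey) {
    throw 'No private key in the store for this certificate; files could never be recovered.'
}

# Steps 9-12: export the certificate only. Export-Certificate writes public
# data; the private key stays in the store.
Export-Certificate -Cert $cert -FilePath $OutFile -Type P7B | Out-Null

# Re-read the file and confirm what is about to be distributed.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$exported.Import($OutFile)
if ($exported.Count -eq 0) { throw "No certificates found in $OutFile" }
if ($exported | Where-Object { $_.HasPrivateKey }) {
    throw "$OutFile unexpectedly carries a private key; do not distribute it."
}
if ($exported.Thumbprint -notcontains $cert.Thumbprint) {
    throw 'Exported file does not contain the certificate that was just issued.'
}

# Record these values with the package so the right key can be located at recovery time.
$cert | Select-Object Subject, Thumbprint, NotAfter, @{n='P7B';e={$OutFile}}
```

The private key that stays in the Personal store is what recovery depends on, so back it up and restrict access to it.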

【Workgroup Key】

【Portability】

Expand 【Machine Policy】 → 【Full Disk】 to configure the following 【Full Disk】 items

【Startup】

【Logon History】

【Autologon】 Takes effect 5 minutes after the client receives the policy

【Remote Decryption】

【Client Monitor】

【Local Decryption】
