
Administration Guide 7.7

© 2018 DriveLock SE

Table of Contents

Part I Document Conventions 11

Part II DriveLock Management Console 13


1 Management Console Structure 14
2 Changing the User Interface Language 16
3 Checking for Updates 17
4 Configuring Server Connections 18
5 Selecting the DriveLock Configuration Mode 20
6 Configuring User Permissions to Console Nodes 21

Part III Deploying DriveLock Configuration Settings 24


1 Creating and Using a Local Policy 25
2 Deploying Policies by Using Group Policy 30
3 Deploying Policies by Using Centrally Stored Policies 32
4 Deploying Policies by Using Configuration Files 36

Part IV Scanning Your Network with the Device Scanner 40


1 Using the Device Scanner 41
2 Reviewing Scan Results 45

Part V Configuring Global DriveLock Settings 50


1 Using Predefined Security Configurations 51
2 Creating Configuration Reports 52
3 Activating Your License 54
4 Agent Hardening and Global Security Settings 59
Configuring Global Security Settings in Basic Configuration mode 59
Configuring Global Security Settings in Extended Configuration mode 63
Permissions for the DriveLock Agent Service 63
Locking Down the DriveLock Agent 65
Running DriveLock in Windows Safe Mode 65
Password to Uninstall DriveLock 66
Agent Remote Control Settings and Permissions 67
5 Configuring the Agent User Experience 69
Configuring the Agent User Experience in Basic Configuration mode 70
Configuring the Agent User Experience in Extended Configuration mode 74
Taskbar notification area settings 74
Offline Unlock Control Panel Settings 74
User Interface Language on Agents 76
Creating Security Awareness Campaigns 77
Creating Campaign Elements 79
6 Connecting to the DriveLock Enterprise Service 81
Configuring Event Transmission Settings in Basic Configuration mode 82
Configuring DriveLock Enterprise Service Connections 83
Updating Legacy Security Reporting Center Connections 87

Administration Guide 7.7 2 © 2018 DriveLock SE
Configuring a DES Connection for the Device Scanner 87


Monitoring Agents by Using the DriveLock Enterprise Service 88
Agent Monitoring Using the DriveLock Management Console 88
Sending Licensed Computer Information to the DES 90
7 Configuring the DriveLock Simulation Mode 91
8 Using the DriveLock Policy File Storage 93
9 Using Multilingual Notification Messages 97
Defining Languages and Standard Message Texts 98
Defining Custom Message Texts for Multiple Languages 102
10 Configuring Additional Settings 106
Configure the Internet Connection Firewall to Allow Remote Control 106
Advanced DriveLock Agent Settings 107

Part VI Auditing DriveLock Operations 110


1 Configuring Event Message Transfers 111
Configuring event transfer destinations 112
Configure the event log destination 115
Configure SMTP server settings 116
Configure SNMP server settings 117
Configuring Enterprise Service connection settings 118
Anonymizing Event Data 118
Optional settings 122

Part VII Locking Drives and Devices 124


1 Locking Drives 125
Configuring Drive Locking In Basic Configuration Mode 127
Enabling Drive Locking 127
Configuring Basic Whitelist Rules 131
Configuring Advanced Drive Locking Settings 135
General Drive Locking Settings 135
Global Security Settings for Controlling Drives 135
Configuring End User Messages 137
Configuring User Notification Messages for Locking Drives 137
Configuring Custom Usage Policy Texts and Options 138
Configuring File Digest Generation 140
Volume Identification Files 140
Shadowing Configuration 142
Drive Monitoring Using S.M.A.R.T. 142
Advanced Global Settings for Controlling Drives 143
Enabling Drive Locking 143
Creating Drive Rules 146
Vendor/Product ID Rule 147
Network Drives Rule 150
WebDAV-Based Network Drives 152
Drive Size Rule 153
Base Rule 155
Terminal Services Rule 156
Creating a Rule Based on a Template 156
Common Settings for Drive Whitelist Rules 157
User Permissions 158
Controlling and Auditing File Access 158
Time Limit Settings 159
Settings for Computers 161
Network Settings 162
User and Group Validation 162

Assigning Drive Letters 163


Defining Custom Notification Messages 164
Additional Options 167
Specifying Commands 169
Locking and Controlling Recording to CDs/DVDs 171
Creating Whitelist Templates 173
Organizing Drive Whitelist Rules 174
Creating File Filters 176
Defining File Types 177
Defining File Type Groups 180
Creating a New File Filter Template 182
Using a File Filter Template 191
Using File Filter Templates with Encrypted Drives (Encryption 2-Go) 192
Using Media Authorization 193
Monitoring Data Transfers by Using Shadowing 196
Configuring Global Shadowing Settings 196
General Settings 197
Client Options for Shadowing 198
Shadowing Exceptions 199
Server Upload Settings for Shadowing 200
Shadowing Time Limitations 201
Network Limitations 202
Encryption 202
Configuring Shadow Copies in Drive Whitelist Rules 203
Viewing Shadow Copies 206
2 Locking Devices 210
Configuring Device Locking Using Basic Configuration Mode 211
Configuring Advanced Device Locking Settings 221
General Device Locking Settings 221
Configuring User Notification Messages for Locking Devices 221
Advanced Global Settings for Controlling Devices 223
Enabling Device Locking 223
Granular Control of iTunes-Synchronized Devices 227
Configuring Serial and Parallel Port Locking 232
Creating Device Rules 232
Additional Device Whitelist Rule Setting 236
User Permissions 236
Time Limit Settings 236
Settings for Computers 238
Network Settings 239
User and Group Validation 239
Additional Options 241
Using Computer Templates 242
Creating a New Computer Template 243
Creating a Computer Template Based On the Local Computer 244
Creating a Computer Template Based On a Remote Computer 244
Creating a Pre-Defined Template from the Database 245
Creating an Empty Template 245
Working with Computer Templates 246
Editing a Computer Template Device List 247
Importing New Devices into a Computer Template 248
Exporting Devices from a Computer Template 248
Defining Computer Template Permissions 249
Activating a Computer Template 249
Displaying Devices Defined By a Computer Template 250

Part VIII Configuring Network Locations and Profiles 251

1 Configuring Global Network Profiles Settings 255


Defining Network Profile End-User Appearance 255
Disabling Simultaneous Wi-Fi and LAN Connections 256
Using Third-Party VPN Clients 257
2 Defining Network Locations 258
Active Directory Site 260
Network Location Based on IP Information 262
Network Adapters 263
Geographic Locations 263
Wireless Network SSID 265
Other Locations 265
Command Result 266
3 Creating Configuration Profiles 267
Internet Explorer Proxy Settings 268
Windows Live Messenger / MSN Messenger Settings 269
Default Printer and Group Policy Processing 270
4 Using Network Locations in Whitelist Rules 270
5 Defining User-Specific Network Profiles 271

Part IX Configuring the DriveLock Enterprise Service 273


1 Creating Server Connections in the DriveLock Management Console 274
2 Administering DES Servers 276
3 DES Operating Modes 278
Central Server 278
Linked Server 279
Changing the Operating Mode 281
4 Assigning Permissions 281
5 Configuring Maintenance Operations 282
6 Configuring Updates 283
7 Configuring Network Settings 286
Encrypting DES Connections 287
Using a Proxy Server 288
Configuring E-Mail Settings for Scheduled Reports 289
8 Using a Multi-Tenant Environment / SaaS 290
Creating a Tenant 291
Assigning Agents to a Tenant 291
Deleting a Tenant 292
Performing Active Directory Object Inventory Collection 292
Tenant-Aware Certificate Management 294
9 Viewing License Information 294
10 Customer Experience Improvement Program 295
11 Viewing the DriveLock Enterprise Service Status 296

Part X DriveLock Cloud 298


1 DriveLock Cloud Synchronization 300
2 Extended Auditing 301

Part XI DriveLock Encryption 2-Go 303


1 How DriveLock Encryption 2-Go Works 304
DriveLock Encryption Algorithms 304

DriveLock Encryption Modes 305


2 Configuring DriveLock Encryption 306
Configuring Encryption Using Basic Configuration Mode 306
Configuring General Encryption Settings 307
Configuring Enforced Encryption 309
Configuring Password Recovery 311
Configuring Encryption Using Extended Configuration Mode 314
Configuring Global Parameters 314
Encryption Strength Settings 315
Encryption End User Appearance 321
Encrypted Drive Settings 326
End user restrictions 329
Configuring Password Recovery 335
Configuring an Administrative Password 336
Creating an Offline Recovery Certificate 340
Configuring Enforced Encryption 347
Settings Available for All Automatic Encryption Rules 348
Creating Multiple Encryption Rules 353
Creating User Selection Rules 355
3 Recovering Encrypted Containers 359
User-Initiated Password Recovery 359
Recovering Encrypted Drives and Folders 359

Part XII DriveLock File Protection 361


1 How Does DriveLock File Protection Work? 362
2 Supported Encryption Mechanisms 363
3 Configuring DriveLock File Protection 363
Creating a Master Certificate for Key Management 364
Configuring Certificate Management 365
Configuring Encryption Rules for Clients 366
Configuring encryption settings 367
Configuring the encryption user interface 368
Configuring Settings for Encrypted Folders 369
Configuring Additional Settings 370
Configuring Enforced Encryption 370
Configuring Recovery Certificates 371
Company certificate 373
4 Managing User Accounts and Certificates 373
How User Administration Works 374
Managing User Accounts 374
Managing Groups 376
Managing Certificates 377
5 Centrally Managing Encrypted Folders 379
Creating an Encrypted Folder 379
Modifying Permissions 380
6 Recovering Encrypted Folders 381
7 Reporting and Analysis 382

Part XIII DriveLock Disk Protection 383


1 How DriveLock Disk Protection Works 384
Pre-boot User Authentication 384
Misplaced or Forgotten User Authentication Credentials 385
Unattended Reboot Followed By Automatic Pre-Boot Authentication 385
Windows User Authentication 385

Single Sign-On 385


Manual Windows Authentication 385
Recovery Files and Key Management 385
Disaster Recovery 386
2 Preparing to Deploy DriveLock Disk Protection 386
3 Configuring Disk Protection in Basic Configuration Mode 388
Creating Master Certificates 389
Installing the FDE Component 392
Configuring FDE Settings 393
4 Configuring Disk Protection in Extended Configuration Mode 396
Creating Encryption Keys 396
Using the Encryption Certificate Creation wizard 398
Exporting and Importing Encryption Certificates 401
Configuring Deployment Settings 402
New Installation 403
Updating an Existing FDE Installation 406
Configuring Pre-boot Authentication and Hard Disk Encryption 406
Configuring Pre-Boot Authentication 407
Authentication Methods and Logon Settings 407
Users 409
User synchronization 409
Emergency Logon 411
Wipe the PBA database 412
Configuring Hard Disk Encryption 415
Configuring Encryption Settings 416
Configuring the Backup of Recovery Data 418
5 Recovery Procedures 419
Viewing Diagnostics Data 419
Emergency Logon Procedure 421
Recovering Encrypted Disks 425
Creating the Files Required for Decryption 426
Creating a Recovery CD 429
Recovering (Decrypting) Disks 432
6 Uninstalling DriveLock Disk Protection 432
Uninstalling DriveLock FDE Completely 432
Decrypting Hard Disks 434
Uninstalling or Reconfiguring FDE on a Single Computer 435
7 User Logon with Pre-Boot Authentication 437
Authenticating With User Name, Password and Domain Name 437
Authenticating With Smartcard or Token and PIN 438
Windows Authentication 439

Part XIV DriveLock Antivirus 440


1 Installing DriveLock Antivirus 441
2 DriveLock with Avira Antivirus 443
Configure DriveLock with Avira Antivirus 443
Realtime Scanning Rules 444
Scheduled Scans 446
On-Demand Scanning 447
3 Configuring the DriveLock User Interface 447
4 Configuring Antivirus Updates 450
Configuring Definition Publishing and Staging 452
5 Using the Antivirus Quarantine 453
6 Uninstalling and Controlling DriveLock Antivirus on Individual Clients 454

Part XV DriveLock WebSecurity 456


1 DriveLock WebSecurity powered by CYREN 457
2 Configure DriveLock WebSecurity 457
Global Settings 458
URL Filtering Rules 459

Part XVI DriveLock Application Control / Smart AppGuard 465


1 Basic configuration 467
Configuring the Scanning and Blocking Mode 467
Auditing and simulation 468
Whitelist mode and Blacklist mode 468
Configuring basic application rules 469
Configuring Simple Application Rules 470
2 Extended Configuration 473
Configuring the Scanning and Blocking Mode 473
Auditing and simulation 474
Whitelist mode and Blacklist mode 475
Whitelist mode 476
Blacklist mode 476
Configuring a Hash Algorithm for Hash-Based Rules 476
Configuring User Notifications 477
Special Settings 478
3 Configuring Application Rules 478
Using Application Hash Databases 478
Using Publisher Certificate Rules 482
Using File Owner Rules 484
Using Hash Rules 486
Using Special Rules 489
Other Application Rules 491
Using file path rules 491
Using Application Templates 492
Adding a single application 494
Adding a set of applications 495
4 Scanning/Blocking DLLs 495
5 Predictive Whitelisting 495
6 Configuring Common Rule Settings 497
Configuring User Settings 498
Configuring time limits 498
Configuring Computer Settings 499
Configuring network limitations 500

Part XVII Systems management 501


1 Settings 502
Client Compliance 502
Configuring Hardware and Software Inventory 502
2 Power management 504
3 Self-service groups 504
Configuring self-service groups 505
Start the self-service wizard 507

Part XVIII Using Agent Remote Control 509


1 Viewing Agents 510

2 Performing Agent Tasks 512


Connecting to a DriveLock Agent 512
Viewing the Agent Configuration (RSOP) 512
Viewing Currently Attached Devices 515
Manually Updating the Policy 520
Displaying Inventory Data 521
Viewing the Disk Protection Status 522
Manually Uploading Disk Protection Recovery Data 523
Manually Uploading Encryption 2-Go Recovery Data 524
Viewing the Antivirus Status 524
Viewing Disk Health Information (S.M.A.R.T.) 525
Activating Tracing 526
Disconnecting from an Agent 528
3 Unlocking Agents 528
Configuring General Unlocking Settings 528
Unlocking Drives, Devices and Smartphones 528
Setting Time Limits and Suspending Restrictions 529
Temporarily Unlocking a Single Online Agent 530
Temporarily Unlocking an Offline Agent 531
User Procedure to Unlock an Offline Agent 532
Administrator Procedure to Unlock an Offline Agent 532
Temporarily Unlocking Multiple Agents 535
Configuring Default Settings for Agent Remote Control 537

Part XIX Software Deployment and Update 540


1 Manually Updating DriveLock 541
2 Publishing Software Packages 542
3 Push Installation of DriveLock 546
Per-Server Global Settings 546
Automatic Push Groups / OUs 546
Execute Push Installation 546
4 Configuring Automatic Updates 547
Configuring Fully Automatic Updates 548
Configuring Semi-Automatic Updates 549
Disabling Automatic Package Downloading 550

Part XX Using DriveLock in Terminal Server Environments 552


1 Terminal Server Connections 553
Fat Clients / Desktop Clients 553
Windows Embedded Clients 554
Virtual Clients 554
Thin Clients 554
Thin Clients by Wyse Running Linux V6 554
2 Configuring Drive Control 555
Global Permissions 555
Rules Based on Mapped Drive Letter 555
Rules Based on Hardware Characteristics 557
Using the File Filter 557
3 Using Application Control 558

Part XXI Troubleshooting and Tools 559


1 Viewing Information about Drives and Containers 560
2 Commands for Troubleshooting 561

3 Troubleshooting Network Adapters 561


4 Creating a Trace File 562
Creating a DriveLock Driver Trace File by Using the Support Tool 562
Creating a DriveLock Driver Trace File by Using the Command Line 563
Creating a DriveLock Trace File by Using the Management Console 564
5 Manually Refreshing the Policy 565

Part I
Document Conventions

1 Document Conventions
Throughout this document the following conventions and symbols are used to emphasize important points that you
should read carefully, or menus, items or buttons you need to click or select.

Caution: This format means that you should be careful to avoid unwanted results, such as
potential damage to operating system functionality or loss of data.

Hint: Useful additional information that might help you save time.

Italics represent fields, menu commands, and cross-references. Bold type represents a button that you need to click.
A fixed-width typeface represents messages or commands typed at a command prompt.
A plus sign between two keyboard keys means that you must press those keys at the same time. For example, ALT+R
means that you must hold down the ALT key while you press R. A comma between two or more keys means that you
must press them consecutively. For example ‘ALT, R, U’ means that you must first press the Alt key, then the R key, and
finally the U key.

Part II
DriveLock Management Console

2 DriveLock Management Console


Use the DriveLock Management Console (MMC) to perform day-to-day management tasks and to configure DriveLock.
This chapter covers how to use and configure the Management Console and how to restrict access to management
functions so that only authorized administrators can use them.

2.1 Management Console Structure


The DriveLock Management Console is a Microsoft Management Console (MMC) snap-in that can be used on its own
or in conjunction with other MMC snap-ins.
After you have installed the DriveLock Management Console you can start it from the Windows Start menu under All
Programs / DriveLock / DriveLock Management-Console.

The menu bar at the top of the console contains the standard MMC menus and buttons that provide quick access to
common functions. For example, clicking the question mark opens a Help window.
The console tree on the left is used to navigate through the various functional areas of the Management Console.
Many nodes in the console tree contain subnodes that you can expand or collapse by double-clicking the node.
The right section of the Management Console displays taskpad views. Depending on the node you select in the
console tree, taskpads contain links to subnodes or configuration elements. You can navigate taskpad views by
clicking the links in them.
You can right-click most nodes in the console tree and configuration areas in the classic MMC to display a context
menu from which you can configure various settings.
If you prefer the classic MMC view without taskpads, you can switch to that view (Classic MMC view) in several
areas of the Management Console. Use Context menu / View / Taskpad view to switch back.

With DriveLock 7.5 the taskpad view was visually restructured using a Windows 8-style design (see the screen
shots above); functions are now shown as tiles. Because the new design introduces no functional changes and no
fundamental differences, this manual still uses the old screen shots.

2.2 Changing the User Interface Language


Right-click DriveLock then click All tasks -> User interface language.

In the following dialog box, select the language.

A few Management Console elements, such as the menu bar and context menus, are always displayed in the
language for which you installed the Management Console or in the operating system language; they do not change
when you select a different language.

Click OK to proceed. The Management Console switches to the selected language.

2.3 Checking for Updates


Right-click DriveLock, then click Check for updates.

The program connects to the DriveLock Web site to check for available updates. If a newer version is available, a
notification is displayed.
You can also view the current version of all DriveLock components under Product updates and support -> Product
packages and files.

The Management Console displays the newest version of all components. To download a component, right-click it
and then click Download.

2.4 Configuring Server Connections


The DriveLock Management Console connects to the central DriveLock Enterprise Service to store information, such
as license data or centrally stored policies, and to retrieve data. To ensure that the DriveLock Management Console
can connect to the DriveLock Enterprise Service (DES) you need to configure a server connection.

To create a new server connection, right-click DriveLock, then click Choose DriveLock Enterprise Service.

If the DriveLock Management Console was able to locate the DES using DNS-SD at startup, the server name appears in
the dialog box. If the server does not appear, type the server name. If you configured the DriveLock Enterprise Service
to use a non-standard port, you must also type the port number.
To connect to the DriveLock Enterprise Service using a different user account than the one you are currently logged on
with, provide the credentials of that account, and then click OK.

The account you use to connect to the DriveLock Enterprise Service must have been assigned access permissions
in the DES. For more information about assigning permissions when installing the DriveLock Enterprise Service,
refer to the DriveLock Installation Manual. For more information about configuring permissions after
installation, refer to the chapter Configuring the DriveLock Enterprise Service.

2.5 Selecting the DriveLock Configuration Mode


The DriveLock configuration mode determines which taskpads are displayed when you create and edit DriveLock
policies. You can select Basic Configuration or Extended Configuration. Basic Configuration mode is the
recommended mode for administrators who are getting started with DriveLock. In this mode, rarely used
configuration settings are not displayed, and wizards are available that guide you through all the steps that are
required to perform most tasks.

The left picture shows a configuration page in Basic Configuration. The picture on the right shows the same page in
Extended Configuration mode.
In Basic Configuration mode, taskpad sections also display a colored header that indicates the state of the current
configuration:
· Red header: Important settings have not been configured yet
· Yellow header: Some configuration settings may not be complete or as secure as they can be and should be
reviewed
· Green header: All settings are configured for secure operations

To disable or re-enable the Basic Configuration mode, in the policy window, in the console tree, click the top node
and then click the Basic Configuration link in the taskbar.
The first time you open a newly created policy, the Getting started window appears. Unless you are familiar with
DriveLock, select Assisted configuration to create the initial policy settings.

To open this window at a later time, select the top node of the policy, and then in the right pane click Getting started.

2.6 Configuring User Permissions to Console Nodes


You can configure the DriveLock Management Console to control which users and groups can access console
functions. To control access, configure the permissions for nodes in the console tree. The permissions you configure
in a policy are enforced by DriveLock Agents and can prevent users from installing and using the DriveLock
Management Console on client computers without being authorized to do so. For more information about DriveLock
policies, refer to the chapter Deploying DriveLock Configuration Settings.

Click Management console -> Node permissions to view a list of all node permissions. The default setting for all
nodes is Not configured. Until you change the permissions, the group “Everyone” has Change permissions to all
nodes.
To view the detailed settings of an object, double-click it.

To assign node permissions to a user or a group, click Add, and then select a group or user. Click Remove to remove
the selected account from the list.
You can assign the following access permissions:
· Invisible: The node is not displayed, and not accessible to the user.

· Read: The user can view the node and any configuration settings, but cannot change any settings.

· Change: The user can change all settings under the node.

If you assign permissions to more than one group and a user is a member of several of these groups, the permission
setting with the highest priority that applies to the user or any of the groups is enforced. For example, when both the
Invisible and the Change permissions apply to a user, the Change permission is enforced.

Each node must be configured with at least one user or group that has Change permissions. If you attempt to
remove all Change permissions settings, DriveLock displays a warning message.
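The precedence rule described above (Invisible, Read and Change ranked, highest applicable entry wins), the "Not configured" default under which Everyone has Change, and the rule that every configured node must keep at least one Change entry, worked through as an added Python illustration. This is not DriveLock code; the node names, group names, user names and membership below are constructed sample data, and the behaviour for a user who matches no entry on a configured node is an assumption, since the guide does not state it.

```python
"""Effective node permissions for the DriveLock Management Console, as the
guide describes them: each node carries a list of (principal, permission)
entries, Invisible < Read < Change are ranked, and for a user who matches
several entries (directly, via a group, or via Everyone) the highest-ranked
matching permission is enforced.  Added illustration written for this page,
not DriveLock code; all node, group and user names are constructed samples."""

from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[str, str]          # (principal, permission)
PermTable = Dict[str, List[Entry]]

# Priority order from the guide: Change beats Read, which beats Invisible.
PRIORITY = {"Invisible": 0, "Read": 1, "Change": 2}

# Constructed sample permission table.  "Reports" has no entries at all,
# which models a node still at its default of "Not configured".
NODE_PERMISSIONS: PermTable = {
    "Drives": [("Helpdesk", "Read"), ("DL-Admins", "Change"), ("Interns", "Invisible")],
    "Encryption": [("Everyone", "Change")],
    "Application Control": [("Helpdesk", "Invisible"), ("DL-Admins", "Change")],
    "Reports": [],
}

# Constructed sample group membership: user -> groups.
MEMBERSHIP: Dict[str, List[str]] = {
    "alice": ["DL-Admins", "Helpdesk"],
    "bob": ["Helpdesk", "Interns"],
    "carol": [],
}


def principals_for(user: str, membership: Dict[str, List[str]] = MEMBERSHIP) -> Set[str]:
    """Every principal an entry can match for this user: the user itself,
    each of the user's groups, and the built-in Everyone group."""
    return {user, "Everyone", *membership.get(user, [])}


def effective_permission(node: str, user: str,
                         perms: PermTable = NODE_PERMISSIONS) -> Optional[str]:
    """Resolve the permission the console enforces for `user` on `node`.

    A node without any entries is "Not configured", where the guide says
    Everyone has Change.  Otherwise the highest-priority matching entry wins.
    If entries exist but none matches the user, None is returned; the guide
    does not specify that case, so handling it is left to the caller
    (assumption)."""
    entries = perms.get(node, [])
    if not entries:
        return "Change"
    allowed = principals_for(user)
    matching = [perm for principal, perm in entries if principal in allowed]
    if not matching:
        return None
    return max(matching, key=PRIORITY.__getitem__)


def nodes_without_change(perms: PermTable = NODE_PERMISSIONS) -> List[str]:
    """Nodes that would trigger the console's warning: a configured node must
    keep at least one Change entry.  A node with no entries is exempt because
    it falls back to Everyone = Change."""
    return [node for node, entries in perms.items()
            if entries and not any(perm == "Change" for _, perm in entries)]


def remove_entry(node: str, principal: str, perms: PermTable) -> PermTable:
    """Return a copy of `perms` with one entry removed, refusing (as the
    console does) to leave a configured node without any Change entry."""
    updated = {n: [e for e in entries if not (n == node and e[0] == principal)]
               for n, entries in perms.items()}
    if node in nodes_without_change(updated):
        raise ValueError(f"{node!r} must keep at least one Change entry")
    return updated


if __name__ == "__main__":
    for user in MEMBERSHIP:
        for node in NODE_PERMISSIONS:
            print(f"{user:6} {node:20} -> {effective_permission(node, user)}")
```

Running the module prints the resolved permission for every sample user and node; the useful check for a practitioner is `nodes_without_change()` on a permission table before applying it, which reproduces the warning condition the console enforces interactively.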

Part III
Deploying DriveLock Configuration Settings

3 Deploying DriveLock Configuration Settings


This section covers several methods for deploying configuration settings to client computers.
The following table provides an overview of the available deployment methods. You can use this information to help
you determine which deployment method is most appropriate for your environment:

Method                    Central        Requires  Uses existing          History /   Scalability  Quick
                          configuration  DES       infrastructure         versioning               configuration
Local Policy              No             No        No                     No          -            No
Group Policy              Yes            No        Yes (AD)               No          Very good    No
Centrally Stored Policy   Yes            Yes       No                     Yes         Good         Yes
Configuration File        Yes            No        Yes (UNC, http, ftp)   No          Acceptable   No

It is recommended that you become familiar with a local policy before you start deploying settings to multiple
client computers in your network.

3.1 Creating and Using a Local Policy


To configure a standalone computer with the DriveLock Agent installed, use a local policy. This configuration is only
applied to the computer on which you are running the DriveLock Management Console.
To edit the local policy, open Start -> All Programs -> DriveLock -> DriveLock Local Policy.

You can configure global configuration settings, enable drive and device locking and create whitelists for drives or
devices that you have identified on your computer by using the Device Scanner. Information about specific
configuration settings can also be found in the corresponding chapters of this Administration Guide.
A local policy can be used to test a company-wide policy on a single computer before deploying it to the rest of the
network. Once you are satisfied with your configuration, you can export the settings to a file and then import them
into another policy using the following procedure.

To export a configuration, in the task view click Export. In the file selection dialog box, select the target directory and
type the name of the export file. The configuration file has a .dlr extension.

To import the configuration settings into a policy, right-click DriveLock and then click All Tasks -> Import
configuration. You can also export a policy from a GPO and import it into a local DriveLock policy. In addition,
you can use the export procedure to back up your current configuration settings.

Selecting the option “Save agent configuration file” generates an Agent configuration file (.cfg). You can use the file to
deploy a DriveLock configuration when you don’t want to use Group Policy or when you deploy DriveLock in a
network without Active Directory.
To clear all configuration settings from an existing DriveLock policy, either local or GPO-based, right-click DriveLock
and then select All Tasks -> Remove configuration.

You can display the settings in a local policy as a node in the console tree of the DriveLock Management Console.

To display a local policy in the DriveLock Management Console, right-click the local policy, and then click Show
“Local policy” in root console. The next time you start the Management Console, the new entry appears in the console
tree:

To restore the initial settings, right-click Local policy, point to All Tasks and then click Show “Local policy” in root
console to deselect this setting.

3.2 Deploying Policies by Using Group Policy


The easiest way to configure the DriveLock Agent on multiple computers in a network is by using an Active Directory
Group Policy. DriveLock can be configured by using the Group Policy Object Editor in conjunction with the DriveLock
Management Console (MMC) snap-in. This snap-in is automatically installed as part of the DriveLock installation.
DriveLock can use Group Policy to deploy settings to computers that belong to an Active Directory domain. The
DriveLock Agent running on these computers automatically applies all settings that are contained in the Group
Policy Object.
In Active Directory, computers are often arranged in Organizational Units (OUs) to apply common settings to multiple
computers. For example, an OU may contain all computers in a department or business unit. A DriveLock policy can
be easily applied to all these computers by linking a Group Policy Object containing DriveLock settings to the OU.
Another reason to use OUs is delegation of administration tasks. Assigning GPOs to an OU instead of an entire
domain or Active Directory site is a recommended practice because it allows you to maintain the appropriate
protection level for each department or business unit.
The steps for configuring settings in a GPO are identical to those for configuring a local policy. You can configure the
same parameters, create whitelists and configure networking settings.
To configure policy settings in the DriveLock Management Console, in the console tree, click “Group Policy”.

To add an existing GPO or create a new GPO that will contain DriveLock settings, in the task view, click Add Group
Policy Object. In the selection dialog box, select the GPO that will contain the DriveLock settings. Select the GPO you
added and then click Edit selected GPO. The Microsoft Group Policy Object Editor opens in a new window, allowing
you to edit policy settings.


The Group Policy Object Editor displays the same DriveLock configuration items in the console tree that are
available when you use a local configuration.

In DriveLock 6 or higher, changes to a Group Policy configuration must be explicitly saved. To apply your
configuration changes to the group policy, click DriveLock in the left pane of the Group Policy Object Editor and
then click Save in the task view on the right.

If you open the DriveLock policy on a server running Windows Server 2008 you will find the DriveLock configuration
in a slightly different location.
The DriveLock Agent service applies configuration changes immediately after Windows receives updated Group
Policy settings from a domain controller. Depending on the time until the next scheduled Group Policy update, it may
take several minutes after you change the configuration until this update takes place. To apply changes to a GPO
immediately, manually initiate a Group Policy update. To do this, on the client computer open a command prompt
window and then type the following command:
gpupdate /force

You can find more information about how to use Group Policy to deploy a DriveLock configuration in the
technical article “DriveLock Interaction with Active Directory”, which is available on the DriveLock Web site
(www.drivelock.com). This article also contains replication traffic information and deployment tips.

3.3 Deploying Policies by Using Centrally Stored Policies


As an alternative to group policies you can distribute DriveLock settings using a Centrally Stored Policy (CSP). CSPs
are similar to group policies, but they are stored in the DriveLock database by the DriveLock Enterprise Service (DES).
Use CSPs if you don't have an Active Directory in place or if you cannot use Active Directory Group Policies for any


other reason. For a Managed Security Service Provider (MSSP), CSPs may also be the best choice because separate
CSPs can be maintained for different tenants.
Additionally, unlike other types of policies, CSPs support versioning and change tracking and administrators can
selectively publish CSPs.
CSPs can be used in almost any network environment, including Active Directory, Novell Directory Service and
workgroups.

To use CSPs, the DriveLock Enterprise Service (DES) is required.

With DriveLock versions older than 7.5, exactly one CSP could be assigned to an Agent. Agents knew their CSP
and asked their DES for that policy.
Since DriveLock 7.5, one or more CSPs can be assigned to computers, AD groups, OUs or even all computers; they are
merged on the agent into a resulting set of policies (RSOP) in the given order. The CSPs can belong to the default
tenant (root) or to any other tenant. The DriveLock Agent only knows the DES servers it can ask for CSPs. This
way you can configure basic settings in a default CSP, cover special settings such as the FDE configuration in a
CSP assigned only to laptops, and keep special settings for organizational units in their own CSPs. MSSPs may
maintain separate CSPs for tenants and grant read or update permissions to the tenants. Placing mandatory settings
in a common CSP that is last in the order ensures that tenants cannot override them.

Example

Order  Policy           Tenant      Purpose

1)     Default_All      root        Default settings for all tenants
2)     FDE_All          root        FDE settings for laptops
3)     Lock_Espresso    espresso    Lock settings for Espresso GmbH
4)     Lock_Translatte  translatte  Lock settings for Translatte Inc
5)     Mandatory_All    root        Mandatory settings for all tenants

Architecture


This figure shows how CSP assignment works in principle:

The agent selects one of the configured servers (DES, LDES) for CSP assignments (1), gets an ordered list (2), fetches the
required CSPs from the server (3) and merges the CSPs into the resulting set of policies (RSOP).

Create and configure CSPs


To create a new CSP for root or another tenant that covers your desired scenario (e.g. FDE only for laptops), open MMC /
Policies / RightClick / New / Centrally Stored Policy.

Enter a name, select a tenant and enter a short description to explain the purpose of the new policy. If appropriate,
check Use existing policy as template and select the policy you want to copy. Click OK to store the new CSP. A new
window then opens in which you can configure the new policy.
To edit an existing CSP, right-click the CSP and select Edit.


Remember to enter your license information under Global settings (as described in the chapter "Activating Your
License").

You can use the export and import functions to copy settings between different policy types, for example from a
local policy to a CSP.

When you have finished editing the policy, close the policy window. DriveLock prompts you whether you want to
save the changes you made.
· Save Only: The policy is saved but not published. It is not available to DriveLock Agents until it is published.

· Save and publish: The policy is saved and then published. Once published, it becomes available to DriveLock
Agents.

· Cancel — Discard changes: The policy is not saved and all changes are discarded. No new policy version is
created or made available to DriveLock Agents.
You can also save a policy at any time during editing by clicking the Save or Publish buttons on the toolbar.

Policy Assignment
Now assign the policies to the computers, groups, OUs or even All computers where they should apply. Open MMC /
Policy assignments / RightClick / New / <type of assignment>. In the next dialog, enter the appropriate computers,
groups or OUs, select a tenant (or all tenants) and the policy you want to assign. Policies stored for the root tenant
can be selected for any tenant, while policies stored for any other tenant can only be selected for that tenant.

To change the order, right-click an entry and move it up or down. Remember that CSPs are merged on the agent in the
given order: a setting configured in a later policy overrides the same setting in an earlier policy.
You may want to evaluate the resulting set of policies (RSOP) directly from the MMC. Open MMC / Policy assignments
/ RightClick / RSOP planning and enter a computer that exists in your AD.
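The merge behaviour described above, as an added example that is not DriveLock's own code: a small Python simulation of how an agent resolves its ordered assignments into an RSOP. Policy names follow the example table; the settings, group and computer names and license values are constructed placeholders. It also models the licensing rule from section 5.3 (license information is not merged but taken whole from the last policy in the order), read here as the last policy that actually configures a license, since a policy with "License is not configured in the policy" carries none.

```python
# Added example (not DriveLock code): models how a DriveLock Agent builds its
# resulting set of policies (RSOP) from an ordered list of CSP assignments.
# Policy names follow the example table in the text; settings, group and
# computer names and license strings are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass, field

ROOT = "root"
ALL_COMPUTERS = "*"          # constructed marker for an "All computers" assignment


@dataclass
class Csp:
    name: str
    tenant: str                       # tenant that owns the policy ("root" or a named tenant)
    settings: dict = field(default_factory=dict)
    license: str | None = None        # None models "License is not configured in the policy"


@dataclass
class Assignment:
    order: int
    policy: Csp
    targets: set = field(default_factory=set)   # computer/group names, or ALL_COMPUTERS
    tenant: str | None = None                   # None models "all tenants"


def applies(a: Assignment, computer: str, groups: set, tenant: str) -> bool:
    """Return True if the assignment applies to the given computer of the given tenant."""
    # Root policies can be selected for any tenant; other policies only for their own tenant.
    if a.policy.tenant != ROOT and a.policy.tenant != tenant:
        return False
    if a.tenant is not None and a.tenant != tenant:
        return False
    return (ALL_COMPUTERS in a.targets or computer in a.targets
            or bool(groups & a.targets))


def rsop(assignments: list, computer: str, groups: set, tenant: str) -> dict:
    """Merge the applicable CSPs in assignment order into one resulting policy."""
    settings, license_, applied = {}, None, []
    for a in sorted(assignments, key=lambda x: x.order):
        if not applies(a, computer, groups, tenant):
            continue
        settings.update(a.policy.settings)   # a later policy overrides earlier entries
        if a.policy.license is not None:     # license block is replaced whole, never merged
            license_ = a.policy.license
        applied.append(a.policy.name)
    return {"applied": applied, "settings": settings, "license": license_}


# Constructed policies following the example table (settings are illustrative).
DEFAULT_ALL = Csp("Default_All", ROOT,
                  {"usb_storage": "deny", "log_level": "info", "agent_stoppable": False},
                  license="LICENSE-ROOT-PLACEHOLDER")
FDE_ALL = Csp("FDE_All", ROOT, {"fde": "enabled"})
LOCK_ESPRESSO = Csp("Lock_Espresso", "espresso",
                    {"usb_storage": "allow", "agent_stoppable": True})
LOCK_TRANSLATTE = Csp("Lock_Translatte", "translatte",
                      {"usb_storage": "allow", "log_level": "debug"},
                      license="LICENSE-TRANSLATTE-PLACEHOLDER")
MANDATORY_ALL = Csp("Mandatory_All", ROOT, {"agent_stoppable": False})

ASSIGNMENTS = [
    Assignment(1, DEFAULT_ALL, {ALL_COMPUTERS}),
    Assignment(2, FDE_ALL, {"Laptops"}),                  # constructed AD group name
    Assignment(3, LOCK_ESPRESSO, {ALL_COMPUTERS}, "espresso"),
    Assignment(4, LOCK_TRANSLATTE, {ALL_COMPUTERS}, "translatte"),
    Assignment(5, MANDATORY_ALL, {ALL_COMPUTERS}),        # last in order: cannot be overridden
]

if __name__ == "__main__":
    # An espresso laptop gets FDE, the tenant lock settings and the mandatory settings on top.
    print(rsop(ASSIGNMENTS, "ESP-NB-01", {"Laptops"}, "espresso"))
    # A translatte desktop gets its own tenant's license and no FDE settings.
    print(rsop(ASSIGNMENTS, "TRA-PC-07", set(), "translatte"))
```

Note that Lock_Espresso's attempt to make the agent service stoppable is undone by Mandatory_All because it comes last in the order, which is exactly why the text recommends placing mandatory settings in the final CSP.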

DES Assignment
The last step is to assign a list of DriveLock Enterprise Servers (DES and/or LDES) to the agents. There are several
methods to assign CSPs / DES servers to agents, depending on how you deploy the agents on the PCs.
· Software Deployment - use the deployment wizard to generate an adapted MSI package or MSI command line
to install an agent with a server list already assigned. Open MMC / Policies / RightClick / All Tasks / Deploy
centrally stored policy… . For more information about using the Deployment Wizard, refer to the DriveLock
Installation Manual.

· DriveLock Push Installation - configure the Per-Server Global Settings - select Configuration type: Centrally
stored policy (assignment) and enter the server list

· Change an existing assignment


- Using Agent Remote Control. Connect to the agent and select Agent configuration / Centrally stored policy and
enter the server list


- Using the command line on an agent PC. Enter C:> Drivelock -setserver <srvlist>#<tnt> (see
Drivelock -help for more information)

· DNS-SD - if the DriveLock agent detects a DES via DNS-SD, no DES assignment is necessary. The agent will ask
this DES for policy assignments.

When a DriveLock Agent uses a CSP, it checks for changes to the policy settings at startup and at a configurable
interval after that (default: 30 minutes).

3.4 Deploying Policies by Using Configuration Files


You can centrally install and configure DriveLock even in networks without Active Directory, such as networks using
Novell NetWare. In network environments without Group Policy or a DriveLock Enterprise Service you can distribute
central DriveLock configuration settings by using a configuration file. This file can be placed on a central network
drive (using a UNC path) or it can be accessed by using HTTP or FTP.
Using configuration files is similar to using Group Policy. However, user-specific configuration options are limited
when Active Directory is not available as the central user database. You can still use local users or groups in your
configuration settings. Also, you can use Novell eDirectory, if available.
You can find additional information about using DriveLock in a Novell network in the whitepaper “DriveLock –
Interaction with Novell“, which you can download from the DriveLock Web site.
Start the DriveLock Management Console (Start -> Programs -> DriveLock -> DriveLock Management Console) and then
click Policies.
Right-click “Policies” or an empty area in the details pane, and then click Create new Configuration file.


DriveLock prompts you to provide the name and location of the new configuration file and then opens a new window,
displaying the policy. You can configure policy settings in this window. You can also export or import settings.

Remember to enter your license information under Global settings (as described in the chapter "Activating Your
License").

You can transfer settings between a configuration file and other policy types by using the Import configuration
and Export configuration commands.

To add an existing configuration file to the DriveLock Management Console, in the console tree, right-click Policies
and then click Open Configuration file. In the dialog box, type the file name and location and then click Open. The
configuration file will appear in the right pane.
Right-click the file, and then click Edit to open a new DriveLock Management Console window where you can edit the
settings in the configuration file.


The DriveLock Management Console automatically saves changes you make to a configuration file when you
close the window.

When you have finished editing your configuration, close the window. To save the file using a different name, right-
click the top node in the console tree, and then click Save as.
Once the changes are complete, apply the configuration to client computers by copying the configuration file to the
network location from which clients retrieve their policy settings, replacing the old configuration file with the new
one.
You must configure the DriveLock Agent that you distribute to client computers to obtain its configuration settings
from the configuration file. To facilitate this process, DriveLock contains a software distribution assistant that can
create a customized MSI or MST file. You can use the DriveLock Deployment Wizard, which is described in the document
“DriveLock Installation Guide”, to deploy configuration settings.
The DriveLock Agent can retrieve configuration files using any of the following methods:
· UNC: For example “\\myserver\share$\drivelock\dlconfig.cfg”

· FTP: For example “myserver/pub/drivelock/dlconfig.cfg”

· HTTP: For example “http://myserver/drivelock/dlconfig.cfg”


In environments without Active Directory (such as Novell NetWare) you must specify the location of the
configuration file during the Agent installation (as described in the DriveLock Installation Guide).

You should create an initial configuration file prior to the Agent roll-out and then specify the location of the
configuration file during setup by using the command line or a modified installation file.

The DriveLock Agent reads the configuration file during installation and then starts enforcing the policies in this file.


When you use configuration files, the Agent only checks for changes to the configuration file when the DriveLock
Agent service starts or at an interval that you can configure.

When you are installing the DriveLock Agent that will use a configuration file, you need to provide the Agent with the
location of this file. The easiest way to accomplish this is by using the Deployment wizard. To start the wizard, right-
click Policies -> All Tasks -> Deploy configuration file. For more information about the deployment process, refer to the
DriveLock Installation Manual.

Part IV
Scanning Your Network with the Device Scanner

4 Scanning Your Network with the Device Scanner


Before configuring rules it can be helpful to gather information about which drives and devices are currently
attached to computers on your network and which ones were previously attached. To do this, you use the DriveLock
Device Scanner.
The Device Scanner scans computers in your network for records of current and historic device and drive usage and
saves this information in a local database. If you use the DriveLock Enterprise Service, you can also save the
scanning results in its central database. You can even scan computers where the DriveLock Agent is not installed.
When the scan has completed you can review the results for unauthorized device use or to get an overview of which
devices have been used in your network so far.

You can also use the data from a Device Scanner scan to create whitelists of allowed devices. This makes an
initial scan of your network an essential step in preparing to configure DriveLock

4.1 Using the Device Scanner


To administer DriveLock, start the DriveLock Management Console. (Start -> Programs -> DriveLock -> DriveLock
Configuration).

To start the Device Scanner, in the left pane, click Device Scanner.


In the DriveLock Management Console, in the console tree, click Device Scanner, and then in the right pane, click
Start scanning.

To scan a computer you must be able to connect to it by using the RPC protocol and have permissions to read
the “HKLM\SYSTEM” registry key. Usually members of the group Domain Users have the required permissions.

Click Next.


To create a list of computers to scan, click Add.


Select the computers to scan from the following options:
· Active Directory Computer or Group: Select a single computer or a group containing computers from Active
Directory.

· Active Directory Organizational Unit: Select an organizational unit (OU) containing computers from Active
Directory.

· By Name: Type a single computer name or an IP address. Names and addresses are not validated at this stage.

· IP Network: Define an IP address range. IP addresses are not validated at this stage.

· From Neighborhood: Adds all computers from the network neighborhood on your computer to the list.

Scanning your network neighborhood may take a long time and may result in a long list of computers,
depending on your network environment.

To add more computers click Add again and add additional computers until the list contains all computers you want
to scan.
To remove computers from the list, click Remove.


Once you have added the computers you want to scan, click Next.

If a computer is offline or doesn’t exist, the Device Scanner skips this computer and scans the next computer after
approximately 30 seconds. To speed up this process you can configure DriveLock to first send a ping packet to each
computer. Only computers that respond within the specified time are scanned by DriveLock; other computers are
skipped.
You can specify user credentials to log on to the computers to be scanned, typically an administrative account. To
retrieve additional information about the computer, such as the operating system, select the “Retrieve extended
computer information” checkbox. Retrieving extended information slightly increases the time needed for scanning.
Click Next to continue.


Type the location where the database file will be stored. The default is in the DriveLock installation folder:
C:\Program Files\CenterTools\DriveLock\DLDevices.sdb.
If you have the DriveLock Enterprise Service installed, you can also send the scan results to the DriveLock database
by specifying a server connection.
To start the scan, click Next.
DriveLock displays the status during the scan. Up to four computers are scanned at the same time. You can cancel
the scan at any time.
When the scan is complete, DriveLock displays the status of the scanned computers. Click Next.
To close the wizard, click Finish.

4.2 Reviewing Scan Results


You can review the scan results in the DriveLock Management Console. To do this, DriveLock needs to access the
Device Scanner database.


To select a different database, click Device Scanner, and then in the right pane click Select scanning database source.

DriveLock displays the default database location “C:\Program Files\CenterTools\DriveLock\DLDevices.sdb”. Type the
name and location of the database and then click OK.
If you have the DriveLock Enterprise Service installed, you can also send the scan results to the DriveLock database
by selecting a configured server connection.


Click Statistics to view a chart that displays detailed statistics about the number of drives or devices that have been
attached to computers.
Once DriveLock has opened the database, you can select from the following categories to display the data:
· Computers

· Devices by computer

· Drives by computer

To open a category, double-click the appropriate link.


The computer listing contains the computers that were scanned and the number of the drives and devices detected
on each computer during the scan.

Click Details to view additional information about the computer.

Use the other two categories to view detailed information about the drives or devices that were detected on each
computer.


Click <all> to display all devices or drives discovered during the scan.
Click the name of a computer to display the devices or drives that were ever connected to that computer.
The right pane displays the devices and vendor or product names, depending on the category you are viewing.
DriveLock also displays the date and time when the drive or device was used for the first time and when it was most
recently accessed. DriveLock determines the values for First used and Last used from the creation and modification
dates of the registry keys for the devices.
To display detailed information about a device or drive, double-click the item or select it and then click Details.



Part V
Configuring Global DriveLock Settings

5 Configuring Global DriveLock Settings

Global settings in a DriveLock policy apply to all Agents that use this policy, whether the policy settings are stored in
a Group Policy Object (GPO), a centrally stored policy or a configuration file. When using a local configuration, the
global settings apply to the local Agent only.

When using Group Policy to deploy DriveLock settings, it is recommended to use Group Policy permissions to
ensure that only authorized administrators can view or modify the DriveLock policy. If you use a configuration
file, use Windows file permissions to implement such controls. When using centrally stored policies, DriveLock
Enterprise Service permissions enforce the security of your policy settings.

5.1 Using Predefined Security Configurations


When you create the first DriveLock configuration you can start with one of the predefined security configurations
and skip configuring many individual settings. This can make it much easier and quicker to get started with
DriveLock.
If you are using a local policy for testing, open this local policy. The Getting started window appears. This window
also appears when you open a configuration file, centrally stored policy or Group Policy Object for the first time and
then click DriveLock in the console tree.

In the Getting started dialog box, select one of the pre-configured policies. A short description of the policy settings
appears below the selection. When you click Apply, DriveLock starts the Configuration Wizard, which guides you
through the steps to configure additional required settings, such as license activation and connecting to the
DriveLock Enterprise Service. Once you have completed the wizard, DriveLock applies all settings.


For more information about license activation and configuration of a DES connection, refer to the sections
“Licensing” and ”Configuring DES connections“.

5.2 Creating Configuration Reports


DriveLock can generate an XML-based report of all configured settings that is similar to a Windows Group Policy
report. Settings that are not configured are not included in the report. You can view, save or print a configuration
report.

Click Generate report to generate a configuration report.


Scroll through the sections and settings and use “+” and “-” to expand and collapse sections.
Click Save report to save a configuration report as an “*.html” file. Use Internet Explorer to open and view the
configuration report.

Click Print to print a configuration report. A new Internet Explorer window opens and displays the Print dialog box.
Select a printer and then click Print.


5.3 Activating Your License


Every DriveLock Agent that runs on a client computer requires a valid license. You provide this license to the Agent by
adding a license file (.lic) that includes the number of licensed Agents to the DriveLock configuration. You must
activate this license once. This section contains information about how to import a license file into a DriveLock
configuration and how to activate the license.

Without a valid activated license the DriveLock Agent will not work as expected.

If you are using the DriveLock Enterprise Service (DES), it is recommended that you also transmit the license
information to the DES to activate certain features, such as the automatic downloading of virus definitions.
All DriveLock policies must be configured with a valid, activated license. If you install DriveLock, the Agent functions
without a license file for a trial period of 30 days.

The DriveLock download package includes a trial Agent license that is valid for up to 10 Agents. You can find
this license file AgentTrial.lic in the default installation folder “C:\Program Files\CenterTools\DriveLock
MMC\Tools”. Antivirus is not included in this trial license. To test Antivirus components, a separate trial
license is required. Contact a DriveLock sales partner to obtain a trial license file for these components.

The procedure to use for configuring a license varies slightly depending on whether you are running DriveLock in
Basic Configuration or Advanced Configuration mode.


In Basic Configuration mode, in the console tree click Global configuration to open the “Global settings” task view. When
no license is configured, the license section is highlighted in red. In the right pane, click Change. The license
Properties dialog box appears. The procedure for activating a license file is documented after the following
procedure.
To activate a license in Advanced Configuration mode, go to Global configuration -> Settings and then click License.

The steps for activating a license are identical in Basic Configuration mode and Advanced Configuration mode.


The General tab displays the number of licensed computers from the license file.

Select License is not configured in the policy if you store the necessary licenses in another policy that is
assigned to the agent, e.g. if you store the license in a CSP with basic settings but want to override these
settings with a special CSP for particular groups or computers.

License information is not merged from different policies. If you assign a set of policies, the license
information from the last policy in the order will be used.

You use the Licenses tab to administer licenses, add additional licenses or remove existing licenses, such as trial
licenses.
To add licenses from a license file, perform the following procedure:
· Click Add license file to initiate the license import process and to start the License activation wizard, which
will guide you through the activation process.

· Click Next.

· Select or type the path and file name of a valid license file and then click Open. The content of the license you
selected is displayed.

· Click Next.


· Depending on the type of license, you may be prompted to provide additional registration information. Also,
depending on the license type, providing this information is either required or optional. Provide the
registration data and then click Next.

· You can activate the DriveLock license online or by calling the DriveLock Activation Center. For online
activation, select “Online” and then click Next. To specify a proxy server for Internet access and provide
authentication credentials to connect to this server, click Proxy. Type the name of the proxy server and, if the
proxy server requires this information, a user name and password. Click OK to proceed. The wizard connects
to the DriveLock activation server, which activates the license. Normally this process only takes a few
seconds.

You need to be connected to the Internet and be able to connect to the activation server using
TCP Port 80 for online activation.

· Optional: If no Internet connection to the Activation Server is available or you don’t want to activate online,
select “By phone” and then click Next. License activation by telephone consists of the following steps:
§ You call the DriveLock Activation Center by calling the number on the screen and read the license
key to the DriveLock representative. The representative provides you with the corresponding
activation code which you must type in the Activation code fields.

The activation code you receive is only valid for a limited time. You must type the activation code and complete
the wizard within an hour. If you don’t complete the wizard within an hour after requesting the activation code,
click Cancel and start the activation wizard again.

Ensure that the date and time settings, including the time zone, on computer where you perform the activation
are correct. Otherwise activation may not be successful.

§ After typing the activation code, click Next.

· After a successful activation you are prompted to optionally add the license to the DriveLock Enterprise
Service. Doing this activates all license options in the DriveLock Enterprise Service, such as the downloading
of virus signature updates. Type the name of the server where the DriveLock Enterprise Service is running. If
you don’t specify a server name, the wizard skips sending license information to the DriveLock Enterprise
Service.

· Click Next.

· When the license has been successfully validated, click Finish.

To add additional licenses from a license key, click Add license key. The procedure for adding additional licenses
is identical to activating a new license, except for the following step:

· Instead of selecting a license file, type your license key in the License key field. When the license key has
been validated, click Next.

If the number of computer accounts in Active Directory exceeds the number of licensed computers specified in your
license file, DriveLock displays a warning message and you need to specify which computers are licensed to run
DriveLock. To do this, on the “Licensed computers” tab, specify which computers are licensed to use the licensed
DriveLock modules.


To add computers, click Add. For each computer, group or OU, select the appropriate checkboxes to specify the
DriveLock options the computers are licensed to use. For example, all computers may be licensed to run the
DriveLock Agent, but you may have only purchased the FDE option for your laptop computers:
· Agent: The DriveLock Agent needs to be licensed for all client computers where you will install DriveLock.

· Encryption 2-Go: Client will be able to use DriveLock Encryption 2-Go (removable media encryption).

· FDE: Client will be able to use DriveLock Disk Protection.

· Antivirus: Client will be able to use DriveLock Antivirus.

· File Protection: DriveLock File Protection

The number of computers in the list cannot exceed the number of licensed computers specified in the license file. You
can select individual computers, groups of computers or an Active Directory Organizational Unit (OU) in the current
domain or a trusted domain that contains computers. DriveLock does not resolve the membership of nested groups.
To make exceptions to the list of licensed computers, on the Excluded computers tab, add the appropriate computers
and then select the checkboxes for the DriveLock options the computers are not licensed to run.
Click OK to save settings.
In Basic Configuration mode the license information you configured is displayed and the section is highlighted in
green.


In Advanced Configuration mode, the configuration status of the licensing option changes from not configured to
display the license type (for example, Perpetual License and options).

5.4 Agent Hardening and Global Security Settings


Agent hardening protects against users bypassing policy settings that are enforced by the DriveLock Agent.
Use Basic Configuration mode to quickly configure basic security settings in a few short steps. Use extended settings
to configure more details and additional settings not available in Basic Configuration mode.

5.4.1 Configuring Global Security Settings in Basic Configuration mode

Click Configure Agent self-protection. The Agent self-protection wizard starts.

To control which users can access or stop the DriveLock service on client computers, configure permissions for the
DriveLock Agent service. For example, you could deny “Power Users” the permission to stop the service.
To change permissions for users and groups, click Edit.

Click Add or Remove to add accounts to or remove accounts from the permissions list.
Select an account to configure the permissions assigned to it, and then select the Allow and Deny checkboxes to
allow or deny the following permissions:
· Query service information (display the properties of the service)

· Start / stop service

· Full control

You cannot revoke the permissions of the local System account. If you attempt to do this, DriveLock
automatically restores these permissions because they are required for DriveLock to function.

Click OK and then click Next.

Remote control permissions determine which users or groups are allowed to unlock Agent-controlled drives or
devices by using the “Agent remote control” feature of DriveLock.
Click Add and then select users or groups that are allowed to connect to the DriveLock Agent.
Click OK after selecting the correct user or group.

By default, the built-in Administrators and Domain Admins groups have the permissions required to use Agent
remote control. When you configure remote control permissions, only the users and groups you add to the list
are authorized to use Agent remote control. To retain the permissions for the Administrators or Domain
Admins groups, you must add them to the list.

Click Next to proceed.

To prevent all users from stopping the DriveLock Agent, activate “Run DriveLock Agent services in non-stoppable
mode”.

When you enable non-stoppable mode, no user can stop the DriveLock Agent, regardless of any permissions you
may have configured.

Select the option “Start DriveLock Agent in Safe Mode” to start the DriveLock Agent when the client computer is
running in Safe Mode. When you select this option, users cannot bypass the restrictions in your policy by starting the
computer in Safe Mode.

When DriveLock runs in Safe Mode, you can no longer revert to previous configuration settings by booting into
Safe Mode. This can complicate restoring access to a client computer if a configuration error causes DriveLock to
block devices that are required to use the computer. Before you enable this option, make sure another recovery
path is available, such as Agent remote control or an offline unlock code.

To enforce that communications are encrypted when you connect to an Agent by using Agent remote control, select
“Enforce secure communications (SSL)…”.
Click Finish to save the settings.
The taskpad displays a summary of the settings you configured. Review the summary to confirm that all settings are
configured as intended.
To quickly enable non-stoppable mode, in the task view, click Turn on. A confirmation that non-stoppable mode will
be enforced is displayed.

5.4.2 Configuring Global Security Settings in Extended Configuration mode

Click Global configuration and then Settings.

5.4.2.1 Permissions for the DriveLock Agent Service

Configure permissions for the DriveLock Agent service to control which users can access or stop the DriveLock
service on client computers. For example, you could deny “Power Users” the permission to stop the service.
Click Add or Remove to add accounts to or remove accounts from the permissions list.

Select an account to configure the permissions assigned to it, and then select the Allow and Deny checkboxes to
allow or deny the following permissions:
· Query service information (display the properties of the service)

· Start / stop service

· Full control

You cannot revoke the permissions of the local System account. If you attempt to do this, DriveLock
automatically restores these permissions because they are required for DriveLock to function.
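The service permissions described in 5.4.1 and in this section can be verified on a client after the policy has been applied. The following script is an added example, not DriveLock code: it reads the DACL of a Windows service in SDDL form (the output of sc.exe sdshow), models the Windows access check for a single SID, and reports whether Local System still holds the rights it needs and whether Power Users or other broad groups can stop the service. SERVICE_NAME and the two SDDL strings are assumptions constructed for this example; look up the real name of the DriveLock Agent service in services.msc before running sdshow against it.

```python
"""Audit the DACL of a Windows service (as printed by `sc.exe sdshow <service>`)
against the DriveLock Agent hardening goals: Local System keeps the rights it
needs, and broad groups such as Power Users cannot stop the service.

Added example, not DriveLock code. SERVICE_NAME is an assumption; read the real
service name from services.msc. The SDDL strings at the bottom are constructed."""
import re
import subprocess

SERVICE_NAME = "DriveLock"  # assumption, see note above

# SDDL right codes for services (values from winsvc.h / winnt.h).
RIGHTS = {
    "CC": 0x0001,  # SERVICE_QUERY_CONFIG
    "DC": 0x0002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,  # SERVICE_QUERY_STATUS
    "SW": 0x0008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,  # SERVICE_START
    "WP": 0x0020,  # SERVICE_STOP
    "DT": 0x0040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,  # SERVICE_INTERROGATE
    "CR": 0x0100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,  # standard rights
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,  # generic
}
SERVICE_ALL_ACCESS = 0xF01FF
SERVICE_STOP = RIGHTS["WP"]
# What the Agent service needs from Local System at a minimum: query, start, stop.
SYSTEM_REQUIRED = RIGHTS["CC"] | RIGHTS["LC"] | RIGHTS["RP"] | RIGHTS["WP"]
WELL_KNOWN = {"SY": "Local System", "BA": "Administrators", "PU": "Power Users",
              "BU": "Users", "AU": "Authenticated Users", "IU": "Interactive Users",
              "WD": "Everyone"}

ACE_RE = re.compile(r"\((A|D);([^;]*);([^;]*);;;([^)]+)\)")  # (type;flags;rights;;;sid)


def parse_dacl(sddl):
    """Return the DACL as an ordered list of (ace_type, access_mask, sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(m.group(1)):
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= RIGHTS[rights[i:i + 2]]
        aces.append((ace_type, mask, sid))
    return aces


def access_check(aces, sid, wanted):
    """Minimal model of the Windows access check for one SID (group expansion is out
    of scope): walk the DACL in order, accumulate Allow bits, and let a Deny ACE win
    if it covers a wanted bit that has not been granted yet."""
    granted = 0
    for ace_type, mask, ace_sid in aces:
        if ace_sid != sid:
            continue
        if mask & RIGHTS["GA"]:
            mask |= SERVICE_ALL_ACCESS
        if ace_type == "D" and mask & wanted & ~granted:
            return False
        if ace_type == "A":
            granted |= mask
        if granted & wanted == wanted:
            return True
    return False


def audit(sddl):
    """Return findings; an empty list means the DACL matches the hardening goals."""
    aces = parse_dacl(sddl)
    findings = []
    if not access_check(aces, "SY", SYSTEM_REQUIRED):
        findings.append("Local System cannot query, start and stop the service "
                        "(DriveLock restores these rights, but the configured DACL is wrong)")
    for sid in ("PU", "BU", "AU", "IU", "WD"):
        if access_check(aces, sid, SERVICE_STOP):
            findings.append(f"{WELL_KNOWN[sid]} ({sid}) can stop the service")
    return findings


def sdshow(service_name=SERVICE_NAME):
    """Read the live service DACL on Windows (not used by the constructed samples)."""
    out = subprocess.run(["sc.exe", "sdshow", service_name],
                         capture_output=True, text=True, check=True).stdout
    return out.strip()


# Constructed sample: stock-looking service DACL with an explicit Deny of SERVICE_STOP
# for Power Users placed first, which is the canonical ACE order.
HARDENED_SDDL = ("D:(D;;WP;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;PU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed sample: Power Users were granted start *and* stop.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for label, sddl in (("hardened", HARDENED_SDDL), ("weak", WEAK_SDDL)):
        print(label, audit(sddl) or ["OK"])
```

On a hardened client, run sc.exe sdshow with the real service name, pass the output to audit(), and compare with the constructed samples. The access-check model relies on canonical ACL order, in which Deny ACEs precede Allow ACEs; it does not expand group membership, so check each group SID you care about explicitly.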

5.4.2.2 Locking Down the DriveLock Agent

To prevent all users from stopping the DriveLock Agent, click Run DriveLock Agent services in non-stoppable mode.

To activate the lockdown, select Enable and then click Apply or OK.

When you enable non-stoppable mode, no user can stop the DriveLock Agent, regardless of any permissions you
may have configured. Also, uninstalling the DriveLock Agent is not possible while the non-stoppable mode is
active.

5.4.2.3 Running DriveLock in Windows Safe Mode

Select the option “Start DriveLock Agent in Safe Mode” to start the DriveLock Agent when the client computer is
running in Safe Mode. When you select this option, users cannot bypass the restrictions in your policy by starting the
computer in Safe Mode.

When DriveLock runs in Safe Mode, you can no longer revert to previous configuration settings by booting into
Safe Mode. This can complicate restoring access to a client computer if a configuration error causes DriveLock to
block devices that are required to use the computer.

5.4.2.4 Password to Uninstall DriveLock

To prevent users from uninstalling the DriveLock Agent when your company policy requires that DriveLock is installed
and active, configure a password that must be provided when uninstalling DriveLock on a client computer.
To set the password, click Password to uninstall DriveLock.

When the password is set to “Not configured”, no password is required to uninstall the Agent.
To uninstall a DriveLock Agent when a password has been configured, run the following command at the Windows
command prompt, replacing <password> with the configured password (enclose it in quotation marks if it contains
spaces):
msiexec /x DriveLockAgent.msi UNINSTPWD=<password>

The uninstall password only applies to the DriveLock Agent. You cannot require a password for uninstalling the
DriveLock Management Console.

Before upgrading to a newer version of DriveLock, set the uninstall password to “Not configured” before updating
the DriveLock Agents in your network. Change the configuration to require a password again when the update has
been completed.

5.4.2.5 Agent Remote Control Settings and Permissions

To configure Agent remote control parameters and permissions, in the right pane of the Management Console, click
Agent remote control settings and permissions. The Agent remote control settings and permissions Properties dialog
box appears. On the General tab you configure all Agent settings for accepting and authenticating remote control
sessions from the DriveLock Management Console.

The default ports used for remote control are TCP port 6064 for unencrypted communications and TCP port 6065 for
encrypted communications. To use different ports, change one or both port numbers. To enable the Agent to accept
encrypted remote control connections, select the “Enable SSL (…)” checkbox. Select the “Enforce SSL (…)” checkbox to
prevent the Agent from accepting unencrypted remote control connections.
By default DriveLock creates and uses a self-signed certificate for SSL communications. A self-signed certificate
encrypts the session but gives the connecting console no independent way to verify the Agent’s identity. To use a
different SSL certificate instead, click “Use certificate from file”, and then click “…” to select a certificate file. If
the certificate’s private key is protected by a password, you must also type and confirm this password.
To enable Agent remote control connections from an older version of the DriveLock Management Console, select the
“Enable legacy remote control (…)” checkbox. The Agent accepts legacy remote control connections on TCP port 6061 by
default; to change this port, type a different port number. Leave legacy remote control disabled unless an older
console still needs it.
To display a user notification message on a client computer when an administrator connects to the DriveLock Agent,
select the “Show user notification messages…” checkbox.
Select the Permissions tab to edit remote control permissions. Remote control permissions determine which users or
groups are allowed to unlock Agent-controlled drives or devices by using the “Agent remote control” feature of
DriveLock.

Click Add and then select the users or groups that should be able to connect to the DriveLock Agent.

By default, the built-in Administrators and Domain Admins groups have the permissions required to use Agent
remote control. When you configure remote control permissions, only the users and groups you add to the list
are authorized to use Agent remote control. To retain the permissions for the Administrators or Domain
Admins groups, you must add them to the list.

5.5 Configuring the Agent User Experience


You can configure the appearance of DriveLock notification messages, whether DriveLock task bar icons and menu
items are available to users and the language used for displaying notifications and menu items.
You can configure these settings easily in DriveLock Basic configuration mode. Some settings are not available in
Basic configuration mode, but you can configure these settings or make more detailed configuration changes using
the advanced settings.

5.5.1 Configuring the Agent User Experience in Basic Configuration mode

In the task view, click Global configuration and then click Configure Agent user experience.

You can configure DriveLock to display an icon in the taskbar notification area and to display notification messages
to users when certain events occur. Global configuration settings control the style of these notification messages.
Select how notification messages are displayed from the following two styles:

· Popup window

· Balloon message

When using popup windows to display messages, you can use HTML tags in the message to format the text. When
using balloon messages, the DriveLock icon is also displayed in the notification area. To display this icon even when
no notification message is displayed, select the “Display notification icon” checkbox.
Click Next to continue.

You can configure DriveLock to let administrators or helpdesk personnel temporarily unlock devices and removable
drives even when the computer is not connected to a network (offline). To initiate offline unlocking, a user starts a
wizard from the Windows Control Panel. Select the “Disable offline unlocking requests from Control Panel” checkbox
to hide the offline unlocking application in the Control Panel and in the context menu of the DriveLock taskbar
icon.
To prevent unauthorized unlocking of drives and devices, require administrators and helpdesk personnel to type a
password before they can generate an unlock code. To set this password, type it twice.

To display contact information or other custom information in the wizard to help users obtain assistance with
unlocking drives or devices, type this text.
Click Next to proceed.

You can customize many of the user notification messages that DriveLock displays. When you configure a custom
message, the DriveLock Agent displays it instead of the built-in message. There are three different types of messages:
1. Drive messages are displayed when DriveLock blocks drives, prevents CD/DVD burning, denies file access or
unlocks access temporarily.
2. Device messages are displayed when DriveLock blocks devices.
3. Application messages are displayed when DriveLock prevents the start of an application.
To use custom drive messages, click “Drives -> Custom messages” and then click Configure.

To use custom messages when a user inserts a drive, select the “Display custom messages” checkbox. Type the text the
DriveLock Agent displays when locking a drive. To refer to the drive letter, use the variable “%DRV%”, which will be
replaced with the actual drive letter when the message is displayed.
Click Test to verify that the custom message appears correctly. DriveLock displays the message as it will appear to
users.
Use the other sections of the General tab to configure custom messages that will be displayed to users when drive
access is restricted to read-only and when Windows requires a computer restart before a newly inserted drive can
be used.
Select the Drive access tab to configure custom messages for file access or locking of CD/DVD burners.
You can use the following variables in custom messages for drives:
• %DRV% is replaced with the drive letter.
• %PATH% is replaced with the file path.
• %NAME% is replaced with the file name.
• %EXT% is replaced with the file extension.
• %REASON% is replaced with the reason why a file was blocked.
Select the Temporary unlock tab to edit the messages that are displayed when an administrator or helpdesk personnel
temporarily unlocks a drive or device. To refer to the duration for which a drive or device has been unlocked, use the
variable “%TIME%”, which is replaced with the actual duration when the message is displayed.
Configure any other custom messages that you will use in your policy. After reviewing the settings, click Finish to
close the wizard.

5.5.2 Configuring the Agent User Experience in Extended Configuration mode


5.5.2.1 Taskbar notification area settings

You can configure DriveLock to display an icon in the taskbar notification area and to display notification messages
to users when certain events occur. Global configuration settings control the style of these notification messages.
To open the Properties dialog box, under Global settings -> User interface settings, click Taskbar notification area
settings.
Select how notification messages are displayed from the following two styles:
· Popup window

· Balloon message

When using popup windows to display messages, you can use HTML tags in the message to format the text. When
using balloon messages, the DriveLock icon is also displayed in the notification area. To display this icon even when
no notification message is displayed, select the “Display notification icon” checkbox.
Use the “Show messages for” slider to configure the duration for which the message is displayed.
Select the “Show balloon messages” checkbox to display messages as balloon messages. To display balloon
messages, you must also select the “Show notification area icon“ checkbox.
To play the DriveLock sound when a DriveLock notification is displayed, select the "Play sound when a message is
displayed" checkbox.
On the Options tab configure which items are displayed when you right-click the DriveLock taskbar icon and the
order in which they appear.
To change the order of a menu item, select the item and then click Up or Down. To remove an element, click Remove.
To add a divider, click Add. To restore the default settings, click Restore.

5.5.2.2 Offline Unlock Control Panel Settings

You can configure DriveLock to let administrators or helpdesk personnel temporarily unlock devices and removable
drives even when the computer is not connected to a network (offline). To initiate offline unlocking, a user starts a
wizard from the Windows Control Panel.
To configure offline unlock settings, under Global settings -> User interface settings, click Offline unlock control panel
settings.

Select the “Disable offline unlocking requests from Control Panel” checkbox to hide the offline unlocking
application in the Control Panel and in the context menu of the DriveLock taskbar icon. To display contact information
or other custom information in the wizard to help users obtain assistance with unlocking drives or devices, type this
text.
To simplify the unlocking process for users and helpdesk personnel, you can select the “Use short (weak) request /
response codes” checkbox.

Using shorter challenge / response codes makes the unlocking process less secure: a shorter code has fewer
possible values and is correspondingly easier to guess.

Click the Security tab to configure whether administrators or helpdesk personnel who create unlock codes are
authenticated using a password or a certificate. If you require a certificate, the certificate and its private key must be
in the local certificate store of the user who generates the unlock code.
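To make the caveat about short request / response codes concrete, here is an added example that is not DriveLock code and does not reproduce DriveLock’s actual request / response algorithm, which this page does not document. It uses a toy scheme (an HMAC-SHA256 over the challenge, keyed with the helpdesk password and truncated to the chosen code length) and measures how many attempts an attacker who sees the challenge but not the password needs to find a response the Agent accepts, depending on the code length. The password and challenge values are constructed.

```python
"""Show why short challenge/response codes weaken offline unlocking.

Added example, not DriveLock's scheme. Toy construction: the response is the
base32 encoding of HMAC-SHA256(helpdesk password, challenge), truncated to the
configured length. Secret and challenge values are constructed."""
import base64
import hashlib
import hmac
import itertools
import secrets

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # 5 bits of entropy per character


def response_code(secret, challenge, length):
    """Helpdesk side: the first `length` base32 characters of HMAC(secret, challenge)."""
    mac = hmac.new(secret.encode(), challenge.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode()[:length]


def verify(secret, challenge, candidate, length):
    """Agent side: recompute the expected code and compare in constant time."""
    return hmac.compare_digest(response_code(secret, challenge, length), candidate)


def guess_space(length):
    """Number of distinct codes of the given length."""
    return len(BASE32) ** length


def brute_force(secret, challenge, length, max_attempts):
    """Attacker who knows the challenge but not the password: submit candidate codes
    until the Agent accepts one.  Returns (code_found_or_None, attempts_used)."""
    attempts = 0
    for chars in itertools.product(BASE32, repeat=length):
        if attempts >= max_attempts:
            break
        attempts += 1
        candidate = "".join(chars)
        if verify(secret, challenge, candidate, length):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    password = "helpdesk-password"           # constructed helpdesk secret
    challenge = secrets.token_hex(4).upper()  # stands in for the code shown in the wizard
    for length in (3, 16):
        code, used = brute_force(password, challenge, length, max_attempts=50_000)
        outcome = f"found after {used}" if code else f"not found within {used}"
        print(f"{length}-character code: {guess_space(length):,} possibilities; {outcome} attempts")
```

A 3-character code has 32768 possible values and falls to exhaustive guessing in well under a second on the Agent side; a 16-character code has 32 to the power of 16 values and the same loop gives up without success. Whatever the real code format, keep the long codes unless the helpdesk process cannot cope with them, and combine them with the password or certificate requirement on the Security tab.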

To use password authentication, select Use password, type the password twice and then click OK.
To use a certificate for authentication you must specify this certificate.
You can import the certificate from a file or use a certificate from the Windows certificate store on the local
computer. To import a certificate from a file, click Import from file and then select the certificate file.
To use a certificate from the certificate store, click Import from store.

Select the certificate and then click OK.

If you use a certificate to authenticate the offline unlocking, you need to provide the certificate’s private key
each time you create an offline unlocking code.

5.5.2.3 User Interface Language on Agents

You can configure the language that the DriveLock Agent uses to display encryption related-menus and other user
interface elements. This option only applies if you have activated DriveLock encryption on the Agent.

If you select ”Not configured“ the Agent uses the default language configured in Windows or the language configured
for the current user.

5.5.3 Creating Security Awareness Campaigns


You can use DriveLock to create security awareness campaigns for employees in your organization. These campaigns
can display educational content about security issues, as well as other content, to users on a regular basis. As a
result, users will be better informed about security and can more effectively participate in protecting your data and
infrastructure.
Campaign information can be displayed either after the operating system is started or after DriveLock is started,
according to an organization’s central DriveLock configuration policy. This policy also includes the frequency and
order at which such information is displayed. Security campaign content may include plain text, graphics, videos
and Web pages.

Here are two examples of graphics that explain security-relevant issues.


When displaying important messages, you can require users to acknowledge that they have viewed the information.
To configure how campaign content is displayed to users, open the DriveLock policy and go to Extended configuration ->
Global settings -> User interface settings. To view the current settings, click Agent and awareness campaign user
interface settings and then click the Awareness view tab.

You can configure the following settings:


· Display new content: When a user opens the DriveLock user interface, it initially shows the Security awareness
page if new content needs to be displayed to users during the period you specify. For example, if you create 10
campaign elements and configure content to be displayed once a week, one campaign element is shown the
first time a user opens the DriveLock user interface in each of the next 10 weeks.

· Automatically show awareness information after a user logs on: Select this option to display campaign content
at logon. This ensures that the user sees the content even without opening the DriveLock user interface.
§ Only launch automatically if new content is to be shown: Content is only displayed at logon if the
user has not viewed the content before.
§ Make window stay on top of all other windows during display: The security awareness window will
cover all other windows until the user closes it. This ensures that users don’t miss important
security awareness information.

· Allow users to page through available content: Allows users to view all available campaign elements in
addition to the one that’s initially displayed.

· Show content for x seconds before allowing acknowledgment or other functions: Ensures that the content is
displayed for the specified period and helps prevent users from dismissing campaign information before they
have read it.

· Show custom texts for acknowledgment of campaign elements: You can require users to acknowledge that they
have viewed important campaign elements and audit this acknowledgment. You can provide a customized text
that will be displayed to signify the user’s acknowledgment. To do this, select the checkbox and provide the
custom text that is displayed next to the checkbox and on the acknowledgment button in the DriveLock user
interface.

5.5.3.1 Creating Campaign Elements

In addition to configuring the settings for a Security Awareness Campaign you need to create campaign elements.
These elements define the content that is displayed to users and how it is displayed.
You create campaign elements in the DriveLock policy under Global configuration -> User interface settings -> Security
awareness campaign.

To create a new campaign element, right-click in the right pane, point to New and then click Campaign element.

You can configure the following settings for each campaign element on the General tab:
· Description: Name of the campaign element.

· Comment: Additional, optional description or notes.

· Priority: Priority of the element relative to other elements. If several elements are available to be displayed,
the one with the highest priority is shown to the user. If multiple elements have the same priority, one of them
is randomly selected.

· Language: If you select a language, the element will only be displayed if the selection matches the user’s
display language. Language neutral elements are available to all users, regardless of which display language
they are using.

· Element is active from: Element can be displayed starting on this date.

· Element is active to: Element can be displayed until this date.

· Independent if element is active, show at least once: The element is displayed to users at least once, even
outside the from/to period you specified.

· User must acknowledge: Require users to acknowledge that they have viewed the campaign element.

If your policy is configured to include a Security Awareness Campaign but you create no campaign elements,
the built-in default campaign graphics are displayed to users.

On the content tab you specify which content is displayed to a user.

RTF files show only the text; embedded elements such as pictures are ignored. Text may include basic HTML formatting
to highlight some passages. For complex content, the best practice is to use a URL.
If you select a file (image, RTF, video) from the file system, you must ensure that the file is available in the same
location on every user’s computer. To distribute files to client computers along with your DriveLock policy, first
copy the file to the current policy’s Policy file storage, and then select the file from there.

5.6 Connecting to the DriveLock Enterprise Service


The DriveLock Enterprise Service (DES) is the DriveLock component that performs all centralized functions. It
performs the following tasks:
· It receives event messages from the DriveLock Agents and adds them to the DriveLock database.

· It stores files in the DriveLock database, such as files that are required for password and disk recovery
functions.

· It receives “Agent alive” messages from Agents and stores them in the DriveLock database. It also
provides the status of Agents to the DriveLock Management Console to enable monitoring of DriveLock
Agents.

· It can store information about licensed computers in the DriveLock database.

· It can store data generated by the DriveLock Device Scanner in the DriveLock database.

· It can automatically download software updates and antivirus updates (optional).


You can install the DriveLock Enterprise Service on one or more servers in your network, but you can use only one
central database. To enable the DriveLock Management Console and the DriveLock Agents to connect to the DES, you
must configure at least one DES connection. You must also configure how data is sent and retrieved as described in
this section.

5.6.1 Configuring Event Transmission Settings in Basic Configuration mode


In Basic configuration mode you can easily configure the basic event transfer settings and a single DES
connection. To configure additional parameters, use the links to the extended settings.

Click Global configuration and scroll down to the Agent event messages section.
To configure basic event transfer settings and one DES connection, click Configure event messaging settings.

The DriveLock Agent can log events to the Windows Application Event Log or to another event log. Select the
event log where DriveLock logs events.

To send all DriveLock Agent events to the DES, select the “Enable event forwarding to DriveLock Enterprise Service …”
checkbox. To send Agent status messages to the DES at regular intervals, select the “Report Agent status to the DES
server” checkbox and select the interval at which status messages are sent. The default interval is every 300
seconds.
To enable auditing of configuration changes, select “Report changes to DriveLock policies and other configurations”.
Click Next to continue.

Type the name of the server where you installed the DES. If you changed the default ports used by the server, specify
the port numbers. By default, the DES uses TCP port 6066 to receive event messages from Agents. The default ports for
connections from the Management Console to retrieve data and display reports are TCP port 6066 for unencrypted
connections and TCP port 6067 for encrypted connections. To enforce the use of encrypted connections to the DES,
select the “Enforce HTTPS” checkbox. DriveLock will automatically create an SSL certificate that will be used to
encrypt communications with the DES.

Before you select the option ”Enforce HTTPS“ you must configure additional settings for the DriveLock
Enterprise Service (DES) to ensure that the DriveLock Agent can communicate with the DES. For more
information about the required configuration, refer to the section Encrypting DES Connections.
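To confirm that the encryption settings from 5.4.2.5 (Enforce SSL for Agent remote control, TCP 6064/6065) and from this section (Enforce HTTPS for the DES, TCP 6066/6067) are actually in effect, the following script is an added example, not DriveLock code. It opens plain TCP connections and TLS handshakes against the documented default ports and reports where an unencrypted listener is still reachable or where no TLS listener answers. Host names are placeholders. The probe does not speak the DriveLock protocol, so an open plaintext port shows only that a listener exists; whether an unencrypted session would actually be accepted must be verified with the Management Console itself.

```python
"""Probe the TCP ports DriveLock uses for Agent remote control and for the
DriveLock Enterprise Service (DES) and report whether an unencrypted listener is
still reachable when SSL/HTTPS is meant to be enforced.

Added example, not DriveLock code. Host names are placeholders; the port numbers
are the documented defaults. The probe only opens a TCP connection or completes a
TLS handshake; it does not speak the DriveLock protocol."""
import socket
import ssl

# Documented defaults: component -> (plaintext port, TLS port)
DRIVELOCK_PORTS = {
    "agent remote control": (6064, 6065),
    "DES": (6066, 6067),
}
LEGACY_REMOTE_CONTROL_PORT = 6061  # only listens when legacy remote control is enabled


def tcp_open(host, port, timeout=2.0):
    """True if a plain TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_handshake(host, port, timeout=2.0):
    """True if a TLS handshake completes.  Certificate verification is disabled on
    purpose: the default Agent and DES certificates are self-signed, and the point
    here is only whether TLS is offered at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def assess(component, plain_open, tls_ok, enforce_encryption, legacy_open=False):
    """Turn probe results for one component into findings (empty list = as expected)."""
    plain_port, tls_port = DRIVELOCK_PORTS[component]
    findings = []
    if enforce_encryption and plain_open:
        findings.append(f"{component}: port {plain_port} is still listening although encryption "
                        "is enforced; confirm with the console that unencrypted sessions are refused")
    if enforce_encryption and not tls_ok:
        findings.append(f"{component}: no TLS handshake on port {tls_port}; clients will not be "
                        "able to connect once encryption is enforced")
    if not enforce_encryption and plain_open:
        findings.append(f"{component}: unencrypted connections on port {plain_port} are accepted")
    if legacy_open:
        findings.append(f"{component}: legacy port {LEGACY_REMOTE_CONTROL_PORT} is open; disable "
                        "legacy remote control unless an older console still needs it")
    return findings


def probe(host, component, enforce_encryption):
    """Probe the documented ports of one component on one host."""
    plain_port, tls_port = DRIVELOCK_PORTS[component]
    legacy_open = (component == "agent remote control"
                   and tcp_open(host, LEGACY_REMOTE_CONTROL_PORT))
    return assess(component, tcp_open(host, plain_port), tls_handshake(host, tls_port),
                  enforce_encryption, legacy_open)


if __name__ == "__main__":
    # Placeholder host names; replace with an Agent and a DES from your environment.
    for host, component in (("client01.example.local", "agent remote control"),
                            ("des01.example.local", "DES")):
        print(host, probe(host, component, enforce_encryption=True) or ["as expected"])
```

Run it from an administrator workstation before and after you select “Enforce SSL” or “Enforce HTTPS”; the expected change is that the TLS port keeps answering while the plaintext port stops. If the TLS port never answers, check the DES or Agent certificate configuration before enforcing encryption, because once enforced, clients without a working TLS path lose their connection.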

If the connection to the DES requires logon credentials, select the “Account used by Agent to authenticate” checkbox
and type the required user name and password.
Click Finish to save the settings.
The taskpad displays the currently configured settings.
To configure more than one DES connection, click configure and then follow the steps described in the section
“Configuring DES connections”.
To configure advanced event transfer settings or event forwarding by using SMTP or SNMP, click DriveLock Agent or
Management Console and follow the steps described in the section “Auditing DriveLock Operations”.

5.6.2 Configuring DriveLock Enterprise Service Connections


Large networks may contain more than one server running the DES, for example to ensure DES availability in branch
offices or to manage DES-related network traffic. To enable DriveLock Agents and the Management Console to connect
to the DES in such an environment, you may need to define more than one DES connection.

To manage connections to DES servers, under Global configuration, click Server connections.

Quick Configuration: If no server connections are defined or an automatic server connection exists, DriveLock
Agents discover a DES server automatically using mDNS/DNS-SD.

To create a server connection, right-click Server connections and then click New -> Server connection.

Type the name of the server where you installed the DES. If you changed the default ports used by the server, specify
the port numbers. By default, the DES uses TCP port 6066 to receive event messages from Agents. The default ports for
connections from the Management Console to retrieve data and display reports are TCP port 6066 for unencrypted
connections and TCP port 6067 for encrypted connections. If clients need to connect to the DES server by using a
proxy server, select the corresponding checkbox and type the name of the proxy server in the format servername:port.

To enforce the use of encrypted connections to the DES, select the “Enforce HTTPS” checkbox. DriveLock will
automatically create an SSL certificate that will be used to encrypt communications with the DES.

Before you select the option ”Enforce HTTPS“ you must configure additional settings for the DriveLock
Enterprise Service (DES) to ensure that the DriveLock Agent can communicate with the DES.

Select one or more of the following checkboxes to specify how the connection will be used:
· Use proxy server to connect to the server – If Agents connect to the DES server via a proxy server, select the
checkbox and type the name and port of the proxy server using the format “servername:port”

· Collects DriveLock Agent events – This connection is used by the DriveLock Agent to send DriveLock Agent events
to the DES, for example when the Agent locks a device or drive.

· Collects Management Console events – This connection is used by the DriveLock Management Console to send
MMC events to the DES, for example configuration change events.

· Collects encryption recovery information – This connection is used by the DriveLock Agent to send important
encryption recovery data to the DES, such as data required to reset encryption passwords.

· Collects hardware and software inventory data – This connection is used by the DriveLock Agent to send
hardware and software inventory data and Device Scanner data to the DES.

· DriveLock Control Center connects to this server – This connection is used by the DriveLock Control Center (DCC)
to connect to the DES, for example to create reports.
In the Comment box, type any text that helps you identify the connection.
Select the Networks tab to configure the network locations where the DES connection will be used.

Select from the following options:


· To use this connection in any network location, select “Used for any network connection”. This is the default.

· To select a previously defined network connection, click “Used in selected network location” and then select an
entry from the list.

You cannot select a specific network location for sending DriveLock Management Console events.

· To use this connection when a computer is located in an Active Directory site, click “Used in Active
Directory site” and then click the “…” button to select an Active Directory site. This is the easiest method to
configure separate connections for different AD sites.

· To use this connection when the computer is not in any defined network location, click “Used in
locations where no dedicated server is defined”.
Click OK to apply all settings and close the dialog box.


5.6.3 Updating Legacy Security Reporting Center Connections


After upgrading from DriveLock 5, your configuration may contain Security Reporting Center connections that you
previously created. Such connections are labeled “legacy DriveLock SRC server” and display a different icon.
When you configure a legacy Security Reporting Center connection, DriveLock displays a warning, reminding you to
update this connection.
If you are still using the legacy Security Reporting Center, you can edit the settings, but the connection cannot be
used to connect to the DES.
To update a legacy connection, right-click the connection and then click Update connection to DriveLock Enterprise
Service.

5.6.4 Configuring a DES Connection for the Device Scanner


If you installed the DriveLock Enterprise Service, you can store Device Scanner results centrally in the DriveLock
database. You can also enforce that all scan results are sent to the DES and cannot be saved locally on an
administrator’s computer.

Under Management console, click Settings, and then in the right pane, click DriveLock Enterprise connection.


Select “Do not allow storing…” to force all users to save their scan results to the DriveLock database, and then select
a server connection from the drop-down menu. The port used for connecting is the port the DriveLock Enterprise
Service uses to accept HTTP connections.

5.6.5 Monitoring Agents by Using the DriveLock Enterprise Service


5.6.5.1 Agent Monitoring Using the DriveLock Management Console

If you use the DriveLock Enterprise Service (DES), you can view the status of DriveLock Agents in the DriveLock
Management Console.


To configure the Management Console to retrieve a list of Agents from the DES, right-click Agent remote control and
then click Properties.


Select the “Retrieve client computer list from DriveLock Enterprise Service” checkbox and then select a server
connection. To connect using a different user account than the one you are currently logged on with, provide the
credentials of that account.
Configure the option “Display as offline when last contact is more than… minutes ago” to define an interval after
which a DriveLock Agent is displayed as “offline” if it has not sent its status to the DES.
When viewing the Agent status in the Management Console, agents that are offline are identified by an icon
containing a red square.
If all DriveLock Agents in your network are running DriveLock 6.0 or newer, select the Disable support for agents older
than DriveLock 6.0 checkbox. This will deactivate the use of all ports that are no longer used in current versions of
DriveLock.
In environments where the DriveLock Management Console is run on a computer that is not in the same network as
the Agent, the DriveLock Enterprise Service can proxy this connection. For example, this can be used by a
Security-as-a-Service provider to connect to an Agent in a customer’s network. Change the setting Use remote control
through DriveLock Enterprise Service (proxy) to configure how the DriveLock Management Console connects to the
client for remote control:
· Always: The connection is always established via the DriveLock Enterprise Service.

· Never: The DriveLock Management Console always connects directly to the Agent without going through the
DriveLock Enterprise Service.

· On-demand: The DriveLock Management Console attempts to connect directly to the Agent. If the connection
attempt fails, a connection via the DriveLock Enterprise Service is attempted.

5.6.5.2 Sending Licensed Computer Information to the DES

You can view additional information about the status of DriveLock Agents by using the DriveLock Control Center.
Status messages that Agents send to the DES contain information about which DriveLock components the computer is
licensed to run. To include in reports additional computers in your network that are licensed to run DriveLock but
do not currently have the DriveLock Agent installed, you must manually add these computers to the DriveLock
database. Once the database contains all licensed computers, you can easily identify computers that are not
protected by DriveLock because no Agent is installed. To add computers to the database, you use the DriveLock
Management Console.

Before continuing, ensure that you have configured a valid DES connection for the DriveLock Management
Console and that you have completed the steps for retrieving a list of clients from the DES that are described in
the section “Agent Monitoring using the DriveLock Management Console”.


In the console tree, under Global configuration, click Settings. In the task pane, click Add licensed computers to DES.
The DriveLock Management Console sends a list of all licensed computers to the DES using the currently active DES
connection.

If you specified that only some of the computers in Active Directory are licensed to run DriveLock, the
Management Console transmits the list of these computers to the DES. Otherwise, it sends a list of all
computers in Active Directory to the DES.

For more information about using the DriveLock Control Center to monitor clients, refer to the DriveLock Control
Center User Guide.

5.7 Configuring the DriveLock Simulation Mode


The DriveLock Simulation Mode allows you to configure and deploy a policy without impacting users. In Simulation
Mode you can monitor all DriveLock operations but the Agent does not block drives, devices or applications. You
typically use Simulation Mode after you have configured the initial DriveLock policy. After you apply this policy to
computers in Simulation Mode you can review events and talk to users to identify instances where policy settings
are not correctly applied. For example, you may find that the policy blocks access to a removable drive that a user
needs to use. If you identify such problems, you can easily correct them before users are impacted. Once you
determine that the policy works as intended, you can deactivate the Simulation Mode and DriveLock will enforce all
policy settings.
When Simulation Mode is enabled, DriveLock functions as follows:
· DriveLock doesn’t block removable drives, devices, applications and network connections.

· File filtering is disabled.


· Events are generated normally and are sent to the Windows event log and to external systems
according to the policy settings.

· User notification messages are displayed as configured in the policy.

· Enforced encryption is enabled; unencrypted drives are encrypted as configured in the policy.

· All other functions work normally.

To configure DriveLock Simulation Mode, click Settings, scroll down and then click Simulation mode (…).


By default, DriveLock Simulation Mode is disabled.


Select Enable to activate DriveLock Simulation Mode.
Click OK to apply the changes.

5.8 Using the DriveLock Policy File Storage


The DriveLock Policy File Storage is a protected storage area that is stored with a DriveLock configuration and
distributed to Agents. The purpose of this storage is to store files that are needed to run programs that may be
configured in various DriveLock rules, such as scripts and dictionary files. Using the Policy File Storage makes it
easy to deploy scripts or programs that are used by the DriveLock Agent to client computers. After you import files
into the storage they will be automatically delivered to the Agent together with the corresponding configuration
settings. You can use the Policy File Storage in policies that are distributed using a configuration file or Group
Policy.

Importing large files into the Policy File Storage can increase network traffic and logon times as the client
computer retrieves these files when Group Policy settings are applied to a client computer and the Policy File
Storage has not been loaded previously or has changed.


Click File storage to see the list of all the files included in your Policy File Storage.


Right-click File storage and then click New -> File to import a file into the Policy file storage. Navigate to the
directory containing the file to import and then select the file.

To view or modify a file in the file storage, right-click the file and then click one of the following:
· Extract file – Save a copy of the selected file to a destination you specify.

· Delete – Delete the selected file from the file storage.

· Properties – Display the properties of the selected file and where this file is used in your policy, for example in
a whitelist command or when a network location is detected.


Click Extract file to extract the selected file.


Right-click File storage and click Display system files to view information about system files that DriveLock stores
with the policy, such as encryption certificates.

System files cannot be deleted or extracted from the Policy File Storage.
Right-click File storage and click Properties to view information about the Policy file storage.
Click Reset storage to delete the current storage and create a new Policy File Storage.


Resetting the current file storage deletes all files in the storage, including any system files. Ensure that you have
a copy of these files before resetting the file storage. This is especially important if you use DriveLock Disk
Protection because the Policy File Storage contains files that are required for disaster recovery operations.

5.9 Using Multilingual Notification Messages


You can define separate text messages for different languages to be used in user notification messages.

To configure languages and multilingual messages, click Multilingual notification messages.


Before you can define text for messages to be used in whitelist rules you must configure which languages are
available.


5.9.1 Defining Languages and Standard Message Texts

Right-click Languages / Standard messages and then click New -> Language.


Select a language from the list and type an optional description.

The list contains all currently available Windows languages.

On the Drive control tab, type the standard messages to be used when DriveLock locks drives.
The variable %DRV% will be replaced by the drive letter when the message is displayed.
Click Test to verify that your message appears correctly. DriveLock displays the message as it will appear to users.

On the Drive access tab, specify file filtering and CD/DVD burning message texts.
The variables will be replaced when the message is displayed as follows:
· %DRV% will be replaced by the drive letter.

· %PATH% will be replaced by the file path.

· %NAME% will be replaced by the file name (without extension).

· %EXT% will be replaced by the file extension.

· %REASON% will be replaced by an indication of why a file has been blocked (for example, “wrong content”).


Click Test to verify that your message appears correctly. DriveLock displays the message as it will appear to users.
On the Devices tab, specify device messages.
The variable %DEV% will be replaced by the device name when the message is displayed.
On the Applications tab, specify application control messages.
The variable %EXE% will be replaced by the file name and path of the program when the message is displayed.
On the Temporary unlock tab, configure messages that DriveLock displays when drives or devices are unlocked by an
administrator.
The variable %TIME% will be replaced by the duration for which drives or devices are unlocked. You can configure
separate messages to be displayed depending on whether the duration is specified in minutes or an expiration time
applies.
Enter the information that will be displayed on the first page of the offline unlock wizard.
On the AV Actions tab, configure antivirus notification messages.
You can use the following variables in the messages you define. When a message is displayed, the variable is
replaced with the actual value or name of the referenced element:

Variable   Description
%PATH%     File name of the virus (including the path)
%DRV%      Drive letter
%NAME%     File name without extension
%EXT%      File extension
%TYPE%     Malware type, such as "Virus" or "Trojan"
%ACC%      Detection accuracy, such as "Heuristics"
%VIRUS%    Name of the virus
%ARC%      Name of the archive if the infected file is contained in an archive

On the Usage policy tab, configure usage policy settings.


You can configure DriveLock to allow access to one or more removable drives only after a user clicks the Accept
button in a popup message explaining the drive usage policy, such as the following example:


The following settings determine the information displayed in this message:


· Caption text: Text displayed in the header (for example, “Company Drive Usage Policy”)

· Usage policy text: Text displayed in the message window (for example, “All access to external…”)

· Accept button text: Text used for the accept button

· Decline button text: Text used for the decline button


Optionally you can load the usage policy text from a file (either *.txt or *.rtf). You can select a file from the following
locations:
· The local file system on the computer where the Agent applies the policy settings

· The DriveLock Policy File Storage. Files in the Policy File Storage are prefixed with an asterisk (*).

The DriveLock Policy File Storage is a protected storage area that is stored with a DriveLock configuration and
distributed to Agents. For details on how to import files into the Policy File Storage and how to use these files,
refer to the section “Using the DriveLock Policy File Storage”.

To display a video file instead of text, select the “Play video” checkbox and specify a Windows video file (*.avi) that
will be displayed in the usage policy message box. You can specify a file in the local file system on the computer
where the Agent applies the policy settings or in the DriveLock Policy File Storage.
On the Other tab, configure messages that DriveLock displays when an administrator establishes a remote
connection to an Agent.
The variable %USER% will be replaced by the name of the user who initiated the connection when the message is
displayed.
Click OK to apply the changes you made and to close the dialog box.


The right pane displays a list of all languages you defined.

5.9.2 Defining Custom Message Texts for Multiple Languages


In addition to standard messages you can define multilingual messages to be used in specific whitelist rules. Before
you can define custom messages you must configure the available languages, as described in the previous chapter.


Right-click Custom messages (Whitelist rules) and then click New -> Custom message.

Type a message description. This description will be displayed in a list in the whitelist rule from which you can
select the appropriate message for the rule.
All languages you defined are displayed. To enter the message text for a language, click the language and then click
Edit.


Click Test to verify that your message appears correctly. DriveLock displays the message as it will appear to users.

Repeat the procedure to define message texts for each language.


Click OK to apply the changes you made and to close the dialog box.


The right pane displays a list of all custom messages you defined.
To use a multilingual message in a whitelist rule, select the message when you configure the rule.


5.10 Configuring Additional Settings


To configure additional settings, go to Global configuration -> Settings and then scroll to the bottom of the taskpad.

5.10.1 Configure the Internet Connection Firewall to Allow Remote Control


To allow remote control of the DriveLock Agents on computers using the Windows Firewall that is included with
Windows XP with Service Pack 2 or later, you must configure the firewall to allow these connections. Remote control
requires that incoming connections on TCP Ports 6064/6065 (default) and the program “DriveLock” are allowed in
the exceptions list of the Windows Firewall. DriveLock can create these two rules for you.
Click Configure Internet Connection Firewall to allow remote control:


Select Enable and then click OK to have DriveLock create the necessary rules for you.

Rules that were previously created by DriveLock are not removed if you later change the selection to “Disable”
or “Not configured”.
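The following PowerShell script is an added example, not DriveLock's own code: it audits the Windows Firewall for inbound TCP allow rules covering the remote control ports named above (6064/6065 by default) and, with -Create, adds a rule scoped to the Agent program and the Domain profile. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and so does not cover the Windows XP firewall; the Agent program path is a placeholder you must replace.

```powershell
# Added example, not DriveLock's own code: audit the Windows Firewall for the
# inbound rules that DriveLock remote control needs (TCP 6064/6065 by default)
# and create a missing rule on request. Requires the NetSecurity module
# (Windows 8 / Server 2012 and later) and an elevated PowerShell session.
param(
    [int[]]$Ports = @(6064, 6065),
    # Placeholder only: replace with the real path of the DriveLock Agent program.
    [string]$AgentProgram = 'C:\PLACEHOLDER\DriveLock.exe',
    [switch]$Create
)

function Get-RemoteControlAllowRules {
    # Returns the enabled inbound TCP allow rules that cover any of $Ports.
    # Port ranges such as "6000-7000" are not expanded; only exact ports or 'Any' match.
    param([int[]]$Ports)
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -ne 'TCP') { continue }
        # LocalPort is 'Any', a single string, or an array of port strings.
        $covered = foreach ($p in $Ports) {
            if ($filter.LocalPort -eq 'Any' -or $filter.LocalPort -contains "$p") { $p }
        }
        if ($covered) {
            [pscustomobject]@{
                Name    = $rule.DisplayName
                Ports   = $covered -join ','
                Profile = $rule.Profile
                Program = ($rule | Get-NetFirewallApplicationFilter).Program
            }
        }
    }
}

# Which of the required ports has no allow rule at all?
$missing = foreach ($p in $Ports) {
    if (-not (Get-RemoteControlAllowRules -Ports $p)) { $p }
}

if (-not $missing) {
    # Show which rules (and which programs) currently allow the ports, so an
    # overly broad rule is visible during review.
    Get-RemoteControlAllowRules -Ports $Ports | Format-Table -AutoSize
    return
}

Write-Warning ("No inbound allow rule for TCP port(s): " + ($missing -join ', '))
if ($Create) {
    # Scope the rule to the Agent program and the Domain profile so the ports are
    # not opened for arbitrary programs or on untrusted networks (an assumption
    # about your environment; adjust -Profile if Agents roam).
    New-NetFirewallRule -DisplayName 'DriveLock remote control (added example)' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $missing `
        -Program $AgentProgram -Profile Domain | Out-Null
    Write-Host "Created inbound rule for TCP port(s) $($missing -join ', ')."
}
```

Running the script without -Create is safe for a periodic compliance check; it only reports.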

5.10.2 Advanced DriveLock Agent Settings


Use these options to optimize DriveLock Agent operations on client computers.
To open the Properties dialog box, click Advanced DriveLock agent settings.


To prevent a user from logging on and using Windows Explorer before the DriveLock service has been started,
DriveLock has an integrated service dependency. As a result, after the DriveLock Agent has been installed the logon
screen may not appear as quickly as usual. This mainly occurs on fast computers. The setting “On start-up, allow
local logon before DriveLock has completely started” lets users log on to a computer sooner after starting the
computer, but DriveLock rules may not be enforced immediately after the user logs on. For example, users may be
able to access removable media even though your policy doesn’t allow this access.

When Windows XP starts it displays the logon screen before the boot process is finished. Some services may
still start in the background while the user is logging on. By default, DriveLock delays the display of the logon
screen until the Agent has started and can enforce policy settings.

Click the Intervals tab to configure the intervals of certain recurring Agent tasks.


Select “Enable periodic reloading of configuration file” to force a DriveLock Agent to periodically reload the
configuration settings from a configuration file or centrally stored policy, and configure the reloading interval.
Changes to these types of policies are only applied when the configuration file is reloaded. By default the Agent
reloads the policy settings only when the DriveLock service is started.
Select “Enable periodic check for policy and configuration changes” to have DriveLock check for local configuration
changes in addition to Group Policy changes. Usually, DriveLock automatically detects changes to a local
configuration or a Group Policy Object in real time. If this real-time check does not work correctly in your
environment, select this option and then configure the interval.
Configure the setting “Timeout when waiting for Windows Terminal Services …” to delay detection of the currently
logged-on user until all logon scripts have completed in a Terminal Services environment. Increase this interval if
you use logon scripts that take more than 15 seconds to complete.
Use the slider “Periodic check for user login changes” to configure how often DriveLock checks whether the currently
logged-on user has changed. This setting applies to computers running Windows 2000 only.

Part VI
Auditing DriveLock Operations

6 Auditing DriveLock Operations


Before you can audit DriveLock operations you must enable the transfer of DriveLock events. Events can be saved to a
Windows Event Log, sent by SNMP or e-mail (SMTP) or copied to the central DriveLock database.
There are two event sources that you can configure together:
· DriveLock Agent events (source: “DriveLock”).

· DriveLock Management Console events (source: “DriveLockMMC”)

The recommended tool for analyzing DriveLock events is the DriveLock Control Center with its flexible, powerful and
easy-to-use sorting, filtering and grouping capabilities. You can also monitor DriveLock events by using an event log
consolidation tool, such as NetIQ Security Manager or Microsoft Operations Manager.
When storing event data in the central database, the events can be anonymized. This allows for compliance with
legal requirements for keeping user-related data private. When you activate this feature, user and computer names
that are part of the event data are encrypted and cannot be viewed or printed by regular administrators. Decrypting
and viewing this data can only be done with the authorization of multiple individuals. For example, you could
require a representative each from your legal department and your personnel department to perform the decryption.

6.1 Configuring Event Message Transfers


You can configure which DriveLock event messages to log and where to store them. If you configure a remote
destination and the computer is not connected to the network, all messages are temporarily stored on the local
computer.
In the DriveLock Management Console, in the console tree, click Global configuration and then click Settings.

To configure the event-message settings, click Event message transfer settings.


6.1.1 Configuring event transfer destinations


To configure which events to send to which destinations, click the Events tab.

Select the types of events to log. You can select multiple destinations for the same event type.
To select or deselect all fields in a column, right-click any checkbox and then click Activate all or Deactivate all.


Click Activate all to select all items in a category.


To select multiple entries in a single step, press CTRL as you highlight several rows, right-click a checkbox and then
click Activate selected.
To configure the settings for an event message, click Event properties.


When defining the settings for an event you can suppress duplicate event messages so you only need to review one
event entry for identical events that occurred within a specific time period.
DriveLock can take a picture using the default webcam, if available, with any event. Configure event 554 (Camera
picture taken) to destination DriveLock Enterprise Service for reporting purposes.

Carefully think about which events should take a picture, as taking many pictures may consume significant
resources.

Anytime an event occurs, the DriveLock Agent can run a program or script. To activate this feature, select the “Run
program when event is recorded” checkbox and then type the command to be run. A command can be anything that
you can run from a command line, including program files (.exe), Visual Basic scripts (.vbs) and scripts for the new
Windows PowerShell.

To start a VB script, you must type the complete path to the script file in the format “cscript C:\Program
Files\scripts\myscript.vbs”.

Click the “…”button to select a file name and to insert it at the cursor position. You can select a file name from the
following two locations:
· The file system on the local computer

· The DriveLock Policy file storage.

The DriveLock Policy File storage is a file container that is stored as part of a Local Policy, Group Policy Object
or a DriveLock configuration file. The Policy file storage can contain any file, such as a script that must be
deployed to DriveLock Agents automatically along with the configuration settings.

Files in the Policy file storage are prefixed with an asterisk (*).


Select the “Run as the currently logged-on user” checkbox to have the Agent run the command by using the account of
the user who is logged on when the command is run. Otherwise, the DriveLock Agent will run the command using the
DriveLock service credentials, which is normally the local System account.

6.1.2 Configure the event log destination


On the Event log tab you configure which event log DriveLock uses to store the events.

These settings control whether the Agent sends events to the Windows Application Event Log or to another event log.
If you don’t use the Application log, specify the size and the behavior when the log file fills up.


6.1.3 Configure SMTP server settings


Select the SMTP tab to configure SMTP settings for sending event messages using e-mail.

Select “Enable SMTP event messages” to enable messages to be sent using e-mail. Provide information about your
mail server, sender, recipient, etc. For successful delivery you also need to ensure that your e-mail server will accept
messages with the settings you specify. If your mail server requires authentication you must also supply
authentication data.
To configure the content of e-mail notification messages, click Message text and complete the information in the
dialog box. Click the “>” buttons to insert placeholders into the subject line or body of the message. You can also
select the option to send the message as HTML mail instead of plaintext.


Click OK to accept the format of the message.


Click Test to send a test e-mail to the recipients you specified. After a short time a notification will appear, informing
you whether all settings were specified correctly to send e-mail messages.

6.1.4 Configure SNMP server settings


Select the SNMP tab to configure SNMP message transfer settings.


Select “Enable SNMP Trap messages” to activate event log message transfer using SNMP, and then type the
destination information.

6.1.5 Configuring Enterprise Service connection settings


Click the DES tab to configure message transfers to the DriveLock Enterprise Service.

Select the “Enable event forwarding to DriveLock Enterprise Service” checkbox to activate message transfers to the
DriveLock database.
Select the “Report Agent status to DES server” checkbox and select the time interval for sending status messages. By
default, the DriveLock Agent sends status messages to the DES server every 300 seconds.
In environments with multiple DriveLock Enterprise Service installations and tenants you can select a tenant name
from a list of existing tenants. When you select a tenant, the tenant name is used for event transfers and all events
generated by Agents are associated with the selected tenant. This allows for the separation of data from multiple
tenants.

6.1.6 Anonymizing Event Data


In some jurisdictions, such as Germany, the use and storage of personally identifiable data is tightly regulated.
Regulations and legal requirements may also apply to such data when it could be used for surveillance of user
activities.
To enable organizations to comply with privacy laws, DriveLock includes functionality that can prevent an
administrator or company management from using event data to track the activities of specific users. The DriveLock
Agent can anonymize user and computer names in event data, for example data it sends to the DriveLock Enterprise
Service. This is done by encrypting these fields in events. You configure these settings on the Data anonymization
tab.


By default, the data for each DriveLock event contains the name of the computer and the name of the user. This data
is transmitted over the network if you send event data to the DriveLock Enterprise Service. You can change this by
configuring the following settings for user account data, computer account data or both:
· Encrypt information: User name and/or computer name are encrypted using one or more public keys before
data is transmitted. If needed, the data can be decrypted using the DriveLock Control Center. This setting
enables specific events to be tied to a user or group when the need for this arises at a later point.

· Do not store any information: User name and/or computer name are not transmitted. This setting completely
prevents specific events from being tied to a user or group.

Only event data that is transmitted to the DriveLock Enterprise Service can be decrypted later. Encrypted fields
in events that were transferred using SMTP or SNMP cannot be decrypted later.

If you activate encryption for one or both fields you also need to specify at least one certificate. The keys that are
associated with these certificates will be used to encrypt and decrypt user and computer fields in events.
Click Add and then select to add an existing certificate or click Create new to generate a new certificate. If you select
to create a new certificate, the Event encryption certificate creation wizard starts.

Click Next.


Select a folder to which the certificate will be saved or select to store the certificate and associated private key on a
smartcard. Certificate files are always stored using the same file name, “DLEventEncrypt”. If you want to store two
certificates in the same folder you need to rename one of them before creating the second one. If you try to save a
certificate in the same folder where another identically named certificate already exists, the wizard warns you and
requires you to select a different location for the certificate files.
Click Next.
If you selected a smartcard for storing the certificate you will be prompted to insert the card and save the certificate
to it.

For technical reasons the smartcard or token you use needs to allow exporting the private key of a certificate.
Without this functionality it will not be possible to decrypt data at a later time. If you are not certain whether
your smartcard supports private key exporting, conduct a test before encrypting production data.

Store the certificate files in a secure location to ensure that they will be available when you need to decrypt
event data in the future. If one of the certificates is lost, decryption is no longer possible!

Type a password that will be used to prevent unauthorized access to the certificate’s private key. Confirm the
password and then click Next.

To ensure that you will not forget the password in the future, consider storing it in a secure location, such as a
safe.

When the certificate files have been created the wizard displays a confirmation.
If you store the certificate and its keys on a smartcard, you are prompted for the smartcard’s PIN.
Click Finish.

After you create the certificate, it appears in the certificate list. You can create additional certificates. When you
configure multiple certificates, all of them are used to encrypt event data, and all of them are also required to
decrypt it. This lets you implement policies that require multiple individuals to perform the decryption.
For example, you could require someone from both the personnel department and the legal department to perform
the decryption. To do this, you would need to configure two sets of certificate files and hand one to each
department’s representative.
To view additional information about a certificate, select the certificate and then click Properties.
When you create a certificate it is also stored in the certificate store of your Windows user account.

Because all certificates and associated private keys are also stored in the Windows certificate store of the user
who created them, you may need to delete one or more certificates from this store to implement a policy that
requires multiple individuals to jointly perform the decryption.

The selected fields will be encrypted as soon as you accept the settings and DriveLock Agents receive the updated
policy.
For information about decrypting event data, refer to the DriveLock Control Center Manual.

6.1.7 Optional settings


Click the Options tab to define how DriveLock processes DriveLock Enterprise Service messages when the client is
offline. Event messages can be temporarily stored locally if the DriveLock agent is unable to deliver them to the
configured destination.

Select “Queue events when offline” to enable temporary storage of messages. DriveLock Agents always use an
internal memory-based queue to temporarily hold events when they are generated faster than they can be processed.
In addition, you can configure the Agent to store events in a disk-based queue when the Agent is offline and cannot
contact the DriveLock Enterprise Service. Events are automatically deleted from both queues once they have been
processed. You can configure the maximum number of messages these queues will hold. If either queue exceeds the
limit you configured, additional events are no longer forwarded to the DriveLock Enterprise Service and only written
to the local event log.
Normally each Agent transmits event data in real time to the locations you configured. In system environments where
available network bandwidth is limited, the DriveLock Agent can collect events and send multiple events together in
batches. To activate this setting, select the Send events in batches checkbox and then configure a packet size and
interval for your network environment.

Computer name
If you want a name other than the Windows computer name to be used in events and in the help desk, change it on
the Computer name tab. If you change the name, existing entries still show the former name.

Part VII
Locking Drives and Devices

7 Locking Drives and Devices


As the product name implies, the core function of DriveLock is to lock drives and devices. This section describes how
to configure all settings related to this function. Even though there are many different types of devices, DriveLock is
easy to configure and once you get used to the basics, you will be able to easily configure how to control the use of
any type of device.

7.1 Locking Drives


This manual uses a local policy to illustrate the steps required to lock all USB-connected drives, to enable the use of
selected flash drives and to introduce the functionality of file filters and shadowing. Most steps also apply to other
types of drives. Any such differences will be pointed out along the way.

Configuring Agents by using a Group Policy or a configuration file uses the same settings as those used in a
local policy. There are no differences between these methods, except in how you deploy the settings to the
Agents.

It is important to understand how DriveLock uses whitelist rules. After activating locking for a drive type, any drive
of this type is blocked (the “drive firewall” is up and running and nothing is allowed to pass through). To define any
exception to the blocking of drives you need to create whitelist rules. You must define a whitelist rule for each drive
(or groups of similar drives) that you need to use on a computer. If a drive is not recognized by the DriveLock Agent
as being listed in a whitelist rule, DriveLock blocks the drive and it can’t be used. This ensures that any new drives
that are introduced into your network by users are automatically blocked until you explicitly allow their use.
Based on this basic principle, to complete a DriveLock configuration you should first create any required whitelist
rules and then enable the locking of drives and devices.

Drives, such as USB-connected drives, are locked by default. If you install a DriveLock Agent on a computer with
no DriveLock policy configured, this default setting applies.

Whitelist rules define which drives are accessible even while other drives of the same type can remain locked. To
allow for maximum granularity without unnecessary administrative overhead, you can define drive whitelist rules
for different scopes of drives (rules are evaluated starting with rules that have a broad scope, continuing towards
more detailed rules):
· Drive Class (for example, all floppy disks)

· Size of the drive (for example, all drives larger than 128 MB)

· Vendor (for example, SanDisk)

· Product ID (for example, Ultra II 1 GB Compact Flash)

· Unique drive serial number

In addition to the scope you can specify conditions for when and where a whitelist rule applies:
· Does it apply to all computers or only to certain computers?

· In which defined network location is the rule activated?

· At what time is the rule active? (For example, only on Monday to Friday and between 9 A.M. and 6 P.M.)

· Does the rule apply to all users, or are only certain users allowed to use this drive?

· Must a user confirm a usage policy before getting access?

· Has a drive been encrypted by DriveLock?

· Is the Antivirus service running?

· Which user is currently logged on?

· Does the drive contain malicious software?

By using scopes and conditions, you can minimize the number of rules needed to implement your policy.
To enable policy enforcement for most types of drives you also need to enable locking for the drive class (i.e. you
have to activate the “drive firewall”). This is covered in chapter “Enabling Drive Locking”.

During an evaluation of DriveLock you may enable drive locking first and afterwards define some whitelist rules
to enable specific drives. In a production environment it is recommended to create all required whitelist rules
before activating drive locking.

DriveLock settings may conflict with three Windows Group Policy settings. The symptom of this incompatibility is
that users can access USB-connected drives that are blocked by a DriveLock policy. The following three settings are
located under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options:
· Devices: Allowed to format and eject removable media. Conflicting settings: Administrators and Power Users,
Administrators and Interactive Users.

· Devices: Restrict CD-ROM access to locally logged-on user. Conflicting setting: Enabled.

· Devices: Restrict floppy access to locally logged-on user. Conflicting setting: Enabled.

DriveLock checks these Group Policy settings and creates an entry in the Windows Application Log if any of them are
present.
DriveLock recommends that you don’t change these Group Policy settings from their defaults to ensure that drive
control policies work as expected.

7.1.1 Configuring Drive Locking In Basic Configuration Mode


DriveLock Basic configuration mode lets you easily configure basic drive locking settings.

Click Drives to switch to the drive locking task view. It has two sections:
1. Removable drive locking: used to configure the base policies for certain drive classes.
2. Whitelist rules: used to configure whitelist rules that define exceptions from the base rule for specific
devices.
Click Advanced configuration at any time to configure additional and more advanced drive locking settings. (Refer to
the chapter “Configuring Advanced Drive Locking Settings” for more details.)

7.1.1.1 Enabling Drive Locking

DriveLock can detect all types of drives which Windows recognizes as removable drives or fixed disks. This includes
the following types (classes):
· Floppy disk drives

· CD-ROM/DVD drives

· USB bus-connected drives

· FireWire (1394) bus-connected drives

· SD bus-connected drives (for example, built-in SD card readers)

· Fixed disks (for example, eSATA bus-connected drives)

· WebDAV-based drives

· Network drives and shared folders

Boot partitions and partitions containing the Windows page file are never blocked.

If a removable drive is connected by using another interface, DriveLock treats it as the type “Other removable drive“.
DriveLock can also lock CD/DVD drives that have CD/DVD burning capabilities.

To change settings for a drive type (for example, USB bus-connected drives), click the appropriate link. You can also
use the slider in the task view to highlight one of the drive icons and then double click the highlighted icon.
A popup window appears, displaying the current configuration setting. Click Change.

Select one of the following options:


· Allow: Any authenticated user can access this drive.

· Deny (lock) for all users: Nobody can access this drive; it is completely locked.

· Deny (lock), but allow access for defined users and groups: The drive is locked, but the specified users or groups
are allowed to use the drive either in read only mode or with write permissions.
Select the Options tab.

To filter access to files based on the file type and to audit file access you must enable file filtering and/or auditing
and then specify a template that defines the filtering and auditing settings.
Select “Filter files read from …” to enable file filtering. Select the “Audit and shadow files…” checkbox to enable
auditing and shadowing. Select one of the built-in file filter templates that are available in Basic configuration mode
to define how these functions are performed.
Select the checkbox “Require drive to be encrypted” to control whether removable drives must be encrypted.
If you select this option, DriveLock lets users only access encrypted removable drives; unencrypted drives are locked.
You can also select whether a user will be prompted to encrypt an unencrypted removable drive when the user
connects it to the computer.

If the option “Automatically encrypt unencrypted media” is selected and a user connects an unencrypted
removable drive that already contains files, you can configure whether existing files will be retained or deleted
under the settings for enforced encryption.

To have the user accept a usage policy before granting access, activate the “User must accept usage policy before
rule will be applied” checkbox.
Select the “Display custom message in user notification” checkbox to display a custom notification message when a
user connects a drive and DriveLock blocks access to the drive.

In the text edit box, type the message. DriveLock will display this message regardless of the client computer’s
language setting.
Click OK to save the configuration.

A popup window appears, displaying the new settings. Click to close the window.

The colors of the drive type icons indicate the security level of your current configuration:
· Green icon: this drive type is locked for all users (high security level).

· Yellow icon: this drive type is locked for some users and unlocked for others (medium security level).

· Red icon: this drive type is unlocked for all users (low security level).

7.1.1.2 Configuring Basic Whitelist Rules

Click Add whitelist rule to add a new whitelist rule.

Each drive contains identifying information in its firmware, such as the manufacturer, product name and serial
number:
· Vendor ID: Name or abbreviation of the drive manufacturer.

· Product ID: Model name, as defined by the manufacturer.

If you don’t know the identifying information of a drive, you can select the drive by clicking the “…“ button next to
Vendor ID. You can use wildcards, like “?” (one character) or “*” (any number of characters) as part of the Product ID
or Vendor ID.
DriveLock will display a dialog box that you can use to select a drive that is currently attached to the administration
workstation, to a client computer, or that is listed in the Device Scanner database. DriveLock automatically adds the
serial numbers of drives you add using this method to the dialog box.

To add a locally attached drive, select this drive and then click OK.
If you need information about other drives, you can connect to a remote client computer and select a drive that is
connected to it. Select “On agent” and then type the name of the computer to connect to. This requires that the
DriveLock Agent is installed and running on the remote computer.

DriveLock reads the hardware information for the drive from Windows. Therefore DriveLock can only display
the drives in the format in which they appear to Windows.

To establish a connection to a remote computer running Windows XP SP2 or higher with the Windows Firewall
enabled, you must configure the firewall settings to allow incoming connections from TCP Ports 6064 and 6065 and
the program “DriveLock”.

When connecting to your local computer, removable drives that are blocked are not displayed. To view any
blocked drives on your computer, select “On agent” and then type the name of your computer.

A convenient method to get drive information is to use the results from a Device Scanner scan that has been
completed in advance. To do this, on the Device scanner database tab, select the appropriate computer, vendor and
product ID.

To configure user access, on the “Permissions” tab define how users can access the drive.

Select one of the following options:

· Allow: Every authenticated user can access this drive.

· Deny (lock) for all users: Nobody can access this drive; it is completely locked.

· Deny (lock), but allow access for defined users and groups: The drive is locked, but the specified users or groups
are allowed to use the drive either in read only mode or with write permissions.
Click Add to add a user or group to the list, and then specify whether the user or group can copy files to the drive or
only read data from it. To remove a user or group from the list, select the user or group and then click Remove.

Select the checkbox “Require drive to be encrypted” to control whether removable drives must be encrypted.
If you select this option, DriveLock lets users only access encrypted removable drives; unencrypted drives are locked.
You can also select whether a user will be prompted to encrypt an unencrypted removable drive when the user
connects it to the computer.

If the option “Automatically encrypt unencrypted media” is selected and a user connects an unencrypted
removable drive that already contains files, you can configure whether existing files will be retained or deleted
under the settings for enforced encryption.

The option “Require drive to be encrypted” is not available for CD drives.


To have the user accept a usage policy before granting access, activate the “User must accept usage policy before
rule will be applied” checkbox.
Select the “Display custom message in user notification” checkbox to display a custom notification message when a
user connects a drive matching the whitelist rule and the drive is locked.
In the text edit box, type the message. DriveLock will display this message regardless of the client computer’s
language setting.
Click OK to save the configuration.

The task view can display up to 50 whitelist rules and some details of these rules. Click to edit an existing whitelist
rule. Click to delete a rule.

7.1.2 Configuring Advanced Drive Locking Settings


In addition to the settings available in Basic Configuration mode, you can configure more detailed settings using the
Advanced Configuration mode.

7.1.2.1 General Drive Locking Settings

Several general settings apply to drive locking.

To configure these settings, under Drives, click Settings.

7.1.2.1.1 Global Security Settings for Controlling Drives

To enable access to locked drives for members of the Administrator group, regardless of whether a drive is locked
due to a general configuration or a whitelist rule, click Always allow access to administrators.

Select “Enable” to enable this function.


To specify which users can format or eject removable media, click Format and eject removable media.

Click Add to add users or groups to the list. To remove a user or group from the list, click the user or group, and then
click Remove.

7.1.2.1.2 Configuring End User Messages

7.1.2.1.2.1 Configuring User Notification Messages for Locking Drives

If you enabled user notification, DriveLock displays a notification message when a drive is connected to the
computer and locked. To define the content of such messages, click Custom user notification messages.

If you have configured multilingual messages for the current language, DriveLock will display the standard
messages defined for this language instead of the message configured in this dialog box.

Select the “Display custom messages” checkbox to enable the messages specified on this dialog box. The drive locking
message is displayed each time a drive is locked by the Agent.
The messages configured on the Drive access tab are displayed each time access to a file or CD/DVD burning is
blocked.

The other two messages configured on the Temporary unlock tab are displayed when an Agent is temporarily
unlocked.
Type the message to be displayed to the user. Click the Test button to preview the notification message on your
computer.
When the message is displayed, the Agent replaces the variables as follows:

· %DRV will be replaced by the drive letter when the message is displayed.

· %PATH% will be replaced by the file path.

· %NAME% will be replaced by the file name (without extension).

· %EXT% will be replaced by the file extension.

· %REASON% will be replaced by an indication why a file has been blocked (for example, “wrong content”).

· %TIME% will be replaced by the current time or the number of minutes, depending on how an administrator
selected the unlocking duration.

Click the Test button to preview the notification message on your computer.

You can use some HTML tags (for example “<b>Text</b>”) to format your message.

7.1.2.1.2.2 Configuring Custom Usage Policy Texts and Options

You can configure DriveLock to allow access to one or more removable drives only after a user clicks the Accept
button in a popup message explaining the drive usage policy, such as the following example:

The following settings determine the information displayed in this message:


· Caption text: Text displayed in the header (for example, “Company Drive Usage Policy”)

· Usage policy text: Text displayed in the message window (for example, “All access to external…”)

· Accept button text: Text used for the accept button

· Decline button text: Text used for the decline button

Optionally you can load the usage policy text from a file (either *.txt or *.rtf). You can select a file from the following
locations:
· The local file system on the computer where the Agent applies the policy settings

· The DriveLock Policy File Storage

The DriveLock Policy File Storage is a protected storage area that is stored with a DriveLock configuration and
distributed to Agents. If you select a local file you must ensure that the file is located on all client computers in
the location you specify.

Files in the Policy File Storage are prefixed with an asterisk (*).
Select the Show on each Agent per user x times checkbox and select a number to ensure that the message is
displayed for each user only the number of times you select.
To display a video file instead of text, select the “Play video” checkbox and specify a Windows video file (*.avi) that
will be displayed in the usage policy message box. You can specify a file in the local file system on the computer
where the Agent applies the policy settings or in the DriveLock Policy File Storage.
To prevent users from clicking “Accept” before reading the policy, select the “Enable the Accept button…” checkbox
and configure the number of seconds users have to wait before the Accept button becomes available.

7.1.2.1.3 Configuring File Digest Generation

Each time a file is copied from or to an external drive, renamed on an external drive or deleted on an external drive,
DriveLock generates a hash value (digest) of its file name. This file name digest allows for the analysis of file
transfer and file use on multiple computers throughout your network by using the DriveLock Control Center.
These settings determine the hash algorithm that is used and whether DriveLock generates an additional hash digest
from the entire file, including its content.

Select the digest hash algorithm from the drop-down list. The MD5 hash algorithm is usually faster than any of the
SHA algorithms, but your organization may require you to use a different algorithm.
To enable file content digest generation, select the “Generate digest from file content” checkbox and then select
whether file access will be delayed until the content hash has been generated (hash generation will take some time
for larger files) or whether DriveLock will generate the content hash asynchronously.
Click OK to save your settings.

7.1.2.1.4 Volume Identification Files

Storage media in most cases will be identified by a unique Vendor ID, Product ID and serial number. Some storage
media, such as SD cards or no-name USB sticks, have no unique ID, or the unique ID is not accessible when the
storage media are connected via thin clients (e.g. without the DriveLock Virtual Channel) or when SD cards are used in
a USB SD card reader.
Volume identification files can be created on such storage media, giving them a unique ID for DriveLock.
To enable volume identification files, go to the Policy editor and open Drives / Settings / Volume identification file
configuration.

Check Use volume identification. If a volume identification file is present, the ID from the file overrides the
hardware ID of the storage media.
Security and compatibility level:
· High secure: the volume ID must correspond to the volume serial number of the partition. If the volume ID file
is copied to a different partition, the volume ID is invalid. Certain ICA-based clients (Citrix clients) do not
send the volume serial number to Windows; in that case DriveLock cannot verify the volume ID.

· Medium secure: the volume ID must correspond to the size of the partition. The volume ID is invalid if the
volume ID file is copied to a partition of a different size.

· Low secure: a volume ID file can be copied to any other partition. DriveLock will accept the volume ID
independent of volume serial number and volume size. Only use this option if your thin client sends neither
the volume serial number nor the volume size.
The volume information file includes all three security levels. Always start with High and reduce it only if required.
Existing volume information files remain valid if the security level is changed.
If the option Automatically create volume identification files is checked, a volume ID file will be created and filled with
the hardware ID values as soon as an external storage medium is connected to DriveLock on a fat client (not on a thin
client).
Volume ID files are encrypted with a default key or with a key generated from a defined custom encryption password.
All existing volume ID files will become invalid if you change this password.

Volume ID files are hidden for normal users (attributes hidden, system).
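The following Python sketch is an added illustration, not DriveLock code, of how the three security levels tie a volume ID file to the partition it was created on and why changing the custom password invalidates existing files. The JSON layout, the HMAC tag standing in for DriveLock's encryption of the file, and all names are assumptions.

```python
# Added example (not DriveLock code): volume identification file checks at
# the High / Medium / Low security levels described in this section.
# The file layout, the HMAC tag (a stand-in for DriveLock's encryption) and
# every name below are assumptions made for this illustration.
import hashlib
import hmac
import json
from typing import Optional

DEFAULT_PASSWORD = "default-key"   # constructed placeholder, not DriveLock's key
LEVELS = ("high", "medium", "low")


def _key(password: str) -> bytes:
    # Key derived from the (default or custom) encryption password. A new
    # password yields a new key, so every existing file stops verifying.
    return hashlib.sha256(password.encode("utf-8")).digest()


def create_volume_id_file(hardware_id: str, volume_serial: str, volume_size: int,
                          password: str = DEFAULT_PASSWORD) -> bytes:
    """Build the file contents for a medium without a usable hardware ID.
    Serial and size are recorded so that every level can be checked later."""
    body = json.dumps({"hardware_id": hardware_id,
                       "volume_serial": volume_serial,
                       "volume_size": volume_size}, sort_keys=True).encode()
    tag = hmac.new(_key(password), body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


def read_volume_id(file_bytes: bytes, level: str, volume_serial: Optional[str],
                   volume_size: int, password: str = DEFAULT_PASSWORD) -> Optional[str]:
    """Return the hardware ID the file carries, or None if the file is not
    valid for this partition at the requested security level. A thin client
    that does not report the serial passes volume_serial=None."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    try:
        outer = json.loads(file_bytes)
        body = outer["body"].encode()
        expected = hmac.new(_key(password), body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, outer["tag"]):
            return None                       # wrong password or tampered file
        rec = json.loads(body)
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if level == "high" and rec["volume_serial"] != volume_serial:
        return None                           # copied to another partition
    if level == "medium" and rec["volume_size"] != volume_size:
        return None                           # copied to a partition of other size
    return rec["hardware_id"]                 # "low": accepted anywhere


if __name__ == "__main__":
    # Constructed sample: an SD card whose reader hides the hardware ID.
    f = create_volume_id_file("SD-HWID-0001", "1A2B-3C4D", 3965190144)
    print("same partition, high  :", read_volume_id(f, "high", "1A2B-3C4D", 3965190144))
    print("copied file, high     :", read_volume_id(f, "high", "FFFF-0000", 3965190144))
    print("Citrix client, medium :", read_volume_id(f, "medium", None, 3965190144))
    print("password rotated, low :", read_volume_id(f, "low", None, 0, password="new"))
```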

How to manually create volume identification files


Open MMC / Operating / Create volume identification file and enter the appropriate values to manually create a
volume ID file, e.g. for SD cards.

7.1.2.1.5 Shadowing Configuration

For information about how to configure file shadowing, refer to the section “Configuring Global Shadowing”.

7.1.2.1.6 Drive Monitoring Using S.M.A.R.T.

Many hard drives use S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) to report drive health,
temperature and other drive status information and to issue alerts when a drive is about to fail. DriveLock can
monitor the S.M.A.R.T. status of drives that support this technology. You can enable the monitoring and configure the
monitoring interval under Extended configuration -> Drives -> Settings -> Hard drive self-monitoring (S.M.A.R.T.)
configuration. To enable monitoring, select the checkbox and then select the monitoring interval.

7.1.2.1.7 Advanced Global Settings for Controlling Drives

To define the following additional settings, click the corresponding links in the taskpad:
· Audit device insertion / removal / lock: When activated, DriveLock generates an audit event each time a drive is
connected, removed or locked.

· Unlock drives when service is stopped: When enabled, stopping the DriveLock service temporarily unlocks all
drives.

· Disable file filtering while drives are temporarily unlocked: When enabled, the Agent suspends file filtering when
an administrator temporarily suspends drive locking.

If you disable file filtering when you unlock all drives, this overrides any settings for controlling file filtering while
drives are unlocked.

7.1.2.2 Enabling Drive Locking

DriveLock can detect all types of drives which Windows recognizes as removable drives or fixed disks. This includes
the following types (classes):
· Floppy disk drives: Internal floppy disk drives

· CD-ROM/DVD drives: Internal CD-ROM/DVD drives, including burners

· USB bus-connected drives: All drives that are connected using a USB port, including flash drives, hard drives,
CD-ROM drives and card readers

· Firewire (1394) bus-connected drives: Drives connected using Firewire

· SD bus-connected drives: Drives connected to a built-in SD card reader, which is most frequently found in
notebook computers

· Other removable drives: All removable drives that are not included in another category, such as ZIP drives

· Fixed disks: Drives that are recognized by Windows as not removable and that don’t contain the operating
system, including drives connected using an IDE, ATAPI, SCSI, RAID, SATA or eSATA bus

· Encrypted volumes: Mounted volumes that are encrypted using DriveLock Encryption 2-Go. For more
information about encrypted volumes, refer to the chapter Encryption 2-Go.

· Network drives and shares: Network shares that are accessed using Windows networking.

· WebDAV-based network drives: Network drives that are accessed using the WebDAV protocol via HTTP or
HTTPS.

· Windows Terminal Services (RDP) client drive mappings: Refer to the chapter Using DriveLock in Terminal Server
Environments for more information about this drive type.

· Citrix XenApp (ICA) client drive mappings: Refer to the chapter Using DriveLock in Terminal Server Environments
for more information about this drive type.

Boot partitions and partitions containing the page file are never blocked by DriveLock.

To enable drive locking, open the DriveLock Management Console and then in the console tree in the left pane click
Drives -> Removable drive locking.
To open the configuration dialog box for USB drives, in the right pane click “USB bus-connected drives”.

Use the tabs in this configuration dialog box to configure settings that apply to all USB drives connected to the
computer.

The configuration dialog is almost identical for all drive types, but not all features are available for some drive
types or look slightly different from the options for USB drives.

To enable locking of all USB drives on this computer, select “Deny (lock) for all users (default)” and then click OK.

To lock USB drives, it is not required (and not recommended) to lock down the device class “USB controller”. If
you do so, all USB-connected devices are disabled and you cannot utilize any of the fine-grained controls that
DriveLock provides for USB drives.

If you allow access to this type of drive, either for all users or for selected groups, you can also configure the type of
access. This allows you to restrict access for certain users or group to read operations only.

A note on floppy disk drives: When using read/write permissions on a floppy disk drive, DriveLock needs to
load a file filter after you insert a disk. The Windows operating system does not reliably notify applications,
such as DriveLock, of disk insertions, so DriveLock must perform this check itself. To do so, DriveLock must
check the floppy disk drive at regular intervals (so called “polling”) to determine whether a new floppy disk has
been inserted. Unfortunately, this checking may cause the drive to emit a clicking sound. To avoid this, either do
not use any file filter rules for floppy disk drives or deactivate floppy disk drive polling (under Advanced Drive
Setting, visible in classic MMC view only). If you deactivate polling, the file filter does not work correctly on
some floppy disk drives.

To specify which drive letters are assigned to drives of this type that are connected to a computer, on the “Drive
letters” tab select one or more drive letters from the list.

You can also specify drive letters in a whitelist rule.

Configuring user access permissions and the settings on other tabs are covered in the section “Common Settings for
Drive Whitelist Rules”.

7.1.2.3 Creating Drive Rules

You can use four types of drive whitelist rules:


· Vendor/Product ID rule: Applies to a drive based on its manufacturer, model or serial number (for example a
Kingston 1 GB USB flash drive with a specific serial number)

· Network drives rule: Configuration of a specific network share

· WebDAV-based network drives rule: Settings for a network drive accessed over an HTTP/HTTPS connection

· Drive size rule: Applies to a drive based on its size

· Base rule: Applies to any of the five main drive types (use this type of rule to specify time limit or computer
restrictions for all drives of the same type)

· Terminal services rule: Applies to specific drive letters in a terminal server client session, including mapped
local drives on thin clients.
Rules are processed in the following order, from highest priority to lowest priority:
· Vendor/Product ID rule (a rule with a serial number has a higher priority than one without a serial number)

· Drive size rule

· Base rule

· General locking setting

The following sections describe the various rule components. The section “Common Settings for Drive Whitelist
Rules” describes common settings that are available when configuring certain types of whitelist rules.

7.1.2.3.1 Vendor/Product ID Rule

Right-click Drive whitelist rule and then click New -> Vendor/Product ID rule.
In the following dialog box, specify the drive to unlock or control. Type the vendor ID and product ID of the device if
you know them. You can also specify an optional list of serial numbers to make the rule apply to only certain drives
of the same model.

Each drive contains information in its firmware about itself, such as the manufacturer, product name and serial
number:
· Vendor ID: Name or abbreviation of the drive manufacturer

· Product ID: Model name, as defined by the manufacturer

If you don’t know the identifying information of a drive, you can select the drive by clicking the “…” button next to
Vendor ID. You can use wildcards, like “?” (one character) or “*” (any number of characters), within the Product ID or
Vendor ID.
DriveLock will display a dialog box that you can use to select a drive that is currently attached to the administration
workstation or to a client computer, or that is listed in the Device Scanner database. DriveLock automatically adds the
serial numbers of drives you add using this method to the dialog box.

To add a locally attached drive, select this drive and then click OK.
If you need information about other drives, you can connect to a remote client PC and select one of the drives
installed on it. Select “on agent” and then type the name of the computer you want to connect to. This requires that the
DriveLock Agent is installed and running on the remote computer.

DriveLock reads the hardware information for the drive that is maintained by the Windows operating system.
Therefore DriveLock can only display the drives in the format in which they appear to Windows.

To establish a connection to a remote computer running Windows XP SP2 or higher with the Windows Firewall
enabled, you must configure the firewall settings to allow incoming connections from TCP Ports 6064 and 6065 and
the program “DriveLock”.
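The firewall exception described above, written as an added PowerShell example (not from the DriveLock documentation). It creates one inbound rule for TCP 6064 and 6065 and then reads the rule back to confirm the port and address scope. The `New-NetFirewallRule` cmdlet exists on Windows 8 / Server 2012 and later only, so it does not cover the Windows XP SP2 case the text mentions; the program path and the administrative subnet are placeholders, and scoping the rule to that subnet is an added least-privilege choice, not something the manual requires.

```powershell
# Added example, not from the DriveLock documentation: inbound firewall rule for the
# two TCP ports the manual names, restricted to the DriveLock program.
# Assumptions:
#   - New-NetFirewallRule is available (Windows 8 / Server 2012 and later)
#   - $agentProgram is a PLACEHOLDER; set it to the DriveLock program path on your clients
#   - $adminNetwork is a PLACEHOLDER; scope the rule to the subnet your consoles sit in
$ruleName     = 'DriveLock Agent remote control'
$agentProgram = 'C:\Program Files\DriveLock\DriveLock.exe'   # PLACEHOLDER path
$adminNetwork = '10.0.50.0/24'                               # PLACEHOLDER subnet

$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Description 'Allow DriveLock console connections (TCP 6064, 6065)' `
        -Direction Inbound -Protocol TCP -LocalPort 6064,6065 `
        -Program $agentProgram -RemoteAddress $adminNetwork `
        -Profile Domain -Action Allow | Out-Null
}

# Verify what was applied: the port filter and the address scope of the rule
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $ports = $_ | Get-NetFirewallPortFilter
    $addr  = $_ | Get-NetFirewallAddressFilter
    '{0}: {1} {2}/{3} from {4} (enabled: {5})' -f $_.DisplayName, $_.Direction, `
        $ports.Protocol, ($ports.LocalPort -join ','), ($addr.RemoteAddress -join ','), $_.Enabled
}
```

Run the script in an elevated PowerShell session on the client; the final line prints the rule as the firewall stored it, which is the quickest way to confirm that the ports, program and remote address scope are what you intended.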

When connecting to the local computer, blocked removable drives are not displayed. If you also want to
view any blocked drives, select “on agent” and then type the name of the local computer.

A more convenient way to get drive information is to use the results from a Device Scanner scan that has been
completed in advance. To do this, on the Device scanner database tab, select the appropriate computer, vendor and
product ID.

Settings on other tabs are described in the section “Common Settings for Drive Whitelist Rules”.

7.1.2.3.2 Network Drives Rule

Use a network drives rule to control access to network shares.

Right-click Drive whitelist rule and then click New -> Network drives rule.

Type the name of the server and the share or click “…” to browse the network for the share.

Settings on other tabs are described in the section “Common Settings for Drive Whitelist Rules”.

Only a subset of drive configuration options is available when configuring whitelist rules for network drives.

7.1.2.3.3 WebDAV-Based Network Drives

Use a WebDAV rule to control access to network shares that are accessed using HTTP or HTTPS.

Right-click Drive whitelist rule and then click New -> WebDAV-based network drives rule.

Type the URL of the share, starting with http:// or https://.


Settings on other tabs are described in the section “Common Settings for Drive Whitelist Rules”.

Only a subset of drive configuration options is available when configuring whitelist rules for network drives.

7.1.2.3.4 Drive Size Rule

Use a drive size rule to control drives based on their capacity.


Right-click Drive whitelist rule and then click New -> Drive size rule.

Specify the drive size, and under “Activate this rule on drives connected to the following buses” select one or more of
the bus types that the drives you want to control are attached to.

If you activate the rule for ATA/SCSI it also applies to local hard drives. If you lock a local hard drive by mistake,
you must start the computer in Safe Mode and reverse the configuration setting. This requires that the
DriveLock Agent is not configured to start in Safe Mode.

Settings on other tabs are described in the section “Common Settings for Drive Whitelist Rules”.

7.1.2.3.5 Base Rule

Right-click Drive whitelist rule and then click New -> Base rule.
Use a base rule to define exceptions for all drives of the same type. Use this rule to specify time limits, computer
restrictions or network restrictions for a type of device. Base rules are appropriate if the rules don’t need to be
device-specific or based on drive size.

Select the drive or connection type to specify which drive type the rule applies to.
Settings on other tabs are described in the section “Common Settings for Drive Whitelist Rules”.

7.1.2.3.6 Terminal Services Rule

For information about Terminal Services rules, refer to the chapter "Using DriveLock in Terminal Server
Environments".

7.1.2.3.7 Creating a Rule Based on a Template

If you need to create several similar whitelist rules, for example for the same type of flash drive but with different
user settings, a whitelist template can save a lot of time. Instead of creating each rule step-by-step, selecting the
same configuration settings each time, you can base each rule on a whitelist template that contains the common
settings for all rules. Refer to the chapter “Creating Rule Templates” for details on how to create a whitelist template.

Right-click Drive whitelist rule and then click New -> Rule from template.
Select a whitelist template. A new whitelist rule is created containing all settings from the template. Add all required
additional settings.
Settings on other tabs are described in the section “Common Settings for Drive Whitelist Rules”.

7.1.2.4 Common Settings for Drive Whitelist Rules

The tabs “Permissions”, “Time limits”, “Computers”, “Networks”, “Users”, “Drive letters”, “Messages”, “Options” and
“Commands“ are available for most types of drive whitelist rules and therefore described in this section.
Settings on the “Filter / Shadow” tab are described in the sections “Using a File Filter Template” and “Configuring
Shadow Copies in Drive Whitelist ” of this manual.

7.1.2.4.1 User Permissions

To configure user access, on the “Permissions” tab define how users can access the drive.

Select one of the following options:


· Allow: Every authenticated user can access this drive.

· Deny (lock) for all users: Nobody can access this drive, it is completely locked.

· Deny (lock), but allow access for defined users and groups: The drive is locked, but the specified users or groups
are allowed to use the drive either in read only mode or with write permissions.
Click Add to add a user or group to the list, and then specify whether the user or group can copy files to the drive or
only read data from it. To remove a user or group from the list, select the user or group and then click Remove.

7.1.2.4.2 Controlling and Auditing File Access

On the Filter/Shadow tab you can configure which files users can access and how this access is audited. By default
file filter, auditing and shadowing settings are inherited from the corresponding settings for the drive type. You can
instead configure different settings that apply to the current whitelist rule.

To use different settings for the whitelist rule, deselect the checkbox “Use the filter settings configured under
Removable drive locking” and then select “Filter files” and/or “Audit files”.
Click Add to add one or more previously created filter templates. Click Delete to remove the selected template from
the list. Click the up and down arrow buttons to move the selected template up or down.
When DriveLock applies this whitelist, it evaluates all filter templates in the list, starting from the top. The first template
matching all specified criteria (“file size”, “exceptions”, “users and groups”, “computers” or “networks”) is applied; any
templates that follow are ignored. The following example illustrates this process: You created two templates. The
first template applies to administrators and does not filter files. The second template applies to all users and blocks
access to program files. If an administrator attempts to access a program file, DriveLock applies the first template and
access is granted. If a user who is not an administrator attempts the same, DriveLock ignores the first template and
instead applies the second template, blocking access to the program file.

7.1.2.4.3 Time Limit Settings

If you want a rule to be active only during a certain time (for example only on Wednesdays or on weekdays between
9 A.M. and 5 P.M.) you can specify time limits for the rule. You can also specify start and end dates for a whitelist
rule.

First select the appropriate time block or blocks by clicking one or more rectangles, an entire column or a row, and
then click “Rule active“ or “Rule not active“.

7.1.2.4.4 Settings for Computers

On the “Computers” tab you specify the computers on which a whitelist rule is applied.

Select from the following options:


· Activate this rule on all computers

· Activate this rule only on the specified computers

· Exclude specified computers from this rule

Click Add to add more computers to the list.

7.1.2.4.5 Network Settings

On the Network settings tab you specify whether the rule is applied only in certain network locations.

Select from the following options:


· Activate this rule in all network locations

· Activate this rule only in the specified network locations

· Exclude the specified network locations from this rule

Click Add to add more defined network locations to the list.

7.1.2.4.6 User and Group Validation

On the Users settings tab you specify whether the rule is applied only to certain users and user groups.

User and group validation is different from user permissions defined on the Permissions tab. Validation only
determines whether a rule is applied to a user. If the rule is applied, DriveLock then allows or denies access
based on the rule’s permission settings.

Select from the following options:


· Activate this rule for all users

· Activate this rule only for specified users or user groups

· Exclude specified users or user groups from this rule

Click Add to add more users or user groups to the list.

7.1.2.4.7 Assigning Drive Letters

Use this option to define which letters are assigned to a drive when it is connected to the computer.
If you select multiple drive letters the DriveLock Agent automatically assigns the first available drive letter from the
list.

Be careful not to select drive letters that are currently in use, such as drive letters used for network shares or
home directories.

7.1.2.4.8 Defining Custom Notification Messages

You can define a custom user notification message for each whitelist rule. Unless specified otherwise, DriveLock will
display this message when it denies access to a drive because of the whitelist rule.

Select the “Display custom message in user notification” checkbox to activate the user notification message for the
whitelist rule.
In the text edit box, type the message. DriveLock will display this message regardless of the client computer’s
language setting. If you use this type of notification message, DriveLock displays a key icon near the top left corner
of the text edit field.
If you have defined multilingual messages you can select this message type instead. To select a multilingual
message, click the “down arrow” button and then on the drop-down menu click “Select multilingual message”.

Multilingual messages contain separate messages in multiple languages for the same notification. Before you can
use such a message, you must define it in the Global configuration section of the policy. When you select a
multilingual notification message, DriveLock displays the text in the language of the currently logged-on user.
Click the message and then click OK.
If you use this type of notification message, DriveLock displays a speech bubble icon near the top left corner of the
text edit field.
To also display the message when a user connects a drive and the rule allows access, select the “Also display
message when access is granted” checkbox. To not display any notification message when this rule is activated,
including any default language message that you defined for all drives, select the “Display no message when rule is
activated” checkbox.
To not generate any audit events when this rule is activated, select the corresponding check box.
To have the user accept a usage policy before granting access, activate the “User must accept usage policy before
rule will be applied” checkbox. To also require a password, type and confirm the password that a user needs to provide
to access the drive.

7.1.2.4.9 Additional Options

Select the “Require drive to be encrypted” checkbox to control whether removable drives must be encrypted.
If you select this option, DriveLock lets users access only encrypted removable drives; unencrypted drives are locked.
You can also select whether a user will be prompted to encrypt an unencrypted removable drive when the user
connects it to the computer.
If you select the “Strict checking for encrypted media” checkbox, DriveLock treats a removable drive as being
encrypted only if it contains no files other than the following three:
· *.DLV (required): A DriveLock encrypted container file. The drive must contain exactly one encrypted container
file to be treated as an encrypted drive by DriveLock.

· DLMobile.exe (optional): The DriveLock Mobile Encryption Application.

· Autorun.inf (optional): A file that instructs Windows to start the Mobile Encryption Application when the drive
is inserted.
If the option “Automatically encrypt unencrypted media” is selected and a user connects an unencrypted removable
drive that already contains files, you can configure under the settings for enforced encryption whether any existing
files are retained or deleted.

Due to technical limitations, the option “Require drive to be encrypted” is not available for CD drives, network
drives and WebDAV drives.

Select “Require media authorization on this drive” to only unlock a drive when it contains authorized media. Refer to
the section “Using Media Authorization” for more information about this feature.

To enable the display of a usage policy each time a CD or DVD is inserted, you need to select the “Require media
authorization on this drive” option. Without selecting this option the usage policy is only displayed when a CD/DVD
drive is attached to the computer.

Some devices register with Windows as multiple drive types. For example, U3 drives appear both as a removable
drive and a CD-ROM drive with identical manufacturer, model and serial number information. To configure unique
settings for only one of these drives, select the drive types to which the whitelist rule will not be applied. For
example, to apply a whitelist rule only to the removable disk component of a U3 device, deselect the CD/DVD-ROM
checkbox. With this setting DriveLock will apply the general rules to the CD/DVD-ROM drive, or you can create a
separate whitelist rule for the CD drive.
Select the Scan for viruses before granting access checkbox to have the integrated DriveLock Antivirus component scan
the drive for any malicious software before giving a user access to the drive. This can increase security because
drives that contain any malware will remain inaccessible. This option requires that your DriveLock license contains
the Antivirus component.
To verify certain system settings on the client computer before granting access, select the “Verify system details
before granting access to the drive” checkbox. Click Add to add system verifiers.

Type the display name in the Description field and then select from the following test types:
· To check whether a Windows service is running, select “Windows service is started” and then select a
Windows service from the drop-down list.

· To check whether a DriveLock file system filter is attached to the drive, select “File system filter is attached to
the drive”.

· To run a custom command, select “Custom command returns success”. A command can be any program that
you can run from a command line, including program files (.exe), Visual Basic scripts (.vbs) and Windows
PowerShell scripts, that signals successful execution with a return code of 0.
Custom commands can be located in the file system on the client computer or in the DriveLock Policy File Storage.

The DriveLock Policy File Storage is a file container that is stored as part of a Local Policy, Group Policy Object
or a DriveLock configuration file. The Policy File Storage can contain any file, such as a script that must be
deployed to DriveLock Agents automatically along with the configuration settings.

Files in the Policy File Storage are prefixed with an asterisk (*). You must use the Policy File Storage path variable
along with any file stored in the Policy File Storage.
Click OK to save the action.
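A system verifier of the “Custom command returns success” type, as an added PowerShell example (not part of the DriveLock product or its documentation). DriveLock only evaluates the return code, so the script collects every failed check, logs the reason for the administrator, and ends with `exit 1` (keep the drive locked) or `exit 0` (continue with the rule). The service name, the registry key and value name, and the log path are placeholders that stand in for whatever your own policy requires.

```powershell
# verify-endpoint-state.ps1: added example, not part of the DriveLock product.
# Configured as a "Custom command returns success" verifier; DriveLock grants
# access only if this process terminates with return code 0.
# Assumptions (placeholders, not from the product documentation):
#   - $ServiceName is a service your policy requires to be running
#   - $RegistryKey\$RegistryValue is a flag (DWORD 1) maintained by your own tooling
param(
    [string]$ServiceName   = 'EventLog',                         # PLACEHOLDER service
    [string]$RegistryKey   = 'HKLM:\SOFTWARE\Contoso\Endpoint',  # PLACEHOLDER key
    [string]$RegistryValue = 'Compliant',                        # PLACEHOLDER value name
    [string]$LogFile       = "$env:ProgramData\drive-verifier.log"
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}

$failures = @()

# Check 1: the required service exists and is running
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    $failures += "service '$ServiceName' is not running"
}

# Check 2: the compliance flag written by your management tooling equals 1
$item = Get-ItemProperty -Path $RegistryKey -Name $RegistryValue -ErrorAction SilentlyContinue
if ($null -eq $item -or $item.$RegistryValue -ne 1) {
    $failures += "registry value $RegistryKey\$RegistryValue is missing or not 1"
}

if ($failures.Count -gt 0) {
    Write-Log ('verification FAILED: ' + ($failures -join '; '))
    exit 1    # non-zero return code: DriveLock keeps the drive locked
}
Write-Log 'verification passed'
exit 0        # return code 0: DriveLock proceeds with the rule
```

Start it with `powershell.exe -NoProfile -File <path to verify-endpoint-state.ps1>`; with `-File`, the `exit` statement becomes the process return code that DriveLock evaluates. How the path is written when the script sits in the Policy File Storage follows the %FILESTG% convention described in the next section.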

7.1.2.4.10 Specifying Commands

DriveLock can run a command that you specify each time one of the following events occur for a drive that a rule
applies to:
· A drive is connected to the computer and is locked by the Agent

· A drive is connected to the computer and is not locked by the Agent

· A drive is disconnected from the computer

A command can be any program that you can run from a command line, including program files (.exe), Visual Basic
scripts (.vbs) and Windows PowerShell scripts.
Common examples for actions you can perform by using a script are: Every time a specific external hard disk is
connected to the computer, a backup script copies files from the internal hard disk to the external drive without
requiring any user interaction. A PowerShell script can copy images from a digital camera to a network share
automatically each time a camera is connected to the computer.

To start a VB script, you must type the complete path to the script file (for example, “wscript C:\Program
Files\scripts\myscript.vbs”).

You can use variables in commands and scripts that the Agent replaces with the actual values when running the
command:

%LTR% Letter assigned to the drive

%NAME% Display name of the drive

%SIZE% Size of the drive

%USER% Name of the user who is logged on

%SERNO% Serial number of the drive

%HWID% Hardware ID of the drive

%PRODUCT% Product ID of the drive

%VENDOR% Vendor ID of the drive

%FILESTG% Path to a file in the Policy file storage

To insert a variable into the command line, at the cursor position where you want the variable to appear, click “<”
and then click the variable to insert.
Click the “…”button to select a file name and insert it at the cursor position. You can select a file from the following
locations:

· The file system on the local computer

· The DriveLock Policy File Storage

The DriveLock Policy File Storage is a file container that is stored as part of a Local Policy, Group Policy Object
or a DriveLock configuration file. The Policy File Storage can contain any file, such as a script that must be
deployed to DriveLock Agents automatically along with the configuration settings.

Files in the Policy File Storage are prefixed with an asterisk (*). You must use the Policy File Storage path variable
along with any file stored in the Policy File Storage.
You can also specify whether the command is run using the identity of the local System account or the account of the
user who is logged on at the computer when the command is run.
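The backup scenario described in this section, as an added PowerShell example (not from the DriveLock documentation): a script run on the “drive is connected and not locked” event that receives the rule variables as parameters, logs every connection, and starts a robocopy backup only when the serial number matches one designated disk. The command line in the header comment shows one way to pass the variables; whether %LTR% arrives as “E” or “E:” is not stated in the manual, so the script accepts both. The serial number, source folder and log path are placeholders.

```powershell
# on-drive-connected.ps1: added example, not part of the DriveLock product.
# Command line to configure in the rule (assumption about quoting; the Agent
# replaces the %...% variables before the command runs):
#   powershell.exe -NoProfile -File "C:\Scripts\on-drive-connected.ps1" -Letter "%LTR%" `
#       -Serial "%SERNO%" -User "%USER%" -Vendor "%VENDOR%" -Product "%PRODUCT%"
param(
    [string]$Letter  = '',
    [string]$Serial  = '',
    [string]$User    = '',
    [string]$Vendor  = '',
    [string]$Product = '',
    [string]$BackupDiskSerial = 'PLACEHOLDER-SERIAL',      # PLACEHOLDER: the one disk allowed to receive data
    [string]$SourceFolder     = "$env:SystemDrive\Data",   # PLACEHOLDER: folder to back up
    [string]$LogFile          = "$env:ProgramData\drive-events.log"
)

if ([string]::IsNullOrWhiteSpace($Letter)) { exit 1 }   # nothing to do without a drive letter
$drive = $Letter.TrimEnd(':', '\') + ':'                # accept "E" as well as "E:"
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

# Every connection is logged, whatever the drive is; this gives a local audit trail
Add-Content -Path $LogFile -Value "$stamp connected drive=$drive vendor=$Vendor product=$Product serial=$Serial user=$User"

# Only the designated disk, matched on its serial number, triggers the backup
if ($Serial -ne $BackupDiskSerial) { exit 0 }

$target = Join-Path $drive ('Backup\' + $env:COMPUTERNAME)
New-Item -ItemType Directory -Path $target -Force | Out-Null

# robocopy: /E copies subfolders, /XJ skips junctions, /R:1 /W:1 limits retries,
# /NP /NFL keep the log short. Return codes below 8 mean success (possibly with extras).
& robocopy.exe $SourceFolder $target /E /XJ /R:1 /W:1 /NP /NFL "/LOG+:$LogFile" | Out-Null
$rc = $LASTEXITCODE
if ($rc -ge 8) {
    Add-Content -Path $LogFile -Value "$stamp backup to $target FAILED (robocopy rc=$rc)"
    exit 1
}
Add-Content -Path $LogFile -Value "$stamp backup to $target completed (robocopy rc=$rc)"
exit 0
```

Because the script runs without user interaction, run it under the local System account only if the source folder is readable by that account and the log path is not user-writable; otherwise choose the logged-on user's identity, which is the other option this section describes.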

7.1.2.5 Locking and Controlling Recording to CDs/DVDs

To lock CD/DVD devices you configure settings for the CD/DVD drive class as described in the chapter “Enabling
Drive Locking”.
Often recording software bypasses Windows file system drivers to burn CDs or DVDs. DriveLock includes a system
driver that is linked into CD/DVD drives as a lower filter to prevent bypassing normal file drivers in most cases.

Supported recording software includes Roxio (WinOnCD), Nero, Windows (IMAPI) and Infra-Recorder.

To allow some users to use recording software, while blocking others, configure the user permissions in a whitelist
rule (or for the drive class) and allow or deny write access for specific groups.

You can also configure CD/DVD writing settings in a whitelist rule.

By default, the CD/DVD tab is disabled in whitelist rules. To enable the CD/DVD tab in a whitelist rule, right-click the
whitelist rule and then click Show CD/DVD options.

The configuration options for the CD-ROM class and whitelist rules are identical.
By default, DriveLock hides the recording device (soft blocking), and recording software usually will recognize the
drive as non-recordable CD/DVD-ROM drive. Activate the “Disable soft blocking (…)” checkbox to deactivate soft
blocking.

If you disable soft blocking (or when recording software such as Roxio bypasses the soft blocking capabilities of
DriveLock), the user will get an “access denied” message when trying to write to a CD/DVD.

Select the “Do not display user messages” checkbox to prevent user messages from being displayed when soft blocking is
active.
To disable Windows recording capabilities regardless of user permissions, select the “Disable Windows XP built-in
CD writing (…)” checkbox.
To enable administrators to recognize DriveLock soft blocking, select one or both of the “User / support staff
notification” checkboxes. DriveLock will change the hardware revision or vendor information, respectively.
For compatibility reasons you can turn off soft and hard blocking of CD/DVD recording completely by selecting the
two compatibility option checkboxes.

7.1.2.6 Creating Whitelist Templates

A whitelist template is a drive whitelist rule that can be used as template for other whitelist rules. You can create
whitelist templates for the following rule types:
· Vendor/Product ID rule: Applies to a drive based on its manufacturer, model or serial number (for example a
Kingston 1 GB USB flash drive with a specific serial number).

· Network drives rule: Configuration of a specific network share

· WebDAV-based network drives rule: Settings for a network drive accessed over an HTTP/HTTPS connection

· Drive size rule: Applies to a drive based on its size.

· Base rule: Applies to any of the five main drive types (use this type of rule to specify time limit or computer
restrictions for all drives of the same type).

· Terminal services rule: Applies to drive letters in a terminal server client session, including mapped local
drives on thin clients.
Templates can’t be used directly to control drive use, but you can create whitelist rules based on a whitelist template
(refer to the chapter “Creating a Rule Based on a Template” for details).

Right-click Whitelist template, click New and then select the type of whitelist rule to create a template for.
Follow the steps described in the chapter “Creating Drive Rules” to create the template.

7.1.2.7 Organizing Drive Whitelist Rules

You can organize whitelist rules using folders and sub-folders just as you would organize files using directories.

Right-click Drive whitelist rule and then click New -> Folder.

Type the name of the new folder and then click OK.

To create a new rule in a specific folder, right-click the folder and then select the rule type, for example New ->
Vendor/Product ID rule.

To move an existing whitelist rule to another location, right-click the whitelist rule and then click All tasks -> Move.

Select the destination folder and then click OK.

7.1.2.8 Creating File Filters

Use file filters to control access to specific file types in removable media rules and drive whitelist rules. File filters
control which types of files users can read or write. For example, you can create a file filter template with read
permissions for .jpg files and write permissions for .doc files. A single file filter template can include multiple
permissions entries to match your security requirements.
DriveLock can check the headers of files to ensure that a file’s content matches the file type that’s indicated by the
extension. For example, it can check whether a file with a .doc extension is really a Microsoft Office file and not a
graphics file that a user renamed. Note that some file formats share the same file header, such as some Microsoft
Office formats, while others have no file header at all or a variable file header.

After you have configured a file filter template, you can use it in a drive class or a drive whitelist rule.

7.1.2.8.1 Defining File Types

DriveLock includes built-in file type definitions for many common file formats. You can define file types for
additional file extensions by defining the content of these files.

Before you can use built-in definitions you must generate a list containing the file extensions that are recognized by
Windows on your computer. To create this list, right-click File type definitions and then click All Tasks -> Create built-
in definitions.

To create a new file type, right-click File type definitions, and then click New -> File type definition.
To change the definition of a file type in the list, double-click it.

Click Add to add one or more file extensions to the file type definition.
Click the Type definition tab.

DriveLock can validate a file by checking its content or by using a custom Dynamic Link Library (DLL). Such custom
DLLs contain code that you design to check the contents of a file.
Click Add, Remove or Edit to edit the list of content check conditions.

A content check condition contains an offset (a hexadecimal value) and a content value that you can specify as text
or as hexadecimal byte values. For the condition to match, the content must be present at the specified location in the
file. DriveLock automatically calculates the length. Click OK to save changes.
Configure whether a file must match all conditions or only one of them needs to be validated.
To use a Dynamic Link Library that you have developed, type the full path for the DLL file and the function name.

The DLL file must be stored locally on the disk. You can’t use a UNC path or the Policy File Storage as a location.

Click OK to save the changes.
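A model of the content check described above, as an added PowerShell example (not the product's own code): each condition is an offset plus a byte sequence or text, a file type is validated in “all conditions” or “any condition” mode, and the extension-to-content comparison is run over constructed sample files, including a PNG renamed to .doc. The signature table holds well-known magic numbers; the single OLE2 entry shared by .doc and .xls shows the shared-header limitation the text mentions, because a renamed .xls still passes as .doc. The temp folder, file names and the extension map are assumptions made for the demonstration.

```powershell
# Added example, not the DriveLock product's code: models "content check conditions".
function Test-FileContent {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Each condition: @{ Offset = <int>; Bytes = <byte[]> } or @{ Offset = <int>; Text = '<ascii>' }
        [Parameter(Mandatory = $true)][hashtable[]]$Conditions,
        [switch]$MatchAny   # default: every condition must match (the "all conditions" setting)
    )
    $data = [System.IO.File]::ReadAllBytes($Path)
    $results = foreach ($c in $Conditions) {
        $expected = if ($c.ContainsKey('Text')) { [System.Text.Encoding]::ASCII.GetBytes($c.Text) }
                    else { [byte[]]$c.Bytes }
        $offset = [int]$c.Offset
        if ($offset + $expected.Length -gt $data.Length) {
            $false   # file too short to hold the value at that offset
        } else {
            $ok = $true
            for ($i = 0; $i -lt $expected.Length; $i++) {
                if ($data[$offset + $i] -ne $expected[$i]) { $ok = $false; break }
            }
            $ok
        }
    }
    if ($MatchAny) { return ($results -contains $true) }
    return -not ($results -contains $false)
}

# Signature table (well-known magic numbers; offsets in hex as in the DriveLock dialog)
$Signatures = @{
    'jpg'  = @(@{ Offset = 0x0; Bytes = 0xFF,0xD8,0xFF })
    'png'  = @(@{ Offset = 0x0; Bytes = 0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A })
    # OLE2 compound document header, shared by Office 97-2003 .doc/.xls/.ppt files
    'ole2' = @(@{ Offset = 0x0; Bytes = 0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1 })
    'pdf'  = @(@{ Offset = 0x0; Text = '%PDF-' })   # a text condition instead of bytes
}

function Test-ExtensionMatchesContent {
    param([string]$Path)
    $ext = [System.IO.Path]::GetExtension($Path).TrimStart('.').ToLowerInvariant()
    # Assumed extension map; .doc and .xls both resolve to the same OLE2 signature
    $map = @{ jpg = 'jpg'; jpeg = 'jpg'; png = 'png'; doc = 'ole2'; xls = 'ole2'; pdf = 'pdf' }
    if (-not $map.ContainsKey($ext)) { return $null }   # no definition: cannot validate
    return Test-FileContent -Path $Path -Conditions $Signatures[$map[$ext]]
}

# Demonstration on constructed files (not real documents) in a temp folder
$tmp = Join-Path $env:TEMP 'drivelock-filetype-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$png  = [byte[]](0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A, 0,0,0,13)
$ole2 = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1, 0,0,0,0)
[System.IO.File]::WriteAllBytes((Join-Path $tmp 'photo.png'),   $png)
[System.IO.File]::WriteAllBytes((Join-Path $tmp 'renamed.doc'), $png)    # PNG data renamed to .doc
[System.IO.File]::WriteAllBytes((Join-Path $tmp 'sheet.xls'),   $ole2)
[System.IO.File]::WriteAllBytes((Join-Path $tmp 'report.doc'),  $ole2)   # same header as sheet.xls
Get-ChildItem $tmp | ForEach-Object {
    '{0,-14} extension matches content: {1}' -f $_.Name, (Test-ExtensionMatchesContent $_.FullName)
}
```

The renamed PNG fails its .doc check, while the OLE2 sample passes as both .doc and .xls; that second result is exactly the case in which a header check alone cannot distinguish formats, and a custom DLL or additional conditions at other offsets would be needed.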

7.1.2.8.2 Defining File Type Groups

Use file type groups containing two or more file type definitions to add multiple file types to a rule in a single step.
You can create your own groups in addition to the built-in file type group definitions, which cover many common
scenarios, such as video files and images.

Before you can use a built-in group definition you must generate the group list. To create this list, right-click File
type groups and then click All Tasks -> Create built-in definitions.
To change the definition of a file type group in the list, double-click it.

To create a new file type group, right-click File type groups, and then click New -> File type group.

In the description field, type a group name. Click Add to add existing file types to the group. Select a file type and
click Remove to remove the selected type from the list.

To select more than one file type, press and hold the CTRL key, and then click each file type. Click OK to add the
selected file types to the list.
Click OK to save the file type group.

7.1.2.8.3 Creating a New File Filter Template

In the console tree, expand Drives, right-click File filter templates and then click New -> Template.

In the description field, type a name for the template. If desired, type a comment.
Click the Read filter tab.

The file extensions specified on this page are checked when a file is copied or read from a drive.
To allow all file extensions, select “Allow all files”. To allow only certain file types, select “Allow only defined
extensions”. To block certain files, select “Do not allow defined extensions”.
Click Add -> File extensions to add one or more file extensions to the list. To add a file type group to the list, click
Add and then select the group.
Select or type the appropriate file extension, and then click OK to add the file extension to the list.


To specify files without an extension, type a period (.) instead of an extension. For example, this may be
required for files created by Microsoft Excel 2003 and earlier. These versions of Excel save a file by first creating
a temporary file without an extension and then creating a file with the extension .xls.

Click the Write filter tab.


The file extensions specified on this page are checked when a file is copied or written to a drive.


To allow all file extensions, select “Allow all files”. To allow only certain file types, select “Allow only defined
extensions”. To block certain files, select “Do not allow defined extensions”.
Click Add to add one or more file extensions to the list.
Click the Audit tab.

The file audit settings define when an audit event is generated. Configure the audit settings to match your audit
policy.
Audit events can be sent to the Windows Event Log and, if configured, to the DriveLock database.

File auditing can impact system performance. Also some user actions may generate multiple audit events. For
example, opening a Word document may generate three separate events because Word reads the file, writes
some information to it (last time accessed) and then reads the file again.

Settings on the tabs Shadow and Exceptions are explained in the section “Configuring Shadow Copies in Drive
Whitelist Rules”.
Click the Other tab.


Select one of the “… deny access to files larger than” checkboxes and specify a size to prevent read and/or write access
to large files.
To enable DriveLock to apply the file filter to compressed archive files (ZIP and RAR), additional options exist for
reading and writing such files. To apply the file filter settings to files contained in an archive, select one or both of
the “… scan archives” checkboxes.
To block access to compressed archives that contain other compressed archives, select one or both of the “Block
nested archives” checkboxes.
To block access to password-protected archives, select one or both of the “Block password-protected archives”
checkboxes.

Scanning compressed archive files on network and WebDAV drives is currently not supported.

Click the Computers tab.


Select from the following options:


· Activate this template on all computers

· Activate this template only on the specified computers

· Exclude the specified computers from this template

Click Add to add more computers to the list.


Click the Networks tab.


Select from the following options:


· Activate this template in all network locations

· Activate this template only in the specified network locations

· Exclude the specified network locations from this template

Click Add to add more defined network locations to the list.


Click the Users tab.


Select from the following options:


· Activate this template for all users

· Activate this template for the specified users

· Exclude the specified users from this template

Click Add to add more users or user groups to the list.


Select the Usage tab to view the drive whitelist rules that use the current template.
Click OK to save the template.

7.1.2.8.4 Using a File Filter Template

Use a filter template to configure filter settings for one of the drive classes or a drive whitelist rule.
To assign a filter template to a class rule, open the Properties dialog box for the rule, and then click the
Filter/Shadow tab.
Select “Filter files…” to apply the file filter settings in the selected filter template(s). Select the “Audit and shadow
files…” checkbox to enable the auditing and shadowing settings.


You can also use file filters in whitelist rules. By default a whitelist rule uses the filter settings you configured for the
corresponding drive class. To configure a different filter, clear the “Use the filter settings …” checkbox, and then
select the “Filter files…” and/or “Audit and shadow files …” checkboxes.
Click Add to add one or more previously created filter templates. Click Delete to remove the selected template from
the list. Click the up and down arrow buttons to move the selected template up or down.
When DriveLock applies this whitelist rule, it evaluates all filter templates in the list, starting from the top. The first
template matching all specified criteria (“file size”, “exceptions”, “users and groups”, “computers” or “networks”) is
applied; any templates that follow are ignored. The following example illustrates this process: You created two
templates. The first template applies to administrators and does not filter files. The second template applies to all
users and blocks access to program files. If an administrator attempts to access a program file, DriveLock applies the
first template and access is granted. If a user who is not an administrator attempts to access the file, DriveLock
ignores the first template and instead applies the second template, blocking access to the program file.
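The first-match evaluation just described, modelled in Python as an added example (this is not DriveLock code): the Computers/Networks/Users scopes, the Read/Write filter modes, the “.” convention for files without an extension and the size limit from the Other tab. The template names, the 50 MB write limit and the rule that “no matching template means no filter” are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# The three radio buttons on the Read filter and Write filter tabs
ALLOW_ALL = "Allow all files"
ALLOW_ONLY_DEFINED = "Allow only defined extensions"
DENY_DEFINED = "Do not allow defined extensions"


def extension_of(filename: str) -> str:
    """Lower-case extension without the dot; '.' stands for a file that has no
    extension, which is how the Read filter tab lets you list such files."""
    name = filename.replace("/", "\\").rsplit("\\", 1)[-1]
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot and ext else "."


@dataclass(frozen=True)
class Scope:
    """One Computers / Networks / Users tab: all, only the listed, or all but the listed."""
    mode: str = "all"                       # "all" | "only" | "exclude"
    entries: FrozenSet[str] = frozenset()

    def matches(self, actual: FrozenSet[str]) -> bool:
        listed = bool(self.entries & actual)
        return {"all": True, "only": listed, "exclude": not listed}[self.mode]


@dataclass(frozen=True)
class ExtensionFilter:
    """A Read filter or Write filter tab plus the size limit from the Other tab."""
    mode: str = ALLOW_ALL
    extensions: FrozenSet[str] = frozenset()   # lower-case, no dot; "." = no extension
    max_size: Optional[int] = None             # bytes; None = no size limit

    def allows(self, filename: str, size: int) -> bool:
        if self.max_size is not None and size > self.max_size:
            return False
        listed = extension_of(filename) in self.extensions
        return {ALLOW_ALL: True, ALLOW_ONLY_DEFINED: listed, DENY_DEFINED: not listed}[self.mode]


@dataclass(frozen=True)
class FilterTemplate:
    name: str
    read: ExtensionFilter = field(default_factory=ExtensionFilter)
    write: ExtensionFilter = field(default_factory=ExtensionFilter)
    users: Scope = field(default_factory=Scope)
    computers: Scope = field(default_factory=Scope)
    networks: Scope = field(default_factory=Scope)

    def applies_to(self, groups: FrozenSet[str], computer: str, network: str) -> bool:
        return (self.users.matches(groups)
                and self.computers.matches(frozenset({computer}))
                and self.networks.matches(frozenset({network})))


def evaluate(templates: List[FilterTemplate], groups: Iterable[str], computer: str,
             network: str, filename: str, size: int, operation: str) -> Tuple[Optional[str], bool]:
    """Walk the template list top-down: the first template whose scope matches decides
    and every later one is ignored. Assumption: if no template matches, no filter applies."""
    groups = frozenset(groups)
    for template in templates:
        if template.applies_to(groups, computer, network):
            flt = template.read if operation == "read" else template.write
            return template.name, flt.allows(filename, size)
    return None, True


# Constructed sample: the two-template setup from the guide's own example.
PROGRAM_EXTENSIONS = frozenset({"exe", "dll", "com", "msi"})
ADMINS_NO_FILTER = FilterTemplate(
    name="Administrators - no filter",
    users=Scope("only", frozenset({"Administrators"})),
)
ALL_USERS_BLOCK_PROGRAMS = FilterTemplate(
    name="All users - block program files",
    read=ExtensionFilter(DENY_DEFINED, PROGRAM_EXTENSIONS),
    write=ExtensionFilter(DENY_DEFINED, PROGRAM_EXTENSIONS, max_size=50 * 1024 * 1024),
)
TEMPLATE_LIST = [ADMINS_NO_FILTER, ALL_USERS_BLOCK_PROGRAMS]   # order matters


def demo() -> Dict[str, Tuple[Optional[str], bool]]:
    admin, user, where = ["Domain Users", "Administrators"], ["Domain Users"], ("PC01", "Office")
    return {
        "admin reads setup.exe": evaluate(TEMPLATE_LIST, admin, *where, r"E:\setup.exe", 2_000_000, "read"),
        "user reads setup.exe": evaluate(TEMPLATE_LIST, user, *where, r"E:\setup.exe", 2_000_000, "read"),
        "user reads report.xls": evaluate(TEMPLATE_LIST, user, *where, r"E:\report.xls", 40_000, "read"),
        "user writes 700 MB image": evaluate(TEMPLATE_LIST, user, *where, r"E:\backup.img", 700 * 1024 * 1024, "write"),
    }
```

Reordering TEMPLATE_LIST so the all-users template comes first would block program files for administrators too, which is the ordering mistake the paragraph above warns against.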

7.1.2.8.5 Using File Filter Templates with Encrypted Drives (Encryption 2-Go)

An additional step is required to use a file filter template for removable drives that have been encrypted using
DriveLock removable media encryption (Encryption 2-Go). When you configure a file filter for the removable drive,
this filter only applies to any unencrypted portion of the drive, which users are commonly not allowed to access.
Once the encrypted container on such a drive is mounted using a drive letter, DriveLock treats it as belonging to the
class Encrypted volumes, even though the physical drive may be connected using a USB port.
For a file filter template to apply to an encrypted volume, you need to enable filtering and/or auditing and select the
template on the Filter / Shadow tab under Drives -> Removable drive locking -> Encrypted volumes.


7.1.2.9 Using Media Authorization

Use the Authorized Media option to unlock specific media even though CD/DVD drives are locked. For example, you
can allow the use of a DVD containing training videos while blocking the use of all other DVDs.
When creating a new “Authorized Media” rule for a permitted disk, DriveLock calculates a unique identifying “hash
value” from the CD and unlocks the disk when this value matches the hash value of an authorized disk. Because the
hash value changes whenever any data on the disk changes, media authorization works only for media that cannot be
written to, not for writable removable drives such as USB flash drives. Therefore, “Authorized Media” rules should
only be used for read-only media (CDs/DVDs).
To create a new authorized media rule, in the console tree, expand Drives, and then click Authorized media.

Right-click Authorized Media and then click New -> Authorized media.
The New authorized media Properties dialog box opens.


Type a description and an optional comment describing the Authorized Media rule.
DriveLock includes two predefined rule types, Audio CD and Video CD/DVD. Use these rules to authorize the use of
audio and video disks, respectively. To create a custom rule for a specific disk, click Specific media. Click Read media
information to calculate the hash value of the disk you want to allow.

Select the drive with the CD or DVD you want to allow, and then click OK.


DriveLock reads the media information and adds it to the rule.


Settings on other tabs are described in the section “Common Settings for Drive Whitelist Rules”.
Click OK to save the rule.


To quickly lock or unlock the selected rule for all users, right-click a configured rule and then click All Tasks -> Lock
(or Unlock).

7.1.2.10 Monitoring Data Transfers by Using Shadowing

Shadowing creates copies of files transferred to or from removable media to allow administrators to review what
data users accessed. DriveLock can store these shadow copies on client computers and a server. You can define
which files DriveLock shadows.

If shadowing is enabled for CD/DVD recording devices, DriveLock creates an ISO image file each time a CD or
DVD is recorded and saves the image in the location you configured.

7.1.2.10.1 Configuring Global Shadowing Settings

Define global shadowing in the settings for drive locking.

Click Shadowing configuration to configure the settings for shadowing.


7.1.2.10.1.1 General Settings

By default DriveLock stores shadow copies in the C:\ProgramData\CenterTools DriveLock\ShadowFiles folder. To
select a different location, select “Fixed location” and then type the name and path of the shadow files folder. By
default, only the Administrator account has full access to the shadow files folder.
Use the “Storage limitations” option to specify the maximum size of files to be shadowed or the maximum storage
space used by shadow copies. By default, only individual files of up to 5 MB are shadowed and no more than 100
MB of hard disk space is used for shadow copies. To reduce the impact of shadowing on performance you can limit
shadowing to the first part of each file. Configure how many KB of data of each shadowed file DriveLock retains. If
you only retain portions of files you will not be able to open shadow copies using regular applications but you can
use an editor to view enough information to identify the original file.
Configure in which order files are deleted when the maximum storage space has been reached and how often the
cleanup process runs on client computers, or select a period after which shadow copies of files are automatically
deleted. These settings only relate to storage space on client computers; you must remove files in a central storage
location (network share) manually. The default for running the local cleanup process is every five minutes.


7.1.2.10.1.2 Client Options for Shadowing

Use the “Options” tab to control access to shadow copies.

When you select the “Create a local shared folder on clients” checkbox, DriveLock shares the local shadow files folder
on the client and assigns permissions to that folder. By default, the built-in Administrators group is assigned Full
Access permissions to access the files on the computer over the network. Users and Power Users are assigned
permissions to read the data.
After copying shadowed files to a central location, the DriveLock Agent deletes the local shadow copies. To retain the
files on the client after they are uploaded, select the “Do not delete files after uploading to central location”
checkbox.


7.1.2.10.1.3 Shadowing Exceptions

Use the “Exceptions” tab to exempt certain processes or users from file shadowing.

You can define processes and users or groups that are excluded from shadowing by selecting the corresponding
settings. The main purpose of such exclusions is to avoid the creation of shadow files each time a virus scanner or
other automated process accesses a file.
Click Add or Remove to configure processes, users or groups to exclude from shadowing.

Specify a program file or select one of the pre-defined applications and then click OK.
To also exempt users or processes from file filtering, select the corresponding checkbox.
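The General settings and Exceptions described above, simulated in Python as an added example (not DriveLock code): the per-file size limit, the storage cap with cleanup, partial retention of each file, and the process and user exclusions. The limits are scaled down to kilobytes, oldest-first is this example's choice of deletion order, and the process and group names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

KB = 1024


@dataclass(frozen=True)
class ShadowSettings:
    """The General and Exceptions tabs of the shadowing configuration."""
    max_file_size: int                      # files larger than this are not shadowed
    max_storage: int                        # cap for all shadow copies on the client
    retain_prefix: Optional[int] = None     # keep only the first N bytes; None = whole file
    excluded_processes: FrozenSet[str] = frozenset()
    excluded_groups: FrozenSet[str] = frozenset()


@dataclass
class ShadowCopy:
    seq: int                # creation order, lower = older
    original_name: str
    data: bytes
    truncated: bool         # True when only a prefix of the file was retained


class ShadowStore:
    """Client-side shadow folder with the limits and cleanup the guide describes."""

    def __init__(self, settings: ShadowSettings) -> None:
        self.settings = settings
        self.copies: List[ShadowCopy] = []
        self._seq = 0

    def used(self) -> int:
        return sum(len(c.data) for c in self.copies)

    def shadow(self, filename: str, data: bytes, process: str,
               groups: FrozenSet[str]) -> Optional[str]:
        """Shadow one transferred file. Returns None when a copy was stored,
        otherwise the reason the file was skipped."""
        s = self.settings
        if process.lower() in {p.lower() for p in s.excluded_processes}:
            return "process excluded"
        if s.excluded_groups & groups:
            return "user excluded"
        if len(data) > s.max_file_size:
            return "file larger than size limit"
        keep = data if s.retain_prefix is None else data[:s.retain_prefix]
        self._seq += 1
        self.copies.append(ShadowCopy(self._seq, filename, keep, len(keep) < len(data)))
        self.cleanup()
        return None

    def cleanup(self) -> int:
        """Delete copies until usage fits under max_storage. The guide lets you choose
        the deletion order; oldest-first is this example's choice. Returns the count."""
        deleted = 0
        self.copies.sort(key=lambda c: c.seq)
        while self.copies and self.used() > self.settings.max_storage:
            self.copies.pop(0)
            deleted += 1
        return deleted


def demo() -> Dict[str, object]:
    # Scaled-down limits (5 KB / 100 KB instead of the 5 MB / 100 MB defaults)
    settings = ShadowSettings(max_file_size=5 * KB, max_storage=100 * KB,
                              excluded_processes=frozenset({"avscan.exe"}),
                              excluded_groups=frozenset({"Backup Operators"}))
    store = ShadowStore(settings)
    users = frozenset({"Domain Users"})
    results: Dict[str, object] = {
        "oversized": store.shadow(r"E:\big.iso", b"\0" * (6 * KB), "explorer.exe", users),
        "scanner": store.shadow(r"E:\doc.docx", b"x" * KB, "avscan.exe", users),
        "backup op": store.shadow(r"E:\doc.docx", b"x" * KB, "explorer.exe",
                                  frozenset({"Backup Operators"})),
    }
    for i in range(30):                      # 30 x 4 KB = 120 KB, more than the cap
        store.shadow(rf"E:\file{i:02}.bin", bytes([i]) * (4 * KB), "explorer.exe", users)
    results["copies kept"] = len(store.copies)
    results["oldest kept"] = store.copies[0].original_name
    results["bytes used"] = store.used()

    # Partial retention: only the first KB of each file survives, so the copy is
    # no longer openable in Excel but still identifies the original file.
    partial = ShadowStore(ShadowSettings(5 * KB, 100 * KB, retain_prefix=KB))
    partial.shadow(r"E:\plan.xlsx", b"P" * (4 * KB), "excel.exe", users)
    results["prefix only"] = (len(partial.copies[0].data), partial.copies[0].truncated)
    return results
```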


7.1.2.10.1.4 Server Upload Settings for Shadowing

Define settings for uploading shadow copies of files to a central location on the “Server upload” tab.

DriveLock can copy shadowed files to a central network location so that administrators can review shadowed files
from a single location. To configure server uploads, type the UNC path of the shared folder that will store the files
and the credentials of a user account that can write to that folder. You must also specify the interval at which the
DriveLock agent copies files to the central location.


7.1.2.10.1.5 Shadowing Time Limitations

You can define the times when shadow copies are generated on the “Time limits” tab.

Select the appropriate time block or blocks by clicking one or more rectangles, an entire column or a row, and then
click “Rule active” or “Rule not active”.


7.1.2.10.1.6 Network Limitations

On the Network settings tab you specify whether shadowing is applied only in certain network locations.

Select from the following options:


· Activate this rule in all network locations

· Activate this rule only in the specified network locations

· Exclude the specified network locations from this rule

Click Add to add more network locations to the list.

7.1.2.10.1.7 Encryption

As with anonymizing event data, you may want to protect the shadow copies against access by unauthorized
persons. DriveLock always encrypts the shadow copies with an internal key before uploading them. Additionally,
you can protect that key either with a password or with the public keys of one or more certificates (four-eyes
principle). If you do so, you need to enter the password or the corresponding private keys of the certificates each
time you open the shadow copy storage.


If you lose the keys, you can no longer access the content of the shadow copies.

7.1.2.10.2 Configuring Shadow Copies in Drive Whitelist Rules

To activate file shadowing you must create a file filter template. Refer to the section “Creating a New File Filter
Template” for more information about creating file filter templates.
In a file filter template specify which files DriveLock creates a shadow copy of.


Configure whether DriveLock shadows no files, all files, or files written to or read from removable media. You can
additionally limit shadowing to specific file extensions or exclude files with specific extensions from shadowing.

You can create a separate file filter template specifically for the creation of shadow copies.

After configuring a shadowing template, assign it to a class of drives or a drive whitelist rule.
To assign a template to one of the drive classes (for example USB-connected drives), in the Properties dialog box for
the drive class, select the “Filter / Shadow” tab.


To activate shadowing, select “Audit and shadow files …” and then add a shadowing template.


To activate shadowing settings for a whitelist rule that differ from the general settings you configured for drives,
deselect “Use filtering settings …”, select “Audit and shadow files …” and then select a shadowing template.

7.1.2.10.3 Viewing Shadow Copies

You can view shadowed files by using the DriveLock Management Console. In the console tree, expand Operating and
then click Shadowed files.


Right-click Shadowed files and then click Choose folder/agent.

Type the UNC path of the central location where shadow copies are stored or type the name of a DriveLock Agent
computer with locally stored shadow copies. Click OK to view all shadow copies in the selected location.


After connecting to the location you specified, the DriveLock Management Console displays the shadow copies in the
right pane.

To view the properties of a shadow copy, double-click it or right click it and then click Properties.


Click “Extract shadowed files” to copy the shadowed file to another location, such as your administration
workstation. If you configured a password or certificates to protect the shadow copies, authenticate with the
corresponding password or private key when prompted.


To view information about the location where shadowed files are stored, right-click Shadowed files and then click
Properties.

The number of files in the shadow location and the timestamp of the oldest and newest file are displayed.
To customize the display of shadow files in the Management Console, configure the maximum number of files to
display and for how long the Management Console will try reading shadow files before timing out.
Click OK to close the dialog box.

7.2 Locking Devices


This manual uses a centrally stored policy to illustrate device locking. The example used shows how to control the
use of Windows Mobile devices, and how to allow connecting a specific Windows Mobile device to a computer.
Most steps also apply to other types of devices. Differences that may exist for other device types will be pointed out
along the way.

Configuring Agents by using a Group Policy or a configuration file uses the same settings as those used in a local
policy. There are no differences between these methods, except in how you deploy the settings to the Agents.

It is important to understand that DriveLock uses whitelist rules. After activating locking for a class of devices, any
device of this class is blocked (the “device firewall” is up and running and nothing is allowed to pass through). To
define any exception to the blocking of devices you need to create whitelist rules. This means that you must define a
whitelist rule for each device (or group of similar devices) that you need to use on a computer. If a device is not
recognized by the DriveLock Agent as being listed in a whitelist rule, DriveLock blocks the device and it can’t be used.
This ensures that any new devices that are introduced into your network by users are automatically blocked until
you explicitly allow their use.
Based on this basic principle, to complete a DriveLock configuration you should first create any required whitelist
rules and then enable the locking of devices.


Whitelist rules define which devices are accessible even while other devices of the same type can remain locked. To
allow for maximum granularity without unnecessary administrative overhead, you can define device whitelist rules
for different scopes of devices (rules are evaluated starting with rules that have a broad scope, continuing towards
more detailed rules).
You can define device whitelist rules for the following scopes:
· Device class (for example, all Bluetooth transmitters)

· Device bus (for example, all PCI network cards)

· Hardware ID (for example, a specific smartcard reader model)

In addition to the scope you can specify conditions for when and where a whitelist rule applies:
· Does it apply to all computers or only to certain computers?

· In which defined network location is the rule active?

· At what time is the rule active? (For example, only on Monday to Friday and between 9 A.M. and 6 P.M.)

· Does the rule apply to all users, or are only certain users allowed to use this device?

By using scopes and conditions, you can minimize the number of rules needed to implement your policy. (Computer
templates can also be used to create policy rules. Computer templates are covered in chapter “Using Computer
Templates”.)
To enable policy enforcement for most types of devices you also need to enable locking for the device class (i.e. you
have to activate the “device firewall”). This is covered in chapter “Enabling Device Locking”.

During an evaluation of DriveLock you may enable device locking first and afterwards define some whitelist
rules to enable specific devices. In a production environment it is recommended to create all required
whitelists rules before activating device locking.

7.2.1 Configuring Device Locking Using Basic Configuration Mode


The procedures for locking devices are similar to those for locking drives. By default, DriveLock doesn’t monitor any
devices other than drives, serial ports and parallel ports. You need to explicitly configure DriveLock to monitor
devices belonging to any device classes it recognizes. When you enable locking of a device class, all devices of this
class, including all devices connected to the type of controller or port you lock, are blocked, except those that are
allowed by a whitelist rule.
DriveLock distinguishes between controllers, ports and devices. You can lock the following types of controllers and
ports:
· Serial (COM) and Parallel (LPT) ports

· Bluetooth transmitters (interface)

· Infrared interfaces

· USB controllers

· FireWire (1394) controllers

· PCMCIA controllers

You can lock the following types of devices:


· Windows Mobile handheld devices and Smartphones

· Palm OS handheld devices and Smartphones


· Scanners and cameras

· Modems

· Printers

· Network adapters

· Smartcard readers

· Audio, video, and game controllers

· Blackberry devices

· Virtual devices (VMware)

· Mobile phones

· Human interface devices (for example, keyboards and mice)

· Media player devices

· Biometric devices

· Software protection devices (dongles)

· Secure Digital Host controllers

· Tape drives

· PCMCIA and flash memory devices

· IEC 61883 (AVC) bus devices

· Windows Media Center Extender devices

· Windows SideShow devices

· Sensor devices


Use the small arrow buttons to toggle the display of device type details.
To change settings for a device type (for example, Bluetooth radios), click the appropriate link. You can also use the
slider in the task view to highlight one of the device icons and then double click the highlighted icon.

A popup window appears, displaying the current configuration setting. Click Change.


The configuration dialog box is identical for all device types, except for serial and parallel ports. For information
about locking serial and parallel ports, refer to the section “Configuring Serial and Parallel Port Locking”.

To activate locking of devices in the selected class, select the “Enable locking and auditing devices of this type”
checkbox.


When DriveLock locks a device, a yellow exclamation mark is displayed next to it in Windows Device Manager.

You can also specify whether events for devices in this class are audited. If selected, the DriveLock Agent sends event
messages to destinations you defined, such as the Windows Application Log and the DriveLock Enterprise Service.
To exempt system devices, such as network miniport drivers or USB hubs, from device locking, select the
corresponding checkbox. To avoid configuring whitelist rules for such “software” devices, this option is enabled by
default. If you disable this option, you must define whitelist rules for all system devices that are required for normal
computer operations.
Click OK to save your settings.

Click Add whitelist rule to configure a new whitelist rule for this device class.


In the description field, type a name for the rule. To record additional information about the rule, you can type a
comment in the Comment field.
Define the scope of the rule by identifying the device. To specify all devices of the selected type that are connected to
a specific hardware bus, select Bus and then select the bus from the dropdown menu.
When you specify a bus in a whitelist rule, the rule is activated when any device in the selected class (for example,
Windows Mobile handhelds and Smartphones) is connected to the computer using the selected bus.

Example: To enable all PCI network cards in a computer, create a new whitelist rule for network adapters and
select “PCI” as the identifier. This enables all internal network adapters connected to the PCI bus while locking
all network adapters that are connected to an external bus, such as PCMCIA and USB.

For more granular device control you can create rules for devices with a specific hardware ID and compatible IDs.
Each device has a unique hardware ID. In addition Windows maintains a list of compatible hardware IDs. Windows
uses this hardware ID and any compatible IDs to find a driver for the device when it is connected to a computer.
Most hardware IDs can also contain a revision number that is assigned by the manufacturer but which is not used
when selecting the device driver. If a hardware ID contains a revision number, Windows uses one of the compatible
IDs that does not contain the number.
You can find the hardware ID in the Registry. It may also appear in Event Log messages. Type this hardware ID in the
corresponding field of the dialog box.

Ensure that there are no empty spaces before or after the hardware ID.

To easily determine the hardware ID, click “…” next to the hardware ID field and then locate the device in the list of
installed devices, the Windows hardware database, or in Device Scanner scan results.
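An added example, not DriveLock's own code, that models how a class lock, the “Do not lock system devices” exemption, bus-scoped and hardware-ID-scoped whitelist rules and the Permissions tab combine into a decision for one connected device. The class names and device samples are constructed (the VID/PID values are placeholders, not real products), and letting the most specific matching rule decide is this example's assumption about how the broad-to-detailed rule order resolves conflicts.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    """What Windows reports for a connected device (constructed samples below)."""
    device_class: str
    bus: str
    hardware_ids: Tuple[str, ...]          # Windows lists the ID with and without REV_
    compatible_ids: Tuple[str, ...] = ()
    is_system_device: bool = False


@dataclass(frozen=True)
class ClassLock:
    """The per-class dialog: 'Enable locking ...' and 'Do not lock system devices'."""
    locked: bool = False
    exempt_system_devices: bool = True      # enabled by default, as the guide notes


@dataclass(frozen=True)
class WhitelistRule:
    name: str
    device_class: str
    bus: Optional[str] = None               # scope: every device of the class on this bus
    hardware_id: Optional[str] = None       # scope: one hardware ID or compatible ID
    permission: str = "allow"               # "allow" | "deny_all" | "deny_except"
    allowed_groups: FrozenSet[str] = frozenset()


def normalize_id(hw_id: str) -> str:
    """Strip the stray spaces the guide warns about; IDs compare case-insensitively."""
    return hw_id.strip().upper()


def rule_matches(rule: WhitelistRule, device: Device) -> bool:
    if rule.device_class != device.device_class:
        return False
    if rule.bus is not None:
        return rule.bus.upper() == device.bus.upper()
    if rule.hardware_id is not None:
        # A rule written without REV_ matches because Windows also reports the
        # revision-free form of the hardware ID (and the compatible IDs).
        known = {normalize_id(i) for i in device.hardware_ids + device.compatible_ids}
        return normalize_id(rule.hardware_id) in known
    return False


def permission_allows(rule: WhitelistRule, groups: FrozenSet[str]) -> bool:
    listed = bool(rule.allowed_groups & groups)
    return {"allow": True, "deny_all": False, "deny_except": listed}[rule.permission]


def decide(class_locks: Dict[str, ClassLock], rules: List[WhitelistRule],
           device: Device, groups: FrozenSet[str]) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one device and one logged-on user."""
    lock = class_locks.get(device.device_class, ClassLock())
    if not lock.locked:
        return "allow", "class not locked"
    if lock.exempt_system_devices and device.is_system_device:
        return "allow", "system device exempt"
    matches = [r for r in rules if rule_matches(r, device)]
    if not matches:
        return "block", "no whitelist rule"     # the device firewall default
    # Broad bus rules are evaluated before hardware-ID rules; this example lets the
    # most specific matching rule decide (an assumption about how conflicts resolve).
    best = max(matches, key=lambda r: 2 if r.hardware_id else 1)
    return ("allow" if permission_allows(best, groups) else "block"), best.name


# Constructed sample data; VID/PID values are placeholders, not real products.
CLASS_LOCKS = {
    "Network adapters": ClassLock(locked=True),
    "Smartcard readers": ClassLock(locked=True),
    "USB controllers": ClassLock(locked=True),
}
RULES = [
    WhitelistRule("Internal NICs", "Network adapters", bus="PCI"),
    WhitelistRule("Finance card readers", "Smartcard readers",
                  hardware_id=" usb\\vid_0000&pid_1111 ",     # no REV_, stray spaces
                  permission="deny_except", allowed_groups=frozenset({"Finance"})),
]
PCI_NIC = Device("Network adapters", "PCI", ("PCI\\VEN_0000&DEV_0001&REV_02", "PCI\\VEN_0000&DEV_0001"))
USB_NIC = Device("Network adapters", "USB", ("USB\\VID_0000&PID_2222&REV_0100", "USB\\VID_0000&PID_2222"))
CARD_READER = Device("Smartcard readers", "USB",
                     ("USB\\VID_0000&PID_1111&REV_0101", "USB\\VID_0000&PID_1111"),
                     compatible_ids=("USB\\Class_0B",))
USB_HUB = Device("USB controllers", "USB", ("USB\\ROOT_HUB30",), is_system_device=True)


def demo() -> Dict[str, Tuple[str, str]]:
    finance = frozenset({"Domain Users", "Finance"})
    staff = frozenset({"Domain Users"})
    return {
        "pci nic": decide(CLASS_LOCKS, RULES, PCI_NIC, staff),
        "usb nic": decide(CLASS_LOCKS, RULES, USB_NIC, staff),
        "reader, finance user": decide(CLASS_LOCKS, RULES, CARD_READER, finance),
        "reader, other user": decide(CLASS_LOCKS, RULES, CARD_READER, staff),
        "usb root hub": decide(CLASS_LOCKS, RULES, USB_HUB, staff),
    }
```

Setting `exempt_system_devices=False` on "USB controllers" makes the root hub fall through to "no whitelist rule", which is why the guide says you must then whitelist every system device the computer needs.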


Click Refresh to display recently connected devices. Palm or Windows Mobile-based handheld computers are
usually connected to the computer while the HotSync or ActiveSync process is running.
In the list of installed devices, you can select “Hide system devices” to hide all Windows system devices. By default,
these devices are not locked. (You can change this by deselecting the option “Do not lock system devices” in the
device class configuration dialog box).
Select a device from one of the lists and then click OK.
To configure user access, click the “Permissions” tab and then specify which users can use the device.


Select one of the following options:


· Allow: Any authenticated user can use this device.

· Deny (lock) for all users: Nobody can use this device, it is completely locked.

· Deny (lock), but allow access for defined users and groups: The device is locked, but the specified users or
groups can use the device.
Click Add to select a user or group to add to the list. To delete an entry from the list, select the entry, and then click
Remove.
Click OK to save the whitelist rule.


A popup window appears, displaying the new settings. Click the close button to close the popup window.

The colors of the device type icons indicate the security level of your current configuration:
· Green icon: this device type is locked for all users (high security level)

· Yellow icon: this device type is locked for some users and unlocked for others (medium security level)

· Red icon: this device type is unlocked for all users (low security level)


Scroll down in the taskpad to the Network settings section.

Click Change to configure whether Wi-Fi connections are disabled when the computer is connected to a wired
network.

Select the checkbox to disable cross-network links. Click Finish to save the settings.


7.2.2 Configuring Advanced Device Locking Settings


Additional settings are available for controlling devices. To configure these settings, go to Devices -> Settings.

7.2.2.1 General Device Locking Settings

To configure general settings for locking devices, click Settings.

7.2.2.1.1 Configuring User Notification Messages for Locking Devices

By default, DriveLock displays a notification message when a device is connected to the computer and locked. To
modify the content of these messages, click Custom user notification messages.

If you configured multilingual messages for the current language, DriveLock will display the messages you
defined for this language instead of the messages configured in this dialog box.


Select “Display custom messages” to enable the messages specified on this dialog box. The device locking message is
displayed each time a device is locked by the Agent.
Type the message to be displayed to the user. When the message is displayed, the Agent replaces the variable
“%DEV%” with the actual name of the locked device.
Click the Test button to preview the notification message on your computer.

You can use certain HTML-tags, such as “<b>Text</b>”, to format a message.


7.2.2.1.2 Advanced Global Settings for Controlling Devices

To define the following additional settings, click the corresponding links in the task view:
· Restart devices when logged-on user changes: When activated, each time a new user logs onto the system,
DriveLock restarts all devices.

· Audit device restart: When activated, DriveLock generates audit events each time a device is restarted.

Available options for configuring each of these global settings are Enable, Disable, and Not configured.

7.2.2.2 Enabling Device Locking

Procedures for locking devices are similar to those for locking drives. By default, DriveLock doesn’t monitor any
devices other than drives, serial ports and parallel ports. You need to explicitly configure DriveLock to monitor
devices belonging to any device classes it recognizes. When you enable locking of a device class, all devices of this
class, including all devices connected to the type of controller or port you lock, are blocked, except those that are
allowed by a whitelist rule.
DriveLock distinguishes between controllers, ports, devices and smartphones. You can lock the following types of
controllers and ports:
· Serial (COM) and Parallel (LPT) ports

· Bluetooth transmitters (interface)

· Infrared interfaces

· USB controllers

· Firewire (1394) controllers

· PCMCIA controllers

You can lock the following types of smartphones:


· Apple iTunes-synchronized devices


o iTunes software restrictions

· Palm OS handheld devices and Smartphones

· Windows Mobile handheld devices and Smartphones

· BlackBerry devices

· Nokia mobile phones

You can lock the following types of devices:


· Scanners and cameras

· Modems

· Printers

· Network adapters

· Smartcard readers

· Audio, video, and game controllers

· Virtual devices (VMware)

· Human interface devices (for example, keyboards and mice)

· Media player devices

· Biometric devices

· Software protection devices (dongles)

· Secure Digital Host controllers

· Tape drives

· PCMCIA and flash memory devices

· IEC 61883 (AVC) bus devices

· Media Center Extender devices

· Windows SideShow devices

· Sensor devices

To enable device locking, in the DriveLock Management Console, in the console tree, click Local policy -> Devices ->
Device class locking.

Click Controllers and Ports, Devices or Smartphones to display the list of all device classes in that category.

Double-click a device class (such as Human Interface Devices) to open the configuration dialog box for that class.

Machine Learning
For many device types you can activate Machine Learning. When it is activated for the first time, the devices that are
connected at installation time are learned into a local whitelist and will be allowed during boot in the future.
Devices of the same type that are connected later are blocked. In the example above, a BadUSB stick that presents
itself as a keyboard is blocked. To relearn the local whitelist, run drivelock -recreatebootdevs from the command
line.
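The following Python model, added here as an illustration and not DriveLock’s own code, shows the boot-time learning behaviour described above: the devices of a learned class that are present at first activation form a local whitelist, a device of the same class that shows up later is blocked, and relearning (the equivalent of drivelock -recreatebootdevs) replaces the whitelist with whatever is attached at that moment. The device classes, hardware IDs and instance paths are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class Device:
    """One connected device as the Agent would see it (constructed sample data)."""
    device_class: str   # DriveLock device class, e.g. "Human Interface Devices"
    hardware_id: str    # Windows-style hardware ID; VID/PID values are placeholders
    instance: str       # instance path, so two identical models stay distinct


class BootDeviceLearner:
    """Hypothetical model of boot-device learning: the first time learning is
    active, every present device of a learned class goes into a local whitelist;
    later connections of the same class that are not whitelisted are blocked."""

    def __init__(self, learned_classes: Iterable[str]):
        self.learned_classes: Set[str] = set(learned_classes)
        self.whitelist: Set[Device] = set()
        self.learned = False

    def learn(self, connected: Iterable[Device]) -> Set[Device]:
        """Record the currently connected devices. Runs once on first activation
        and again whenever an administrator relearns the local whitelist."""
        self.whitelist = {d for d in connected if d.device_class in self.learned_classes}
        self.learned = True
        return self.whitelist

    def decide(self, device: Device) -> str:
        if device.device_class not in self.learned_classes:
            return "not controlled"      # class not under learning; other rules decide
        if not self.learned:
            return "allowed"             # nothing learned yet, nothing to compare against
        return "allowed" if device in self.whitelist else "blocked"


# Constructed inventory: what was attached when learning first ran.
BUILTIN_KEYBOARD = Device("Human Interface Devices", r"ACPI\PNP0303", r"ACPI\PNP0303\4&1")
BUILTIN_TOUCHPAD = Device("Human Interface Devices", r"ACPI\PNP0F13", r"ACPI\PNP0F13\4&2")
USB_PRINTER = Device("Printers", r"USB\VID_1234&PID_0001", r"USB\VID_1234&PID_0001\A1")
BOOT_DEVICES = [BUILTIN_KEYBOARD, BUILTIN_TOUCHPAD, USB_PRINTER]

# Plugged in later: a USB stick whose firmware enumerates as a keyboard.
ROGUE_HID = Device("Human Interface Devices", r"USB\VID_1234&PID_BAD1", r"USB\VID_1234&PID_BAD1\7&3")


def demo() -> dict:
    learner = BootDeviceLearner(["Human Interface Devices"])
    learner.learn(BOOT_DEVICES)
    first_boot = {d.instance: learner.decide(d) for d in BOOT_DEVICES + [ROGUE_HID]}

    # Caveat: relearning while the rogue device is attached whitelists it, so
    # relearn only on a machine whose attached devices you have just verified.
    learner.learn(BOOT_DEVICES + [ROGUE_HID])
    return {"first_boot": first_boot, "rogue_after_relearn": learner.decide(ROGUE_HID)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The printer is reported as "not controlled" because learning was enabled only for the HID class; it remains subject to the ordinary device class locking and whitelist rules.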
The configuration dialog box is identical for all device types, except for serial and parallel ports. For information
about locking serial and parallel ports, refer to the section “Configuring Serial and Parallel Port Locking”.

When you lock a device, the Windows Device Manager displays a yellow warning icon next to it.

Also, in the configuration dialog box, you can specify whether events for devices in this class are audited. If selected,
the DriveLock Agent sends event messages to the destinations you defined, such as the Windows Application Log and the
DriveLock Enterprise Service.
To exempt system devices, such as network miniport drivers or USB hubs, from device locking, select the
corresponding checkbox. To avoid configuring whitelist rules for such “software” devices, this option is enabled by
default. If you disable this option, you must define whitelist rules for all system devices that are required for normal
computer operations.

7.2.2.3 Granular Control of iTunes-Synchronized Devices

For iTunes-synchronized devices, granular control options are available. This differs from other device classes,
which only let you allow or deny access. This granularity lets you control the use of mobile Apple devices, such as
iPhones and iPods, and monitor data transfers between computers and such devices. This functionality is in addition
to the restrictions you can configure in iTunes itself, such as deactivating Apple TV.

You can configure restrictions on these devices under Extended configuration -> Devices -> Device class locking ->
Smartphones -> Apple iTunes-synchronized devices. On the Filter/Audit tab, select which of the following data types
will be blocked during synchronization:
· Music

· Videos

· Pictures

· Applications

· Audio books

· eBooks (and PDF files)

· Contacts

· Calendars

· Mail accounts

· Bookmarks

· Notes

Select “Audit all transferred files and data” to create audit events for all data transfers. This functionality is similar
to file auditing for drives.

To restrict data transfers using iTunes, click Extended configuration -> Devices -> Device class locking -> Smartphones
-> iTunes software restrictions. Select Set to value and then select any of the following options:
· Device synchronization

§ Require encrypted device backups

§ Disable registering new devices

§ Disable automatic device synchronization

· Software updates

§ Disable checking for iTunes updates

§ Disable checking for App updates

§ Disable checking for device firmware updates

· Media functions

§ Disable podcasts

§ Disable iTunes store

§ Disable explicit content

§ Disable Internet radio

§ Disable iTunes ministore

§ Disable loading album artwork

§ Disable plugins

§ Disable opening streams

§ Disable Apple TV

§ Disable diagnostics

§ Disable sharing

§ Disable home sharing

§ Disable iTunes Ping!

§ Allow access to iTunes U

You can configure custom user notifications on the “Messages” tab.

Select the “Display custom message in user notification” checkbox to activate the user notification message for the
whitelist rule.
In the text edit box, type the message. DriveLock will display this message regardless of the client computer’s
language setting. If you use this type of notification message, DriveLock displays a key icon near the top left corner
of the text edit field.
If you have defined multilingual messages you can select this message type instead. To select a multilingual
message, click the “down arrow” button and then on the drop-down menu click “Select multilingual message”.
Multilingual messages contain separate messages in multiple languages for the same notification. Before you can
use such a message, you must define it in the Global configuration section of the policy. When you select a
multilingual notification message, DriveLock displays the text in the language of the currently logged-on user.
Click the message and then click OK.
If you use this type of notification message, DriveLock displays a speech bubble icon near the top left corner of the
text edit field.
To also display the message when a user connects a drive and the rule allows access, select the “Also display
message when access is granted” checkbox. To not display any notification message when this rule is activated,
including any default language message that you defined for all drives, select the “Display no message when rule is
activated” checkbox.
To not generate any audit events when this rule is activated, select the corresponding check box.
To have the user accept a usage policy before granting access, activate the “User must accept usage policy before
rule will be applied” checkbox. To also require a password, type and confirm the password that a user needs to provide
to access the drive.
Click OK to accept the settings.

Click iTunes software restrictions to specify which iTunes functions users can access and how iTunes will be
configured on users’ computers.

Select “Set to value” and then select each setting that you want to enable and clear all settings you want to disable.
Click OK to accept the settings.

7.2.2.4 Configuring Serial and Parallel Port Locking

You can lock serial (COM) and parallel (LPT) ports for all users or allow access only for selected users and groups.
Additional granularity and whitelist rules are not available for these types of ports.

Select from the following options:


· Allow: All authenticated users can access the ports.

· Deny (lock) for all users: Nobody can access the ports; they are completely locked.

· Deny (lock), but allow access for defined users and groups: The ports are locked, but the specified users or
groups are allowed to use the ports.
To add an entry, click Add and then select a user or group. To remove an entry, select the user or group and then click
Remove.

Palm OS and Windows CE devices that are connected using a serial port can only be controlled by blocking
serial ports altogether. You can’t control such devices by using the device classes “Windows CE Handhelds and
Smartphones” or “Palm OS Handhelds and Smartphones” because Windows can’t identify which specific
devices are connected to a serial port.

7.2.2.5 Creating Device Rules

You configure whitelist rules for devices the same way as drive whitelist rules. The following example illustrates
how to create a whitelist rule for a modem.

In the console tree, expand Devices, expand Device whitelist rules, expand Modems, right-click Modems, and then
click New -> Device or bus.
In the “New whitelist rule Properties” dialog box, configure the settings for locking the device.

In the description field, type a name for the rule. To record additional information about the rule, you can type a
comment in the Comment field.
Define the scope of the rule by identifying the device. To specify all devices of the selected type that are connected to
a specific hardware bus, select Bus and then select the bus from the dropdown menu.
When you specify a bus in a whitelist rule, the rule is activated when a device in the selected class (for example,
Modems) is connected to the computer using the selected bus.

Example: To enable all PCI network cards in a computer, create a new whitelist rule for network adapters and
select “PCI” bus as the identifier. This enables all internal network adapters connected to the PCI bus while
locking all network adapters that are connected to an external bus, such as PCMCIA and USB.

If no predefined device bus matches your needs, specify a new adapter type by typing the bus identifier in the
corresponding field.
In some cases whitelist rules can conflict with each other. In such cases, DriveLock uses the following rules to
determine whether a device is locked or access is allowed:
· Bus locked and device allowed -> device allowed

· Bus locked and device locked -> device locked

· Bus allowed and device locked -> device locked

· Bus allowed and device allowed -> device allowed


If a device or bus is locked by one rule and access is allowed by another, access to the device or bus is allowed.
Rules that are defined by using computer templates are processed the same way as manually created whitelist rules.
For more granular device control you can create rules for devices with a specific hardware ID and compatible IDs.
Each device has a unique hardware ID. In addition, Windows maintains a list of compatible hardware IDs. Windows
uses this hardware ID and any compatible IDs to find a driver for the device when it is connected to a computer.
Most hardware IDs can also contain a revision number that is assigned by the manufacturer but which is not used
when selecting the device driver. If a hardware ID contains a revision number, Windows uses one of the compatible
IDs that does not contain the number.
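To make the two preceding points concrete, the Python below is an added illustration (not DriveLock’s code) of how a bus rule and a hardware-ID rule are matched against a device, and how the four conflict cases above resolve: a rule naming the specific device outranks a bus rule. The tie-break within one level (access allowed by any matching rule wins) is an assumption taken from the sentence that a device locked by one rule and allowed by another is allowed. Hardware IDs are normalized for stray blanks and case, and a trailing manufacturer revision is ignored the way Windows does when it falls back to a compatible ID. Vendor and product IDs are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DeviceInfo:
    """A device as Windows reports it (constructed sample data)."""
    device_class: str
    bus: str                      # enumerator bus, e.g. "USB" or "PCI"
    hardware_ids: List[str]       # most specific first, may carry a &REV_ suffix
    compatible_ids: List[str]     # generic fallbacks Windows keeps alongside


@dataclass
class WhitelistRule:
    """A device whitelist rule identified either by bus or by hardware ID."""
    device_class: str
    access: str                   # "allow" or "deny"
    bus: Optional[str] = None
    hardware_id: Optional[str] = None


def normalize_id(hwid: str) -> str:
    # Trim stray blanks (the guide warns about them); PnP IDs are case-insensitive.
    return hwid.strip().upper()


def strip_revision(hwid: str) -> str:
    # Drop a manufacturer revision such as "&REV_0100": Windows ignores it for
    # driver selection and keeps a compatible ID without it.
    return re.sub(r"&REV_[0-9A-F]+", "", hwid, flags=re.IGNORECASE)


def rule_matches(rule: WhitelistRule, dev: DeviceInfo) -> bool:
    if rule.device_class != dev.device_class:
        return False
    if rule.bus is not None:
        return rule.bus.strip().upper() == dev.bus.upper()
    if rule.hardware_id is None:
        return False
    target = strip_revision(normalize_id(rule.hardware_id))
    ids = {normalize_id(i) for i in dev.hardware_ids + dev.compatible_ids}
    ids |= {strip_revision(i) for i in ids}
    return target in ids


def evaluate(rules: List[WhitelistRule], dev: DeviceInfo, class_locked: bool = True) -> str:
    """Resolve conflicting rules: device-specific rules outrank bus rules
    (the guide's four cases); within one level an allow wins (assumption)."""
    by_device = [r.access for r in rules if r.hardware_id is not None and rule_matches(r, dev)]
    by_bus = [r.access for r in rules if r.bus is not None and rule_matches(r, dev)]
    for level in (by_device, by_bus):
        if level:
            return "allowed" if "allow" in level else "locked"
    return "locked" if class_locked else "allowed"     # no rule: class setting decides


# Constructed sample devices; vendor/product IDs are placeholders.
PCI_NIC = DeviceInfo("Network adapters", "PCI",
                     [r"PCI\VEN_1234&DEV_0001&SUBSYS_00011234&REV_02", r"PCI\VEN_1234&DEV_0001"],
                     [r"PCI\VEN_1234&CC_020000", r"PCI\CC_0200"])
USB_NIC = DeviceInfo("Network adapters", "USB",
                     [r"USB\VID_1234&PID_5678&REV_0100"],
                     [r"USB\VID_1234&PID_5678", r"USB\CLASS_FF"])

ALLOW_PCI_BUS = WhitelistRule("Network adapters", "allow", bus="PCI")
ALLOW_USB_BUS = WhitelistRule("Network adapters", "allow", bus="USB")
DENY_USB_BUS = WhitelistRule("Network adapters", "deny", bus="USB")
# Typed with surrounding blanks and lower case on purpose: normalization absorbs both.
ALLOW_THIS_USB_NIC = WhitelistRule("Network adapters", "allow", hardware_id=" usb\\vid_1234&pid_5678 ")
DENY_THIS_USB_NIC = WhitelistRule("Network adapters", "deny", hardware_id=r"USB\VID_1234&PID_5678&REV_0100")


def demo() -> dict:
    return {
        "pci_nic_via_bus_rule": evaluate([ALLOW_PCI_BUS], PCI_NIC),
        "usb_nic_without_rule": evaluate([ALLOW_PCI_BUS], USB_NIC),
        "bus_locked_device_allowed": evaluate([DENY_USB_BUS, ALLOW_THIS_USB_NIC], USB_NIC),
        "bus_allowed_device_locked": evaluate([ALLOW_USB_BUS, DENY_THIS_USB_NIC], USB_NIC),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The PCI case reproduces the guide’s own example: one bus rule enables the internal adapter while the USB adapter stays locked until a rule names it.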
To specify a device, type its hardware ID in the corresponding field. You can find the hardware ID in the Windows
Event Log or in the registry of the computer.

Ensure that no blank spaces precede or follow the hardware ID.

To determine the hardware ID more easily, click “…” next to the hardware ID field and then use the built-in hardware
database or Device Scanner scan results to find the device.

Select currently installed local devices or connect to an Agent running on another computer to obtain a list of
devices currently connected to that computer.
Click Refresh to display recently connected devices. Palm or Windows Mobile-based handheld computers are
usually connected to the computer while the HotSync or ActiveSync process is running.
Select “Hide system devices” to hide all Windows system devices, which are not locked by default (as determined by
the option “Do not lock system devices” in the device class configuration dialog box).
Additionally, click the Hardware database or Device Scanner database tabs and then select a device from the list.
The hardware database contains information about all devices for which drivers are included with the operating
system. DriveLock provides access to this list to make it easy to configure devices, but DriveLock has no control over
this list. You can add devices to the hardware database by using an INF file that contains information about the
device. Such .INF files are typically included with device drivers that hardware manufacturers include with their
products.
To import new device data from an .INF file into the database, click Import.

Select whether to import data from a single file or from all .INF-files in a directory, and then select the file or
directory.

7.2.2.6 Additional Device Whitelist Rule Settings

7.2.2.6.1 User Permissions

To configure user access, click the “Permissions” tab and then define how users can access the device.

Select one of the following options:


· Allow: Any authenticated user can use this device.

· Deny (lock) for all users: No user can use this device; it is completely locked.

· Deny (lock), but allow access for defined users and groups: The device is locked, but the specified users or
groups can use the device.
Click Add to select a user or group to add to the list. To delete an entry from the list, select the entry, and then click
Remove.

7.2.2.6.2 Time Limit Settings

If you want a rule to be active only during a certain time (for example only on Wednesdays, or on weekdays between
9 A.M. and 5 P.M.), you can specify time limits for the rule. You can also specify start and end dates for a whitelist
rule on the “Time limits” tab.

First select the appropriate time block or blocks by clicking one or more rectangles, an entire column or a row, and
then click “Rule active” or “Rule not active”.

7.2.2.6.3 Settings for Computers

The “Computers” tab lets you define the computer(s) on which a whitelist rule is applied.

Select from the following options:


· Activate this rule on all computers

· Activate this rule only on the specified computers

· Exclude specified computers from this rule

Click Add to add more computers to the list.

7.2.2.6.4 Network Settings

On the Network settings tab you configure whether the rule is applied only in certain network locations.

Select from the following options:


· Activate this rule at all network locations

· Activate this rule only at the specified network locations

· Exclude the specified network locations from this rule

Click Add to add more defined network locations to the list.

7.2.2.6.5 User and Group Validation

On the Users settings tab you specify whether the rule is applied only to certain users and user groups.

User and group validation is different from user permissions defined on the Permissions tab. Validation only
determines whether a rule is applied to a user. If the rule is applied, DriveLock then allows or denies access
based on the rule’s permission settings.

Select from the following options:


· Activate this rule for all users

· Activate this rule only for specified users or user groups

· Exclude specified users or user groups from this rule

Click Add to add more users or user groups to the list.
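Sections 7.2.2.6.1 through 7.2.2.6.5 describe two separate stages, and the note above is easy to misread without seeing them side by side: the Time limits, Computers, Network settings and Users tabs decide whether a rule applies at all (validation), and only then does the Permissions tab decide whether access is granted. The Python below is an added model of that two-stage evaluation, not DriveLock’s code; the rule, users, computers, network names and dates are constructed.

```python
from dataclasses import dataclass, field, replace
from datetime import date, datetime
from typing import List, Optional, Set, Tuple


@dataclass
class Scope:
    """One of the three choices on the Computers, Network settings and Users tabs."""
    mode: str = "all"                    # "all" | "only" | "exclude"
    items: Set[str] = field(default_factory=set)

    def applies(self, values: Set[str]) -> bool:
        if self.mode == "all":
            return True
        hit = bool(values & self.items)  # for users: the user or any of their groups
        if self.mode == "only":
            return hit
        if self.mode == "exclude":
            return not hit
        raise ValueError(f"unknown scope mode {self.mode!r}")


@dataclass
class TimeLimits:
    """The weekday x hour grid on the Time limits tab plus optional start/end dates."""
    grid: List[List[bool]] = field(default_factory=lambda: [[True] * 24 for _ in range(7)])
    start: Optional[date] = None
    end: Optional[date] = None

    def set_blocks(self, weekdays, hours, active: bool) -> None:
        for wd in weekdays:              # Monday == 0, as datetime.weekday() numbers them
            for h in hours:
                self.grid[wd][h] = active

    def applies(self, when: datetime) -> bool:
        if self.start is not None and when.date() < self.start:
            return False
        if self.end is not None and when.date() > self.end:
            return False
        return self.grid[when.weekday()][when.hour]


@dataclass
class DeviceRule:
    name: str
    permission: str                      # "allow" | "deny_all" | "deny_except"
    permitted: Set[str] = field(default_factory=set)   # users/groups for deny_except
    computers: Scope = field(default_factory=Scope)
    networks: Scope = field(default_factory=Scope)
    users: Scope = field(default_factory=Scope)
    time: TimeLimits = field(default_factory=TimeLimits)


@dataclass
class Context:
    user: str
    groups: Set[str]
    computer: str
    network: str
    when: datetime

    @property
    def principals(self) -> Set[str]:
        return {self.user} | self.groups


def rule_applies(rule: DeviceRule, ctx: Context) -> bool:
    """Validation stage: does the rule apply in this context at all?"""
    return (rule.computers.applies({ctx.computer})
            and rule.networks.applies({ctx.network})
            and rule.users.applies(ctx.principals)
            and rule.time.applies(ctx.when))


def rule_permits(rule: DeviceRule, ctx: Context) -> bool:
    """Permission stage: given that the rule applies, does it grant access?"""
    if rule.permission == "allow":
        return True
    if rule.permission == "deny_all":
        return False
    return bool(ctx.principals & rule.permitted)


def decide(rules: List[DeviceRule], ctx: Context, class_locked: bool = True) -> Tuple[str, Optional[str]]:
    applicable = [r for r in rules if rule_applies(r, ctx)]
    if not applicable:                   # no rule applies: the device class setting decides
        return ("locked" if class_locked else "allowed", None)
    for r in applicable:                 # access allowed by any applicable rule wins
        if rule_permits(r, ctx):
            return ("allowed", r.name)
    return ("locked", applicable[0].name)


# Constructed policy: label printers, all staff in scope, warehouse group permitted,
# corporate network only, Monday to Friday 9:00 to 16:59.
OFFICE_HOURS = TimeLimits()
OFFICE_HOURS.set_blocks(range(7), range(24), False)
OFFICE_HOURS.set_blocks(range(0, 5), range(9, 17), True)
LABEL_PRINTER_RULE = DeviceRule(
    name="Label printers", permission="deny_except", permitted={"Warehouse"},
    users=Scope("only", {"Staff"}), networks=Scope("only", {"Corporate LAN"}), time=OFFICE_HOURS)


def demo() -> dict:
    wed_10 = datetime(2024, 5, 15, 10, 0)    # a Wednesday (constructed)
    sat_10 = datetime(2024, 5, 18, 10, 0)    # a Saturday (constructed)
    alice = Context("alice", {"Staff", "Warehouse"}, "WH-PC-01", "Corporate LAN", wed_10)
    bob = Context("bob", {"Staff"}, "HQ-PC-07", "Corporate LAN", wed_10)
    rules = [LABEL_PRINTER_RULE]
    return {
        "warehouse_wed": decide(rules, alice),                               # rule applies, permits
        "warehouse_sat": decide(rules, replace(alice, when=sat_10)),          # rule does not apply
        "warehouse_home": decide(rules, replace(alice, network="Home Wi-Fi")),
        "staff_not_warehouse": decide(rules, bob),                           # applies, but denies
    }
```

Bob’s case is the one the note is about: the rule is validated for him because he is in Staff, so it applies and then denies, whereas on Saturday or at home no rule applies to Alice and the locked device class decides.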

7.2.2.6.6 Additional Options

Select the “Display custom message in user notification” checkbox to activate the user notification message for the
whitelist rule.
In the text edit box, type the message. DriveLock will display this message regardless of the client computer’s
language setting. If you use this type of notification message, DriveLock displays a key icon near the top left corner
of the text edit field.
If you have defined multilingual messages you can select such a message instead. To select a multilingual message,
click the “down arrow” button and then on the drop-down menu click “Select multilingual message”.
Multilingual messages contain different messages in multiple languages for the same notification. Before you can
use such a message you must define it in the Global configuration section of the policy. When you select a
multilingual notification message, DriveLock displays the text in the language of the currently logged-on user.
Click a message and then click OK.
If you use this type of notification message, DriveLock displays a speech bubble icon near the top left corner of the
text edit field.
To display the same message when a user connects a drive and the rule allows access, select the “Also display
message when access is granted” checkbox.
To not display any notification message when this rule is activated, including any default language message that
you defined for all drives, select the “Display no message when rule is activated” checkbox.
To not generate any audit events when this rule is activated, select the corresponding check box.

7.2.2.7 Using Computer Templates

Use computer templates to allow access to all standard devices on a computer model.
Access to devices that you include in a computer template is always allowed without requiring you to create
separate device whitelist rules for them.
You can base a computer template on devices in the DriveLock hardware database or on the devices currently
connected to your own computer. The built-in hardware database already contains information about many popular
and widely deployed computer models.

You can also create a template based on device types. Use this method to define a collection of devices that you
want to allow or deny access to, such as a pool of scanners.

To display all devices that are allowed because of templates you have configured along with any whitelist rules,
right-click Device whitelist rules and then click Show template rules. Use the rule icon to distinguish between the
two types of rules.

7.2.2.7.1 Creating a New Computer Template

To create a new computer template, right click Computer templates and then click New -> Template.

7.2.2.7.1.1 Creating a Computer Template Based On the Local Computer

Select Local System as the template source and then click OK.

Type a name for the computer template (for example the computer name or type).
Click the Device tab to have DriveLock detect all devices that are currently connected to your computer and add them
to the device list.
Refer to the section “Working with Computer Templates” for information about how to add additional devices and
configure permissions.

7.2.2.7.1.2 Creating a Computer Template Based On a Remote Computer

The steps for creating a computer template from a remote computer are almost identical to those for creating a
template from local information.
To create a template based on a remote computer, the DriveLock Agent must be installed and running on that
computer.
Select Remote agent on computer, type the name of the remote computer, and then click OK.

To establish a connection to a remote computer running Windows XP SP2 or later with the Windows Firewall
enabled, you must configure the Windows Firewall to allow incoming connections from TCP Ports 6064 and
6065 (default) and access by the program “DriveLock”.

Click the Device tab to have DriveLock detect all devices that are currently connected to the remote computer and add
them to the device list.

Refer to the section “Working with Computer Templates” for information about how to add additional devices and
configure permissions.

7.2.2.7.1.3 Creating a Pre-Defined Template from the Database

Use a pre-defined template from the hardware database to create a new template that is based on built-in
information or information based on a previous scan.

Check Pre-defined template from database and then click OK to open the hardware database.

Select the existing template that you want to use, and then click OK.
DriveLock reads the template information from the database and adds them to the template’s device list.
Refer to the section “Working with Computer Templates” for information about how to add additional devices and
configure permissions.

7.2.2.7.1.4 Creating an Empty Template

Check Create empty template and then click OK to create a new empty template. You can add device information to
this template later.

On the Device tab, no devices are listed.


Refer to the section “Working with Computer Templates” for information about how to add additional devices and
configure permissions.

7.2.2.7.2 Working with Computer Templates

Unless you created an empty template, DriveLock has automatically added devices to the template, either from the
local computer, a remote computer or the built-in hardware database.
Use the device list to edit, add or delete listed devices.

The type “info only” indicates that DriveLock recognizes the device but cannot lock this type of device.

7.2.2.7.2.1 Editing a Computer Template Device List

Select a device and then click Properties to change its description, device class or type (bus or single device).

Configuring the properties of a device that is part of a template is similar to configuring a device whitelist rule. See
the section “Creating Device Rules” for more information about configuring devices by using whitelists.
Click Disable to deactivate the selected device in the current template. The device remains in the template but is
locked. You can later simply re-activate the device, if required.
Click Add or Remove to add devices to or remove devices from a template. This procedure is identical to adding a
device to or removing a device from a whitelist rule (see the section “Creating Device Rules” for more information).

7.2.2.7.2.2 Importing New Devices into a Computer Template

To import devices into a template, click Import and then select a source to import device data from.

You can import device information from a local computer, a remote computer or the hardware database by
performing the same steps as those for selecting a template source when creating a new template.
To import devices from an .INF file, for example an .INF supplied by a device manufacturer, click From file and then
select the file to import device information from.

7.2.2.7.2.3 Exporting Devices from a Computer Template

Click Export to save a device list to an .INI file or to your hardware database.

Ensure that the template has been named and saved before exporting its data to the hardware database.

To save device data in the hardware database, click To hardware database and then select a manufacturer from the
list. The data will be associated with that manufacturer in the database.

Click OK to proceed.
To export the current device list to an .INI file, select To file and select a file name.

7.2.2.7.2.4 Defining Computer Template Permissions

By default a template allows access to all the devices in it for all users. To change this, click the Permissions tab of
the template.

Check “Deny (lock), but allow access for defined users and groups” to allow access to the devices in the template only
to specific users. Click Add to add users and groups who are allowed to use the devices. Click Remove to remove the
selected user or group from the list.

7.2.2.7.2.5 Activating a Computer Template

To enable a computer template, on the General tab, select “Activate template” and then click OK. Once the template
has been activated, DriveLock allows access to all devices in it, according to the template settings you defined.

7.2.2.7.2.6 Displaying Devices Defined By a Computer Template

This option displays all computer template rules you created along with the whitelist rules for the corresponding
device class. To enable the display of template-based rules, right-click Device and then click Show template rules.
Template rules are identified by an icon with a yellow cogwheel.
You can’t edit whitelist rules created by a template directly. Instead, to modify or delete such a rule, edit the
corresponding template.

Part VIII Configuring Network Locations and Profiles

8 Configuring Network Locations and Profiles

DriveLock allows you to configure settings and rules for computers based on the network the computer is connected
to. This functionality is especially useful for laptop computers and other mobile computers because they often
connect to various networks in multiple locations, such as an office, at home or at a customer’s site.
Connections to unmanaged networks create new security threats and risks because you don’t control these networks.
While you can enforce that all employees must use your internet gateway to access the Internet while the computer
is connected to your company’s network, you can’t maintain this control when a sales engineer connects his laptop
to his private network at home. When a corporate computer is connected to an unmanaged network you can’t rely on
the security components, such as firewalls and antivirus software, being in place. As a result, your security policy
and standard mobile computer configuration must be restrictive enough to be effective when a computer is
connected to either a managed or an unmanaged network. Often these added security measures can make it more
difficult to perform business tasks while a computer is connected to your network.
DriveLock lets you define whitelist rules that are applied depending on the network a computer is connected to. For
example, you can block a network adapter whenever a computer attempts to connect to a network other than your
corporate network (although this particular policy may be overly restrictive in most environments). You can also use
DriveLock to automatically configure some common computer settings based on the current network to make it
easier for users to roam between networks. These settings include the Internet Explorer network configuration,
Windows Messenger settings and the default printer. DriveLock can also initiate a Group Policy update whenever it
detects that the network has changed.
You can use network profiles in conjunction with DriveLock Application Control. This lets you allow or deny
programs depending on the current network environment. For example, you can prevent users from using Skype or
Microsoft Messenger while at work, but allow them to use these programs at home or while traveling.
Network profiles can also be used for configuring antivirus scan engine settings. For example, you can set scanning
heuristics to a higher level when client computers are connected to unknown networks to scan more aggressively for
malware.
You define network locations and configuration policies by using the DriveLock Management Console or the Group
Policy Object Editor.

This section covers how DriveLock identifies networks and how to use network locations to define policies.

When a network cable is disconnected during sleep or hibernation mode and the computer doesn’t connect to a
network after resuming, DriveLock does not detect that the computer is offline until you restart the
computer.

Once you have configured network locations, you can use them in whitelist rules, including drive rules, device rules
and Application Launch Filter rules.
When configuring whitelist rules, click the “Networks” tab and select one of the options.

“Rule is activated at any network location” is the default selection when you create a new whitelist rule.

If you change the default settings, add at least one existing network location. To add a network location, click Add,
select one or more locations, and then select whether the rule is active in these locations.

8.1 Configuring Global Network Profiles Settings

There are three global network profile settings that are not specific to any particular network profile. Two of these
settings define how network profiles appear to users and the third specifies whether Wi-Fi connections are allowed
while a computer is connected to a wired network. You can find more information about private network profiles in
the section “Defining User-Specific Network Profiles”.

8.1.1 Defining Network Profile End-User Appearance


Select Taskbar notification area setting to configure whether users are alerted to network connection changes and
how these notifications are displayed.

To hide network profiles completely, deselect Show notification area icon. When this option is selected, the icons
defined in network profiles are displayed as tray icons in the taskbar. You can also select whether the icon is always
displayed or only while a message is displayed.
Use the slider to select for how long messages are displayed.

8.1.2 Disabling Simultaneous Wi-Fi and LAN Connections


DriveLock can disable a wireless network adapter while the computer is connected to a wired LAN to prevent the
bridging of networks, which can endanger the security of your company’s network.
To prevent bridging between wired and wireless networks, select Disable Wi-Fi connections when computer is
connected to a LAN and then select Enable.

8.1.2.1 Using Third-Party VPN Clients

When you select the option to disable Wi-Fi connections while connected to a LAN and you use a third-party VPN
client (i.e. not the VPN client built into Windows) to connect to a corporate LAN, an additional configuration step is
required.
Many third-party VPN clients appear in Windows as a virtual network adapter and are indistinguishable to
DriveLock from wired network connections. When a user connects to the corporate network using such a VPN client,
DriveLock detects that a LAN connection exists and disables the Wi-Fi connection if your configuration prohibits
simultaneous connections. If the VPN connection was established over a Wi-Fi network, the VPN connection will fail.
To prevent this from happening you need to create an exception for the VPN client’s virtual network adapter.
To do this, right-click Network profiles -> Locations / Sites, point to New and then click Network adapter.

In the Properties dialog box, on the Adapter tab, configure the following settings:
Select a method to uniquely and reliably identify the VPN client’s virtual network adapter. If the virtual network
adapter is installed on the local computer, you can import its current settings. Otherwise, you need to select one or
more of the following checkboxes and define the associated settings:
· Interface name: Name of the network connection. This is not very reliable as network interfaces can be
renamed.

· Network adapter name: Name of the network adapter. This name generally doesn’t change.

· Adapter type: Type of the virtual network adapter. The type varies based on the VPN client’s vendor.

To ensure that DriveLock correctly identifies the adapter, select one or both of the following checkboxes:
· Do not detect this network location as LAN connection: DriveLock does not identify the connection as a LAN
connection and any rules that apply to LAN connections are not applied.

· Do not detect this network location as Wi-Fi connection: DriveLock does not identify the connection as a Wi-Fi
connection and any rules that apply to Wi-Fi connections are not applied.

8.2 Defining Network Locations


To configure settings and assign whitelist rules based on a network connection, you must define how DriveLock
identifies networks. You can define the following types of locations:
· Active Directory site

· Network location (based on IP address information)

· Network adapter

· Geographic location

· Wireless network SSID

· Special location

· Command result

To define a network location, right-click Location/Sites, point to New, and then click the type of network to define.
For each type you must select an associated configuration profile from the dropdown list.

If you have not created any configuration profiles yet, don’t select a profile at this time. Instead, finish creating
locations and then specify profiles later by double-clicking each network location to open the configuration
dialog box and selecting the appropriate profile.

You can also select an icon to be displayed in the computer’s system tray when the computer is connected to the
network you are defining.
When you configure a network location you must specify what the DriveLock Agent will do when the computer is
connected to the location. Select one of the actions on the “Action” tab:

Use caution when configuring Agents to disable network connections. If you inadvertently configure DriveLock
to block network connection until manual intervention, you must manually undo this configuration on each
computer because remote control connections to that computer are no longer possible.

8.2.1 Active Directory Site


When you select an Active Directory site, the location is determined by using the name of the site that the computer is
currently connected to.

Import the current settings by clicking Import current settings. DriveLock uses the current site information from
Active Directory and automatically completes fields “AD Site name” and “Domain GUID”. To specify a different site,
type the name of that site, or click “…”, to select the appropriate site from Active Directory.
Select an icon to display in the system tray when the connection is detected by the DriveLock Agent.

8.2.2 Network Location Based on IP Information


To define a network location based on an IP address range, click Network location on the context menu.

Type the name of the location and select a symbol to be used for the taskbar icon. On the “IP settings” tab, configure
the location by providing its IP information.

You can import the network setting from one of the current network connections or type the information. Select one
or more address criteria, such as the IP address range, the name of the primary DNS domain, the default gateway
address or the DHCP server address.

8.2.3 Network Adapters


Network locations based on the network adapter are normally used to identify third-party VPN client connections.
For more information about defining such network locations, refer to the section "Using Third-Party VPN Clients".

8.2.4 Geographic Locations


You can create network locations that are based on a computer’s external IP address. When you define such a
location, DriveLock attempts to detect the computer’s public IP address, compares the result to its local GEO-IP
database, and then assigns the computer to the country that the address is registered in.
To identify a client computer based on the country where it is located, right-click Extended configuration -> Network
profiles -> Locations / Sites, point to New and then click Geographical location.

Type a description of the location and then select one or more countries. Once you have configured a geographic
location, you can use it like any other network location in DriveLock rules or to prevent network connections while a
computer is in the location you defined.
For example, to ensure that notebook computers can only communicate over a network while they are traveling
inside the United States or Canada, create a network location that contains these two countries and, on the Action
tab, select Allow this connection. Then create another rule for the Other location “No defined network location is
active” and, on the Action tab, select Disable network connection until next reboot.

To detect the network location based on a computer’s public IP address, DriveLock needs to have an active
Internet connection.

8.2.5 Wireless Network SSID


If your network can be determined by using a Wireless-LAN SSID, click Wireless network SSID on the context menu.

Type the SSID name of the wireless network.

8.2.6 Other Locations


Use “other location” in the following scenarios:
· To define settings that apply when the computer is offline and not connected to any network

· To define settings that apply when the computer is connected to an unknown network

You can select an icon for this connection from the dropdown list.

8.2.7 Command Result


In some situations network detection that is based on Active Directory information or an IP address range may not
be accurate or dependable enough to meet your security requirements. In such cases you can create a custom script
or program to determine the network. Such a script or program must return the environment value “1” if the network
is detected. For example, a script could check whether certain servers or services are available, or it could examine
the computer’s security configuration before allowing it to connect to your company’s network.

A command can be any program that can run from a command line, including program files (.exe), Visual Basic
scripts (.vbs) and Windows PowerShell scripts.

To start a VB script you must enter the complete path to the script file (“cscript c:\programing\scripts\myscript.vbs”).
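The following PowerShell script is an added example of such a detection command; it is not part of the DriveLock product or this guide. It assumes that DriveLock reads the command’s process exit code, so the script exits with 1 when it decides the corporate network is present and with 0 otherwise. The DNS suffix and the two server names are placeholders for your own infrastructure, and it combines two of the checks mentioned above: whether an active adapter carries the corporate DNS suffix and whether an internal service answers on its port.

```powershell
# Added example, not DriveLock's own code: network-detection command for a
# "Command result" location. Assumption: DriveLock reads the process exit code,
# so exit 1 = "network detected", exit 0 = "not detected".
# All host names and the DNS suffix below are placeholders for your environment.

$ExpectedDnsSuffix = 'corp.example.local'   # placeholder: DNS suffix of the corporate LAN
$InternalServices  = @(
    @{ Host = 'dc01.corp.example.local';  Port = 389 },  # placeholder: domain controller (LDAP)
    @{ Host = 'files.corp.example.local'; Port = 445 }   # placeholder: file server (SMB)
)
$TimeoutMs = 2000

# Returns $true if a TCP connection to HostName:Port succeeds within the timeout.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

# Check 1: an adapter that is up must carry the corporate DNS suffix.
$suffixes = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
    Where-Object { $_.OperationalStatus -eq 'Up' } |
    ForEach-Object { $_.GetIPProperties().DnsSuffix }
$suffixOk = $suffixes -contains $ExpectedDnsSuffix

# Check 2: at least one internal service must answer on its port.
$serviceOk = $false
foreach ($svc in $InternalServices) {
    if (Test-TcpPort -HostName $svc.Host -Port $svc.Port -TimeoutMs $TimeoutMs) {
        $serviceOk = $true
        break
    }
}

if ($suffixOk -and $serviceOk) {
    exit 1   # corporate network detected
}
exit 0       # not detected
```

Save the script to a path that exists on every client and enter a command such as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Scripts\Detect-CorpNetwork.ps1"` (path and invocation are assumptions; the guide only shows the cscript form). Keep in mind that a DNS suffix and an open port can be imitated by an untrusted network, so treat a command-result location as a convenience signal and keep the stricter location types for rules where a wrong detection would relax security.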

8.3 Creating Configuration Profiles


DriveLock can use a network configuration policy in conjunction with a network location to change certain computer
settings automatically after identifying a network. Such a policy defines how the following types of settings are
configured:
· Internet Explorer LAN settings

· Windows Live Messenger / MSN Messenger settings

· Default printer

DriveLock can also refresh the Group Policy for the computer and the user when it detects a network location change,
execute a program or run a script.

Right-click Configuration profiles and then click New -> Configuration profile.

In the Profile description field, type a name for the profile and type an optional descriptive comment.

8.3.1 Internet Explorer Proxy Settings


In the network profile settings dialog box, click the Proxy tab.

To configure proxy server settings for Internet Explorer, select the “Adjust proxy settings” checkbox, and then import
the current settings from Internet Explorer or enter other settings. (See the Internet Explorer documentation for more
information about how to configure Internet Explorer proxy settings.)

8.3.2 Windows Live Messenger / MSN Messenger Settings

Click the MSN Messenger tab and then select the “Adjust MSN Messenger settings” checkbox to enable automatic
configuration of Messenger settings, and then select the appropriate settings, or import the setting from your local
Messenger configuration.
Type a status message and select an image to be displayed to your Messenger contacts. To change the display
picture, select Change display picture and then click “…” to the right of the field to select an image file.
(Refer to the Windows Live Messenger and MSN Messenger documentation for more information about how to
configure these programs.)

8.3.3 Default Printer and Group Policy Processing


To change the default printer, click the “Other” tab and then select the Change default printer checkbox.

Select a printer from the dropdown list.


To refresh the Active Directory Group Policy for the computer or user after a connection to the network has been
detected, select the corresponding checkboxes.
DriveLock can run a command each time it detects a new network connection. A command can be any program that
you can run from a command line, including program files (.exe), Visual Basic scripts (.vbs) and Windows PowerShell
scripts.

To start a VB script, you must type the complete path to the script file (for example, “cscript C:\Program Files\scripts\myscript.vbs”).

Click the “…” button to select a file name and to insert it at the current cursor position. You can select a file name
from two locations:
· The file system on the local computer

· The DriveLock Policy file storage.

The DriveLock policy file storage is a file container stored as part of a Local Policy, Group Policy Object or
DriveLock Configuration file. It can contain any file, such as a script that will be deployed to the DriveLock
Agents automatically along with the configuration.

Files selected from the Policy file storage are prefixed with an asterisk (*).

8.4 Using Network Locations in Whitelist Rules


Once you have configured network locations, you can use them in whitelist rules, including rules that control the use
of drives, devices or applications.
To use a network location in a whitelist rule, on the rule’s Network tab, select one of the following options:

· Rule is active in any network connections

· Rule is active only in selected network connections

· Rule is active on all networks, except the ones selected

Rule applies to all network connections is the default setting for all new whitelist rules.

If you change the default network setting for a whitelist rule, ensure that you add at least one network connection.
Use the Add and Remove buttons to edit the network list.

8.5 Defining User-Specific Network Profiles


Administrators can use network locations and configuration profiles to enforce company policies on mobile
computers. Some of the settings enforced by the DriveLock Agent are not designed for security but automate the
configuration of network settings for users. If you want to enable users to select these configuration settings
themselves, you can allow them to specify their own private network profiles to automate changes to their
configuration settings.

To allow users to define their own user-specific network profiles, on the “Network profiles” node, click Allow user to
configure private network profiles, and then click Settings.

Select whether or not users can configure their own profiles.


Refer to the DriveLock User Guide for information about managing user defined profiles.



Part IX
Configuring the DriveLock Enterprise Service

9 Configuring the DriveLock Enterprise Service


The DriveLock Enterprise Service (DES) is the central component of a DriveLock installation. It processes event
messages from clients, stores the event data in a database and creates connections between the events. It also acts
as an interface for all database queries by DriveLock Agents and the DriveLock Management Console and it stores
important Agent data, such as data that is required to recover encrypted data.
When DriveLock is managed by a service provider offering “security as a service”, the DriveLock Enterprise Service
acts as a conduit between the service provider and the customer, providing various proxy functions.

9.1 Creating Server Connections in the DriveLock Management Console


The DriveLock Management Console needs to connect to the DriveLock Enterprise Service for various tasks, such as
retrieving licensing information and centrally stored policy settings. To enable this functionality you need to
initially create a server connection in the DriveLock Management Console.

To configure DES settings, right-click the top node in the DriveLock Management Console (DriveLock) and then click
Choose DriveLock Enterprise Service.

If the DriveLock Management Console detected a DES server during startup using DNS-SD, the detected server appears
in the dialog box. If no server is displayed, type the name or address of the server. If you changed the ports on the
DES server from their defaults you also need to type the port numbers.
To authenticate to DES using a different account than the one you are logged on with, you can provide the name and
password of the account that will be used for the authentication.

The account that is used to authenticate to the DES server needs to have been assigned the permissions
required to administer DES. You can assign these permissions to users and groups during the installation of the
DriveLock Enterprise Service or by configuring the DES settings after the installation. These tasks are described
in the DriveLock Installation Manual and the section “Assigning Permissions” in this manual.

Click OK to save the server connection.

9.2 Administering DES Servers


To configure DES settings use the DriveLock Enterprise Services node in the DriveLock Management Console.

Click Servers to display a list of all DES servers that have been registered in the DriveLock database manually or by
using DNS-SD.

DES servers are automatically added the first time the DES service starts and connects to the database. The column
Server type displays each DES server’s operating mode (Central server or Linked server). You can configure settings
separately for each server in the list after selecting it from the list. Most settings are configured only on the central
server and are not available for linked servers.
Double-click the name of a server to view or change its settings. You can disable automatic server discovery using
DNS-SD on the Options page.

To disable automatic discovery, select the checkbox Disable automatic server discovery (DNS-SD). Once automatic
discovery has been deactivated, the server will no longer announce itself on the network and all clients must be
configured with the correct DES server connection.

Connectors
You can configure connections to various third-party software. For example, if you configure the SNMP connector, the DES
sends all events to an external monitoring system via SNMP v1. Ask your DriveLock consultant for more information.

9.3 DES Operating Modes


The DriveLock Enterprise Service can run in one of two modes:
· Central DriveLock Enterprise Service

· Linked DriveLock Enterprise Service

Most DriveLock environments use only the central DriveLock Enterprise Service. Linked DES servers are typically only
used in very large, distributed environments or hosted services environments.

9.3.1 Central Server


The first DES server in an infrastructure is always a central server with a connection to a
database. Additional DES servers are always installed as linked servers. They don’t access the database directly but
rather interact with it via the central server.
One of the main functions of a Central DES server is to process event data and store it in a database. Because
processing of events can take some time, events are first stored in a local cache and processed in the background
before they are written to the database. This ensures quick responses to clients even when a large number of events
are received from clients or in environments with a very large number of clients (20,000 or more).

By default the cache holds up to 20,000 events. If the cache is full, new event messages from Agents are rejected.
When an Agent is notified that an event message has been rejected, it will try to send it again at a later time. The DES
processes events in the cache in the background and will receive new event messages once there is available space
in the cache. You can change the cache size on the Options tab of each server.

When the DriveLock Enterprise Service is stopped, any event data remaining in the cache is by default saved to
the file %PROGRAMDATA%\CenterTools DriveLock\SavedCache.db3. This event data is processed when the
service is started again.

9.3.2 Linked Server


The Linked Server mode is designed for branch offices that are connected to a central location over a slow WAN link.
A linked server can compress event data and send it to the central server at configurable times. This reduces the
amount of bandwidth used for event reporting and ensures that no bandwidth is consumed during peak usage times.
Linked servers are also used in hosted “Security as a Service” installations.
A linked server can perform the following functions:
· Process all events and upload them to the central server according to schedule

· Process Agent Alive status messages and upload them to the central server according to schedule

· Accept recovery data (Encryption 2-Go and FDE) and forward it to the central DriveLock Enterprise Service
immediately

· Accept inventory data from DriveLock 7 Agents and forward it to the central DriveLock Enterprise Service
immediately

· Retrieve antivirus definitions from the central DriveLock Enterprise Service and make them available to Agents

· Retrieve installation packages stored on the central DriveLock Enterprise Service and make them available to
Agents

· Retrieve Centrally Stored Policies from the central DriveLock Enterprise Service and make them available to
Agents

· Edit Centrally Stored Policies with the DriveLock Management Console (tenant specific)

· Upload Active Directory user and group data to the central DriveLock Enterprise Service. For more information
about this process, refer to the section “Performing Active Directory Object Inventory Collection”.

· Accept Agent remote control requests from the central DriveLock Enterprise Service and route them to the
correct Agent (Agent Remote Proxy).
The DriveLock Control Center and the Device Scanner cannot use a linked DriveLock Enterprise Service to access any
DES data. Instead, these programs must connect to the central DriveLock Enterprise Service. Also, a linked server
cannot process inventory data from DriveLock Agents older than version 7.0.

On the General tab, specify the interval at which the linked server uploads event data to the central server. The
default is every hour.
On the Options tab you can configure the number of events per batch upload to the central server. This is the
maximum number of events that are cached on the linked server before it starts uploading the events to the central
server. If this number is too low, it may take a long time until events are uploaded and will be included in reports.
For a small branch office where only few events are generated, this number may need to be reduced from the default
of 20,000 to 10,000 or even less.

Once the cache holds the number of events you have configured, the event data is compressed and saved as a
file in the folder %PROGRAMDATA%\CenterTools DriveLock\Storage.

The central DES server stores event data it receives from other DES servers in the folder
%PROGRAMDATA%\CenterTools DriveLock\ReceivedStorage. It then decompresses the data in the background and adds it to the
database.

9.3.3 Changing the Operating Mode


The operating mode of a DES server is set after the DES installation by the Database Installation Wizard. To change
the operating mode at a later point, you need to run the wizard again.

Select the option Linked DriveLock Enterprise Service. For more information about installing the DriveLock Enterprise
Service, refer to the DriveLock Installation Manual.

9.4 Assigning Permissions


To ensure that only authorized persons can change DriveLock Enterprise Service settings or create Centrally Stored
Policies, access control is enforced whenever the DriveLock Enterprise Service is accessed. Only authorized users
can make any changes. Permissions are assigned separately for each server. In a typical configuration with only a
central DriveLock Enterprise Service, permissions only need to be configured for that server.

The user who initially configures the DriveLock Enterprise Service needs to have the permissions to perform this
task. The installation wizard prompts for a user or group that will initially be assigned the required permissions when you
install or upgrade the DriveLock Enterprise Service. For more information, refer to the DriveLock Installation
Manual.

You can view or change access permissions in the DriveLock Management Console under DriveLock Enterprise Services
-> Servers -> <server name> on the Permissions tab.

You can add new users and assign Allow or Deny permissions for configuring the server and Centrally Stored
Policies. Available permissions are Read, Change and Full Control.

Ensure that at least one user or group is assigned Full Control permissions in both categories. If you accidentally
remove all permissions, contact DriveLock technical support.

9.5 Configuring Maintenance Operations


Database maintenance is important to reduce the growth of the database size and to optimize database indexes to
provide optimal performance even when large amounts of data are being processed. You configure how these
functions are performed in the Properties dialog box of the central DES server on the Schedules tab.

You should configure database maintenance settings for the DriveLock Enterprise Service only if you are using
an Express version of Microsoft SQL Server. If you are using any other version of Microsoft SQL Server or
Oracle, DriveLock recommends that you configure database maintenance tasks manually by using stored
procedures on the server. For information about the steps required to configure maintenance tasks to be
performed by the database server, contact DriveLock technical support or refer to the technical article
available on the DriveLock Web site www.drivelock.com.

To limit the growth of the DriveLock database, the DriveLock Enterprise Service server can automatically delete old
event data. You should configure database cleanup to delete event data that is no longer needed to create reports or
forensic analysis or after you have archived your data using third-party tools.
To enable database cleanup and automatically delete old event data, select the Enable automatic database
maintenance checkbox. If maintenance tasks are performed by your database server, deselect this checkbox.
If you are configuring the DriveLock Enterprise Service to perform maintenance, specify how often this task will be
performed and the length of time for which to retain data. By default, the DES deletes events that are older than 30
days every day at 5:00 AM. To improve the performance when creating reports, database indexes need to be updated
on a regular basis. By default, this operation is performed at 3:00 AM every day.
Modify the settings for database maintenance to change the frequency of maintenance tasks and the age after which
events are deleted from the database.

9.6 Configuring Updates


You can configure the DriveLock Enterprise Service to periodically download newly available DriveLock software
packages and virus definitions from the Internet. You can specify how often the DriveLock Enterprise Service will look
for new updates. You can also specify how many virus definition sets the DriveLock Enterprise Service will store. As
new updates are downloaded, older versions are automatically deleted. Check only the virus definitions for the AV
product you have licensed.

You can also specify whether newly downloaded definitions and packages are automatically made available to
Agents in staging or production networks.

9.7 Configuring Network Settings


Network settings are configured independently for the Central DriveLock Enterprise Service and any Linked DriveLock
Enterprise Service.
By default, a DES server listens on TCP port 6066 for unencrypted connections and port 6067 for SSL-encrypted
connections. If required in your network, you can change these ports on the Networking tab.

To ensure consistent communications across your network, all DriveLock Enterprise Service servers should be
configured to use the same ports.

If you change the port that the DES uses, this change must also be reflected in the Agent configuration under
Extended configuration -> Global Configuration -> Server Connections.

9.7.1 Encrypting DES Connections


By default, communications between DriveLock Agents and the DES are unencrypted. To enforce encryption using SSL,
select the Use SSL for connections from Agent to the server checkbox on the Network tab. To ensure consistent
communications across your network, all DES servers should be configured to use the same encryption
configuration.

If you change the encryption settings for the DES, this change must also be reflected in the Agent configuration
under Global Configuration -> Server Connections.
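Before changing the SSL setting on the server and in the Agent configuration, it is worth confirming from a client that the DES actually answers on both documented ports and that the SSL port completes a handshake. The following PowerShell script is an added example for that check; it is not part of DriveLock or this guide, and the DES host name is a placeholder. It reports reachability of ports 6066 and 6067, the negotiated protocol, the server certificate and whether the certificate chain is trusted on the machine running the check.

```powershell
# Added example, not DriveLock's own code: checks from a client's point of view
# that a DES server listens on the documented ports (6066 unencrypted, 6067 SSL)
# and that the SSL port completes a TLS handshake and presents a certificate.
# Placeholder: replace $DesServer with your DES host name.

$DesServer = 'des01.example.local'   # placeholder
$PlainPort = 6066
$SslPort   = 6067
$TimeoutMs = 3000

# Returns $true if a TCP connection to Server:Port succeeds within the timeout.
function Test-DesPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

# Performs a TLS handshake and returns protocol and certificate details.
function Get-DesTlsInfo {
    param([string]$Server, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept the certificate during the handshake so it can be inspected;
    # trust is evaluated explicitly with Verify() below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [PSCustomObject]@{
            Protocol       = $ssl.SslProtocol
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Thumbprint     = $cert.Thumbprint
            TrustedLocally = $cert.Verify()   # chain builds against this machine's trust store
        }
    }
    finally {
        $ssl.Dispose()
        $client.Close()
    }
}

"Port $PlainPort (unencrypted) reachable: $(Test-DesPort $DesServer $PlainPort $TimeoutMs)"
if (Test-DesPort $DesServer $SslPort $TimeoutMs) {
    "Port $SslPort (SSL) reachable: True"
    Get-DesTlsInfo $DesServer $SslPort | Format-List
} else {
    "Port $SslPort (SSL) reachable: False"
}
```

Run the script from a computer on the same network segment as the Agents. If port 6067 is reachable but the handshake throws an exception, enabling Use SSL for connections from Agent to the server will leave those Agents without a working connection; if TrustedLocally is False, distribute the issuing CA certificate or replace the server certificate before enforcing SSL.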

9.7.2 Using a Proxy Server


To download product updates and virus definitions to a DES server, an Internet connection is required. If your
network connects to the Internet using a proxy server you need to configure each DES server to use the appropriate
proxy server on the Network tab.

If required, configure the following settings:


· Proxy address: Type the name or address of the proxy server. If the proxy server does not use port 80, you also
need to add the port in the format server:port, for example proxy.example.local:8080.

· Use proxy server for connections to the Internet: Select this checkbox to connect via a proxy server.

· Authenticate to the proxy server: Select this checkbox if the proxy server requires authentication. Provide the
user name and password that is used to connect to the proxy server and then select the authentication type.
The proxy server must support the authentication type you select:
§ Basic: Authentication data is sent in clear text.

§ NTLM: Authentication data is encrypted.

§ Windows: Windows integrated authentication. Authentication data is encrypted. The service
account under which the DES service is running is used to authenticate and the user name and
password in the dialog box is ignored.

9.7.3 Configuring E-Mail Settings for Scheduled Reports


You can use the DriveLock Control Center to configure scheduled reports that are automatically generated and sent
via e-mail. These reports are generated by the DES. To enable the sending of such reports you need to specify how the
DES server connects to a mail server using the SMTP protocol. You configure these settings on the SMTP tab.
To specify the mail server, type its name in the SMTP server box. If the mail server does not use TCP port 25 for SMTP,
also specify the appropriate port.
If the mail server requires authentication for sending SMTP e-mail, type the required credentials in the User name
and Password boxes. Type the name and e-mail address that will be used as the sender for messages containing
reports in the E-mail sender name and E-mail sender address boxes. Typically an internal e-mail address is used for
this purpose.

For more information about creating scheduled reports, refer to the DriveLock Control Center manual.

9.8 Using a Multi-Tenant Environment / SaaS


DriveLock and the DriveLock Enterprise Service can be used in a Software as a Service (SaaS) environment where a
single service provider administers DriveLock for multiple customers. This can be an external service provider or an
internal IT organization that provides services to several independent departments. In a SaaS infrastructure, the
customers or departments are referred to as tenants. When you configure DriveLock for a multi-tenant environment,
a single DES receives event and recovery data from Agents belonging to several tenants and then stores the data from
each tenant in a separate database.
Because data from multiple tenants is kept separate and access permissions can be configured separately for each
tenant, a service provider can easily provide outsourced DriveLock services for multiple customers while
maintaining the security of each customer’s data. For example, you can make each customer’s data available only to
that customer and ensure that it cannot be viewed by other customers. To accomplish this, a linked DriveLock
Enterprise Service must be installed at each customer site. Each linked server is connected to the central DriveLock
Enterprise Service of the service provider. A separate tenant is created for each customer installation to logically
keep the data from each customer separate and to ensure that each customer can only view their own data.
To enable the linking of events to the correct tenant, a dedicated linked DES server that connects to the central DES
server must be installed for each tenant. A typical infrastructure might include the following:
· Server 1 (central DES, standard tenant “root”)

· Server 2 (linked DES connecting to Server 1, standard tenant “Customer A”)

  § DriveLock Agents of Customer A connect to Server 2 using tenant name “Customer A”

· Server 3 (linked DES connecting to Server 1, standard tenant “Customer B”)

  § DriveLock Agents of Customer B connect to Server 3 using tenant name “Customer B”

You configure the DES server’s standard tenant name on the General tab of the DES server’s Properties dialog box.


9.8.1 Creating a Tenant

When you finish creating a new tenant, a new database is created for the tenant with the tenant name appended
to the name of the initial DriveLock database. For example, if you selected the default name DRIVELOCK for the
database when you installed the DES, the databases for the tenant CUSTOMER will be named
DRIVELOCK_CUSTOMER and DRIVELOCK_CUSTOMER-DATA.

If you use an Oracle database, the Oracle users and table spaces DRIVELOCK_CUSTOMER and
DRIVELOCK_CUSTOMER_DATA must be created by the Oracle administrator before you create the new tenant. As
the user name, enter DRIVELOCK and its password (all Oracle users must have the same password).

The default tenant “root” exists in all DES installations. To create additional tenants, under DriveLock Enterprise
Services right-click Tenants, point to New and then click Tenant.
Type the name of the new tenant. This name cannot contain any special characters.
Provide the credentials of a user who has the permissions to create a new database on the database server that is
used by DES.
The two new databases (or, for Oracle, the two database schemas) are then created on the database server.

9.8.2 Assigning Agents to a Tenant


To enable DES to assign data from DriveLock Agents to the correct tenant you also need to assign DriveLock Agents to
a tenant.

If you don’t assign an Agent to a tenant, it is automatically assigned to the default tenant “root”.


To assign an Agent to a tenant, in your policy open Global configuration -> Settings -> Event message transfer settings.
On the DES tab, select the Use non-default tenant name checkbox and then select the tenant that Agents will be
associated with.

9.8.3 Deleting a Tenant


To delete a tenant and the associated database, under DriveLock Enterprise Services -> Tenants, right-click the tenant
and then click Delete tenant.

When you delete a tenant, the associated database is also deleted. This database contains all event data
associated with the tenant and recovery data for Encryption 2-Go and Disk Protection. Without this data,
encryption recovery will no longer be possible for any clients associated with the tenant.

When you delete a tenant you also need to remove any existing Agent assignments for this tenant under Extended
configuration -> Global configuration -> Settings -> Event message transfer settings on the DES tab.

If you use an Oracle database, provide the Oracle credentials instead of Windows credentials.

9.8.4 Performing Active Directory Object Inventory Collection


When you assign permissions in a policy, you can normally only select from users and groups in your own
domain or trusted domains. To assign permissions in policies that will be used in non-trusted domains, additional
steps are required to make the user and group information available. For example, this allows a service provider
without direct access to a tenant’s Active Directory to edit permissions in a tenant’s policies.
To make users and groups from non-trusted domains available, a DriveLock Enterprise Service can retrieve the
required information about users and groups and store it in the DriveLock database for use within a
configuration.


When you run the DriveLock Management Console on a computer in the same domain where the configuration
will be used, there’s no need to first retrieve Active Directory data because the DriveLock Management Console
can directly access Active Directory. However, there may be some performance benefits to using inventoried
data, especially in large Active Directory environments.

To enable Active Directory object inventory collection, you need to enable this option in the Properties of the central
DriveLock Enterprise Service. Because inventory collection is a repeating task, this setting is displayed on the
Schedules tab.

Once the Enable Active Directory object inventory option has been enabled, the DriveLock Enterprise Service starts a
process every 24 hours to enumerate all users and groups in the current domain and synchronizes this data with the
existing data in the DriveLock database. If you are using different tenants, data is separated by tenant.


After the first inventory collection has been performed you can use inventory data in the DriveLock Management
Console. To do this, in the console tree right-click DriveLock Enterprise Service [<Servername>] and then click
Properties. Here you can enable the loading of Active Directory object inventory data from the server. You can
also enable the loading of data once a day and view the last time the data was retrieved.

9.8.5 Tenant-Aware Certificate Management


If your tenants use DriveLock File Protection and DriveLock Certificate Management to manage user
certificates, you can use the master certificate assigned to the tenant root to sign all user certificates of all your tenants.
If you want to separate the certificate management for your tenants, you have to enable tenant-aware certificate
management on the DriveLock Enterprise Server. The master certificates are then stored in each tenant’s database.
In the DriveLock Management Console under DriveLock Enterprise Services, open the server Properties, and on the
Options tab select Enable tenant-aware certificate management.
For all suitable tenants open the tenant Properties, and on the Certificate mgmt tab select Enable key and certificate
management.
If you enable or disable tenant-aware certificate management while user certificates already exist, the existing
certificates remain valid as long as the master certificate they are signed with exists.
For more information about certificate management, see: Configuring DriveLock File Protection

9.9 Viewing License Information


When you create a new DriveLock policy and add license information to it, you can also transfer this license data to
the DriveLock Enterprise Service. This is required to activate some DriveLock Enterprise Service functionality for
supporting certain features, such as the downloading of virus definitions.
You can maintain the current licensing information on the DES on the central DES’s Licenses tab.


All licenses that are stored by the DriveLock Enterprise Service are displayed. Select a license to view details about it.
Click Remove to delete the license data from the database.

9.10 Customer Experience Improvement Program


DriveLock maintains a Customer Experience Improvement Program that collects statistical data about the speed and
frequency of commonly used DriveLock tasks. The data is collected anonymously, uploaded to DriveLock and used to
improve DriveLock. No personal data is collected, transmitted or stored by DriveLock.
You are given the option to participate in this program during the installation of DES. To later opt out of the program,
under DriveLock Enterprise Services -> Servers, in each server’s Properties dialog box, on the Options tab, deselect the
Enable Customer Experience Improvement Program uploads checkbox.


9.11 Viewing the DriveLock Enterprise Service Status


DES includes a status monitor application that can display the DES status in the Windows system tray. The color of
the icon (green, yellow, red) indicates whether the service is running and can be contacted. While the service is
starting it may take several minutes before the status changes to green.
To start the status monitor, click Start -> All Programs -> DriveLock -> DriveLock Enterprise Service Status.
Double-click the icon to open the DES Info window where you can view the current server, database and antivirus
settings.

Right-click the icon in the system tray to display a menu from where you can perform additional tasks, such as
starting or stopping the service.



Part X
DriveLock Cloud

10 DriveLock Cloud
The DriveLock Cloud Service provides a secure connection for DriveLock Agents that temporarily have no direct
network connection to the DriveLock Enterprise Service (DES) but are connected to a public network. To be able to use
the DriveLock Cloud Service you must register your company / tenant first.
Open the DriveLock Management Console and select DriveLock Cloud / Register your company in DriveLock Cloud.

In the following forms, fill in the company and user account data and select the tenants you want to register. After
the data has been sent to the server, you receive an account activation code via e-mail. Enter the activation code and
finish the registration.


If you closed the activation window, you can open it again with Activate your account. Note that the
activation code is valid for one hour only.

Log in to the DriveLock Cloud again to add additional user accounts or tenants for synchronization or to administer
the existing ones.

10.1 DriveLock Cloud Synchronization


Once you have registered your company / tenant, you can activate DriveLock Cloud synchronization for events in
your DriveLock policy. If synchronization is activated and the DriveLock Agent cannot connect to the DES, it tries to
send an event to the DriveLock Cloud first. If the DriveLock Cloud cannot be reached either, the Agent queues the
event locally and tries to send it later. The DES regularly moves the corresponding events from the DriveLock Cloud
to the assigned DriveLock tenant database.
In the policy open Global Configuration / Settings / Tenant/DriveLock Cloud synchronization and check Enable. A sync
token will be generated to uniquely identify the events of the corresponding tenant.
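To make the delivery order just described concrete (DES first, then the DriveLock Cloud with the event tagged by the tenant's sync token, otherwise a local queue that is retried later, and the DES pulling its tenant's events back out of the Cloud), here is an added model in Python. It is illustration code written for this guide, not the DriveLock Agent's or DES's implementation; the Transport class, the method names, the event fields and the sync token value are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass
class Transport:
    """A delivery target (DES or DriveLock Cloud) whose reachability can be toggled."""
    name: str
    reachable: bool = True
    received: List[Dict] = field(default_factory=list)

    def send(self, event: Dict) -> bool:
        if not self.reachable:
            return False
        self.received.append(event)
        return True


@dataclass
class AgentEventSender:
    """Agent-side delivery order: DES, then Cloud, then local queue."""
    des: Transport
    cloud: Transport
    sync_token: str                 # constructed value; identifies the tenant's events in the Cloud
    queue: Deque[Dict] = field(default_factory=deque)

    def _tagged(self, event: Dict) -> Dict:
        # Events sent to the Cloud carry the tenant's sync token so the DES can later
        # move them into the right tenant database.
        return {**event, "sync_token": self.sync_token}

    def send(self, event: Dict) -> str:
        """Deliver one event; returns 'des', 'cloud' or 'queued'."""
        if self.des.send(event):
            return "des"
        if self.cloud.send(self._tagged(event)):
            return "cloud"
        self.queue.append(event)    # neither target reachable: keep the event locally
        return "queued"

    def retry_queued(self) -> int:
        """Retry every locally queued event once; returns how many were delivered."""
        delivered = 0
        for _ in range(len(self.queue)):
            event = self.queue.popleft()
            if self.des.send(event) or self.cloud.send(self._tagged(event)):
                delivered += 1
            else:
                self.queue.append(event)    # still unreachable: back of the queue
        return delivered


def des_collect_from_cloud(cloud: Transport, sync_token: str) -> List[Dict]:
    """DES side: move the events carrying this tenant's sync token out of the Cloud."""
    mine = [e for e in cloud.received if e.get("sync_token") == sync_token]
    cloud.received = [e for e in cloud.received if e.get("sync_token") != sync_token]
    return mine


def demo() -> Dict:
    """Walk-through: DES down and Cloud down, then the Cloud comes back, then the DES collects."""
    token = "EXAMPLE-SYNC-TOKEN"   # constructed; real tokens are generated by the policy
    des = Transport("DES", reachable=False)
    cloud = Transport("DriveLock Cloud", reachable=False)
    agent = AgentEventSender(des, cloud, token)
    first = agent.send({"id": 1, "type": "DeviceConnected"})    # -> "queued"
    cloud.reachable = True
    second = agent.send({"id": 2, "type": "DeviceConnected"})   # -> "cloud"
    retried = agent.retry_queued()                              # event 1 now reaches the Cloud
    collected = des_collect_from_cloud(cloud, token)
    return {"first": first, "second": second, "retried": retried,
            "left_in_queue": len(agent.queue), "collected": len(collected),
            "left_in_cloud": len(cloud.received)}


if __name__ == "__main__":
    print(demo())
```

The sync token is the only thing that ties a Cloud-held event to its tenant, which is why the policy generates one per tenant and why events from another tenant's token are left untouched by `des_collect_from_cloud`.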


10.2 Extended Auditing


If DriveLock Cloud synchronization is enabled, administrators of DriveLock File Protection (DFP) folders may switch
on Extended Auditing for an encrypted folder. DriveLock events for this folder are then sent to the DriveLock
Cloud, even if the folder is connected using the DriveLock Mobile Application for Windows, the DriveLock Privat
version or a DriveLock installation owned by another company. Extended auditing is useful if you share a DFP folder
with external partners and want to monitor access to the data room.


DriveLock versions earlier than V7.6.3 cannot mount folders that have extended auditing enabled.

Part XI
DriveLock Encryption 2-Go

11 DriveLock Encryption 2-Go


DriveLock has advanced encryption capabilities that allow you to encrypt sensitive information easily, quickly and
securely.
DriveLock Disk Protection (FDE) encrypts entire hard drives in computers and also includes preboot authentication.
DriveLock FDE is covered in detail in a separate chapter of this manual.
DriveLock Encryption 2-Go lets you securely encrypt external drives or storage media, such as USB flash drives or SD
cards. You can also use DriveLock Encryption 2-Go to securely and irreversibly delete sensitive data using one of
several standard methods.
This chapter describes how to configure settings that determine how DriveLock Encryption 2-Go functions, including
the encryption parameters it uses. The use of encrypted external drives and media is described in the DriveLock User
Guide.
With DriveLock 7.5.8 or higher you may either
· use container-based encryption (DriveLock Encryption 2-Go), which was the default in earlier DriveLock versions, or

· use file-based encryption (DriveLock File Protection), which was previously available only with the DriveLock File
Protection add-on, or

· use container-based and file-based encryption in parallel and let the user decide.

In the DriveLock policy open Encryption / Settings / Available encryption methods and select the desired option.
To use DriveLock File Protection with network shares, you still need a DriveLock File Protection license.
For more information about DriveLock File Protection see chapter DriveLock File Protection.

11.1 How DriveLock Encryption 2-Go Works


You can create and manage encrypted drives that consist of container files (encrypted archives). Access to encrypted
drives is secured by passwords. Each encrypted drive can be accessed by typing a user password that is unique to
the drive. In addition, a centrally configured administrative password enables data recovery, providing access to the
data when a user’s password is not available. An alternative password recovery procedure, which is available in
DriveLock Version 5.5 R2 and later, enables offline password recovery.
Encryption converts data to a format that makes it appear like random data to anyone who does not have the
password that’s required to decrypt the data. When you create an encrypted drive, all files and all empty space on
that drive is encrypted. The encryption algorithm you select when you create the drive determines how data on it is
encrypted.
On computers with modern processors that include hardware-based encryption (AES NI), DriveLock File Protection
takes advantage of this functionality for approximately 4 times better performance.

11.1.1 DriveLock Encryption Algorithms


DriveLock supports the following encryption algorithms:
· AES (recommended) - The Advanced Encryption Standard (AES) is a symmetric encryption mechanism that was
chosen by the National Institute of Standards and Technology (NIST) as successor to DES and 3DES in October
2000. It is also called the Rijndael algorithm for its developers Joan Daemen and Vincent Rijmen.

· Triple DES - Triple DES (3DES) is a symmetric encryption method based on the older DES (Data Encryption
Standard) but works with twice the key length (112 bit) of its predecessor. Data is encrypted using three
successive DES operations. Because of the key length, 3DES is regarded as a relatively safe method for
encrypting most data, unlike DES, which is more susceptible to brute-force attacks.


· Blowfish - This is a fast algorithm offering exceptional performance, especially on 32-bit systems. One
advantage of Blowfish is its variable key length (32 to 448 bits). Blowfish was first introduced in 1994 and is
considered very secure.

· Twofish - Twofish is the entry in the AES competition by Counterpane Systems (the company of renowned
cryptography expert Bruce Schneier). This algorithm uses a block size of 128 bits and can utilize key lengths
from 128 to 256 bits. Twofish is extremely fast: on a Pentium-class CPU each byte is encrypted using only 18
CPU cycles. Twofish has been tested extensively without finding any weaknesses.

· CAST 5 - CAST is a symmetric block cipher with a block length of 64 bits and a key length from 40 to 128 bits.
The CAST algorithm is named after its developers and a patent application for it was filed in 1996. Because of
its higher speed compared to DES, CAST is well-suited for real time applications. When used with key lengths
from 80 to 128 bit, the algorithm is referred to as CAST 5.

· Serpent - Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard
(AES) contest, where it came in second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and
Lars Knudsen. Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128,
192 or 256 bits. Serpent was widely viewed as taking a more conservative approach to security than the other
AES finalists, opting for a larger security margin. The Serpent cipher has not been patented. It is completely in
the public domain and can be freely used by anyone without restrictions.
DriveLock doesn’t store passwords. Instead it calculates a unique value (hash) that allows it to determine whether
the password you type to access an encrypted drive is correct. DriveLock can use the following hash algorithms to
perform this calculation:
· SHA-1 - This algorithm was developed by NIST (National Institute of Standards and Technology) in
cooperation with the NSA (National Security Agency) as the secure signing hash function of the digital
signature algorithm (DSA) for the Digital Signature Standard (DSS). Published in 1994, Secure Hash Standard
(SHS) specifies a secure hash algorithm (SHA) with a hash value of 160 bits for messages with a size of up to
2^64 bits. SHA is similar to the MD4 algorithm developed by Ronald L. Rivest. There are three SHA versions,
SHA-0, SHA-1 and SHA-2. The SHA-2 family uses an identical algorithm with a variable digest size; depending
on this digest size, the algorithm is called SHA-224, SHA-256, SHA-384 or SHA-512.

· RIPEMD-160 - RIPEMD-160 was developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel and
published in 1996. It is an improved version of RIPEMD (based on MD4) and comparable to SHA-1 in security
and speed. This algorithm is less likely to contain security holes because its development process was more
open than that of SHA-1.

· WHIRLPOOL – Whirlpool is a cryptographic hash function designed by Vincent Rijmen (co-creator of the
Advanced Encryption Standard) and Paulo S. L. M. Barreto. The hash has been recommended by the NESSIE
project. It has also been adopted by the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard.
To perform encryption operations DriveLock uses an embedded FIPS 140-2 validated cryptographic module
(Certificate #1051) running on a Windows platform per FIPS 140-2 Implementation Guidance section G.5 guidelines.
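The section states that DriveLock keeps a hash rather than the password and uses it to check what the user types. The following added example (written for this guide, not DriveLock code) shows that general pattern: derive a verifier from the password with a salted, iterated hash, discard the password, and later recompute and compare in constant time. The record layout, the salt length, the use of PBKDF2 and the iteration count are assumptions, since the page does not document DriveLock's actual construction. The hash is selected by its hashlib name (`sha1`, `sha256`, and so on, corresponding to the SHA-1 and SHA-2 algorithms listed above); RIPEMD-160 and Whirlpool exist only in OpenSSL builds that provide them, which the code checks before use.

```python
import hashlib
import hmac
import os
from typing import NamedTuple, Optional


class PasswordRecord(NamedTuple):
    """What is stored instead of the password (layout is an assumption for this example)."""
    hash_name: str      # hashlib name, e.g. "sha1" or "sha256"
    salt: bytes         # random per password, so equal passwords give different digests
    iterations: int     # PBKDF2 work factor
    digest: bytes


def make_record(password: str, hash_name: str = "sha256", iterations: int = 100_000,
                salt: Optional[bytes] = None) -> PasswordRecord:
    """Derive a verifier from the password; the password itself is never stored."""
    if hash_name not in hashlib.algorithms_available:
        # e.g. "ripemd160" or "whirlpool" may be missing depending on the OpenSSL build
        raise ValueError(f"hash {hash_name!r} is not available in this Python/OpenSSL build")
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    return PasswordRecord(hash_name, salt, iterations, digest)


def verify(password: str, record: PasswordRecord) -> bool:
    """Recompute the digest from the typed password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(record.hash_name, password.encode("utf-8"),
                                    record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")   # constructed sample password
    print(rec.hash_name, rec.salt.hex(), rec.digest.hex())
    print("correct password:", verify("correct horse battery staple", rec))
    print("wrong password:  ", verify("wrong password", rec))
```

Because only the salt, the hash name, the iteration count and the digest are kept, an attacker who obtains the record still has to guess the password; the per-password salt also prevents precomputed tables from covering many records at once.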

11.1.2 DriveLock Encryption Modes


With DriveLock you can create two types of encrypted drives:
· Drives that are physically represented as a container file.

· Drives that map to an entire existing drive partition.

A DriveLock container file has a DLV extension. You can save a container file on any type of storage device or on a
network share. To use a container, DriveLock mounts it and assigns it a pre-defined or user-selected drive letter, so
you can use it like any other drive in Windows.


A DriveLock partition is a normal drive partition that has been completely encrypted by DriveLock. You can encrypt
any partition, including floppy disks, ZIP drives, USB or Firewire-connected hard disks, USB flash drives and other
mass storage devices.

Some types of storage media don’t allow the creation of an encrypted partition. If you encounter such a drive,
contact the manufacturer for more information.

Local drives cannot be encrypted using the methods described here. To encrypt a local drive, use DriveLock Disk
Protection instead.

11.2 Configuring DriveLock Encryption


Before you can use DriveLock container-based encryption, an administrator must configure some general encryption
parameters.

11.2.1 Configuring Encryption Using Basic Configuration Mode


When DriveLock Basic configuration mode is enabled, you can configure all basic encryption settings in the Basic
configuration mode encryption task view. Click Encryption to open the encryption settings page.

Use the four sections to configure the following types of settings:


· General settings for encryption of removable media

· Settings that will be used when enforcing encryption of removable media

· Generation of a password recovery certificate and settings to enable password recovery for removable media.

· Settings for DriveLock Disk Protection. (These settings are described in the chapter “DriveLock Disk Protection”
of the DriveLock Administration Guide.)


11.2.1.1 Configuring General Encryption Settings

General encryption settings control the options that are available to users when they manually encrypt a drive, burn
an encrypted CD or DVD or create an encrypted container file.

Click Configure general settings to configure all basic settings for encrypting removable drives and media. The
General encryption settings wizard starts.

On the Encryption algorithms page you select the encryption algorithm, the password hash algorithm and the
algorithm used to securely delete files.
Select each algorithm by using the drop down lists.


For a description of the available algorithms, refer to the section “DriveLock Encryption Algorithms”.
Click Next to continue.

If your organization requires the use of FIPS 140-2 validated algorithms for encryption operations, you can
configure the use of these algorithms on the Encryption options page.
By default FIPS-mode is disabled (Off). Users can select to use the FIPS 140-2-validated algorithms for encryption or
select to use non-FIPS 140-2-validated algorithms.
When you enable FIPS-mode, select from the following two settings:
· On: Use this setting if you need to access encrypted media (or container files) that were encrypted using non-
FIPS algorithms. When you encrypt a new container, only FIPS validated algorithms are used.

· On (disable non-FIPS cryptography): Use this setting to ensure that DriveLock only uses FIPS 140-2-validated
algorithms for both reading existing and creating new encrypted drives (and container files). Any container
that was encrypted using a non-FIPS-validated algorithm cannot be accessed.
To speed up the process of creating an encrypted volume, select the “Allow quick-format of encrypted containers”
checkbox. This prevents the DriveLock Agent from pre-initializing and encrypting all space in newly created
encrypted volumes. Instead, only the required space is initially encrypted. Selecting this option can significantly
reduce the time required for initial encryption, but some existing unencrypted data may remain accessible until it is
overwritten by files that are added to the encrypted device at a later time.

Quick format results in a noticeable decrease of the encryption time only on computers running Windows 7.

Click Next to continue.


To ensure that users select secure passwords, on the Password complexity page you can define the minimum
complexity required for these passwords. This complexity requirement should match your organization’s guidelines
for data security. The password complexity is dynamically calculated based on the characters used in the password
and the password length.
To configure a custom password complexity policy instead, select “Use password policy” and then complete the
appropriate settings.
A password complexity policy contains all requirements an encryption password must meet when a drive (or
container file) is created or when an encryption password is changed. This includes the minimum number of
characters, special characters and numbers the password must contain.
If your password policy requires the use of characters that are either a number or a special character, select the
“Treat numbers as special characters” checkbox and then select the number of special characters. When you select to
treat numbers as special characters, any value specified for numbers is ignored.
Click Finish to complete the wizard.
To configure additional encryption settings, in the Encryption task view, click Advanced configuration.

11.2.1.2 Configuring Enforced Encryption

To activate enforced encryption with DriveLock Encryption 2-Go, in the policy open
Encryption / Settings / Enforced Encryption Method and select DriveLock Encryption 2-Go.
You may also use DriveLock File Protection to enforce encryption (see Configuring Enforced Encryption with File
Protection).
Enforced encryption settings control how removable drives and media are encrypted when your policy enforces
encryption of devices.


Click Configure enforced encryption settings to configure all basic settings for enforced encryption.

Select the encryption algorithm and the password hash algorithm by using the drop down lists.
To speed up the process of creating an encrypted volume, select the “Allow quick-format of encrypted containers”
checkbox. This prevents the DriveLock Agent from pre-initializing and encrypting all space in newly created
encrypted volumes. Instead, only the required space is initially encrypted. Selecting this option can significantly
reduce the time required for initial encryption, but some existing unencrypted data may remain accessible until it is
overwritten by files that are added to the encrypted device at a later time.


Quick format results in a noticeable decrease of the encryption time only on computers running Windows 7.

Select the checkbox Preserve existing data to encrypt a removable drive without deleting the data that’s currently
stored on it. Instead, DriveLock creates a temporary container in the user’s profile on the computer’s hard drive,
copies all existing files from the drive to this container and then moves this container to the removable drive.
Select the checkbox Copy Mobile Encryption Application to unencrypted portion to have DriveLock copy the Mobile
Encryption Application to a removable drive that is encrypted using enforced encryption. The Mobile Encryption
Application provides access to encrypted media on computers where DriveLock is not installed, such as an
employee’s home computer.
Select one of the following options to determine whether some unencrypted space will remain available on the disk:
· Use complete drive for encrypted container: No unencrypted space remains available on the drive after
encryption. By default, when enforcing encryption, DriveLock attempts to use all available disk space to create
an encrypted container. However, due to file system limitations, often a small amount of disk space remains
unencrypted. DriveLock fills this space by creating a hidden system file to ensure that no unencrypted data
can be saved to the drive.

· Leave unencrypted space on drives: To allow users to save some unencrypted data on the drive when it is
connected to a computer where DriveLock is not running, select this option and then specify the size of the
unencrypted space in megabytes or as a percentage of the drive’s size.
Click Finish to close the window.
To configure additional encryption settings, in the Encryption task view, click Advanced configuration.

11.2.1.3 Configuring Password Recovery

If you configure password recovery, you can enable users who forgot an encryption password to reset the password.
If password recovery is configured you can also reset a password to gain access to a drive that was encrypted by a
user who has left your organization.


To perform offline recovery of encryption passwords you have to create a master certificate and the corresponding
public/private key pair before the first encrypted container is created. Click Create new certificate to create a new
certificate. This starts the Recovery Certificate Creation wizard.

Click Next.

Specify the folder where the certificate and associated private key will be saved as a file, or select the option to
store them on a smart card.


Click Next.
If you selected to store the certificate on a smart card, further steps are required. Details depend on the smart card
used.

Store the file containing the private key of the master certificate in a secure location. The private key is required
to perform all password recovery operations.

Type the password that will be required to access the certificate’s private key. To ensure that you typed the password
correctly, you have to type it twice. To continue, click Next.


If you forget the password for accessing the private key you will no longer be able to recover passwords for
encrypted containers. To prevent this from happening, store a copy of this password in a secure location, such as
a safe.

DriveLock creates the certificate. The wizard notifies you when the process is complete and the certificate and
associated keys have been stored in the selected location.
If you selected to store the certificate and keys on a smart card, Windows prompts you to enter the PIN for the smart
card.
Click Finish.
When the master certificate has been created, the taskpad reflects the new state (Configured).

Once encrypted drives and containers have been created using a certificate, you must not create a new
certificate. Doing so would replace the existing certificate, making it impossible to recover previously encrypted
containers.

DriveLock also stores the certificate in the local certificate store of the user who created the certificate.
To configure additional encryption settings, in the Encryption task view, click Advanced configuration.

11.2.2 Configuring Encryption Using Extended Configuration Mode


Click Encryption and then click Removable media (container based) encryption to display the encryption
configuration page.

11.2.2.1 Configuring Global Parameters

Global settings control the options that are available to users when they manually encrypt a drive, burn an
encrypted CD or DVD or create an encrypted container file.
Click Settings to configure the global parameters for encryption.


11.2.2.1.1 Encryption Strength Settings

Enforcement of FIPS 140-2 validated cryptography


If your organization requires the use of FIPS 140-2 validated algorithms for encryption operations, you can
configure the enforcement of this requirement on the Encryption options page.
By default FIPS-mode is disabled (Off). Users can select to use the FIPS 140-2-validated algorithms for encryption or
select to use non-FIPS 140-2-validated algorithms.
When you enable FIPS-mode, select from the following two settings:
· On: Use this setting if you need to access encrypted media (or container files) that were encrypted using non-
FIPS algorithms. When you encrypt a new removable drive (or container file), only FIPS validated algorithms
are used.

· On (disable non-FIPS cryptography): Use this setting to ensure that DriveLock only uses FIPS 140-2-validated
algorithms for both reading existing and creating new encrypted drives (and container files). Any container
that was encrypted using a non-FIPS-validated algorithm cannot be accessed.
Click OK when finished.

Encryption algorithms
Select the encryption algorithm to be used. The available algorithms are described in the section “DriveLock
Encryption Algorithms”.

Hash algorithms
Select the hash algorithm to be used. The available algorithms are described in the section “DriveLock Encryption
Algorithms”.


Method to securely delete files


Select the algorithm to be used for securely deleting files. The available algorithms are described in the section
“DriveLock Encryption Algorithms”.


Minimum required password complexity for encrypted drives


To ensure that users select secure passwords, you should define the minimum complexity that is required for these
passwords. This complexity requirement should match your organization’s guidelines for data security. The
password complexity is dynamically calculated based on the characters used in the password and the password
length.
To configure a custom password complexity policy instead, select “Use password policy” and then configure a
custom policy (for more information, refer to the following section).

Password complexity policy


A password complexity policy contains all requirements an encryption password must meet when a drive (or
container file) is created or when an encryption password is changed. This includes the minimum number of
characters, special characters and numbers the password must contain. DriveLock can also prevent users from
creating a password that exists in a dictionary you specify (password dictionary validation).


If your password policy requires the use of characters that are either a number or a special character, select the
“Treat numbers as special characters” checkbox and then select the number of special characters. When you select to
treat numbers as special characters, any value specified for numbers is ignored.
A dictionary can be a dictionary file in the OpenOffice format or a text file that contains a single word on each line.
DriveLock includes OpenOffice dictionaries for English, German, Dutch and French. You can find these .diz-files in
the DriveLock installation folder on the administration computer where you installed the DriveLock Management
Console (for example “DictEnglish.diz”).

If you specify a custom file, ensure that this file exists on all Agent computers in exactly the same location, as the
Agent looks for this file in the location you specify.

You can also place dictionary files into the policy file storage and select “Policy file storage…” as the dictionary
location. Files located in the policy file storage are identified by an asterisk (“*”) in front of the file name and are
copied to the client automatically. For more information about the policy file storage, see the corresponding chapter
in the document “DriveLock Administration Guide”.

When you use a dictionary to validate your passwords, keep in mind that passwords containing any part of a
word contained in the dictionary are not allowed (for example if the dictionary contains “it”, passwords such as
“hit”, “with” or “glitter” are not allowed).
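The following is an added example, not DriveLock code, that applies the kind of password complexity policy described above to a candidate password: a minimum length, separate quotas for numbers and special characters, the “Treat numbers as special characters” rule (under which the number quota is ignored), and dictionary validation that rejects any password containing a dictionary word as a substring. The policy names, the definition of “special character” as ASCII punctuation, and the word list are constructed for the example.

```python
# Added example (not DriveLock code): a checker for an encryption-password
# complexity policy of the kind described in the guide. The policy class,
# the "special character" definition (ASCII punctuation) and the sample
# word list are constructed for this example.
import string
from dataclasses import dataclass, field
from typing import List, Optional, Set

SPECIAL_CHARS = set(string.punctuation)  # assumption: ASCII punctuation counts as "special"


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_numbers: int = 1
    min_special: int = 1
    treat_numbers_as_special: bool = False
    dictionary: Set[str] = field(default_factory=set)


def load_wordlist(text: str) -> Set[str]:
    """Parse a plain-text dictionary with one word per line (blank lines ignored)."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def dictionary_hit(password: str, words: Set[str]) -> Optional[str]:
    """Return a dictionary word that occurs anywhere inside the password
    (case-insensitive substring match), or None. This is the behaviour the
    guide warns about: 'it' blocks 'hit', 'with' and 'glitter'."""
    lowered = password.lower()
    for word in sorted(words):  # sorted so the reported word is deterministic
        if word in lowered:
            return word
    return None


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    violations: List[str] = []
    if len(password) < policy.min_length:
        violations.append(f"length {len(password)} is below {policy.min_length}")

    digits = sum(ch.isdigit() for ch in password)
    special = sum(ch in SPECIAL_CHARS for ch in password)
    if policy.treat_numbers_as_special:
        # Numbers count toward the special-character quota and the separate
        # number requirement is ignored, as the guide describes.
        if digits + special < policy.min_special:
            violations.append(
                f"needs {policy.min_special} special characters or numbers, has {digits + special}")
    else:
        if digits < policy.min_numbers:
            violations.append(f"needs {policy.min_numbers} numbers, has {digits}")
        if special < policy.min_special:
            violations.append(f"needs {policy.min_special} special characters, has {special}")

    hit = dictionary_hit(password, policy.dictionary)
    if hit is not None:
        violations.append(f"contains the dictionary word '{hit}'")
    return violations


# Constructed sample word list standing in for a one-word-per-line dictionary file.
SAMPLE_WORDLIST = "it\nwith\npassword\n"
DEFAULT_POLICY = PasswordPolicy(min_length=12, min_numbers=1, min_special=1,
                                dictionary=load_wordlist(SAMPLE_WORDLIST))
NUMBERS_AS_SPECIAL_POLICY = PasswordPolicy(min_length=12, min_special=3,
                                           treat_numbers_as_special=True,
                                           dictionary=load_wordlist(SAMPLE_WORDLIST))

if __name__ == "__main__":
    for candidate in ("Glitter2024!", "Xq7$mK9#pL2@", "Abcdefghijk1"):
        print(candidate, "->", check_password(candidate, DEFAULT_POLICY) or "accepted")
```

Note that “Glitter2024!” fails only because of the substring “it”, which is exactly the side effect of dictionary validation the guide points out; keep the dictionary to words of a sensible length if that is not what you want.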

Configuring Lockout Settings


To prevent attempts to determine the password of an encrypted container by attempting to open it using a large
number of character combinations (brute force attack), you can prevent a container from being opened after a
configurable number of invalid attempts. The lockout can be for a period that you configure or DriveLock can lock
the drive indefinitely. The following settings are available:


· Prevent access to container (lock out) after access attempts with invalid password: Select this checkbox to enable
lockout.

§ Number of invalid attempts: Specify the number of invalid access attempts after which a container
will be locked.
§ Lock access for x minutes: Specify the number of minutes for which the container will be locked.

§ Lock access indefinitely: Select this checkbox to lock all access to the container after the maximum
number of invalid access attempts has been reached. To gain access to the container again, you
need to perform a password recovery operation.

The lockout functionality requires the use of container files (.DLV) that were created or updated by a client
running the DriveLock 7.0 Agent (or higher). DriveLock automatically updates the settings for a container file
created by an earlier version of the Agent after it is mounted for the first time using the DriveLock 7.0 Agent (or
higher).

The current version of the Mobile Encryption Application (MEA) is required to access encrypted containers for which
lockout has been configured. To enable automatic updating of the MEA on existing encrypted drives, change the
following setting to Disable (default): Extended configuration -> Encryption -> Removable media encryption -> Settings ->
Do not automatically upgrade Mobile Encryption Application to newer version during enforced encryption.
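The following added example, which is not DriveLock code, models the lockout behaviour described above: a configurable number of invalid attempts, after which the container is either locked for a configurable number of minutes or locked indefinitely until a recovery operation clears the lock. The password check uses a salted PBKDF2 hash; the hash parameters, the reset of the attempt counter when a timed lock expires, and all sample values are assumptions made for this example, not details of the DriveLock container format.

```python
# Added example (not DriveLock code): a lockout counter with the behaviours
# described in the guide (attempt limit, timed lock, indefinite lock cleared
# only by recovery). PBKDF2 parameters and sample values are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption for the example; not the container format's real value


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class ContainerLock:
    salt: bytes
    digest: bytes
    max_attempts: int = 5                 # "Number of invalid attempts"
    lock_minutes: Optional[int] = 15      # "Lock access for x minutes"; None = lock indefinitely
    failed_attempts: int = 0
    locked_until: Optional[float] = None  # Unix time at which a timed lock ends
    locked_indefinitely: bool = False

    @classmethod
    def new(cls, password: str, **kwargs) -> "ContainerLock":
        salt = os.urandom(16)
        return cls(salt=salt, digest=hash_password(password, salt), **kwargs)

    def is_locked(self, now: float) -> bool:
        if self.locked_indefinitely:
            return True
        return self.locked_until is not None and now < self.locked_until

    def try_open(self, password: str, now: float) -> str:
        """Return 'opened', 'denied' (wrong password, not yet locked) or 'locked'."""
        if self.is_locked(now):
            return "locked"  # no password check at all while locked
        if self.locked_until is not None:
            # A timed lock has expired: assumption that the counter starts over.
            self.locked_until = None
            self.failed_attempts = 0
        if hmac.compare_digest(hash_password(password, self.salt), self.digest):
            self.failed_attempts = 0
            return "opened"
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            if self.lock_minutes is None:
                self.locked_indefinitely = True
            else:
                self.locked_until = now + self.lock_minutes * 60
            return "locked"
        return "denied"

    def recover(self) -> None:
        """Stand-in for the password recovery operation that clears an indefinite lock."""
        self.locked_indefinitely = False
        self.locked_until = None
        self.failed_attempts = 0


def simulate(lock: ContainerLock, attempts: Iterable[Tuple[str, float]], start: float = 0.0) -> List[str]:
    """Replay (password, seconds since start) pairs and return each outcome."""
    return [lock.try_open(pw, start + t) for pw, t in attempts]


if __name__ == "__main__":
    lock = ContainerLock.new("correct horse battery", max_attempts=3, lock_minutes=15)
    print(simulate(lock, [("wrong", 0), ("wrong", 1), ("wrong", 2),
                          ("correct horse battery", 3), ("correct horse battery", 16 * 60)]))
```

Two points worth noticing: while a lock is active the password is not verified at all, so a brute-force client learns nothing during the lock window, and an indefinite lock is cleared only by the explicit recovery path, matching the guide's statement that a password recovery operation is needed to regain access.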

Allow quick-format of encrypted containers

To speed up the process of creating an encrypted volume, select “Enable”. This prevents the DriveLock Agent from
pre-initializing and encrypting all space in newly created encrypted volumes. Instead, only the required space is
initially encrypted. Selecting this option can significantly reduce the time required for initial encryption, but some
existing unencrypted data may remain accessible until it is overwritten by files that are added to the encrypted
device at a later time.

Quick format results in a noticeable decrease of the encryption time only on computers running Windows 7.

11.2.2.1.2 Encryption End User Appearance

Context menus available in Windows Explorer


You can configure which commands are displayed in the context menus that appear when a user right-clicks an
encrypted drive or container file in Windows Explorer. When this option is set to “Not configured”, all available
commands are displayed.

Start menu configuration


You can configure whether DriveLock commands are available from the Start menu and how they are arranged. When
this option is set to “Not configured”, the commands can be accessed from the default location “Start – All Programs –
DriveLock”.


Available Start menu items


This option defines which commands are available from the Start menu. When this option is set to “Not configured”,
all commands appear in the Start menu.


Menu items available from the taskbar icon


This option defines which commands are available when right-clicking the DriveLock taskbar icon. When this option
is set to “Not configured”, all commands can be accessed from the taskbar icon.

Order of menu items in taskbar icon


You can configure which items are displayed when you right-click the DriveLock taskbar icon and the order in which
they appear.


To change the order of a menu item, select the item and then click Up or Down. To remove an element, click Remove.
To add a divider, click Add. To restore the default settings, select Not configured.

User contact information for offline password recovery


A user who has forgotten or misplaced the password for an encrypted volume can initiate a recovery process by
starting the password recovery wizard from the Start menu or the taskbar. Because the recovery process requires
assistance from an administrator or helpdesk employee, the user may need contact information, such as the
helpdesk telephone number. Use this menu item to add any contact information to be displayed when a user initiates
a password recovery.


Select Set to fixed value and then type the text to be displayed.

Enabling extended functionality for “Change password”


When a user no longer remembers the personal password for accessing an encrypted container or drive, the user
can start a wizard that allows the changing of the personal container password. You can also configure DriveLock to
let the user perform any of the following additional actions:
· Allow removal of administrative password: When the user sets a personal password, the user can remove the
administrative password. The result is an encrypted container that can only be accessed by providing the
personal password.

· Allow removal of user password: When an administrative password has been configured, the user can remove the
personal password. The result is an encrypted container that can only be accessed by providing the
administrative password. When removing the personal password, the user has to enter the existing personal
password for authorization.

· Allow setting user password when an administrative password is defined: When an administrative password has
been set, a user can add an additional personal password without needing to know an existing password.


Select Set to fixed value and then select the checkboxes for the options you want to enable.

11.2.2.1.3 Encrypted Drive Settings

Encrypted drive file system


Configure this option to set the file system for new encrypted drives to FAT or NTFS.
When you select FAT, DriveLock automatically uses FAT32 when the size of the drive is larger than 40 MB. For
smaller drives DriveLock uses FAT.


Encrypted drive cluster size


Configure this option to set the cluster size that is used for new encrypted drives.


Available drive letters for mounting encrypted drives


Configure this option to select the drive letters that can be assigned to encrypted volumes when they are mounted on
a computer. If you don’t configure this option, a user can assign any available drive letter to an encrypted volume
and DriveLock offers the next available drive letter as the default choice.

This setting is especially useful to prevent problems when network drive letters conflict with those that Windows
previously assigned to removable drives.

Enforce drive letter when mounting encrypted drives

Configure this option to always assign a single drive letter to encrypted volumes when they are mounted on a
computer. When you configure this option, only one encrypted drive can be connected at a time and the drive letter
you selected is assigned.


11.2.2.1.4 End user restrictions

No history for mounted volumes


Configure this option to prevent client computers from storing information about which encrypted volumes users
mount.


Do not allow creation of Mobile Encryption disks


The Mobile Encryption Application (MEA) is a standalone program that lets you access encrypted drives on a
computer without the DriveLock Agent. When a user creates a Mobile Encryption disk by selecting the corresponding
option on the DriveLock menu, DriveLock copies the MEA and an auto-start file (Autorun.inf) to the drive. Enable this
option to prevent the copying of the MEA and Autorun.inf to drives.


Password recovery methods for encrypted volumes


DriveLock offers two methods for gaining access to an encrypted container when the user password for the container
is no longer available:
· Offline recovery using a challenge/response mechanism:

A user can start a wizard to reset the password using a recovery code that is provided by an administrator or
helpdesk personnel. The recovery code can be provided over the telephone and a connection to the corporate
network is not required.
· Online recovery using a locally installed certificate:

If you activate this option you can reset the password without the challenge/response procedure. To perform such a
password reset, the appropriate recovery certificate and private key must be available on the computer where the
recovery procedure is performed.


To configure the recovery method to be used, select Set to value and then select one or both checkboxes indicating
recovery methods to be used.

Only allow encrypted containers created with current DriveLock licenses

Usually an Agent can open any volume that was encrypted by using DriveLock, regardless of where the volume was
created. For example, a DriveLock Agent at a company’s headquarters using one DriveLock license can open an
encrypted volume that was created at a subsidiary using its own DriveLock license.


Select Enable to only allow the use of encrypted volumes that were created by Agents using the same license as the
one in the current configuration. If enabled, a volume encrypted with a different license can’t be opened and
decrypted.

Do not allow opening encrypted containers with Mobile Encryption Application


The DriveLock Mobile Encryption Application is used to access encrypted drives or container files on computers
without the DriveLock Agent installed.


To prevent any access to encrypted volumes using the DriveLock Mobile Encryption Application, select Enable.
Volumes that are created after you activate this setting can’t be opened by the DriveLock Mobile Encryption
Application.

Do not automatically upgrade MEA to newer version during enforced encryption


DriveLock automatically checks whether the Mobile Encryption Application (MEA) on a removable disk is up to date.
By default, DriveLock automatically updates the MEA on a removable drive to the most recent version.


To prevent automatic updating of the MEA, select Enable.

11.2.2.2 Configuring Password Recovery

You can configure DriveLock to use one or two password recovery mechanisms: an administrative password used for
online recovery of encryption passwords and a recovery certificate for offline recovery. This section describes how
to configure each of these mechanisms.
To access an encrypted volume when the encryption password is no longer available, you must have configured
password recovery before the encrypted volume was created.

If you don’t configure at least one of the recovery methods, you will not be able to access the data on an
encrypted volume if the encryption password for the volume is not available, for example, if a user forgets the
password. Having no recovery mechanism may be a desired configuration in certain high-security environments,
but using encryption without enabling password recovery significantly increases the risk of losing access to the
data.

To use a challenge/response mechanism for offline password recovery, the DriveLock Enterprise Service (DES) must
have been installed and configured.
When an encrypted container is created, for example when you enforce encryption of USB-connected drives, the
DriveLock Agent creates the recovery data locally and then sends it to the DES. An administrator can later access the
recovery data from the DES. The recovery procedures are described in detail in the section “Recovering Passwords
for Encrypted Containers”.

If the DES is offline, recovery information will be uploaded as soon as the server becomes available again. It may
take up to 30 minutes until all recovery data has been completely synchronized.


11.2.2.2.1 Configuring an Administrative Password

In addition to the encryption password, which is unique to each encrypted volume, you can configure a central
administrative password. You use the administrative password to access an encrypted drive if a user cannot
remember his or her password or if the password is not available for any other reason. You can use the
administrative password to access the encrypted drive or reset the existing user password. DriveLock recommends
that you use a very strong password or passphrase as the administrative password.

Navigate to Container password recovery in the console tree. Administrative passwords are identified by the symbol
.
By default a single administrative password exists. This password is used for all encrypted containers that are
configured for administrative password recovery. This password has the lowest priority and cannot be deleted.
Double-click Administrative password to configure the password.


Type the password, and then click OK.


Consider using the following guidelines when choosing an administrative password:
· Use a combination of characters from at least three of the following categories: numbers (0 to 9),
uppercase letters (A to Z), lowercase letters (a to z) and special characters (+"*ç%&/()=?è!éà£;:_,.-$¨^# etc.)

· The password cannot be guessed by anyone.

· The password or parts of it don’t appear in any dictionary

· The password should be as long as feasible. Passwords that are shorter than 15 characters generally don’t
provide sufficient long-term protection for stored data. If you find it too difficult to remember a long, complex
password, consider using a passphrase instead.

For maximum security it is strongly recommended that you use a very strong password or passphrase as the
administrative password. Use the strength indicator in the password dialog box to determine whether the
password is strong enough to meet your requirements.

If you forget the administrative password you will no longer be able to recover passwords for encrypted
containers. To prevent this from happening, store a copy of the administrative password in a secure location,
such as a safe.

You can create additional administrative passwords to be used for specific users, computers or network profiles.
For example, you can use a different password for encrypted containers created by management than for those
created by other users. You can also utilize multiple administrative passwords to enable various scenarios for
mounting encrypted drives without prompting the user for a personal password. For example, you could enable
automatic mounting of managers’ flash drives without prompting for the drive’s password, while administrative
assistants will be required to provide the drive’s password.


To create an additional administrative password rule, right-click Container password recovery, point to New and
then click Administrative password rule.
Type a strong password.

On the Options tab, select when the rule will be used:
· Any type of encryption


· Encryption by users (using command line or GUI)

· Enforced or automatic encryption

On the tabs Computers, Networks and Users, select which of these entities the rule will be used for.
Click OK to save the rule. The new rule is displayed in the right pane. The first rule you create is assigned the priority
of 1. The initial priority of additional rules is always one higher than the highest existing priority.


To change the priority of a rule, right-click it and then click Move down or Move up.

If you delete an administrative password that was used for encrypting containers, password reset or automatic
mounting will no longer be possible using this password.

11.2.2.2.2 Creating an Offline Recovery Certificate

To use offline recovery you have to create a master certificate and the corresponding public/private key pair before
creating the first encrypted container.
To enable advanced recovery scenarios you can create multiple recovery key pairs and use different recovery keys
for certain users, computers or networks. This lets you authorize different administrators or helpdesk personnel to
only recover encryption passwords for certain encrypted containers but not for others. For example, you could use
one encryption certificate for encrypted containers used by management and a different certificate for containers
created by all other users. You would then provide the private key for the first certificate only to enterprise
administrators, enabling them to recover passwords for management. The second private key would be shared with
helpdesk personnel, enabling them to recover passwords for all other users.
Before users encrypt containers, ensure that you have created at least one set of recovery keys with the priority
Lowest to enable password recovery.


When you recover the password of an encrypted container you have to provide the private key of the recovery
certificate that was specified in the policy when the container was encrypted.

Recovery certificates are identified by the symbol .


By default a single certificate-based recovery policy exists. This policy is used for all encrypted containers that are
configured for certificate-based password recovery. This certificate has the lowest priority and cannot be deleted.
Double-click Administrative password to configure the password.
To create a master certificate, double-click Certificate-based container recovery.
If you have not previously created a recovery certificate, no certificate information is displayed.


To create the certificate, click Certificate file and then click Create new. This starts the Recovery Certificate Creation
wizard.

Click Next.


Specify the folder where to save the certificate file to or select the option to save the certificate and associated
private key on a smart card.
Click Next.
If you selected to store the certificate on a smart card, further steps are required. Details depend on the smart card
used.

Be sure to back up the certificate file in a secure location, such as a safe. The certificate and private key are
required to recover access to encrypted volumes when a user password is no longer available.

Type the password that will be required to access the private key that is stored with the certificate. To ensure that
you typed the password correctly, you have to type it twice. To continue, click Next.


If you forget the password for accessing the private key you will no longer be able to recover passwords for
encrypted containers. To prevent this from happening, store a copy of this password in a secure location, such as
a safe.

DriveLock creates the certificate. When the process is complete and the certificate and associated keys have been
stored in the selected location, the wizard notifies you that this has happened.
If you selected to store the certificate and keys on a smart card, Windows prompts you to enter the PIN for the smart
card.
Click Finish.

DriveLock displays the file name of the certificate you created.

Once you have created the certificate and the first encrypted container using this certificate has been created, you
must not create a new certificate. Doing so would replace the existing certificate and you would not be able to
recover previously encrypted containers.

To view the details of the certificate, click Properties.


DriveLock also stores the certificate in the local certificate store of the user who created the certificate.
The certificate’s public key is also stored in the file storage of the local DriveLock policy.
If you stop the wizard before the certificate has been created or if an error occurred while running the wizard,
DriveLock displays an error message and you need to run the wizard again to create the certificate.
If you created encrypted containers using a previous version of DriveLock, you can add certificate-based recovery
data to these containers. To do this, select the Add recovery information to existing containers that do not contain
recovery information checkbox. If this checkbox is selected, each time a container is mounted, DriveLock checks
whether the container already contains recovery data. If no recovery data exists, DriveLock creates this data, adds it
to the container and sends it to the DriveLock Enterprise Service.


If you are not using the DriveLock Enterprise Service or if you don’t want to store recovery data in the DriveLock
database, select the No offline recovery checkbox. If you disable offline recovery, you must have physical access to a
container to recover the data stored in it.

To create an additional recovery rule, right-click Container password recovery, point to New and then click
Encryption recovery rule.


Because you have not yet created a recovery certificate, no certificate information is displayed. Create a new
certificate.
On the Options tab, select when the rule will be used:
· Any type of encryption

· Encryption by users (using command line or GUI)

· Enforced or automatic encryption

On the tabs Computers, Networks and Users, select which of these entities the rule will be used for.
Click OK to save the rule. The new rule is displayed in the right pane. The first rule you create is assigned the priority
of 1. The initial priority of additional rules is always one higher than the highest existing priority.
To change the priority of a rule, right-click it and then click Move down or Move up.


If you delete a certificate that was used for encrypting containers, password reset or automatic mounting will
no longer be possible using this certificate.

11.2.2.3 Configuring Enforced Encryption

Activate enforced encryption with DriveLock Encryption 2-Go in the policy at:
Encryption / Settings / Enforced Encryption Method
Check DriveLock Encryption 2-Go.
You also may use DriveLock File Protection to enforce encryption (see Configuring Enforced Encryption with File
Protection).
Before USB-connected drives are automatically encrypted using DriveLock enforced removable media encryption, you
have to configure some general settings, including the encryption algorithms to be used, whether existing data will
be preserved when a drive is encrypted and some other settings. You can configure multiple sets of encryption
settings and then assign different settings for certain users, computers or networks. This may be desirable when you
need to use different encryption algorithms for certain groups of users. For example, you could enforce the use of
AES (FIPS mode) to encrypt drives used by management and use AES for drives encrypted by all other users. To do
this, first create one enforced encryption rule that specifies AES with the Lowest priority. Then create another
enforced encryption rule specifying AES (FIPS mode) and filter the second rule to only apply to the user group
Management.
To enable Encryption 2-Go, at least one set of enforced encryption settings with the priority Lowest must have been
created. Once you have created one or more enforced encryption rules you also need to specify the option Enforce
encryption in any drive rules for drives you want to encrypt automatically.
To enable automatic encryption of removable drives you must configure the settings that are used to automatically
encrypt removable drives that users connect to a computer.
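The administrative password rules, the certificate-based recovery rules and the enforced encryption rules described above all share one resolution model: numbered rules filtered by Computers, Networks, Users and encryption type, with a non-deletable rule of priority Lowest as the fallback. The following added example, which is not DriveLock code, shows how such a rule set resolves to a single rule and reproduces the AES / AES (FIPS mode) scenario from the text. The rule and context classes, the group and address values, and the assumption that numbered rules are checked in ascending priority order before the Lowest rule are all constructed for this example and are not taken from the guide.

```python
# Added example (not DriveLock code): resolving a prioritized rule set with
# Computers / Networks / Users filters and an encryption-type option to the
# one rule that applies. The ordering assumption (ascending priority, then
# the "Lowest" rule) and all sample values are constructed for this example.
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set

USER_ENCRYPTION = "user"          # "Encryption by users (using command line or GUI)"
ENFORCED_ENCRYPTION = "enforced"  # "Enforced or automatic encryption"
ANY_ENCRYPTION = frozenset({USER_ENCRYPTION, ENFORCED_ENCRYPTION})  # "Any type of encryption"


@dataclass
class EncryptionRule:
    name: str
    algorithm: str
    priority: Optional[int] = None                      # None = "Lowest" (the default rule)
    encryption_types: FrozenSet[str] = ANY_ENCRYPTION
    users: Set[str] = field(default_factory=set)        # user or group names; empty = everyone
    computers: Set[str] = field(default_factory=set)    # host names; empty = every computer
    networks: Set[str] = field(default_factory=set)     # CIDR prefixes; empty = every network


@dataclass
class Context:
    user: str
    groups: Set[str]
    computer: str
    ip: str
    encryption_type: str


def rule_applies(rule: EncryptionRule, ctx: Context) -> bool:
    """A rule applies when every configured filter matches; an empty filter matches anything."""
    if ctx.encryption_type not in rule.encryption_types:
        return False
    if rule.users and ctx.user not in rule.users and not (rule.users & ctx.groups):
        return False
    if rule.computers and ctx.computer not in rule.computers:
        return False
    if rule.networks:
        addr = ipaddress.ip_address(ctx.ip)
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in rule.networks):
            return False
    return True


def select_rule(rules: List[EncryptionRule], ctx: Context) -> EncryptionRule:
    """Return the first matching numbered rule (assumed ascending order), else the Lowest rule."""
    numbered = sorted((r for r in rules if r.priority is not None), key=lambda r: r.priority)
    for rule in numbered:
        if rule_applies(rule, ctx):
            return rule
    fallback = [r for r in rules if r.priority is None]
    if len(fallback) != 1:
        raise ValueError("exactly one rule with priority 'Lowest' is required")
    return fallback[0]


def next_priority(rules: List[EncryptionRule]) -> int:
    """The first rule gets priority 1; later ones get the highest existing priority plus one."""
    numbered = [r.priority for r in rules if r.priority is not None]
    return max(numbered) + 1 if numbered else 1


# Constructed rule set reproducing the example in the text: AES for everyone,
# AES (FIPS mode) only for members of the Management group.
RULES = [
    EncryptionRule("Default enforced encryption settings", "AES"),
    EncryptionRule("Management", "AES (FIPS mode)", priority=1, users={"Management"}),
]

if __name__ == "__main__":
    alice = Context("alice", {"Management"}, "LT-01", "10.0.0.5", ENFORCED_ENCRYPTION)
    bob = Context("bob", {"Staff"}, "LT-02", "10.0.0.6", ENFORCED_ENCRYPTION)
    for ctx in (alice, bob):
        print(ctx.user, "->", select_rule(RULES, ctx).algorithm)
```

When you review a rule set, the question to ask of every numbered rule is which of its filters is actually populated: a rule with all three tabs left empty matches everyone and, if it has the lowest number, silently shadows every rule below it.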


11.2.2.3.1 Settings Available for All Automatic Encryption Rules

Click Enforce encryption and then double-click Default enforced encryption settings.
A default set of enforced encryption settings that is assigned the lowest priority is always available and cannot be
deleted. Before you can use enforced encryption you need to configure the default settings or create a custom
encryption rule.
Configure the following settings that DriveLock will use when automatically encrypting a removable drive.


The description is displayed in the DriveLock Management Console and helps you distinguish between different
rules. The Comment field is also used to identify encryption rules.
The next two settings are only used if you also enable users to select an encryption rule and the current rule is one of
the choices to be offered.
In the field “User interface text to display in selection dialog” type the text that is displayed on the button in the policy
selection dialog box. (For more information about selecting an encryption policy, refer to the section “Creating User
Selection Rules”.) If you have preconfigured multilingual notification texts you can select these texts by clicking the

button.
If you want to use the encryption rule in a User Selection Rule, you need to select the “Do not automatically use this
rule” checkbox. Selecting this option ensures that the encryption settings are not immediately enforced when a drive
is connected. Instead a user is presented with a dialog box for selecting an encryption rule. Only after the user has
selected an encryption rule will the settings in this rule be enforced.
Configure the following on the Settings tab:


· Use administrative password, don’t prompt user

Select this option if you want DriveLock to mount and create encrypted drives without prompting users for a
password. To use this setting, you must first configure an administrative password. Users do not have the
option to specify their own password. If you select this option, you can use encrypted drives on all computers
that are configured with the same administrative password, but you are not able to access any encrypted drive
using the Mobile Encryption Application.

· Prompt user for personal password

Select this option if you want DriveLock to prompt for the password of the encrypted drive when the computer
detects an encrypted drive or when initially encrypting a drive. If you select this option, you can use encrypted
drives using the Mobile Encryption Application.
§ Attempt to mount administrative password first: If you have configured an administrative
password, you can also select the option to try mounting drives using the administrative
password first. If you select this option, users are not prompted for a password when using an
encrypted drive on any computer that is configured with the same administrative password. Users
are still prompted for the password when accessing an encrypted drive by using the Mobile
Encryption Application.
§ Disable any administrative password for new containers: As soon as a user sets a personal
password, DriveLock deletes the administrative password. Once the administrative password has
been deleted, access to the encrypted data is only possible by providing the personal password.

· Users can disable administrative password for new container

Select this option to allow users to create “private” encrypted containers with no access using the
administrative password. If you also select the “Use administrative password, don’t prompt user” setting, a user
must select “private” when creating the container before being able to type the encryption password.


When no administrative password has been configured and offline recovery of removable drives has been
disabled, recovering a forgotten password is NOT possible.

· Use entire drive for encrypted container / Fill technically remaining empty space on drives

Select Use entire drive for encrypted container to use all available space on a drive when creating an encrypted
container. When a drive contains data that will be encrypted, DriveLock needs to estimate how much space is
available for the encrypted container when it will be copied to the removable drive.
§ Fill any remaining empty space on drives: To ensure that the container size doesn’t exceed the
available space, normally a small amount of unencrypted space remains available on the drive
after the process completes. Select this checkbox to have DriveLock fill this remaining space with
a hidden system file to ensure that users can’t inadvertently copy data to the unencrypted space
when using the drive on a computer where encryption is not enforced.
§ Leave empty space of x KB: In some Windows 7 environments a few kilobytes of space must remain
available for the operating system to access a drive. Select this option and specify the size of this
empty space to enable access in such environments.

· Leave unencrypted space on drives

Select this option to leave unencrypted space on a drive that is encrypted. Enter a number and then select
whether the number refers to the size of the unencrypted space in megabytes or a percentage of the total
available space.
Select the “Encryption” tab.

The following encryption settings are available:


· Encryption algorithm: Select the encryption algorithm that is used to encrypt drives when your policy enforces
media encryption.

· Hash algorithm: Select the password hash algorithm that is used to encrypt drives when your policy enforces
media encryption.

· File system: Select NTFS or FAT as the file system that is used on encrypted drives when your policy enforces
media encryption.

· Cluster size: Select the cluster size that is used for the file system on encrypted drives when your policy
enforces media encryption.

· Volume label: Type a volume label that is assigned to encrypted drives when your policy enforces media
encryption.

· Perform quick-format: To speed up the process of creating an encrypted volume, select the “Perform quick-
format” checkbox. This prevents the DriveLock Agent from pre-initializing and encrypting all space in newly
created encrypted volumes. Instead, only the required space is initially encrypted. Selecting this option can
significantly reduce the time required for initial encryption, but some existing unencrypted data may remain
accessible until it is overwritten by files that are added to the encrypted device at a later time.

Quick format results in a noticeable decrease of the encryption time only on computers running Windows 7.

Select the Volume creation tab.

The following settings for volume creation are available:


· Preserve existing data: Select this checkbox to create an encrypted removable drive without deleting the data
that’s currently stored on it. Instead, DriveLock creates a temporary container in the user’s profile on the
computer’s hard drive, copies all files from the drive to this container and then moves this container to the
removable drive.

· Copy Mobile Encryption Application to unencrypted portion: Select this checkbox to have DriveLock copy the
Mobile Encryption Application to removable drives when a drive is encrypted and your policy enforces media
encryption. You use the Mobile Encryption Application to access encrypted removable media on computers
where DriveLock is not installed, such as an employee’s home computer.

· Create auto run file (AUTORUN.INF): Select this checkbox to automatically copy the default autorun.inf to the
removable drive. This file facilitates the launching of the Mobile Encryption Application when the drive is
connected to a computer that is not running DriveLock.

· Use customized auto run settings: To change the content of the autorun.inf file, select the “Use customized auto
run settings” checkbox and then type the contents of the custom file in the text box.

· Use custom local temporary folder during volume creation: Select this checkbox and specify a folder that exists
on each client computer for DriveLock to create temporary container files in this folder. By default, temporary
container files are created in the local user profile.

· Hide encrypted container file: When you select this option, the container file EEDATA.DLV is marked as hidden.

Click OK to accept the settings.

11.2.2.3.2 Creating Multiple Encryption Rules

To create an additional enforced encryption rule, right-click Enforced encryption, point to New and then click
Enforced encryption rule.

The settings on the Settings, Encryption and Volume creation tabs are identical to those available for the default rule.
On the tabs Computers, Networks and Users, select which of these entities the encryption rule will be used for.
Because these settings work the same way as in other DriveLock rules, such as drive locking rules, they are not
described in detail here. Selecting users to whom a rule applies is most frequently used to assign different enforced
encryption settings to different groups of users.
Click OK to save the rule. The new rule is displayed in the right pane. The first rule you create is assigned the priority
of 1. The initial priority of additional rules is always one higher than the highest existing priority.

To change the priority of a rule, right-click it and then click Move down or Move up.

11.2.2.3.3 Creating User Selection Rules

You use User Selection Rules to enable users to select the encryption and usage options for an encrypted drive. The
settings in the rule determine the appearance of a dialog that is displayed when a user connects a drive and which
encryption rules a user can select in this dialog box. The following graphic is an example of such a dialog box:

To create a user selection dialog box, perform the following steps:

To create a user selection rule, right-click Enforce encryption and then click New -> User selection rule.

Type a name and an optional comment. Next, click the Messages tab.

Specify the text to be displayed in the top area of the selection dialog box.

You can type each of the three text elements or click the button to select from multilingual notification texts that
you have previously created.
Select the checkbox “Hide welcome page in wizard (after selection of encryption method)” to not display the Welcome
page of the encryption wizard if the option selected by the user causes this wizard to start.

To configure which encryption rules are available to users, click the Selectable rules tab.

In the top section of the dialog box you can add up to three previously created encryption rules that will be
displayed to users. The order in which you add the rules determines the order in which they will be displayed in the
selection dialog box.

The selection dialog box can contain a maximum of three choices of encryption rules in addition to the option
“Allow selection of ‘No access to volume’”. The option “Allow selection of ‘Access volume without encryption’”
counts as one of these choices. If you select this option you can only add two custom encryption rules.

If you enable the option “Allow selection of ‘Access volume without encryption’” and the user selects this option, the
user will have full read and write access to the drive even if the applicable drive locking rule grants no access or
only read access. When enabling this option it is recommended to also select the “Show usage policy before
unlocking the volume” checkbox to display a usage guideline to the user before access to the drive is granted.
The option “Allow selection of ‘No access to volume’” is essentially equivalent to a Cancel button. If the user selects
this option, no automatic encryption settings are enforced and the user is granted the type of access that has been
defined in the applicable whitelist rule for the drive. The same access restrictions are enforced if a user cancels the
encryption wizard without completing it.
On the tabs Computers, Networks and Users, select which of these entities the user selection rule will be used for.
Because these settings work the same way as in other DriveLock rules, such as drive locking rules, they are not
described in detail here. Selecting users to whom a rule applies is most frequently used to present different
encryption choices and display messages to different groups of users.
To change the priority of a rule, right-click it and then click Move down or Move up. To delete a rule, right-click it
and then click Delete.

Always ensure that a user selection rule has a higher priority (lower number) than the first enforced encryption
rule.

To display a graphic, such as a company logo, in the top right corner of the selection dialog box, create a bitmap file
of 48 pixels x 48 pixels and name it DLWizardLogo.bmp. Add this file to DriveLock File Storage. When DriveLock
detects the presence of this file, it automatically replaces the standard logo with it.

11.3 Recovering Encrypted Containers


If a user forgot the password for an encrypted container, or if the password is not available for another reason, you
can use one of the recovery mechanisms provided by DriveLock to gain access to the data stored in the encrypted
container. To use the first recovery method, mount the container using the administrative password and then access
the data. The second recovery method is certificate-based recovery, which has the following advantages:
· Password recovery is possible even when you don’t have physical access to the encrypted container. You can
create a recovery code that enables a user to change the password. This recovery code can be provided to the
user by telephone.

· To recover a password you don’t need to provide the administrative password to a user or helpdesk employee,
and the person performing recovery does not need to have physical access to the encrypted container.

· You can manually distribute the required public/private key pair certificate into the private certificate store
of the Administrator or helpdesk employee who will recover encrypted containers. For security reasons the
certificate should also be marked to not be exportable from the store.
The challenge/response procedure that is used for offline password recovery is similar to the procedure that is used
to give temporary access to locked drives and devices. First, the user who needs to access data in the encrypted
container runs a wizard to create a challenge code. Then an administrator or helpdesk employee uses the DriveLock
Management Console to create the corresponding response code. Finally, the user types the response code into the
wizard. After the wizard validates the response code, the user is prompted to provide a new password.

11.3.1 User-Initiated Password Recovery


The steps a user needs to perform to recover a forgotten password are described in the DriveLock User Guide.

11.3.2 Recovering Encrypted Drives and Folders

The administrator’s part of the recovery process is identical for encrypted drives (containers) and folders.

Recovery may become necessary when a user has lost access to encrypted drives or folders because of forgetting a
password or losing access to a certificate’s private key. Administrators or helpdesk personnel can perform an
offline recovery operation in conjunction with the user that uses a challenge/response mechanism to restore access.
The challenge/response mechanism validates both the challenge (request code) that DriveLock creates for the user
and the corresponding response code that is generated by the person performing the recovery. Only when both codes
are valid for the drive or folder to be recovered, can access to the data be restored (for example enabling the user to
select a new encryption password). The user generates the challenge code using a wizard and provides this code to
an administrator. The administrator checks that the request code is valid and then generates a response code that is
in turn validated by the wizard running on the client computer.
To perform offline recovery, an administrator needs to perform the following steps:
1. In the DriveLock Management Console (MMC), under Operating / Encryption recovery, or in the DriveLock
Control Center (DCC), functional area Helpdesk, open Container-based encryption recovery or
Encrypted folder recovery.
2. Type the challenge code that was provided by the user.

3. Click Next or Find, respectively. The wizard locates the challenge code in the DriveLock database. If more than
one hit is shown, select the appropriate folder or container.

4. Next, provide the recovery certificate (from the certificate file DLDlvRecover.pfx, a smart card or the
certificate store) and, where required, its password.
5. A response code is generated and displayed. Provide this response code to the user and finish the
wizard.

If you lost the private key of a certificate that was used for encryption, a recovery/password reset will no longer
be possible.
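The challenge/response flow described in this chapter, as an added illustration in Go that is not DriveLock’s own code or protocol: the type and function names (RecoveryKeys, Container, NewChallenge, Respond, AcceptResponse), the code layout (dash-separated base32 groups), the ECDSA P-256 key pair standing in for the recovery certificate, the 8-byte container ID and the constructed “helpdesk database” are all assumptions. It shows the property the section relies on: the client stores only the recovery public key, so the helpdesk can answer a challenge without ever learning the container password, a response answers exactly one challenge, and a challenge for an unknown container is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"strings"
)

// RecoveryKeys stands in for the recovery certificate (hypothetical name):
// only the helpdesk holds Priv, clients embed nothing but the public key.
type RecoveryKeys struct{ Priv *ecdsa.PrivateKey }

func NewRecoveryKeys() (*RecoveryKeys, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RecoveryKeys{Priv: k}, nil
}

// Codes are dash-separated base32 groups so they can be read over the phone;
// parseCode tolerates lower case, spaces and missing dashes.
var codec = base32.StdEncoding.WithPadding(base32.NoPadding)

func formatCode(b []byte) string {
	s := codec.EncodeToString(b)
	var groups []string
	for len(s) > 5 {
		groups, s = append(groups, s[:5]), s[5:]
	}
	return strings.Join(append(groups, s), "-")
}

func parseCode(code string) ([]byte, error) {
	clean := strings.NewReplacer("-", "", " ", "").Replace(strings.TrimSpace(code))
	return codec.DecodeString(strings.ToUpper(clean))
}

// Container is the client-side state of one encrypted container (constructed).
type Container struct {
	ID     [8]byte         // identifies the container in the helpdesk database
	PubKey ecdsa.PublicKey // recovery public key stored when the container was created
	nonce  []byte          // nonce of the currently open challenge, nil if none
}

// NewChallenge builds the request code the user reads to the helpdesk:
// container ID || 8 random bytes. Remembering the nonce ties any response to
// this one challenge, so an old response cannot be replayed.
func (c *Container) NewChallenge() (string, error) {
	c.nonce = make([]byte, 8)
	if _, err := rand.Read(c.nonce); err != nil {
		return "", err
	}
	return formatCode(append(c.ID[:], c.nonce...)), nil
}

// AcceptResponse checks the helpdesk signature with the embedded public key;
// only a true result should let the wizard continue to the new-password step.
func (c *Container) AcceptResponse(response string) bool {
	sig, err := parseCode(response)
	if c.nonce == nil || err != nil {
		return false // no open challenge, or a typo the user can simply retry
	}
	digest := sha256.Sum256(append(c.ID[:], c.nonce...))
	c.nonce = nil // a well-formed response is checked exactly once
	return ecdsa.VerifyASN1(&c.PubKey, digest[:], sig)
}

// Respond is the helpdesk step: confirm the container ID is known, then sign
// the challenge bytes. The helpdesk never sees or needs the container password.
func (k *RecoveryKeys) Respond(challenge string, known map[[8]byte]bool) (string, error) {
	raw, err := parseCode(challenge)
	if err != nil || len(raw) != 16 {
		return "", fmt.Errorf("malformed challenge code %q", challenge)
	}
	var id [8]byte
	copy(id[:], raw[:8])
	if !known[id] {
		return "", fmt.Errorf("challenge does not match any known container")
	}
	digest := sha256.Sum256(raw)
	sig, err := ecdsa.SignASN1(rand.Reader, k.Priv, digest[:])
	if err != nil {
		return "", err
	}
	return formatCode(sig), nil
}

func main() {
	keys, _ := NewRecoveryKeys()
	c := &Container{ID: [8]byte{1, 2, 3, 4, 5, 6, 7, 8}, PubKey: keys.Priv.PublicKey}
	challenge, _ := c.NewChallenge()
	response, err := keys.Respond(challenge, map[[8]byte]bool{c.ID: true})
	fmt.Println(challenge, "->", response, err, "allowed:", c.AcceptResponse(response))
}
```

The code lengths here are for illustration only; a full ASN.1 signature is far longer than a code anyone would dictate by telephone, and a product would shorten the response. The security-relevant points survive any such shortening: the private key stays on the helpdesk side (the section’s advice to mark the certificate non-exportable applies to it), the nonce in the challenge prevents a previously issued response from being reused, and the note above still holds: if the private key is lost, no response can ever be produced.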

Part XII
DriveLock File Protection

12 DriveLock File Protection


DriveLock File Protection is a centrally managed, transparent data encryption solution that is completely integrated
into the DriveLock Management Console.

To use DriveLock File Protection you need a license for all computers where you use this type of encryption.

DriveLock File Protection is a file and folder encryption product. Unlike container-based encryption (such as
DriveLock 2-Go), DriveLock File Protection encrypts designated files. When a file is encrypted, its entire contents are
encrypted but the file structure and file name remain unchanged. This ensures that encrypted files appear in
Windows Explorer the same way as unencrypted files. Also, other programs, such as backup or defragmentation
utilities, treat encrypted files the same as any other file. Only when you try to view the contents of a file, for example,
if you open it in Microsoft Word, does the encryption become apparent.

12.1 How Does DriveLock File Protection Work?


The way DriveLock File Protection works is rather straightforward: First, a folder is marked as “encrypted”, which
indicates that all data in this folder is to be encrypted. Next, authorized users are designated for whom DriveLock
File Protection will automatically and transparently encrypt and decrypt files as they are read and saved.
On a computer where DriveLock File Protection is active, it checks every time a folder is accessed whether that folder
is marked as encrypted. When such a folder is detected, the current user’s permissions are validated and encryption
or decryption is automatically performed in the background as files in the folder are accessed.
You can exempt specific processes, such as backup programs or file synchronization operations, from the automatic
encryption and decryption to prevent any impact on existing system maintenance routines.
To authenticate users, DriveLock File Protection can use the following two methods:
· Passwords: To access files in an encrypted folder, a user must provide a password.

· Certificates: Authentication uses a certificate from the user’s certificate store in Windows or from a smart
card or token.
To use certificates for authentication, an existing Public Key Infrastructure (PKI) is not required. Instead you can use
the certificate functionality built into DriveLock itself.

If your organization already has an existing PKI and uses it to issue user certificates, you can use this PKI to
authenticate users for DriveLock File Protection.

All encryption and decryption operations take place in the background and are completely transparent to users. On
computers with modern processors that include hardware-based encryption (AES-NI), DriveLock File Protection takes
advantage of this functionality for approximately 4 times better performance.
Administration of the encryption of centralized file resources, such as shared folders and network-attached storage
(NAS), can be performed by IT administrators using the DriveLock Management Console. Administrators can delegate
the permissions to perform these tasks to others. This enables designated individuals to administer permissions for
their departments and also makes it possible to remove the permission to decrypt certain sensitive files even from
administrators.
In addition to centrally managed folders, users can also create their own encrypted folders and securely store data
in them. This can include folders on flash drives and on cloud storage providers, such as Dropbox. As with centrally
managed folders, permissions to access data in such individual encrypted folders can be given to additional users.

This manual describes the administration of centrally managed folders. The DriveLock User Manual describes
the use of individual encrypted folders.

12.2 Supported Encryption Mechanisms


DriveLock supports the following encryption algorithms:
· AES (recommended): The Advanced Encryption Standard (AES) is a symmetric encryption mechanism that was
chosen by the National Institute of Standards and Technology (NIST) as successor to DES and 3DES in October
2000. It is also called the Rijndael algorithm for its developers Joan Daemen and Vincent Rijmen.

· Triple DES: Triple DES (3DES) is a symmetric encryption method based on the older DES (Data Encryption
Standard) but works with twice the key length (112 bit) of its predecessor. Data is encrypted using three
successive DES operations. Because of the key length, 3DES is regarded as a relatively safe method for
encrypting most data, unlike DES, which is more susceptible to brute-force attacks.

· IDEA: The IDEA algorithm (International Data Encryption Algorithm) was developed in 1990 by James L.
Massey and Xuejia Lai as a joint project between ETH Zurich and Ascom Systec AG. IDEA is a symmetric key
block cipher that uses 128-bit keys. During encryption, clear text is broken into 64-bit blocks and the key is
divided into 16-bit fragments. Encryption is performed by combining the logical function XOR, addition
modulo 2^16 and multiplication modulo 2^16 + 1. The combination of these three operations, chosen from
different algebraic groups, is designed to ensure a high degree of security.
Hash algorithms are used to validate passwords or private keys without storing the passwords or key material
themselves. DriveLock supports the following hash algorithms:
· SHA-1: This algorithm was developed by NIST (National Institute of Standards and Technology) in cooperation
with the NSA (National Security Agency) as the secure signing hash function of the digital signature algorithm
(DSA) for the Digital Signature Standard (DSS). Published in 1994, Secure Hash Standard (SHS) specifies a
secure hash algorithm (SHA) with a hash value of 160 bits for messages with a size of up to 2^64 bits. SHA is
similar to the MD4 algorithm developed by Ronald L. Rivest. There are three SHA versions, SHA-0, SHA-1 and
SHA-2. The SHA-2 family uses an identical algorithm with a variable digest size. Depending on this digest size,
the algorithm is called SHA-224, SHA-256, SHA-384 or SHA-512.

· RIPEMD-160: RIPEMD-160 was developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel and
published in 1996. It is an improved version of RIPEMD (based on MD4) and comparable to SHA-1 in security
and speed. This algorithm is less likely to contain security holes because its development process was more
open than that of SHA-1.

· WHIRLPOOL: Whirlpool is a cryptographic hash function designed by Vincent Rijmen (co-creator of the
Advanced Encryption Standard) and Paulo S. L. M. Barreto. The hash has been recommended by the NESSIE
project. It has also been adopted by the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard.

12.3 Configuring DriveLock File Protection


Before you can use DriveLock File Protection you need to determine your exact requirements and perform the
configuration steps that match these requirements.
You need to determine the following requirements:
· How will you administer the user certificates that will be used for authentication?

· What settings will apply to the encryption and decryption of data?

· What functionality will be available to users on their computers?

· What will be the folder structure that you will use for storing encrypted data and files?

For administering user certificates you can use the following methods:
· Certificates are managed by the user - a personal (self-signed) certificate can be created using the DriveLock
Application.

· Certificates are administered using DriveLock. The Certificates (public key) are stored by DriveLock in a
database.

· User certificates are administered in an existing PKI using Microsoft Active Directory without any involvement
by DriveLock.

· User certificates are administered in a third-party Windows-compatible environment without any
involvement by DriveLock.
Certificate management using DriveLock is described in the section “Managing User Accounts and Certificates”.
How to configure the various options for encryption and decryption and the configuration of user options is
described in the section “Configuring Encryption Rules for Clients”.
How to create and administer centrally managed encrypted folders is described in the section “Centrally Managing
Encrypted Folders”.

12.3.1 Creating a Master Certificate for Key Management


Before you can create and manage any user certificates using the DriveLock Enterprise Service, you need to create or
import a master certificate for tenant root or per tenant. This master certificate will be used to sign all user
certificates that you will issue.
You may use the master certificate of tenant root for all tenants or create a master certificate for each tenant.
Open DriveLock Enterprise Services / Server / double-click <Server Name> / Options and
check or uncheck Enable tenant-aware certificate management.
To create a master certificate for DriveLock File Protection:
1. Open DriveLock Enterprise Services / Tenants,
right-click <tenant name> / All Tasks / Configure root certificate.
The Configure certificate management wizard appears.
2. Click Next.
3. To use an existing certificate, select “Existing Master Certificate” and then click “…” to select a certificate
file. When prompted, type the password used to protect the private key, click Next and then continue with
Step 5 of this procedure.
To create a new, self-signed certificate, select “Create new master certificate” and then click Next.
4. Provide all required information for the new master certificate, as shown in the following dialog box, and
then click Next.

5. DriveLock stores the certificate in its database. When this process has completed, click Finish. If the process
fails, review the reasons for this failure, and after eliminating the cause, run the wizard again.

When the master certificate has been created and the wizard has finished, certificate and key management is
initialized on the server running the DriveLock Enterprise Service and the DriveLock Enterprise Service is
restarted.

12.3.2 Configuring Certificate Management


Creating or designating a master certificate automatically activates the certificate and key management
functionality of the DriveLock Enterprise Service. You can deactivate or reactivate this functionality at any time.
Another certificate management setting is how DriveLock File Protection handles the creation and renewal of
user certificates. The following two methods are available:
· A user certificate is automatically generated and issued when a user applies for a certificate. (Default)

· An administrator must approve user certificates before they are issued to users.

To change settings for certificate management, perform the following procedure:


1. Navigate to DriveLock Enterprise Service / double-click <tenant name> / Certificate mgmt.

2. To activate certificate management, select the “Enable key and certificate management” checkbox.
3. To require an administrator to validate and approve all user certificates, select the “Certificate requests must
be manually approved by an administrator” checkbox.
4. To save the settings, click Apply.

12.3.3 Configuring Encryption Rules for Clients


You configure policies for encryption and decryption of data and the behavior of DriveLock File Protection on a
client computer in a DriveLock policy. The process of creating and distributing DriveLock policies is described in the
chapter “Distributing DriveLock Configuration Settings”.
To open an existing policy, in the DriveLock Management Console perform the following steps:
1. In the navigation pane, click Policies.
2. In the details pane, right-click an existing policy and then click Edit.
3. After the policy opens in a new window, in the navigation pane of that window, click Encryption -> File
Protection.
You can perform the following tasks:
· Configuring encryption settings

· Configuring the encryption user interface

· Configuring settings for encrypted folders

· Configuring additional settings

· Creating recovery certificates

· Configuring Enforced Encryption

12.3.3.1 Configuring encryption settings

To configure encryption settings, in the navigation pane, click File Protection and then click Settings.
To configure the various settings, click the appropriate option in the details pane:
· Encryption algorithm for encrypted folders: Select the encryption algorithm to be used for encrypting data. (For
more information about the available algorithms, refer to the section “Supported Encryption Algorithms”.)

· Hash algorithm for passwords for encrypted folders: Select the algorithm to be used for creating password
hashes. (For more information about the available algorithms, refer to the section “Supported Hash
Algorithms”.)

· Minimum password complexity for encrypted folders: Configure the required password complexity to match
your organization’s IT policy. Password complexity is computed from the types of characters that are used
and the length of the password. To define a custom requirement for password complexity, click Password
complexity policy and then define the policy.

· Password complexity policy: Select the required number of characters in a password that need to be in each of
the available categories. If your organization’s policy treats numbers and special characters as belonging to
the same category, select the “Treat numbers as special characters” checkbox.

A dictionary can be a dictionary file in the OpenOffice format or a text file that contains a single word on each line.
DriveLock includes OpenOffice dictionaries for English, German, Dutch and French. You can find these .diz-files in
the DriveLock installation folder on the administration computer where you installed the DriveLock Management
Console (for example “DictEnglish.diz”).

If you specify a custom file, ensure that this file exists on all Agent computers in exactly the same location, as the
Agent looks for this file in the location you specify.

You can also place dictionary files into the policy file storage and select “Policy file storage…” as the dictionary
location. Files located in the policy file storage are identified by an asterisk (“*”) in front of the file name and are
copied to the client automatically. For more information about the policy file storage, refer to the chapter “Using the
DriveLock Policy File Storage”.

When you use a dictionary to validate your passwords, keep in mind that passwords containing any part of a
word contained in the dictionary are not allowed (for example if the dictionary contains “it”, passwords such as
“hit”, “with” or “glitter” are not allowed).
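The complexity policy and the dictionary rule described above, as an added Go example that is not DriveLock’s own code: the Policy structure, its field names, the message texts, the LoadDictionary parser and the constructed word list are assumptions made for the illustration (the real *.diz dictionaries are not parsed here; the plain “one word per line” format is). The dictionary check is implemented exactly as the note states it, as a case-insensitive substring match, which is why a short word like “it” rejects “Glitter#9” even though that password satisfies every category count.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Policy is a hypothetical model of the complexity policy described above:
// minimum length, minimum characters per category, the "treat numbers as
// special characters" switch and a substring dictionary.
type Policy struct {
	MinLength, MinUpper, MinLower, MinDigits, MinSpecial int
	TreatDigitsAsSpecial bool     // digits count towards MinSpecial; MinDigits is then ignored
	Dictionary           []string // lower-case words; any substring match rejects the password
}

// LoadDictionary reads a "one word per line" list. Blank lines and lines
// starting with '#' are skipped; words are lower-cased for matching.
func LoadDictionary(text string) []string {
	var words []string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		w := strings.ToLower(strings.TrimSpace(sc.Text()))
		if w != "" && !strings.HasPrefix(w, "#") {
			words = append(words, w)
		}
	}
	return words
}

// Check returns every rule the password breaks; an empty result means accepted.
func (p Policy) Check(password string) []string {
	var upper, lower, digits, special int
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			upper++
		case unicode.IsLower(r):
			lower++
		case unicode.IsDigit(r):
			digits++
		default:
			special++ // punctuation, symbols, spaces
		}
	}
	if p.TreatDigitsAsSpecial {
		special += digits
	}
	var problems []string
	fail := func(cond bool, msg string) {
		if cond {
			problems = append(problems, msg)
		}
	}
	fail(utf8.RuneCountInString(password) < p.MinLength, fmt.Sprintf("fewer than %d characters", p.MinLength))
	fail(upper < p.MinUpper, fmt.Sprintf("fewer than %d upper-case letters", p.MinUpper))
	fail(lower < p.MinLower, fmt.Sprintf("fewer than %d lower-case letters", p.MinLower))
	fail(!p.TreatDigitsAsSpecial && digits < p.MinDigits, fmt.Sprintf("fewer than %d digits", p.MinDigits))
	fail(special < p.MinSpecial, fmt.Sprintf("fewer than %d special characters", p.MinSpecial))

	// Dictionary rule exactly as the note states it: the password may not
	// contain any dictionary word as a substring, so "it" rejects "glitter".
	lowered := strings.ToLower(password)
	for _, w := range p.Dictionary {
		if strings.Contains(lowered, w) {
			problems = append(problems, fmt.Sprintf("contains dictionary word %q", w))
			break
		}
	}
	return problems
}

func main() {
	// Constructed word list standing in for a *.diz or plain text dictionary file.
	dict := LoadDictionary("it\npassword\n# comment line\n\nsecret\n")
	policy := Policy{MinLength: 8, MinUpper: 1, MinLower: 1, MinDigits: 1, MinSpecial: 1, Dictionary: dict}
	for _, pw := range []string{"Tr0ub4dor&3", "Glitter#9", "SecretSauce9!", "abc"} {
		fmt.Printf("%-14s %v\n", pw, policy.Check(pw))
	}
}
```

Running the example against a real word list makes the practical consequence of the substring rule visible before the policy reaches Agents: a dictionary with very short entries will reject most passwords a user can remember, so review the list for two- and three-letter words before selecting it.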

12.3.3.2 Configuring the encryption user interface

To configure how the encryption interface appears to users, navigate to File Protection and then click Settings.
To configure any of the following settings, click the item and then complete the steps described for each of them:
· Available context menus in Windows Explorer: To configure the context menus that are available to a user who
right-clicks an encrypted folder, click Set to value and then select from the available options. When you select
Not configured, all menu entries are displayed.

· Start menu configuration: To configure where menu items that are available to users appear on the Windows
Start menu, click Set to fixed value and then select from the available options. When you select Not
configured, menu items are displayed under All Programs -> DriveLock File Protection.

· Available Start menu entries: To configure which commands are available from the Start menu, click Set to
value and then select the items that will be available to users. When this option is set to “Not configured”, all
commands appear on the Start menu.

· Menu items available from the taskbar icon: To configure which commands are available when right-clicking
the DriveLock taskbar icon, click Set to value and then select the items that will be available. When this
option is set to “Not configured”, all commands can be accessed from the taskbar icon.

· Order of menu items in taskbar icon: To configure the order in which commands are displayed when right-
clicking the DriveLock taskbar icon, click Set to fixed value. To change the order of the menu items, select an
item and then click Up or Down. To remove an item, select the item and then click Remove. To add a separator
line, click Add. When this option is set to “Not configured”, the items are displayed in the default order.

· User contact information for offline password recovery: A user who has forgotten or misplaced the password for
an encrypted volume can initiate a recovery process by starting the password recovery wizard from the Start
menu or the taskbar. Because the recovery process requires assistance from an administrator or helpdesk
employee, the user may require contact information, such as the helpdesk telephone number. To add any
contact information to be displayed when a user initiates a password recovery, click Set to fixed value and
then type the contact information. When this option is set to “Not configured”, no contact information is
displayed.

· Format for user display names: To configure the format in which user names are displayed when administering
permissions for encrypted folders, click Set to fixed value. When this option is set to “Not configured”, names
are displayed in the format [Last name], [First name].


· Do not show popup messages for automatic folder mounting: To disable the display of popup messages when
connecting to encrypted folders, click Enable. When this option is set to “Disable” or “Not configured”, popup
messages are displayed.

· Do not allow users to save encrypted folder passwords: To prevent users from saving passwords, click Enable.
When this option is set to “Disable” or “Not configured”, users can select the “Save password” option to save a
password and have it entered automatically the next time the user connects to the encrypted folder.

· Encrypted folder password saving options: Select whether and how users are allowed to save passwords of
encrypted folders. The options are deny, allow, and allow - current session only. If you select current session only,
the password is deleted when the user logs off, but until then it is valid for all folders secured with the same
password. This makes working with multiple encrypted folders easier while keeping security high.

12.3.3.3 Configuring Settings for Encrypted Folders

To configure encryption settings, navigate to File Protection and then click Settings.
To configure any of the following settings, click the item and then complete the steps described for each of them:
· Encrypted volume password recovery methods: To select which password recovery methods are available to
users, click Set to value and then select the methods you want to be available. When this option is set to “Not
configured”, all recovery methods are available to users.

· Interval for checks for certificate revocation: To configure the interval at which DriveLock checks whether a user
certificate has been revoked, click Set to fixed value and then select a time interval. When this option is set to
“Not configured”, DriveLock checks every 24 hours whether a certificate has been revoked.

· Access to encrypted files in locked folders: To configure the action DriveLock File Protection performs when a
user does not have permissions to encrypt or decrypt a file, click Set to fixed value and then select from the
following options. When this option is set to “Not configured”, access is denied.
§ Deny: Users without DriveLock permissions are not allowed to access encrypted folders even if they
have the required Windows permissions. The Windows “Access denied” message is displayed.
§ Allow for administrator: Users without DriveLock permissions can only access files if they are
members of the Administrators group.

When you enable access without DriveLock permissions, the folder is treated for these users like any other
Windows folder. Files are not decrypted when they are read and not encrypted when users write to them. This
can cause problems when users with and without DriveLock permissions write to the same files. When a
user with DriveLock permissions accesses such an unencrypted file in an encrypted folder, DriveLock attempts to
decrypt it, which prevents the user from reading it. When such a user writes to an unencrypted file, the file’s
contents may be rendered unusable.

· Automatic mount of encrypted folders: To configure the behavior of DriveLock File Protection when connecting
to an encrypted folder, click Set to fixed value and then select from the following options. When this option is
set to “Not configured”, the option “On (show wizard if needed)” applies.
§ On (show wizard if needed): DriveLock File Protection attempts to open the folder by using a user
certificate from the local certificate store or a previously saved password. If the user does not
have the required permissions or enters a wrong password, a window opens, prompting the user
to select the authentication method. This option is appropriate when you don’t allow users to
save their passwords or you use certificates that are not stored in the local certificate store, such
as certificates on smart cards or tokens.


§ Fully automatic only, do not show wizard: DriveLock File Protection attempts to open the folder by
using a user certificate from the local certificate store or a previously saved password. If the user
does not have the required permissions or enters a wrong password, the user is treated as not
authorized.
§ Off: Connections to an encrypted folder are not automatically established. The user is treated as
not authorized until he or she right-clicks the folder and authenticates using the menu item Mount
encrypted folder.

12.3.3.4 Configuring Additional Settings

To configure additional encryption settings, navigate to File Protection and then click Additional settings.
To configure any of the following settings, click the item and then complete the steps described for each of them:
· Files and paths excepted from encrypted folder autoregistration: To designate folders that DriveLock will never
attempt to mount automatically, click Set to configured list. Then edit the list of folders by clicking Add,
Remove or Edit.

· Backup process names (access to encrypted data): To designate programs that need to access encrypted folders
without having DriveLock permissions to decrypt data, click Set to configured list. Then edit the list of
programs by clicking Add, Remove or Edit. Type program names without the path (for example, backup.exe).
The program files for Dropbox, OneDrive and Google Drive are already included automatically.

The driver that recognizes backup processes does not support long file names. For a program whose name does
not fit the 8.3 format, enter only the first seven characters of the name instead. For example, BACKUP.EXE is a
genuine 8.3 file name and can be entered as is, but MyBackupBackupAndRestore.exe must be entered as MYBACKU.

12.3.3.5 Configuring Enforced Encryption

To force encryption of external drives, you can also use DriveLock File Protection instead of container encryption
(see DriveLock Encryption 2-Go). For large drives, this speeds up the initialization, because no container has to be
created first; instead, only the files are encrypted as they are copied to the folder. Additionally, you can create up to
three folders with different permissions, for example one using a company certificate for all employees, one with
user name and password for the owner, and one unencrypted folder.

Use enforced encryption with DriveLock File Protection


1. Activate enforced encryption with DriveLock File Protection in the policy under:
Encryption / Settings / Enforced Encryption Method
Check DriveLock File Protection. File and folder encryption is then used instead of container encryption for all
new unencrypted drives for which enforced encryption is activated in a rule.
Check Let the user decide if your users should be able to choose between file and folder based encryption and
container based encryption.
2. Configure the encryption settings in Enforce Encryption.
Right-click to create one or more new encryption rules for different user groups.
a. On the General tab of the configuration dialog, enter a short description for the new rule.
b. On the Volume Creation tab, select whether existing data is to be preserved (copied and encrypted to the
configured folder) and whether the Mobile Encryption Application is to be copied to the drive. If you do not
select to preserve existing data, all data on the drive is deleted before the drive is encrypted.
c. On the Settings tab, define the permission and encryption settings and assign a name for the encrypted folder.
In the extended settings you can name additional folders and select which folder receives the data to be
preserved.


d. On the Computers, Networks and Users tabs, define for whom and where the rule applies.
e. Assign a priority to the rule. Of the rules whose conditions apply, the one with the highest priority is executed.

User selection of encryption rules (optional)


In the same manner, create new User Selection Rules and add encryption rules to them if users are to select the
appropriate encryption rule themselves. Assign a suitable priority to ensure that user selection rules are executed
before encryption rules.

If you checked Let the user decide, the encryption method dialog appears first, followed by the rule selection
dialog. Make sure that options which are available in both dialogs are checked only once.

12.3.3.6 Configuring Recovery Certificates

To use offline recovery, you first have to create a master certificate and the corresponding public/private key pair
before creating the first encrypted container.
To enable advanced recovery scenarios, you can create multiple recovery key pairs and use each of them for a
different group of users, computers or networks. This lets you authorize different administrators or helpdesk
personnel to recover encryption passwords only for certain encrypted containers but not for others.

Example: Especially in large IT environments you might use one encryption certificate for files encrypted by
management and a different certificate for files encrypted by all other users. You would then provide the private
key for the first certificate only to enterprise administrators, enabling them to recover passwords for
management. The second private key would be shared with helpdesk personnel, enabling them to recover
passwords for all other users.

To configure the settings for the recovery of encrypted folders, navigate to File Protection and then click Encrypted
folder recovery.

If you use multiple encryption certificates and you recover an encrypted file, you have to provide the private key
of the recovery certificate that was specified in the policy when the file was encrypted.

Recovery certificates are designated by the symbol.


By default a single certificate-based folder recovery policy exists. This policy has the lowest priority and cannot be
deleted.


To create a default recovery certificate, perform the following steps:


· Double-click Certificate-based folder recovery.

· Click Certificate file and then click Create new. This starts a wizard that creates a new recovery certificate.

· Click Next.

· Specify the folder where you want to store the certificate and the associated private key as files or select a
smart card to store the certificate and private key on.

· Click Next.

· If you selected to store the certificate and private key on a smart card, further steps are required. Details
depend on the smart card used.

Be sure to back up the certificate files in a secure location, such as a safe. The certificate and private key are
required to recover access to encrypted folders when regular access is no longer possible.

· Type the password that will be required to access the private key that is stored with the certificate. To ensure
that you typed the password correctly, you have to type it twice. To continue, click Next.

If you forget the password for accessing the private key you will no longer be able to recover encrypted files. To
prevent this from happening, store a copy of this password in a secure location, such as a safe.

· DriveLock creates the certificate. When the process is complete and the certificate and associated keys have
been stored in the selected location, the wizard notifies you that this has happened.

· If you selected to store the certificate and keys on a smart card, Windows prompts you to enter the PIN for the
smart card.

· Click Finish.

DriveLock displays the file name of the certificate you created.

Once you have created the certificate and the first encrypted folder using this certificate was created, you must
not create a new certificate. Doing so would replace the existing certificate and you would not be able to
recover previously encrypted files.

To view the details of the certificate, click Properties.


DriveLock also stores the certificate and its private key in the local certificate store of the user who created the
certificate. The certificate’s public key is also stored in the file storage of the local DriveLock policy.
If you stop the wizard before the certificate has been created or if an error occurred while running the wizard,
DriveLock displays an error message and you need to run the wizard again to create the certificate.
If you previously created encrypted folders without a default recovery certificate, you can add certificate-based
recovery data to these folders. To do this, select the “Add recovery information to existing folders” checkbox. If this
checkbox is selected, each time a folder is mounted, DriveLock checks whether the container already contains
recovery data. If no recovery data exists, DriveLock creates this data, adds it to the container and sends it to the
DriveLock Enterprise Service.
If you are not using the DriveLock Enterprise Service or if you don’t want to store recovery data in the DriveLock
database, select the “No offline recovery – do not upload recovery information to DES” checkbox. If you disable offline
recovery, you must have physical access to a file to recover the data stored in it.
To create an additional recovery rule, right-click Encrypted folder recovery, point to New and then click Encryption
recovery rule.


Because you have not yet created a recovery certificate, no certificate information is displayed. To create a new
certificate, follow the steps for creating a default recovery certificate.
On the tabs Computers, Networks and Users, select which of these entities the rule will be used for. Information on
these tabs is applied in the same way as in other DriveLock rules, such as those for device control and application
control and thus is not described in detail here.
Click OK to save the rule. The new rule is displayed in the right pane. The first rule you create is assigned the priority
of 1. The initial priority of additional rules is always one higher than the highest existing priority.
To change the priority of a rule, right-click it and then click Move down or Move up.

If you delete a certificate that was used for encrypting folders, recovery will no longer be possible using this
certificate.

12.3.3.7 Company certificate

Encrypted folders containing a company certificate can be mounted by any user who has access to the
corresponding private key in the Windows certificate store. In that case, when the user mounts an encrypted folder,
DriveLock first checks whether the folder can be decrypted using the company certificate. If so, the folder is
mounted without any further user interaction. Otherwise, the user is asked for his or her credentials.
DriveLock does not create company certificates but allows you to import the public key of any certificate (*.cer) you
own. DriveLock does distribute the private key (*.pfx) to the Windows certificate store (user account or computer
account). You have
Technically, a company certificate is very similar to a recovery certificate and is configured in the same way (see
the previous chapter).
Create a company certificate
To add a new company certificate to a policy, open Encryption / File Protection / Encrypted folder recovery / New /
Company certificate... / General and add a description and the certificate.
Check Enabled to use the certificate when creating or updating encrypted folders.
Open the Options tab and check the desired type of encryption.

For evaluation purposes you may use, for example, a DriveLock recovery certificate as a company certificate.
Import the DLFfeRecovery.cer into the policy and the DLFfeRecovery.pfx into the Windows certificate store.

Update a company certificate


DriveLock does not check the expiration date of a company certificate and still allows you to access and create
encrypted folders with an expired one. Nevertheless, you can add new company certificates to your policy at any
time and remove expired certificates from your policy.

If you remove the (expired) private key from the Windows certificate store, you can no longer access the
encrypted folders using this key. If this was the only key for a folder, a new company certificate can no longer be
added to it.

12.4 Managing User Accounts and Certificates


Before you can administer users and their certificates you need to configure several settings. These settings are
described in the sections “Creating a Master Certificate for Key Management” and “Configuring Certificate
Management”.


12.4.1 How User Administration Works


User administration in DriveLock File Protection allows you to issue and administer certificates for users without
the need for an existing public key infrastructure (PKI).
The integrated user administration is not required if:
· You already have a Microsoft Active Directory environment and you are administering user certificates using
this infrastructure

· You are already using a PKI that is compatible with Microsoft Windows

· You want to use exclusively passwords for encryption authentication. (Note that these passwords are
different from Windows passwords.)

One main advantage of using user certificates for authentication with DriveLock File Protection is that encryption
and decryption can be performed completely transparently to users, without requiring users to change anything
about how they access and use files and folders. Each time an encrypted folder is accessed,
DriveLock File Protection checks whether the user’s certificate store contains a user certificate and automatically
uses this certificate for authentication.
To make it easy for administrators to use certificates without having to become familiar with the details of a public
key infrastructure (PKI), all functionality for quick and easy administration of users and their certificates is
integrated into DriveLock File Protection. Users can apply for their own certificates; these requests can be
approved automatically and the certificates stored in the user’s certificate store. Administrators can add or remove
users, modify, revoke and delete certificates, and import existing certificates from Active Directory or other sources.

In DriveLock File Protection a user and the user’s certificate are closely linked. Every DriveLock File Protection
user needs a certificate and each certificate is linked to one user. When a user requests a certificate, DriveLock
automatically creates a corresponding user account. Similarly, if an administrator creates a user account,
DriveLock File Protection automatically creates a certificate for the user.

The DriveLock PKI does not store and manage the private key of a user's certificate. Users should export the
certificate including the private key (PFX file) from the Windows certificate store using the DriveLock Application
and keep it in a safe place. They have to import it again into the Windows certificate store to access their encrypted
folders from a different computer.

12.4.2 Managing User Accounts


You use the DriveLock Management Console to administer user accounts. To perform user administration tasks,
navigate to DriveLock File Protection and then click Users and Groups.

The details pane displays an overview of all user accounts that are stored in the DriveLock database.


By default, user accounts are arranged alphabetically by object name. To change the sort order, click the header of
the column you want to sort by. To change between ascending and descending sorting, click the same column header
again.

When administering user accounts, you cannot generate new certificates for users. Only a user can create his
or her own certificate. However, you can import existing user certificates from another PKI and associate them
with DriveLock File Protection users. The process for creating user certificates is described in the DriveLock
User Manual.

To import an existing certificate for a user, perform the following procedure:

· In the navigation pane, right-click User or right-click an empty area in the details pane.

· In the context menu, point to New and then click one of the following:

§ User from Active Directory: Select this option to add a user that already has a user certificate
stored in Active Directory. The standard Windows object picker dialog box appears, letting you
select the Active Directory user.
§ User from certificate: If you have access to a user’s certificate in a certificate file (*.cer), you can
select this certificate file.

· When the certificate has been read from Active Directory or the file, the User account’s Properties window
opens.

· DriveLock File Protection automatically copies user information that is contained in the certificate. You can
add any missing information, such as e-mail address or department.


· Optional: In multi-tenant environments with multiple DriveLock Enterprise Service servers you can specify the
tenant that the user is associated with. To do this, select the appropriate tenant in the Tenant box. In all other
environments, leave this setting unchanged.

· Optional: You can add a display picture to the user account. This picture will be displayed at various points
when selecting a user. Displaying a picture can help select the correct user, especially when multiple users
share the same name. To add a picture, click Display picture, select the appropriate image file and then click
Open. If the file can be used as a display picture, the picture will be displayed in the top left corner of user
account’s Properties dialog box.

· Click OK to create the user account and save any modifications you made. The user account will be displayed
in the details pane.

When a user creates or applies for a certificate, the corresponding user account is automatically created.

To view or modify a user account, double-click the account entry in the details pane.

· The Centrally managed folders tab displays all centrally managed folders that the user is authorized to access.

· The Certificates tab displays all certificates associated with the user that are stored in the DriveLock database.

To delete a user, right-click the user and then click Delete user.

For more information about centrally managed folders, refer to the section “Centrally Managing Encrypted
Folders”. For more information about managing certificates, refer to the section “Managing Certificates”.

12.4.3 Managing Groups


DriveLock File Protection groups are sets of DriveLock File Protection users. DriveLock groups can be assigned to
centrally managed encrypted folders. Each time DriveLock users are added to or removed from a DriveLock group,
the DriveLock Enterprise Server adds or removes the corresponding DriveLock users to/from all centrally managed
folders to which the DriveLock group is assigned in the background.

This differs from the behavior of Windows (AD) groups. Whereas permissions of AD groups are evaluated at
access time, DriveLock must assign the corresponding users to the folders itself, because groups cannot own
certificates and cannot authenticate. There may be a delay of approximately 15 minutes until this is done.

To create a new group, right-click Users and groups and then click New.


You may either create a new DriveLock group and then add the desired DriveLock users, or you may import an
existing group from Active Directory (AD). If you import a group from AD, the members of the AD group are
added to the DriveLock group under the following conditions:
· the AD user already exists as a DriveLock user => the user is simply added to the DriveLock group

· the AD user owns a valid certificate => a new DriveLock user is created and then added to the
DriveLock group

· the AD user does not own a valid certificate => a notification is shown and the user is not added

In the properties dialog of the new group, on the General tab, enter or adapt the group name and select the correct
Tenant. On the Users tab, add or adapt users of the selected tenant and check at least one user as Group
administrator. Click OK to save the new group.


Once the group has been created, only the group administrators may add additional users and grant or revoke
administrator permissions to users, using the DriveLock Application. For more information see the DriveLock User
Manual.

Open the properties dialog of a DriveLock group to get information about the users who are members of the group
and about the managed folders the group is assigned to. As an exception, a DriveLock administrator may remove
users and managed folders from the group if the group administrator is not available.

12.4.4 Managing Certificates


To manage certificates, in the DriveLock Management Console navigate to DriveLock File Protection and then click
Certificates.

DriveLock File Protection uses three categories of certificates that are displayed separately:
· Certificate requests: This includes user requests for certificates or certificate renewals that an administrator
has not yet approved or denied.

Approving certificates only needs to be performed if you configured the setting to require administrator
approval in the DriveLock Enterprise Service. If administrator approval is not required, this list of certificate
requests will always be empty. For more information about certificate approval, refer to the section
“Configuring certificate management”.

· Active certificates: This includes all certificates that are stored in the DriveLock database that have not been
revoked. You can view certificates, export a certificate’s public information, delete and revoke a certificate.

· Revoked certificates: This list displays all certificates that have been revoked by an administrator. Certificate
revocation marks a certificate as invalid, for example when a user leaves the organization or if a private key
has been compromised. By retaining these certificates but marking them as revoked you can ensure that they
can no longer be used to decrypt data, even if they are still within their validity period. You can view revoked
certificates, export a revoked certificate’s public information and cancel a revocation marking the certificate
as active again.
To administer a certificate, select one of the certificate lists to view all certificates in that category. The details pane
displays data about the certificates.
By default, certificates are arranged alphabetically by object name. To change the sort order, click the header of the
column you want to sort by. To change between ascending and descending sorting, click the same column header
again.
To manage certificate requests, perform the following procedure:
· In the navigation pane, click Certificate requests.


· Right-click the certificate request to manage.

· To approve the request and issue a certificate, click All tasks -> Approve request. The certificate is issued, the
request is removed from the list and the certificate is added to the list of active certificates.

· To deny the request and not issue a certificate, click All tasks -> Deny request. The request is removed from the
list and deleted.
To revoke an active certificate, perform the following procedure:
· In the navigation pane, click Active certificates.

· Right-click the certificate to revoke and then click All tasks -> Revoke

· Select the reason for the revocation from the list.

· Optional: In the Comment field, type a detailed description of the reason for revoking the certificate.

· Click OK to revoke the certificate. The certificate is moved to the Revoked certificates list.

To cancel a certificate revocation and re-activate the certificate, perform the following procedure:
· In the navigation pane, click Revoked certificates.

· Right-click the certificate to re-activate and then click All tasks -> Cancel revocation

· Select the reason for the revocation from the list.

· Click Yes to re-activate the certificate. The certificate is moved to the Active certificates list. To stop the
procedure and leave the certificate marked as revoked, click No instead.
To export a certificate, perform the following procedure:
· In the navigation pane, click Active certificates or Revoked certificates.

· Right-click the certificate to export and then click Export certificate

· Select the folder where the certificate will be stored and type the name of a file (*.cer) that will store the
certificate and associated public key.

You can use a file that holds a certificate to authorize the certificate’s owner to access an encrypted folder. This
procedure is described in the DriveLock User Manual.

To delete a certificate, perform the following procedure:


· In the navigation pane, click Active certificates.

· Right-click the certificate to delete and then click All tasks -> Delete certificate

· Click Yes to delete the certificate. The certificate is deleted and removed from the list. To stop the procedure
and keep the certificate, instead click No.

Deleting a user certificate does not delete the user from the DriveLock database. However, once a user’s
certificate has been deleted you can no longer authorize the user to access centrally managed encrypted
folders. Any existing DriveLock File Protection permissions remain in place when a certificate is deleted as long
as the certificate still exists in the user’s certificate store. To revoke any previously granted permissions, revoke
the certificate instead of deleting it.


12.5 Centrally Managing Encrypted Folders


To centrally manage encrypted folders you use the DriveLock Management Console. To manage such folders,
navigate to DriveLock File Protection -> Centrally managed folders.
The details pane displays a list of all centrally managed folders from the DriveLock database and the status of each
folder.
By default, folders are arranged alphabetically by UNC path. To change the sort order, click the header of the
column you want to sort by. To change between ascending and descending sorting, click the same column header
again.
In the “Centrally managed folders” area you can create and delete encrypted folders and view or modify permissions
for existing encrypted folders (provided that you have permissions as a folder administrator).
When creating a new centrally managed folder, consider the following points:
· Folders that already exist cannot be centrally managed and encrypted. The reason for this is that typically
servers are not running the DriveLock File Protection service, which would need to encrypt any existing files.
Also, possible conflicts during the encryption of existing data might not be correctly resolved (for example, if
some files are already encrypted or if a large file is remotely accessed by a user at the same time it is being
encrypted).
Users that are authorized for access when the folder is created are automatically given administrator permissions
for this folder. Administrator permissions enable a user to grant permissions to additional users or to remove
permissions. You can use this behavior to delegate administration rights and responsibilities for a folder when it is
created. For example, you can delegate administration of a departmental folder to a designated employee in that
department.

12.5.1 Creating an Encrypted Folder

When creating a new encrypted folder you need Windows Write permissions for the parent folder.

To create a new encrypted folder, perform the following procedure:


· In the navigation pane, right-click Centrally managed folders or right-click an empty area in the details pane
and then click New -> Centrally managed folder.


· Type or select the UNC path of the new encrypted folder.

· Optional: In multi-tenant environments with multiple DriveLock Enterprise Service servers you can specify the
tenant that the encrypted folder belongs to. To do this, select the appropriate tenant in the Tenant box. In all
other environments, leave this setting unchanged.

· Confirm that the UNC path is correct and then click Next.

· Select users who will be assigned administrative permissions for the folder. To search for a user, type at least
three letters of the person’s name in the search field. Only those users in the DriveLock database with names
containing the text you typed will be displayed. Alternatively, click Search to manually search for a user.

· Click Next. The new folder is created and the permissions are assigned. You will be notified whether the
procedure completed successfully.

· Click Finish.

12.5.2 Modifying Permissions


You can configure access permissions for encrypted folders from the DriveLock Management Console, the DriveLock
user interface or the context menu in Windows Explorer. To change these permissions you need to have
administrative permissions for the folder.
To change the access permissions as an administrator in Windows Explorer, right-click the encrypted folder and
then click Properties and users of encrypted folder.
To change the access permissions as an administrator using the DriveLock Management Console, perform the
following procedure:
· Navigate to Centrally managed folders.

· In the details pane, right-click the encrypted folder and then click Manage folder or double-click the folder,
and then on the Users tab, click Manage.

· If a dialog box is displayed, prompting you to authenticate before you can view the folder’s properties, click
Authenticate and select the certificate that is required to access the folder.

· Select the Users tab.

· To add a user, click Add. To remove a user, click Delete.

· To add a user from Active Directory, perform the following procedure:

§ Select the option Windows user (with certificate).

§ To select the user, click “…” and then select the user from Active Directory.

§ Click Finish. The user is added as a regular user without administrative permissions.

· To add a user from the DriveLock database, perform the following procedure:

§ Select the option DriveLock File Protection user (with certificate).

§ Click Next.

§ Select one or more users from the DriveLock database.

§ Click Finish. The user is added as a regular user without administrative permissions.

· Click OK to close the dialog box.

12.6 Recovering Encrypted Folders


Recovery may become necessary when a user has lost access to encrypted drives or folders because of forgetting a
password or losing access to a certificate’s private key. Administrators or helpdesk personnel can perform an
offline recovery operation together with the user, using a challenge/response mechanism to restore access.
The challenge/response mechanism validates both the challenge (request code) that DriveLock creates for the user
and the corresponding response code that is generated by the person performing the recovery. Only when both codes
are valid for the drive or folder to be recovered can access to the data be restored (for example, enabling the user to
select a new encryption password). The user generates the challenge code using a wizard and provides this code to
an administrator. The administrator checks that the request code is valid and then generates a response code that is
in turn validated by the wizard running on the client computer.
The procedure a user must complete to initiate recovery is described in the DriveLock User Manual.
The procedure an administrator or helpdesk employee must perform to complete recovery is identical to that for
drives/containers and is described in Recovering Encrypted Drives and Folders.

12.7 Reporting and Analysis


You can generate reports and statistics by using the DriveLock Control Center. For more information about these
tasks, refer to the DriveLock Control Center Manual.

Part XIII
DriveLock Disk Protection

13 DriveLock Disk Protection


DriveLock Disk Protection, also known as DriveLock FullDisk Encryption (FDE), can automatically encrypt and decrypt multiple
hard disk partitions. All data encryption is transparent to the end user, the operating system and applications.
When encrypted data is being read, DriveLock FDE decrypts it “on the fly”, so the data immediately becomes available
to the user or applications. All data written to the disk is automatically encrypted. As a result, normal system
operations remain unaffected.

Some screen shots may still show DriveLock Full Disk Encryption instead of DriveLock Disk Protection.

13.1 How DriveLock Disk Protection Works


In today’s computing environment, hard disk drives have become mass repositories of proprietary information. The
widely used Windows operating system provides adequate data privacy for stand-alone or networked computers in
most operating environments. However, Windows does not sufficiently protect the data on a computer’s hard disk
against disclosure when the computer is lost or stolen. Unless additional data protection measures are taken,
anyone with access to the hard drive can read all data on it.
To mitigate this data security risk, DriveLock has integrated a system security and data encryption solution.
DriveLock Disk Protection (FDE) provides the following functionality:
· Hard Drive Encryption
Strong data encryption of all sectors on the hard drive ensures that no unauthorized access to any data is
possible.

· Pre-boot User Authentication


DriveLock FDE authenticates users before the operating system starts. Upon successful authentication the pre-
boot process retrieves a computer-specific key that is used to decrypt the disk sectors that store the operating
system files and all other files on the encrypted drive as they are accessed. Users can authenticate using their
Windows logon credentials, smartcards or tokens.

· Single sign-on or manual Windows authentication


DriveLock FDE provides automatic Windows domain user authentication following successful pre-boot
authentication so users don’t need to authenticate twice. Manual Windows authentication is available as an
alternative.

· Emergency pre-boot logon Recovery


Recovery of logon data is possible for users who don’t have access to their pre-boot credentials. This includes
procedures for users who forgot their passwords or don’t have their smartcard or token with them, as well as
the introduction of new users who have never logged onto the computer before.

· Disaster Recovery Tools


DriveLock FDE provides disaster recovery tools to decrypt an encrypted disk in case of disk failure.

13.1.1 Pre-boot User Authentication


To start an encrypted operating system partition, DriveLock FDE must get access to the disk decryption key before the
operating system starts. This key is used to decrypt the disk sectors containing all files on an encrypted hard drive,
including all operating system files and temporary files.
DriveLock FDE prevents unauthorized access to the decryption keys by using Pre-boot User Authentication. The
decryption key itself is encrypted using a unique key that is derived from the user credentials. After successful
pre-boot authentication, the disk key is decrypted and used to provide access to the disk so that the operating
system can start. DriveLock FDE maintains its own Pre-boot User Database to authenticate users.
The Pre-boot User Database has the following characteristics:
· Maximum number of credentials (users or certificates) — 2,000

· User name length — 1 to 20 characters

· Password length — up to 127 case-sensitive characters (same maximum length as Windows passwords, no
minimum length)

DriveLock FDE can authenticate users with passwords on standalone computers and computers belonging to a
Windows domain. Smartcards and tokens with a PIN can also be used to authenticate.

13.1.1.1 Misplaced or Forgotten User Authentication Credentials

DriveLock FDE provides a mechanism for helpdesk personnel to enable logon for users who can’t access their
authentication credentials. This may include users who have misplaced their smartcard or token or who forgot their
Windows password.
DriveLock FDE provides automated procedures for handling these pre-boot authentication scenarios.

13.1.1.2 Unattended Reboot Followed By Automatic Pre-Boot Authentication

Various system administration functions not related to DriveLock FDE may at times require an unattended computer
restart, followed by automatic pre-boot authentication. DriveLock FDE enables this functionality by using a special
user account. A command line program is required to use this functionality. Please contact the DriveLock support
team for detailed information about this procedure.

13.1.2 Windows User Authentication


13.1.2.1 Single Sign-On

You can configure DriveLock FDE to automatically log users on to Windows using their domain or local Windows
credentials following successful pre-boot authentication. This chaining of authentication processes is called single
sign-on. Single sign-on simplifies the user experience as users only need to authenticate once.

13.1.2.2 Manual Windows Authentication

As an alternative to the single sign-on mode, you can configure DriveLock FDE to present the standard Windows
authentication screen each time the operating system starts, allowing the user to first authenticate during the pre-
boot phase, and then manually authenticate using different Windows credentials.

13.1.3 Recovery Files and Key Management


Prior to installing DriveLock FDE, you must create a recovery file set. These files are required to perform recovery of
disk data in case of a disaster and to perform emergency logon procedures. The recovery file set consists of the
following files:
· Master Security Certificate — The DLFDEMaster.cer file contains the Master Security Certificate with the public
key that is used to encrypt a backup copy of the computer’s disk encryption key. The DLFDEMaster.pfx file also
contains the corresponding private key that is required to gain access to this disk encryption key. Access to
this key is required if you need to decrypt a damaged hard disk. The DLFDEMaster.pfx file is intended to be
private. It should be securely stored and only accessible to individuals who are authorized to perform
disaster recovery. The corresponding DLFDEMaster.cer file contains the public key component of the Master
Security Certificate. It does not contain confidential information and is used during each DriveLock FDE
installation.

· Recovery Support Certificate — The DLFDERecovery.cer file contains the Recovery Support Certificate with a
public key that is used to control access to the pre-boot authentication database. The DLFDERecovery.pfx file
contains the corresponding private key that is required to gain access to the pre-boot authentication
database when creating emergency logon credentials for users. The DLFDERecovery.pfx file is intended to be
private. It should be securely stored and only accessible to individuals who can perform password recovery,
such as helpdesk and support personnel. The corresponding DLFDERecovery.cer file contains the public key
component of the Recovery Support Certificate. It does not contain confidential information and is used
during each DriveLock FDE installation.

· Recovery Envelope — A unique RecoveryEnvelope.env file is created for each client computer when you install
DriveLock FDE. It contains recovery data that is specific to the computer and is required for emergency logon
procedures or disk decryption, in conjunction with the appropriate private key. If you save the recovery
envelope to a shared folder instead of the DriveLock database, the client computer name is included in the file
name in the following format: <computer name>_RecoveryEnvelope.env.
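The key hierarchy described in the pre-boot authentication section and in the recovery file set above, as an added Go example that is not DriveLock's own code: the computer-specific disk key is wrapped under a key derived from the user's pre-boot password (a wrong password fails the authentication tag check instead of yielding a key), and a backup copy of the same disk key is encrypted to the Master Security Certificate's public key so that only the holder of the private key (the .pfx) can recover it. The PBKDF2 parameters, the AES-GCM wrapping, the RSA-OAEP envelope and the in-memory database are assumptions made for this example; DriveLock's actual on-disk formats are not documented in the guide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIterations = 100000 // assumption: the guide does not state DriveLock's KDF

// PrebootUser holds one password credential: a salt and the disk key wrapped under
// a key derived from the password. Neither the password nor the plain key is stored.
type PrebootUser struct{ Salt, WrappedDEK []byte }

type PrebootDB struct{ users map[string]PrebootUser } // constructed in-memory stand-in for the pre-boot user database

func NewPrebootDB() *PrebootDB { return &PrebootDB{users: map[string]PrebootUser{}} }

// aeadFor derives the user's 256-bit key-encryption key (KEK) from the password with
// PBKDF2-HMAC-SHA256 (written out; one 32-byte block suffices) and keys AES-256-GCM with it.
func aeadFor(password string, salt []byte) cipher.AEAD {
	prf := hmac.New(sha256.New, []byte(password))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := prf.Sum(nil)
	kek := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range kek {
			kek[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(kek)  // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // standard block size: cannot fail
	return aead
}

// AddUser enforces the documented limits (name 1-20 characters, password up to 127)
// and stores nonce || AES-GCM(KEK, dek) as the user's credential.
func (db *PrebootDB) AddUser(name, password string, dek []byte) error {
	if len(name) < 1 || len(name) > 20 {
		return errors.New("user name must be 1 to 20 characters")
	}
	if len(password) > 127 {
		return errors.New("password may not exceed 127 characters")
	}
	salt := make([]byte, 16)
	rand.Read(salt) // crypto/rand.Read does not fail on supported platforms
	aead := aeadFor(password, salt)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	db.users[name] = PrebootUser{Salt: salt, WrappedDEK: aead.Seal(nonce, nonce, dek, nil)}
	return nil
}

// PrebootLogon releases the disk key only when the password unwraps it: a wrong
// password yields a different KEK, so the GCM tag check fails.
func (db *PrebootDB) PrebootLogon(name, password string) ([]byte, error) {
	u, ok := db.users[name]
	if !ok {
		return nil, errors.New("user not in pre-boot database")
	}
	aead := aeadFor(password, u.Salt)
	n := aead.NonceSize()
	dek, err := aead.Open(nil, u.WrappedDEK[:n], u.WrappedDEK[n:], nil)
	if err != nil {
		return nil, errors.New("pre-boot authentication failed")
	}
	return dek, nil
}

// GenerateMasterKey stands in for the key pair behind DLFDEMaster.cer/.pfx.
func GenerateMasterKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// MakeRecoveryEnvelope is the backup copy of the disk key encrypted to the Master
// Security Certificate's public key (.cer); only the holder of the .pfx can open it.
func MakeRecoveryEnvelope(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte("RecoveryEnvelope"))
}

func RecoverDiskKey(priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env, []byte("RecoveryEnvelope"))
}

func main() {
	dek := make([]byte, 32) // the computer-specific disk encryption key
	rand.Read(dek)
	db := NewPrebootDB()
	db.AddUser("alice", "correct horse battery", dek)
	_, err := db.PrebootLogon("alice", "wrong password")
	fmt.Println("wrong password rejected:", err != nil)
}
```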

13.1.4 Disaster Recovery


For standalone installations, disaster recovery preparation begins with periodic system data backups. DriveLock
FDE creates recovery files that can be used to later decrypt a disk that has become damaged or that cannot be
accessed normally for other reasons. The recovery files must be stored off the client system to be available in case
of system failure. This backup file set is used in conjunction with the Master Security Certificate to perform disk key
recovery.
DriveLock FDE includes a command line recovery tool to perform disaster recovery tasks such as data decryption.
This recovery tool is included in the DriveLock FDE installation and is generally used only by system administrators.

13.2 Preparing to Deploy DriveLock Disk Protection


Review the sections below and ensure that you have performed the appropriate procedures prior to installing
DriveLock FDE.
Best practices for preparing to deploy DriveLock FDE include:
· Defragment all drives that will be encrypted by DriveLock FDE.

· Repair any existing disk errors.

· Ensure that the data storage on each computer is well organized and that no further rearranging of any
partitions will be required later. Use Windows Disk Management as needed to configure all partitions and
disk mirroring before installing DriveLock FDE.

· Run CHKDSK /f and the hard disk manufacturer’s diagnostic utility to ensure file system health on all
drives you intend to encrypt. Repair any bad sectors, as DriveLock FDE cannot encrypt such sectors.

· Back up all important data prior to disk encryption.

· If you are using the DriveLock Application Launch Filter in whitelist mode, deactivate it during the FDE
installation to prevent the blocking of required applications.
Utilities provided by a hard disk’s manufacturer are typically the most robust tools for repairing disk errors.
DriveLock recommends that the FDE deployment steps are performed in the following order:
1. Plan for recovery operations: Become familiar with the recovery mechanism, recovery scenarios and learn
about the methods for securely storing recovery files. Making recovery files available is required to restore
access to a computer when a user has forgotten a pre-boot password or when a hard disk has become
damaged.

2. Encrypt hard disks in a test environment: The DriveLock FDE components have been extensively tested to
work on a wide range of desktop and laptop computers. However, to ensure a smooth deployment in your
production environment, it is also recommended that you first test FDE on test computers that are
representative of the computer models used in your organization. Such testing may reveal, for example,
possible incompatibility with old or brand-new hardware.
3. Generate and back up the encryption certificates: Before using Disk Protection you must generate the central
certificates that are needed for all recovery scenarios. The certificates are automatically stored by
DriveLock. Because of the importance of these certificates for recovery operations, DriveLock recommends
that you also manually back up these certificates to an additional secure location.

4. Determine the deployment schedule: Create a plan for deployment before starting the process. To minimize
downtime and to ensure adequate support for users, a deployment in several stages may be appropriate.
5. Deploy FDE by configuring the deployment and recovery options in your DriveLock policy: You can initiate the
deployment by installing the Disk Protection component on the client computers without enabling pre-boot
authentication or encryption. After successful installation each client computer generates its own recovery
data and stores it as a “recovery envelope”. This recovery envelope is required for all recovery operations.
6. Review the Event Log to confirm that the installation succeeded and that the recovery information was
uploaded to the DriveLock database or saved in a central location: Ensure that the recovery envelope files
for all computers are stored centrally and not on the client computers themselves. Storing the recovery
envelopes in the DriveLock database automates this process. When you store recovery envelopes in the
DriveLock database you can use the DriveLock Control Center to easily confirm whether the recovery
envelopes have been created and can be retrieved.

7. Configure and activate pre-boot authentication: Pre-boot authentication is the only point where users notice
that FDE has been deployed. When pre-boot authentication has been enabled, users are prompted for
authentication immediately after the computer is started and the logon screen that is displayed looks
different from the Windows logon screen. Before activating pre-boot authentication you should create a
central emergency logon account if you intend to use this account for scenarios such as initial
authentication or technical assistance. An emergency logon account does not need to be a domain account.

8. Help users become familiar with pre-boot authentication: Users may require some initial training to use the
new logon mechanism. Also, users and administrators should become familiar with the procedures for
emergency logon recovery.
9. Configure and activate encryption: Activation of disk encryption should be the last step of the FDE
deployment. Once encryption has been activated, each client computer starts encrypting the hard disk in the
background. This process requires some system resources, and until encryption is complete regular
computer operations will be slower than normal. Users may notice this impact on performance, particularly
when running applications that require high disk or processor resources. When the encryption process has
completed, the client computer generates a unique disk recovery file that is required to decrypt any data on
the drive.
10. Review the Event Log to confirm that the installation succeeded and that the recovery information was
uploaded to the DriveLock database or saved to a file: Ensure that the disk recovery files for all computers
were generated and stored in a location other than on the client computer itself. Storing the disk
recovery files in the DriveLock database automates this process. When you store these files in the DriveLock
database you can use the DriveLock Control Center to easily confirm whether the files have been created and
can be retrieved.

DriveLock strongly recommends backing up the recovery data. Recovery files are required to perform a recovery
process for a computer where FDE is installed. If you use the DriveLock Enterprise Service to store recovery
data, back up the entire DES database (default database name "DriveLock").

13.3 Configuring Disk Protection in Basic Configuration Mode


To start configuring Disk Protection, in the console tree click Encryption and then navigate to the Disk Protection
section at the bottom of the taskpad.

13.3.1 Creating Master Certificates

Click Create master certificates to create new encryption certificates and keys.

Click Next.

Specify the location to save the certificate files to or select a smartcard as the storage location.
Click Next. If you selected a smartcard, you will be prompted to insert and select the smartcard. If you chose to save
the files in a folder, you are prompted for passwords to protect the private keys of the certificates.

To enable role separation for different recovery scenarios, two separate certificates are generated. Users with
access to the Master certificate will be able to perform emergency disk recovery operations. Users with access to the
Recovery certificate will be able to perform password recovery operations.
Type the passwords for both the master and recovery certificates and confirm each password by typing it again.
Click Next to continue.

Store the encryption certificate files and their passwords in a safe location, as they are needed in conjunction
with the Recovery Files Set for user password and data recovery. Without the certificate files and their
passwords, data recovery will not be possible.

The wizard notifies you when it has finished creating the certificates. If you selected a smartcard, you will be
prompted for the PIN that is required to access the smartcard.
Click Finish.

When the encryption certificates have been created the DriveLock Management Console displays the creation time
and date.
The certificates are also added to the private certificate store of the user who created them.

The two public keys are also stored in the DriveLock File Storage.

Once the certificates have been created and DriveLock FDE has been installed on client computers, you can no
longer create new certificates. The reason for this is to prevent the old certificates from being overwritten,
which would make recovery impossible.

If you cancelled the certificate creation wizard or if the certificate creation failed, DriveLock displays an error
message and you must start the certificate creation process again.

13.3.2 Installing the FDE Component


When a computer where the DriveLock Agent is running is licensed to use FDE, the Agent automatically installs all
components and services that are required for FDE on this computer. To license a computer or group of computers to
use FDE, under Global configuration -> License click Change. In the Properties dialog box, on the Licensed computers
tab, add the computer or group and then select the FDE checkbox for the computer or group.

To ensure that FDE is not installed on a computer, on the Excluded computers tab, add the computer and then select
the FDE checkbox for the computer.
In contrast with previous versions of DriveLock, FDE installation is entirely determined by a computer’s license
status.

If you can’t select the FDE checkbox, your license may not include the FDE option. To update your license,
contact your DriveLock sales partner.

To remove the FDE component from a computer, remove it from the list of computers that are licensed to use
FDE. Once a computer is no longer licensed to use FDE, the DriveLock Agent will automatically uninstall the FDE
component.

13.3.3 Configuring FDE Settings


Before encrypting disks using FDE you need to configure how disks will be encrypted, where to save recovery data
and how users will authenticate.
Open Encryption / DriveLock Disk Protection to configure the settings that are required for DriveLock Disk Protection.

To enable pre-boot authentication on client computers, select the “Enable pre-boot authentication” checkbox.

As soon as the DriveLock Agent detects the new configuration settings, pre-boot authentication is activated and
takes effect the next time the computer is restarted. Ensure that all other required parameters in this dialog box
have been configured and that users are aware of the change. DriveLock displays the following message to the
user when pre-boot authentication is first activated.

To disable DriveLock FDE without uninstalling it, clear the “Enable pre-boot authentication” checkbox. Without
pre-boot authentication, all features of DriveLock FDE, including disk encryption, are disabled. If you clear this
checkbox you can still make changes to other settings in this dialog box, but changes do not take effect until
DriveLock FDE is re-enabled by selecting the “Enable pre-boot authentication” checkbox.
To gain access to a computer protected by DriveLock FDE, both pre-boot and Windows authentication are mandatory.
In single sign-on mode, a user needs to log on only once to authenticate both during pre-boot authentication and to
Windows. This option is only available when at least one authentication method is enabled for both pre-boot and
Windows authentication.
Select the “Enable Single Sign-on for Windows” checkbox to enable single sign-on mode.
By default DriveLock FDE adds any user who has successfully logged on to Windows to the pre-boot authentication
database. Clear the “Automatically add Windows user to pre-boot authentication on logon” checkbox if you don’t
want Windows users to be automatically added.
Emergency logon settings are available when authentication is enabled at the pre-boot level:
· Allow emergency logon with user name – When enabled, this option lets a user initiate the emergency logon
with user name procedure. This procedure is used when a user has forgotten the pre-boot authentication
password. It also applies to local Windows or domain accounts that have been added to DriveLock FDE but
that have not been assigned an initial password. Emergency logon with user name enables one-time-only
pre-boot access to the system.

This feature requires that a user was authenticated by pre-boot authentication on the computer at least once or
that the user was added to the pre-boot authentication database by an administrator. A user who is not in the
pre-boot authentication database must initiate the emergency logon without username procedure.

· Single Sign-on after emergency logon – When enabled, this option allows the user to automatically
authenticate to Windows immediately after the successful completion of the emergency logon with username
procedure.

· Allow emergency logon without username – When enabled, local Windows or domain users may initiate the
emergency logon without username procedure. This allows for one-time-only pre-boot access to the system
for users who don’t have a pre-boot user account. This procedure also adds the user to the pre-boot
authentication database. Once the user logs on to Windows, the Windows password is automatically
synchronized with the pre-boot authentication database. This synchronization enables future pre-boot
authentication using the Windows password.

Click Next to proceed.

To globally enable hard disk encryption, select the “Encrypt local hard disks on Agent computers” checkbox.
You can select from several encryption algorithms. DriveLock can use the following algorithms:
· AES (recommended) - The Advanced Encryption Standard (AES) is a symmetric encryption mechanism that was
chosen by the National Institute of Standards (NIST) in October 2000 as the successor to DES and 3DES. It is
also called the Rijndael algorithm for its developers Joan Daemen and Vincent Rijmen.

· IDEA - The International Data Encryption Algorithm (IDEA) is a block cipher designed by Xuejia Lai and James
Massey of ETH Zurich and was first described in 1991. The algorithm was intended as a replacement for the
Data Encryption Standard. IDEA is a minor revision of an earlier cipher, PES (Proposed Encryption Standard);
IDEA was originally called IPES (Improved PES). IDEA operates on 64-bit blocks using a 128-bit key, and
consists of a series of eight identical transformations (a round) and an output transformation (the half-
round). The processes for encryption and decryption are similar.

· DES - The Data Encryption Standard (DES) is a cipher selected as an official Federal Information Processing
Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use
internationally. The algorithm was initially controversial with classified design elements, a relatively short
key length, and suspicions about a National Security Agency (NSA) backdoor. DES consequently came under
intense academic scrutiny which motivated the modern understanding of block ciphers and their
cryptanalysis. DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit
key size being too small. This algorithm should only be used in environments with low security requirements.

· Triple DES - Triple DES (3DES) is a symmetric encryption method based on the older DES (Data Encryption
Standard) but works with twice the key length (112 bit) of its predecessor. Data is encrypted using three
successive DES operations. Because of the key length, 3DES is regarded as a relatively safe method for
encrypting most data, unlike DES, which is more susceptible to brute-force attacks.
The recovery disk keys consist of two files:
· Recovery.env – The envelope file for emergency logon recovery

· KeyBackup.zip – A ZIP file that contains the recovery files for disk decryption procedures

DriveLock FDE creates the recovery files and sends them to the location you configured immediately after the
Agent has finished installing DriveLock FDE on a client computer.

The recovery files should be stored in the DriveLock Enterprise Service database or in a central shared folder. It is
not recommended to store these files on the local computer because of security and recovery considerations.

If you store the files on a central shared folder, the following file names are used:
<computer>_RecoveryEnvelope.env and <computer>_Backup.zip

13.4 Configuring Disk Protection in Extended Configuration Mode


13.4.1 Creating Encryption Keys
Before you can install DriveLock FDE, you must create central encryption certificates and the corresponding keys.
These certificates are required to create the individual disk encryption key on each computer and to secure user data
in the pre-boot authentication database. You also need access to these certificates to perform key recovery and
emergency logon procedures. The encryption keys are described in detail in the section “Recovery Procedures”.
· Master Security Certificate — The DLFDEMaster.cer file contains the Master Security Certificate with the public
key that is used to encrypt a backup copy of the computer’s disk encryption key. The DLFDEMaster.pfx file also
contains the corresponding private key that is required to gain access to this disk encryption key. Access to
this key is required if you need to decrypt a damaged hard disk. The DLFDEMaster.pfx file is intended to be
private. It should be securely stored and only accessible to individuals who are authorized to perform
disaster recovery. The corresponding DLFDEMaster.cer file contains the public key component of the Master
Security Certificate. It does not contain confidential information and is used during each DriveLock FDE
installation.

· Recovery Support Certificate — The DLFDERecovery.cer file contains the Recovery Support Certificate with a
public key that is used to control access to the pre-boot authentication database. The DLFDERecovery.pfx file
contains the corresponding private key that is required to gain access to the pre-boot authentication
database when creating emergency logon credentials for users. The DLFDERecovery.pfx file is intended to be
private. It should be securely stored and only accessible to individuals who can perform password recovery,
such as helpdesk and support personnel. The corresponding DLFDERecovery.cer file contains the public key
component of the Recovery Support Certificate. It does not contain confidential information and is used
during each DriveLock FDE installation.

Without the encryption keys and the corresponding passwords you will not be able to recover any data or help
users who don’t have access to their credentials log on.

When you start DriveLock FDE for the first time the encryption certificates and keys have not been created yet.

Click generate to create new encryption certificates and keys.


You can also start the wizard by clicking Encryption certificates and then, on the next screen, click Create certificates.

13.4.1.1 Using the Encryption Certificate Creation wizard

Click Next.

Specify the location to save the certificate files to or select a smartcard as the storage location.
Click Next. If you selected a smartcard, you will be prompted to insert and select the smartcard. If you chose to save
the files in a folder, you are prompted for passwords to protect the private keys of the certificates.

Store encryption certificate files in a safe location, as they are needed in conjunction with the Recovery Files Set
for user password and data recovery.

To enable role separation for different recovery scenarios, two separate certificates are generated. Users with
access to the Master certificate will be able to perform emergency disk recovery operations. Users with access to the
Recovery certificate will be able to perform password recovery operations.
Type the passwords for both the master and recovery certificates and confirm each password by typing it again.

Store the encryption certificate files and their passwords in a safe location, as they are needed in conjunction
with the Recovery Files Set for user password and data recovery. Without the certificate files and their
passwords, data recovery will not be possible.

Click Next to continue.


The wizard notifies you when it has finished creating the certificates. If you selected a smartcard, you will be
prompted for the PIN that is required to access the smartcard.

Click Finish.

When the encryption certificates have been created the DriveLock Management Console displays the creation time
and date.
The certificates are also added to the private certificate store of the user who created them.

The two public keys are also stored in the DriveLock File Storage.

Once the certificates have been created and DriveLock FDE has been installed on client computers, you can no
longer create new certificates. The reason for this is to prevent the old certificates from being overwritten,
which would make recovery impossible.

If you cancelled the certificate creation wizard or if the certificate creation failed, DriveLock displays an error
message and you must start the certificate creation process again.

13.4.1.2 Exporting and Importing Encryption Certificates

After you have created the encryption certificates you can export the public keys from the DriveLock Policy File
storage.

Only import the master and recovery certificates if you are certain that this is the appropriate action. For
example, you might import certificates when restoring a policy or when cloning a policy. Changing the certificates
after they have been used to install and configure FDE on client computers is not supported and may prevent
you from performing most recovery tasks.

In the DriveLock Management Console, click Master certificates.

To export the two certificate files, click Manage certificates and then on the drop-down menu click Export master
certificates. Select a directory to save the files to.
You can also import previously created certificates (public keys) into the DriveLock Policy File storage. To import the
two certificate files, click Manage certificates and then on the drop-down menu click Import master certificates.
Select the directory containing the certificate files.
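Before relying on an exported certificate pair for recovery, it is worth confirming that the public .cer file and the .pfx backup actually belong to the same key pair. The following PowerShell script is an added example and is not DriveLock's own code or part of this guide; the function name Test-FdeCertificatePair and the folder C:\FDE-Certs are assumptions of the example, and the passwords are the ones you typed in the certificate creation wizard.

```powershell
# Added example (not DriveLock's own code). Verifies that a .cer public key file
# and the corresponding .pfx file belong to the same key pair before they are
# relied on for recovery. Function name and file paths are assumptions.
function Test-FdeCertificatePair {
    param(
        [Parameter(Mandatory)] [string]       $CerPath,
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    $certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

    # The .cer file carries only the public key, so loading it needs no password.
    $public = New-Object $certType -ArgumentList $CerPath

    # The .pfx file carries the private key and is protected by the wizard password.
    $private = New-Object $certType -ArgumentList $PfxPath, $PfxPassword

    [pscustomobject]@{
        Subject          = $public.Subject
        Thumbprint       = $public.Thumbprint
        # Same thumbprint means the .cer and .pfx describe the same certificate.
        SameKeyPair      = ($public.Thumbprint -eq $private.Thumbprint)
        PfxHasPrivateKey = $private.HasPrivateKey
        NotAfter         = $public.NotAfter
        DaysUntilExpiry  = [int]($public.NotAfter - (Get-Date)).TotalDays
    }
}

# Usage: check both pairs produced by the wizard (paths are assumptions).
$masterPw   = Read-Host -AsSecureString -Prompt 'Password for DLFDEMaster.pfx'
$recoveryPw = Read-Host -AsSecureString -Prompt 'Password for DLFDERecovery.pfx'
$results = @(
    Test-FdeCertificatePair -CerPath 'C:\FDE-Certs\DLFDEMaster.cer'   -PfxPath 'C:\FDE-Certs\DLFDEMaster.pfx'   -PfxPassword $masterPw
    Test-FdeCertificatePair -CerPath 'C:\FDE-Certs\DLFDERecovery.cer' -PfxPath 'C:\FDE-Certs\DLFDERecovery.pfx' -PfxPassword $recoveryPw
)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.SameKeyPair -or -not $_.PfxHasPrivateKey }) {
    Write-Warning 'At least one certificate pair does not match; do not rely on these files for recovery.'
}
```

Run the check on the offline copy of the .pfx files that your recovery staff will actually use, not only on the files in the policy file storage, since the policy storage holds only the public keys.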

13.4.2 Configuring Deployment Settings


When a computer where the DriveLock Agent is running is licensed to use FDE, the Agent automatically installs all
components and services that are required for FDE on this computer. To license a computer or group of computers to
use FDE, under Global configuration -> License click Change. In the Properties dialog box, on the Licensed computers
tab, add the computer or group and then select the FDE checkbox for the computer or group.

To ensure that FDE is not installed on a computer, on the Excluded computers tab, add the computer and then select
the FDE checkbox for the computer.
In contrast with previous versions of DriveLock, FDE installation is entirely determined by a computer’s license
status.

If you can’t select the FDE checkbox, your license may not include the FDE option. To update your license,
contact your DriveLock sales partner.

To remove the FDE component from a computer, remove it from the list of computers that are licensed to use
FDE. Once a computer is no longer licensed to use FDE, the DriveLock Agent will automatically uninstall the FDE
component.

13.4.2.1 New Installation

After you created the recovery certificates you can configure DriveLock FDE deployment settings.
Before configuring the settings for a new installation, determine where DriveLock will store the computer-specific
recovery envelope files that are needed for emergency logon. To specify the storage location, click Hard Disk
encryption settings, and then follow the procedure in the section “Configuring the Backup of Recovery Data”.

To configure the deployment settings, in the right pane of the DriveLock Management Console, click Deployment
settings.
Select the tab User interface to configure additional settings.

To not display information messages on the client computer while DriveLock FDE is installed, clear the “Display
notification area icon while configuring the system” checkbox. You can also configure whether an icon appears in the
computer’s system tray while a disk is being encrypted.

You can select whether information messages are automatically confirmed after being displayed for a specified
number of minutes. Because the installation of Disk Protection requires a computer restart, you can also configure
whether this restart will be delayed or must be performed manually.
If you selected not to restart the computer automatically, you can also specify a program or script that is started
when the installation has completed. There are also two script-specific options that can be set:
· Run as the currently logged-on user -> The specified script will run under the credentials of the currently logged-
on user. By default it runs as Local System.

· Run also after deinstallation -> The script will run not only after installation but also after deinstallation.

Select the tab Options to configure additional settings.

It is possible to use a customized background image (format PNG, max. 32 MB, best resolution 1024x768) on the pre-
boot authentication screen. This image needs to be configured before FDE installation and can’t be changed later.
Select the Use custom background image in pre-boot authentication checkbox. Then select the file from the policy file
storage or from the file system.
If you select the Disable 32-bit pre-boot authentication checkbox, an older 16-bit version of the PBA will be used. This
may be required for compatibility with certain hardware.
Select the Do not automatically install Disk Protection on licensed Agents checkbox to not have the Agent install the FDE
components automatically. FDE will be available only on those computers where you manually install the FDE
package.
When the Agent gets its new configuration settings and prepares for installing DriveLock FDE, the Agent displays the
following message to the currently logged on user:

Click OK or Apply to save the settings, or click Cancel to discard any changes you made.
The envelope file is created and sent to the location you configured immediately after the Agent has finished
installing DriveLock FDE on a client computer. Therefore make sure you have configured the corresponding recovery
settings. (Refer to the section “Configuring the Backup of Recovery Data” for details.).
You can override the installation policy by configuring the following registry key on a computer:
HKEY_LOCAL_MACHINE\SOFTWARE\CenterTools\DLStatus
If this key contains a DWORD value named NoFDEInstallation that is set to 1, DriveLock FDE will not be installed on
the computer even if installation is specified in the policy.
You can also use the command-line commands dlfdecmd enabledelayinst and dlfdecmd disabledelayinst to create
or remove this registry value.
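Because this registry value silently wins over the policy, an administrator troubleshooting a computer that never receives FDE wants a quick way to see whether the override is present. The script below is an added example and not DriveLock's own code; it reads the key and value documented above. The function name Get-FdeInstallOverride and the computer names are assumptions, and querying remote computers assumes WinRM (PowerShell remoting) is enabled.

```powershell
# Added example (not DriveLock's own code). Reports whether the documented
# NoFDEInstallation override is set under HKLM\SOFTWARE\CenterTools\DLStatus.
# Function name and sample computer names are assumptions; remote queries use WinRM.
$KeyPath   = 'HKLM:\SOFTWARE\CenterTools\DLStatus'
$ValueName = 'NoFDEInstallation'

function Get-FdeInstallOverride {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $readValue = {
        param($Path, $Name)
        # A missing key or value means there is no override and the policy decides.
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $value = $null
    try {
        if ($ComputerName -ieq $env:COMPUTERNAME) {
            $value = & $readValue $KeyPath $ValueName
        } else {
            $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock $readValue `
                                    -ArgumentList $KeyPath, $ValueName -ErrorAction Stop
        }
        if ($value -eq 1) {
            $status = 'Blocked by registry override (NoFDEInstallation = 1)'
        } elseif ($null -eq $value) {
            $status = 'No override; the policy decides'
        } else {
            $status = "Value is $value, not 1; the policy decides"
        }
    } catch {
        $status = "Query failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName      = $ComputerName
        NoFDEInstallation = $value
        Status            = $status
    }
}

# Constructed sample list; in practice take it from the computers licensed for FDE.
$computers = @('PC-FINANCE-01', 'PC-FINANCE-02', $env:COMPUTERNAME)
$computers | ForEach-Object { Get-FdeInstallOverride -ComputerName $_ } | Format-Table -AutoSize
```

Any computer reported as blocked should have a documented reason (for example a planned manual installation with dlfdecmd); an unexplained override is worth investigating because it leaves the disks unencrypted while the policy appears to be applied.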

13.4.2.2 Updating an Existing FDE Installation

After the DriveLock Agent has been updated, an existing DriveLock FDE installation will be updated automatically and
without re-encryption to the most current version. After updating the FDE components, a reboot may be required.

13.4.3 Configuring Pre-boot Authentication and Hard Disk Encryption


Once you have deployed DriveLock FDE to client computers you can configure drive encryption and pre-boot
authentication settings.

You can activate and configure pre-boot authentication before you begin to encrypt hard drives on client
computers. This can help divide the deployment process in larger environments or help users get familiar with
the new logon procedure.

13.4.3.1 Configuring Pre-Boot Authentication

Click Pre-boot authentication settings to open the configuration dialog box.

13.4.3.1.1 Authentication Methods and Logon Settings

To enable pre-boot authentication on client computers, select the “Enable pre-boot authentication” checkbox.

As soon as the DriveLock Agent detects the new configuration settings, pre-boot authentication is activated and
takes effect the next time the computer is restarted. Ensure that all other required parameters in this dialog
box have been configured and that users are aware of the change. DriveLock displays the following message to
the user when pre-boot authentication is first activated.

To disable DriveLock PBA (without decryption), clear the “Enable pre-boot authentication” checkbox.

Attention: although the hard disk remains encrypted, security is reduced because Windows boots before an
authorized user has been authenticated. DriveLock recommends disabling the PBA only for test and maintenance
purposes.

If you clear this checkbox you can still make changes to other settings in this dialog box, but the changes do not
take effect until DriveLock FDE is re-enabled by selecting the “Enable pre-boot authentication” checkbox.
To gain access to a computer protected by DriveLock FDE, both pre-boot and Windows authentication are mandatory.
You can require users to use one or more authentication methods for pre-boot authentication and Windows logon,
based on the settings you configure. These authentication methods are described in detail below.
To make an authentication method available to users, select the Windows checkbox, the Pre-boot checkbox, or both,
to match the security requirements of your organization. You must select at least one check box each for Windows
and pre-boot authentication.

Do not configure DriveLock FDE to allow only tokens and smart cards for Windows logon unless your network is
configured for certificate-based logon. If users don’t have tokens or if required drivers are not installed and the
computer is locked, it can’t be unlocked using a password. If DriveLock FDE is configured to only allow token
logon, ensure that valid tokens have been distributed to users and that they can be used for pre-boot
authentication, Windows logon and unlocking computers.

· Local user access – Enabled by default. This method lets users authenticate by typing a local Windows user
name and password and selecting the computer name.

· Domain user access (with password) – This method lets users authenticate by typing a Windows domain user
name, password and selecting the domain name.

· Domain user access (with token) – This method lets Windows domain users authenticate by using a smartcard
or token with a PIN.

· Shared Key access – This method lets users perform pre-boot authentication by using a shared key token (non-
PKI). If this option is selected, at least one Windows authentication method must also be selected.
In single sign-on mode, a user needs to log on only once to authenticate both during pre-boot authentication and to
Windows. This option is only available when at least one authentication method is enabled for both pre-boot and
Windows authentication.
Select the ”Enable Single Sign-on for Windows“ checkbox to enable single sign-on mode.
To protect the authentication database against automated brute-force attacks, DriveLock FDE can lock out a user
after a configurable number of failed logons for a number of minutes. Adjust the values to match your organization’s
security policy. By default the failed logon attempt counter applies to all users. To maintain a separate counter for
each user, deselect the checkbox Count failed logons globally for all users.
If you use certificates for authentication you can also configure how many days before the expiration of a certificate
DriveLock FDE notifies the user of the upcoming expiration.

13.4.3.1.2 Users

DriveLock FDE can hold up to 2000 sets of credentials in its pre-boot authentication database. You can manually add
users to this database. A pre-boot authentication user does not need to correspond to a specific Windows user
account. If required, you can configure separate credentials that are used for pre-boot authentication only, for
example an account to be used for emergency logon.

By default DriveLock FDE adds any user who has successfully logged on to Windows to the pre-boot authentication
database. Clear the “Automatically add Windows user to pre-boot authentication on logon” checkbox if you don’t
want Windows users to be automatically added.
Use the Add, Remove or Edit buttons to change or remove existing users or to add new users to the database.

After you have entered the information and confirmed the password, click OK to save the user.

13.4.3.1.3 User synchronization

DriveLock distinguishes four different types of pre-boot users.

Added by     Description
DlFdeUser    Users added locally via DlFdeUser.exe
Policy       Users added in the policy; they are synchronized or removed according to policy changes
WinLogon     Users added by the Windows logon; the password is synchronized after each successful logon to
             Windows
AD sync      Users synchronized from AD groups; they are removed if they are removed from the AD group or
             from the user synchronization; the password is synchronized after each successful logon to Windows

The command DlFdeUser.exe can remove users of the other types, but they will be added again the next time the
user logs on to Windows or the policy is executed.

AD User Synchronization
Users who log on for the first time to a PC protected by DriveLock Disk Protection with Pre-Boot Authentication
(PBA) are not yet synchronized to the PBA database with their Windows credentials (WinLogon user). They have to
authenticate at the PBA either with a pre-configured DlFdeUser or Policy user, or someone else authenticates at the
PBA to show the Windows logon dialog.
If you want to pre-configure the PBA to contain users from your AD, you must enable AD user synchronization.
In the policy open Encryption / Disc Protection / Pre-Boot authentication settings / User synchronization and check
Synchronize Active Directory users to pre-boot authentication. Add the users and/or groups whose members you
want to be synchronized to the PBA database.

As an initial password you can use either a fixed password that is identical for all users, the user name, or any of
the available Active Directory property values.

The given password is used at creation time only and is not synchronized or changed for users already existing in
the PBA database. As soon as a user of type AD sync logs on to Windows, the initial password is replaced locally by
his Windows password.

The AD sync users are synchronized each time the policy is executed. If you add or remove users in the configured
AD groups, they are added to or removed from the PBA database of all related PCs at the next synchronization.

Although the PBA database can hold up to 2,000 credential sets, we recommend using no more than 500
users for AD user synchronization. If you want to configure more systems, you can use separate policies
assigned to different computer groups.

13.4.3.1.4 Emergency Logon

Emergency logon parameters specify which logon procedures are available for users when they are not able to log
on by using normal procedures. For example, this includes users who forgot their password. For more information
about how to perform these procedures, refer to the section Emergency Logon Recovery Procedure.

Emergency logon settings are available when authentication is enabled at the pre-boot level and the Local user access
or Domain user access check boxes are selected.
· Allow emergency logon with user name – When enabled, this option lets a user initiate the emergency logon
with user name procedure. This procedure is used when a user has forgotten the pre-boot authentication
password. It also applies to local Windows or domain accounts that have been added to DriveLock FDE but
who have not been assigned an initial password. Emergency logon with user name enables one-time-only pre-
boot access to the system.

This feature requires that a user was authenticated by pre-boot authentication on the computer at least once
or that the user was added to the pre-boot authentication database by an administrator. A user who is not in
the pre-boot authentication database must initiate the emergency logon without username procedure.

· Single Sign-on after emergency logon – When enabled, this option allows the user to automatically
authenticate to Windows immediately after the successful completion of the emergency logon with username
procedure.

· Allow emergency logon without username – When enabled, local Windows or domain users may initiate the
emergency logon without username procedure. This allows for one-time-only pre-boot access to the system
for users who don’t have a pre-boot user account. This procedure also adds the user to the pre-boot
authentication database. Once the user logs on to Windows, the Windows password is automatically
synchronized with the pre-boot authentication database. This synchronization enables future pre-boot
authentication using the Windows password.

· Allow emergency logon for token users – This option is available only if at least one of the following pre-boot
authentication method options is selected: Domain user access (with token) or Shared Key access. If this
option is enabled, smartcard and token users who have misplaced a token or forgotten the PIN are permitted
to initiate the “Emergency logon for token users” procedure. This procedure allows for a one-time-only pre-
boot access to the computer without having to use a token.

13.4.3.1.5 Wipe the PBA database

Wiping the PBA database is equivalent to destroying the data of a single PC. The wipe removes all users from the PBA
database, so no further logon is possible. Because no disk key is available anymore, the disks cannot be decrypted.
To regain access an administrator has to perform a disk recovery as described in Recovering Encrypted Disks.
There are three different ways to wipe the PBA database.

User Wipe
Imagine that a user has sensitive data on his laptop and is forced by somebody to enter his credentials in the PBA.
He does so, but instead of being logged on he gets a disk error. If he reboots, the logon screen is no longer shown.

Instead of his true password, the user has entered the password plus a defined suffix. This triggers the DriveLock PBA
to immediately delete the PBA database.
To configure the user wipe in the policy, open Encryption / Disc Protection / Pre-Boot authentication settings / User-
wipe. Check Enable user-initiated wipe and enter the password suffix.

Self Wipe
The self wipe has two primary use cases: to protect the data of a lost PC that no longer connects to the DES, and/or
to force mobile users to connect regularly to your company network.
To configure the self wipe in the policy, open Encryption / Disc Protection / Pre-Boot authentication settings / Self-
wipe, check Enable self-wipe when computer is offline and configure the appropriate settings as described in the
dialog.

At the end of the configured days offline, the DriveLock agent deletes the PBA database.

Initiating a Remote Wipe


To initiate a remote wipe, in the DriveLock Management Console (MMC) select Operating / section Disk Protection
recovery and tools / Remote wipe. You are prompted to provide the private key of the recovery certificate
(DlFdeRecovery.pfx) and to select the computer you want to wipe. In the next dialog, confirm the remote wipe
request. The settings that you configure on this page are applied to the client you selected the next time it connects
to the DES. To enable remote wiping of computers that are not connected to your internal network, the DES server
must be accessible from the Internet.

Configure the following settings as shown in the dialog.


Check Remove existing remote wipe instruction, if you want to revoke a previous remote wipe instruction (if the PBA
database has not yet been wiped).

13.4.3.2 Configuring Hard Disk Encryption

This chapter contains information on how to configure DriveLock FDE, how it stores emergency recovery information
centrally, and how Agents save this data.

Click Hard disk encryption settings to open the Properties dialog box.

13.4.3.2.1 Configuring Encryption Settings

To globally enable hard disk encryption, select the “Encrypt local hard disks on Agent computers” checkbox.
You can select from several encryption algorithms. DriveLock can use the following algorithms:
· AES - The Advanced Encryption Standard (AES) is a symmetric encryption mechanism that was chosen by the
National Institute of Standards and Technology (NIST) in October 2000 as the successor to DES and 3DES. It is also
called the Rijndael algorithm after its developers Joan Daemen and Vincent Rijmen.
· IDEA - The International Data Encryption Algorithm (IDEA) is a block cipher designed by Xuejia Lai and James
Massey of ETH Zurich and was first described in 1991. The algorithm was intended as a replacement for the Data
Encryption Standard. IDEA is a minor revision of an earlier cipher, PES (Proposed Encryption Standard); IDEA was
originally called IPES (Improved PES). IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series
of eight identical transformations (a round) and an output transformation (the half-round). The processes for
encryption and decryption are similar.
· DES - The Data Encryption Standard (DES) is a cipher selected as an official Federal Information Processing
Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally.
The algorithm was initially controversial with classified design elements, a relatively short key length, and
suspicions about a National Security Agency (NSA) backdoor. DES consequently came under intense academic
scrutiny which motivated the modern understanding of block ciphers and their cryptanalysis. DES is now
considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small. This
algorithm should only be used in environments with low security requirements.
· Triple DES - Triple DES (3DES) is a symmetric encryption method based on the older DES (Data Encryption Standard)
but works with twice the key length (112 bit) of its predecessor. Data is encrypted using three successive DES
operations. Because of the key length, 3DES is regarded as a relatively safe method for encrypting most data,
unlike DES, which is more susceptible to brute-force attacks.

Select an encryption algorithm by using the drop-down menu.


By default DriveLock FDE encrypts all local hard disks. To configure encryption separately for each local hard disk,
select the “Configure encryption settings per drive” checkbox and then click Settings.
If your organization’s policy requires compliance with Federal Information Processing Standard (FIPS) standard
140-2, select the “Enable FIPS compliant encryption library” checkbox. If this option is not selected, DriveLock instead
uses a secure, Common Criteria EAL-2 approved, non-FIPS library that provides better performance for encryption
and decryption operations and, if supported by your computers, automatically activates the hardware support AES
NI (Intel® Advanced Encryption Standard (AES) Instructions Set).

To display a warning message at Windows logon that informs users when disks are not completely encrypted,
select the “Display warning when disks are not fully encrypted” checkbox. This warning message is displayed
immediately after the Windows logon has completed.

DriveLock FDE maintains a record of some BIOS interrupt vector addresses. This allows DriveLock FDE to detect
attacks that depend on changing the interrupt vector address. When DriveLock FDE detects a discrepancy between
the BIOS interrupt vector address and the copy it stored previously, it displays an error message. Select the
corresponding check boxes to automatically update the stored copy of the interrupt vector addresses after the user
has been notified.

When an interrupt vector address changes for legitimate reasons, for example after updating the BIOS, the
warning message is still displayed. The System Protection settings provide a mechanism to accept a legitimate
change by updating DriveLock FDE’s copy of the disk, keyboard, and clock tick interrupt vector addresses.
Execute the command “dlfdecmd enableresetsp” (dlfdecmd is installed in your DriveLock installation folder) to
update system protection quickly.

To deactivate the check for hardware changes altogether, deselect all interrupt vector address checkboxes.

13.4.3.2.2 Configuring the Backup of Recovery Data

To configure where the client’s recovery disk keys will be stored, click the Recovery tab.

The recovery disk keys consist of two files:


· Recovery.env – The envelope file for emergency logon recovery

· KeyBackup.zip – A ZIP file that contains the recovery files for disk decryption procedures

DriveLock FDE creates the envelope file and sends it to the location you configured immediately after the Agent
has finished installing DriveLock FDE on a client computer. The ZIP file containing the disk recovery files is created
and copied only after all drives have been completely encrypted.

The recovery files should be stored in the DriveLock database or in a central shared folder. It is not recommended to
store these files on the local computer because of security and recovery considerations.

If you store the files on a central shared folder, the following file names are used:
<computer>_RecoveryEnvelope.env and <computer>_backup.zip.

If the file server requires credentials for logon, specify them on the Recovery tab.

You must type domain user names in the format <domain>\<user>.

Verify that you have stored these recovery files for all your client computers, as they are required to perform
any of the recovery procedures described in this manual. If you use the DriveLock database to store the
recovery files, you can easily confirm which recovery files are available. You can find more information about
using the DriveLock Control Center to view recovery information in the DriveLock Control Center manual.
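If you use a central shared folder rather than the DriveLock database, there is no built-in overview of which computers have uploaded their recovery files. The following PowerShell script is an added example, not DriveLock's own code or part of this guide; it applies the file naming convention described above (<computer>_RecoveryEnvelope.env and <computer>_backup.zip) to a list of computer names and reports what is missing. The function name Get-FdeRecoveryFileStatus, the share path and the computer names are assumptions; in practice the list should come from the computers licensed for FDE.

```powershell
# Added example (not DriveLock's own code). Audits a central recovery share for the
# per-computer recovery files named in this section. Share path, function name and
# computer names are assumptions of the example.
function Get-FdeRecoveryFileStatus {
    param(
        [Parameter(Mandatory)] [string]   $SharePath,
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    foreach ($name in $ComputerName) {
        # File names follow the convention <computer>_RecoveryEnvelope.env / <computer>_backup.zip.
        $envelope = Join-Path $SharePath ('{0}_RecoveryEnvelope.env' -f $name)
        $backup   = Join-Path $SharePath ('{0}_backup.zip'           -f $name)
        $hasEnvelope = Test-Path -LiteralPath $envelope -PathType Leaf
        $hasBackup   = Test-Path -LiteralPath $backup   -PathType Leaf

        # The envelope is written right after FDE installation, the ZIP only once all
        # drives are fully encrypted, so "envelope only" usually means encryption is still running.
        if ($hasEnvelope -and $hasBackup) {
            $state = 'Complete'
        } elseif ($hasEnvelope) {
            $state = 'Envelope only (encryption not finished?)'
        } else {
            $state = 'MISSING: no recovery files'
        }

        [pscustomobject]@{
            ComputerName = $name
            Envelope     = $hasEnvelope
            KeyBackup    = $hasBackup
            State        = $state
        }
    }
}

# Usage with constructed sample names and a sample share path.
$fdeComputers = @('DE2319WX', 'PC-FINANCE-01', 'PC-FINANCE-02')
$report = Get-FdeRecoveryFileStatus -SharePath '\\fileserver\FDERecovery$' -ComputerName $fdeComputers
$report | Format-Table -AutoSize
$report | Where-Object { $_.State -ne 'Complete' } |
    ForEach-Object { Write-Warning "$($_.ComputerName): $($_.State)" }
```

Run the audit from an account that only needs read access to the share; the recovery files themselves should remain writable by the Agents and readable by recovery staff only.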

13.5 Recovery Procedures


DriveLock FDE contains tools for two types of recovery scenarios:
· Emergency logon procedures

· Recovering encrypted disks

The emergency logon procedures are used when a user can’t log on to the pre-boot authentication database, for
example, because of a forgotten password or PIN. Disk recovery is used when a local disk drive becomes
inaccessible, for example, when data sectors of the drive have become corrupt or you cannot logon to Windows
anymore.
To start the recovery wizard, open the DriveLock Management Console, select Operating -> Agent remote control,
right-click Agent remote control and then click Disk Protection recovery.

13.5.1 Viewing Diagnostics Data


When DriveLock Disk Protection is installed, the DriveLock Agent sends the installation log file to the DriveLock
Enterprise Services. You can retrieve this file from the DriveLock database to find out more details if an FDE
installation has failed.

Select “Retrieve diagnostic information” and select “DriveLock Enterprise Service”. Click Next.

To search for Agents registered in the DriveLock database, type the computer name or part of the name and then click
Find. DriveLock FDE displays all registered computers that contain the text you typed as part of their names. To view
a list of all registered computers, don’t type any text and then click Find.
Select the appropriate computer from the list and then click Next to continue.

Click “…” to select the path where to store the diagnostic file. Click Next to retrieve the file from the DriveLock
database.
After the file has been retrieved, click Finish.
A ZIP file containing the diagnostic information is created in the location you specified.

13.5.2 Emergency Logon Procedure


There are three types of emergency logon procedures:
· Emergency logon with username

· Emergency logon without username

· Emergency logon for token users

You can configure which of these procedures are available to users during pre-boot authentication. Refer to the
section “Configuring Emergency Logon Parameters” for details on how to configure these settings.

Select Emergency logon.


If you configured DriveLock FDE to send the client’s recovery disk keys to the DriveLock database, select DriveLock
Enterprise Service (DES). To specify a file as the location of the required recovery disk keys, select Recovery files
(copied from the agent computer).
Click Next to continue.

To perform emergency logon procedures you need access to the private key of the recovery certificate. To access a
private key that was stored in a file, specify the path where the DLFDERecovery.pfx file is located and type the
password that protects the private key. To access a private key that was stored on a smartcard, select
“Smart card”.
If you previously imported the certificate and private key into your local certificate store, select “Windows certificate
storage”.


If you lost access to the private key, recovery is no longer possible.

Click Next to continue.


If you selected a smartcard, you will be prompted to insert the smartcard. Details depend on the smartcard you are
using.
If you selected the option to retrieve recovery information from the DriveLock database, the following dialog box
appears.

To search for Agents registered within the DriveLock database, type the computer name or part of the name and then
click Find. DriveLock FDE displays all registered computers that contain the text you typed as part of their names. To
view a list of all registered computers, leave the field empty and then click Find.
Select the appropriate computer from the list and then click Next to continue.
If you selected to retrieve recovery information from a file, the following dialog box appears:


Type the path for the location of the recovery file or click the “…” button to open the file selection dialog box.

Each client computer has its own envelope file, which must be used for emergency logon recovery procedures. If
you have configured DriveLock FDE to upload this file automatically to a central shared folder, the file name is
prefixed with the name of the client computer (for example: DE2319WX_RecoveryEnvelope.env).

Click Next to continue.

Select the DriveLock FDE version that is installed on the client computer and the recovery information provided by
the user.
If the user has logged on to pre-boot authentication before, use the emergency logon with username procedure. To
start this procedure, at the pre-boot authentication screen the user must type the user name, select the domain,
place the cursor in the password field, and then press SHIFT-F10.


If the user has never logged on to the pre-boot authentication at any time or PIN authentication is used, use the
emergency logon without username procedure or emergency logon for token user procedure. To start this
procedure, at the pre-boot authentication screen the user must place the cursor in the “User ID” or “PIN” field and
then press SHIFT-F9.

In the DriveLock Management Console, type the user name (if user has pressed SHIFT-F10) and the recovery code
provided by the user.

Ensure that the user has entered the correct information in the Username and Domain fields and the cursor has
been placed in the password field, before pressing SHIFT-F10.

Select the version of DriveLock FDE that is installed on the computer.


Click Next to generate a response code for the user.
If you selected a smartcard, you will be prompted for the PIN that is required to access the smartcard.
If an error occurs when generating the response code, DriveLock displays a warning message. If this occurs, click
Finish and then start the recovery procedure again.
If recovery was successful, DriveLock displays a response code.
The user must type this response code at the pre-boot recovery screen:

Once the user types the response code, pre-boot authentication continues and Windows starts normally.
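The emergency logon described above is an offline challenge/response: the pre-boot screen shows the user a one-time recovery code, the help desk turns it into a response using recovery material that only the help desk holds, and the PBA accepts that response exactly once. The following Python model of that exchange is an added illustration, not DriveLock code, and it does not reproduce DriveLock's actual construction (the guide does not document how the recovery certificate, the envelope file and the two codes relate). As stand-ins it assumes a per-computer secret that the help desk keeps in place of "recovery certificate private key plus envelope file", HMAC-SHA256 in place of the real derivation, and an 8-digit response; the computer name DE2319WX, the user name and the secret are constructed sample data.

```python
"""Illustrative offline challenge/response for pre-boot emergency logon.

Added example, not DriveLock code. Models the flow in the guide: PBA issues
a recovery code (challenge), help desk derives a response from recovery
material only it holds, PBA accepts a matching response once.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample data. In DriveLock the per-computer recovery material
# lives in the envelope file and is sealed with the recovery certificate;
# here a plain per-computer secret held by the help desk stands in for it.
HELPDESK_RECOVERY_STORE = {
    "DE2319WX": bytes.fromhex("9f2c1d4e6a7b8c0d1e2f3a4b5c6d7e8f0011223344556677"),
}

DOMAIN_TAG = b"pba-emergency-logon-v1"  # assumed label, separates this use of the key


def _derive_response(secret: bytes, computer: str, nonce: bytes, username: Optional[str]) -> str:
    """Response = 8 decimal digits taken from HMAC(secret, tag|computer|user|nonce).

    Binding the computer name and, for the 'with username' variant (SHIFT-F10),
    the user name means a response generated for one machine or user cannot be
    replayed for another; the fresh nonce makes every code single-use.
    """
    context = b"|".join([
        DOMAIN_TAG,
        computer.upper().encode(),
        (username or "").lower().encode(),  # SHIFT-F9 variants carry no user name
        nonce,
    ])
    tag = hmac.new(secret, context, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:8], 'big') % 10**8:08d}"


class PreBootAuth:
    """Client side: knows its own secret and the currently open challenge."""

    def __init__(self, computer: str, secret: bytes) -> None:
        self.computer = computer
        self._secret = secret
        self._pending: Optional[Tuple[bytes, Optional[str]]] = None

    def start_emergency_logon(self, username: Optional[str] = None,
                              nonce: Optional[bytes] = None) -> str:
        """SHIFT-F10 / SHIFT-F9: issue a fresh one-time recovery code (hex nonce)."""
        nonce = nonce or secrets.token_bytes(8)
        self._pending = (nonce, username)
        return nonce.hex().upper()

    def verify_response(self, response: str) -> bool:
        """Accept a response only for the open challenge, then discard the challenge."""
        if self._pending is None:
            return False
        nonce, username = self._pending
        self._pending = None  # one shot: a second attempt needs a new recovery code
        response = response.replace(" ", "")
        if not response.isascii():
            return False
        expected = _derive_response(self._secret, self.computer, nonce, username)
        return hmac.compare_digest(expected, response)


def helpdesk_generate_response(computer: str, recovery_code: str,
                               username: Optional[str] = None) -> str:
    """Console side: the operator selected the computer and typed user name + code.

    Raises KeyError when no recovery material exists for the computer, which is
    the 'lost the private key / envelope, recovery no longer possible' case.
    """
    secret = HELPDESK_RECOVERY_STORE[computer]
    return _derive_response(secret, computer, bytes.fromhex(recovery_code), username)


if __name__ == "__main__":
    pba = PreBootAuth("DE2319WX", HELPDESK_RECOVERY_STORE["DE2319WX"])
    code = pba.start_emergency_logon(username="jdoe")
    resp = helpdesk_generate_response("DE2319WX", code, username="jdoe")
    print("recovery code:", code, "response:", resp, "accepted:", pba.verify_response(resp))
```

The two properties worth noticing are the ones the wizard's warnings hinge on: the response is useless without the recovery material (a missing entry raises instead of producing a code), and a response is bound to one nonce, one computer and, for the SHIFT-F10 variant, one user name, so a code read out over the phone cannot be reused on another machine or replayed later.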

13.5.3 Recovering Encrypted Disks


Disk recovery is necessary when local disk drives can no longer be accessed. This can occur, for example, when data
sectors of the drive have become corrupt.


To recover (decrypt) an encrypted disk you must perform the following steps:
1. Create the recovery files

2. Copy all the files that are required for decryption to a floppy disk, removable USB drive or to a recovery CD.
3. Start the computer using the recovery CD or other bootable media.
4. Use the files on the recovery media to decrypt the inaccessible hard disk.
The steps for creating a Recovery CD are described in more detail below.

13.5.3.1 Creating the Files Required for Decryption

Select Disk key recovery as the recovery type.


If you configured DriveLock FDE to send the client’s recovery disk keys to the DriveLock database, select DriveLock
Enterprise service connection (DES). To specify a file as the location of the required recovery disk keys, select
Recovery files (copied from the agent computer).
Click Next to continue.


For disk recovery procedures you need access to the private key of the recovery certificate. If the private key was
stored in a file, specify the path where the DLFDEMaster.pfx file is located and type the password that protects the
private key. To access a private key that was stored on a smartcard, select “Smart card”.
If you previously imported the certificate and private key into your local certificate store, select the option
“Windows certificate storage”.

If you lost access to the private key, recovery is no longer possible.

Click Next to continue.


If you selected a smartcard, you will be prompted to insert the smartcard. Details depend on the smartcard you are
using.
If you selected the option to retrieve recovery information from the DriveLock database, the following dialog box
appears.


To search for Agents registered with the DriveLock database, type the computer name or part of the name and then
click Find. DriveLock FDE displays all registered computers that contain the text you typed as part of their names. To
view a list of all registered computers, leave the field empty and then click Find.
Select the appropriate computer from the list and then click Next to continue.
If you selected to retrieve recovery information from a file, the following dialog box appears:

Type the path for the location of the recovery file or click the “…” button to open the file selection dialog box.

Each client computer has its own disk recovery file, which must be used for the disk recovery procedure for that
computer. If you configured DriveLock FDE to upload this file automatically to a central shared folder, the file
name is prefixed with the name of the client computer (for example: DE2319WX_Backup.zip).


The disk recovery files are automatically generated by the DriveLock Agent when it starts encrypting hard disks.

Click Next to continue.

To allow for recovery, DriveLock FDE must generate a Disk Key File. To specify a file name and path, click the “…”
button, or type the path and file name, including the file extension (.dke).
Type a password or passphrase to secure access to this file and confirm it by typing it again. The password must
contain at least 6 characters. You will need to provide this password during the disk recovery operation.
Treat the Disk Key File as equivalent to the disk’s encryption key: anyone who obtains the file and its password can
decrypt the disk. The 6-character minimum is only a floor; use a long passphrase, and keep the file and the
password separate from each other.
Select the “Save full pre-boot authentication backup to folder” checkbox and type the path for the location of the
Backup.zip file that contains all recovery data stored in the DriveLock database for this computer. This file is
required to perform disk recovery when the decdisk utility cannot find critical data on the hard disk you are trying to
recover. For more information about disk recovery, refer to the section Recovering (Decrypting) Disks.
Click Next to generate the Disk Key File and the ZIP file (if selected).
If you selected a smartcard, you will be prompted for the PIN that is required to access the smartcard.
If the procedure was successful and a Disk Key File has been created, DriveLock displays a completion message.
Click Finish to close the wizard.
Copy the Disk Key File you created to a floppy disk, USB drive or the Recovery CD image. You will need access to the
file during the recovery operations described in the following sections.

13.5.3.2 Creating a Recovery CD

To recover data from a disk that has become inaccessible due to disk failure or failure of the operating system to
start, you need to start the computer from bootable media, such as a Recovery CD.


To create a Recovery CD, in the DriveLock Management Console, right-click Operating -> Agent remote control and
then click Disk Protection disk recovery tools.
The following options are available:
1. Recovery boot disk (ISO image): This is a bootable recovery disk that can be created quickly by burning the
ISO image to a CD. Recovery using this CD takes a long time because it involves decrypting the
entire disk before any data on it can be accessed.
2. Windows PE-based recovery: You can use these tools in conjunction with the Windows Assessment and
Deployment Kit (Windows ADK, WADK) to create a bootable Windows PE image that you can burn to a CD or
use to create a bootable USB stick. Creating the image takes some time, but recovery using this
method is very fast because specific files can be recovered without decrypting the entire disk. For more
information about this process, refer to the technical article “Disk Recovery with WinPE”, which you can
download from the Web site www.drivelock.com or from the DriveLock installation CD \Doc\EN\Additional.
The following information describes the procedure for creating a recovery boot CD (ISO image).


After selecting Recovery boot disk (ISO image), click Next.

Because the recovery tools are specific to the DriveLock FDE version installed on the client computer you are
recovering, you need to select this version. You can find the version that is installed on a client by using the Helpdesk
view of the DriveLock Control Center.
Specify a folder that contains additional files that will be added to the Recovery CD. This is most often used to copy
the disk recovery file (.dke file) for the client to the CD so that it will be available during recovery. The contents of the
folder you specify will be copied to the DATA directory on the CD. A CD prepared this way carries the client’s disk key,
protected only by the .dke password, so store it and dispose of it accordingly.
Finally, specify the path and file name for the ISO image that will be created. Click Next and then click Finish to
complete the wizard.
When the image has been created, burn a CD from it.


The Recovery CD contains all tools and drivers that are required to perform a disk recovery.

13.5.3.3 Recovering (Decrypting) Disks

Before you begin, verify that you have a Recovery CD, the encrypted *.dke file and the password that is used to
protect the disk key.
1. Insert the USB drive if you have stored the disk key on it.
2. Start the computer by booting from the Recovery CD.
3. To decrypt the disk, from the command line, run the decdisk.exe program with the /dk option and specify the
Disk Key File, for example: decdisk /dk diskkey.dke. If you stored the disk key on a USB drive, connect this
drive and provide the full path of the Disk Key File, for example: decdisk /dk e:\diskkey.dke.
4. When prompted, type the password that protects the Disk Key File.
5. When prompted, select the area of the disk to be decrypted.
6. After decrypting the disk, type fdisk /mbr to remove the DriveLock pre-boot authentication and then restart
the PC.
7. After the computer restarts, uninstall DriveLock FDE (see the chapter “Uninstalling DriveLock FDE
Completely”).
The preceding procedure requires that certain disk structures and files on the disk are undamaged. If Step 3 of the
procedure fails, for example with an error that no encrypted file system could be found, use the following procedure
instead:
1. Create a bootable USB flash drive.
2. Copy all files from the recovery CD to the flash drive.
3. Create a Backup.zip file for the client you wish to recover. Refer to the section Creating the Files Required for
Decryption for details on how to create this file.
4. Unpack the files in the ZIP file and copy them to the USB drive.
5. Start the client computer from the USB drive and then run the following command:
decdisk /r /rp <path to unpacked contents of Backup.zip> /dk rec.dke

13.6 Uninstalling DriveLock Disk Protection


You can configure DriveLock FDE to decrypt previously encrypted hard disks on client computers, to remove pre-boot
authentication and to completely uninstall DriveLock Full Disk Encryption.
Changes to the configuration settings in a DriveLock policy typically apply to multiple computers. To remove FDE
from a single computer, follow the steps in the section “Uninstalling or Reconfiguring FDE on a Single Computer”.

13.6.1 Uninstalling DriveLock FDE Completely


To completely uninstall DriveLock FDE from a computer, remove this computer from the list of computers that are
licensed to use the FDE component.


In contrast with previous versions of DriveLock, FDE installation is entirely determined by a computer’s license
status.
When the Agent receives the new configuration settings, it performs the following steps:
1. The Agent decrypts all encrypted hard disks
2. The Agent removes pre-boot authentication from the system
3. The Agent uninstalls DriveLock FDE

If you installed the DriveLock FDE installation package DLFde_<Version>.pkg locally on the client and it is no
longer required, you must delete it manually.


13.6.2 Decrypting Hard Disks


You can configure DriveLock FDE to decrypt encrypted disk drives.

To disable encryption on client computers, click Hard disk encryption settings.

Clear the “Encrypt local hard disk on Agent computers” checkbox and then click OK.
When the Agent receives the new configuration settings, it starts decrypting all encrypted hard disks.


When you decrypt hard drives, DriveLock FDE is not uninstalled from the client computer and pre-boot
authentication remains active. If desired, you can re-encrypt drives later.

13.6.3 Uninstalling or Reconfiguring FDE on a Single Computer


To change the DriveLock FDE configuration on a single computer, for example to uninstall FDE or to decrypt a
disk, you can apply the change to that computer only, without editing a policy that also applies to other
computers. This is done using the Agent remote control function in the DriveLock Management Console.
First connect to the computer and then select DriveLock Disk Protection Properties from the context menu.

Click Reconfigure Agent.


Select the Override policy settings checkbox. You can now configure computer-specific settings that deviate from
the central policy.
Open the Users tab to see the users stored locally in the PBA. You can add or delete individual users here.


13.7 User Logon with Pre-Boot Authentication

If you disabled pre-boot authentication in the System Policy settings, this section does not apply. Without pre-
boot authentication the standard Windows authentication dialog box is displayed and normal Windows logon
procedures apply.

13.7.1 Authenticating With User Name, Password and Domain Name


If the Local user access or the Domain user access (password) options are selected, the following logon screen is
shown.


The domain field lists all available domains if Domain user access (password) is allowed. If logon using local
accounts is allowed, the local computer name is also listed in the Domain field. Use the [Up-Arrow] and [Down-
Arrow] keys to scroll through the list of available domains. To prevent password guessing, you can define a lockout
policy to lock the computer after a configurable number of consecutive failed authentication attempts. To view
details of failed logon attempts and other events use the Windows Event Viewer.
A user who can no longer authenticate, for example because of a forgotten password, can start the
Emergency logon with user name recovery procedure. For more information about this procedure, refer to the
section “Emergency Logon Procedure”.

13.7.2 Authenticating With Smartcard or Token and PIN


If you selected the DriveLock FDE Domain user access (token) or Shared Key Access authentication checkboxes, the
following logon screen is shown.


If the Local user access or Domain user access (password) authentication options are also enabled, press the
function keys to switch between the Username/Password/Domain Name logon screen and the Token/PIN logon
screen.
To authenticate from this screen a user must insert a smart card or token and type the corresponding PIN. To prevent
PIN guessing, you can define a lockout policy to lock the computer after a configurable number of consecutive failed
authentication attempts. To view details of failed logon attempts and other events use the Windows Event Viewer.
If a user doesn’t remember the correct PIN and therefore cannot log on to the system, the user can start the
emergency logon for token user procedure. For details about this procedure, refer to the section "Emergency Logon
Procedure".

13.7.3 Windows Authentication

Every time a user successfully logs on to Windows or changes the password in Windows, the user’s current
Windows password is synchronized with the pre-boot authentication database.
What happens after successful pre-boot authentication depends on the single sign-on setting:

· Automatic – Single Sign-On Mode Is Enabled: users are automatically signed on to Windows.

· Manual – Single Sign-On Mode Is Disabled: the Windows authentication dialog box appears.



Part XIV
DriveLock Antivirus

14 DriveLock Antivirus
As of DriveLock 7.6.6, DriveLock with Avira Antivirus integrates the Avira antivirus software. Avira customers can
use the enterprise-proven DriveLock Management Console to distribute and administer the award-winning antivirus
solution from Avira on an enterprise scale (more than 100,000 installations). DriveLock customers get best-in-breed
antivirus software as part of DriveLock’s comprehensive endpoint security solution, in a multi-layered security
approach that combines multiple components and allows for unified administration of all of them.
DriveLock with Avira Antivirus offers the following benefits:
· One of the highest detection rates in the industry

· Protection against many types of malware, including worms, Trojans and spyware

· Multi-layered detection, using heuristics, behavior-based patterns and signatures

· Extremely low resource usage

· Multiple security policies that can be activated based on the current network connection

· Completely integrated, no additional services or software distribution are required

DriveLock with Avira Antivirus is available as a subscription license.


Activation is performed using the license file. No software needs to be installed in addition to the DriveLock Agent.
The former DriveLock Antivirus powered by CYREN is still integrated too and will be available for existing customers
until their license expires.

A DriveLock policy can only contain either a license for DriveLock with Avira Antivirus or a license for the
former DriveLock Antivirus powered by CYREN. As soon as an Avira license is available, CYREN Antivirus will be
removed and Avira Antivirus will be installed automatically.

14.1 Installing DriveLock Antivirus


Once a computer where the DriveLock Agent is installed is licensed to use DriveLock Antivirus, all required services
and components are automatically enabled on that computer. To license a computer, ensure that the computer, or a
group containing the computer, has the checkbox for Antivirus selected in the DriveLock policy under Global settings
-> License.


If the Antivirus checkbox is not available, your license may not include the Antivirus feature. If this is the case,
please contact your sales partner.

To uninstall DriveLock Antivirus, deselect the checkbox. A DriveLock Agent that is no longer licensed to use the
Antivirus component will automatically uninstall this component after receiving the policy reflecting the
licensing change.

To facilitate migrating from a different antivirus product, DriveLock Antivirus can automatically uninstall the other
product. This option can be configured in the policy under Extended configuration -> Antivirus -> Settings -> Antivirus
engine and other product update settings. The available settings are:
· Perform automatic engine update (default): Automatically updates the DriveLock Antivirus engine and the GEO-
IP database.

· Report installed other antivirus products: If another antivirus product is detected, an event is logged. You can
review these events using the DriveLock Control Center.

· Uninstall other installed antivirus products: If another antivirus product is detected, DriveLock automatically
uninstalls it. Currently this is supported for the following programs:
§ Microsoft Forefront Client Security

§ McAfee VirusScan Enterprise

§ Trend Micro Business Security

§ F-Secure Client Security

Running multiple antivirus products on the same computer is not recommended. If DriveLock can’t uninstall an
existing antivirus product, you must uninstall it manually.


14.2 DriveLock with Avira Antivirus


DriveLock with Avira Antivirus installs the original software package from Avira. The Avira application and tray
icon remain visible to the user for viewing purposes, but the user cannot change any settings. All configuration and
administration is done within a DriveLock policy. The DriveLock Agent passes the settings from the policy to the Avira
Agent and sends the Avira events to the DriveLock Enterprise Service (DES).

14.2.1 Configure DriveLock with Avira Antivirus


Open a policy and select Avira Antivirus.
Use a wizard from the basic configuration sheet to implement a basic deployment, basic rules for scanning or a
basic user experience configuration.

To get access to the more advanced settings, open the Settings sheet.

The default scanning policy applies to both realtime and on-demand scanning unless a more specific policy is
set.


14.2.2 Realtime Scanning Rules


Add one or more realtime scanning rules to configure different behavior depending on time limits, computers,
networks or users. If no explicit scanning rule applies, the default scanning policy will be executed.


14.2.3 Scheduled Scans


Configure scheduled scans to rescan existing files at regular intervals.


14.2.4 On-Demand Scanning


On-demand scanning profiles can be used in drive rules and for manual scanning:

Drive rules in the DriveLock policy can be configured to automatically perform a virus and malware scan when a
drive that the rule applies to is connected to a computer. When this is configured, users can access the drive only
after the scan has completed and only if no virus or malware was detected. This setting can be configured for all
drive types and in drive whitelist rules (for example, under Drives -> Removable drive locking -> <drive type>) on the
Options tab.
You can also assign an on-demand scanning profile to be used when a user initiates a manual scan in the DriveLock
user interface on a client computer. To configure this setting, open Avira Antivirus / Settings / User interface settings.

14.3 Configuring the DriveLock User Interface


As with other user interface elements, you can use a policy to determine which DriveLock Antivirus components are
displayed in the DriveLock user interface and which functionality is available to users. To configure these settings,
open Antivirus / Settings / User interface settings.


On the General tab you can configure the following settings:


· Show notification area icon: When selected, displays an icon in the system tray that indicates whether the
virus definitions are current.

· Show context menu on notification area icon: When selected, right-clicking the status icon displays a menu for
performing certain actions, such as updating definitions or scanning for viruses.

· Enable scanning for viruses using Windows Explorer context menu: When selected, an option to scan for viruses
is displayed when a user right-clicks a file or folder in Windows Explorer. You can assign a previously
created on-demand scanning profile to be used for such scans.

· Show warning when definition files are x days old. Displays a notification to the user in the system tray if
antivirus definitions are more than x days old.

· Do not show end-user information for detections: Users are not alerted when a virus or malware is detected.
The event will still be logged in the event log and/or sent to the DriveLock Enterprise Service.

· Do not show end-user information status messages: No information will be displayed for certain events, such
as the start of a scheduled scan. The event will still be logged in the event log and/or sent to the DriveLock
Enterprise Service.

· Delete files older than x days from quarantine: Automatically deletes files from quarantine that are more than x
days old.
On the Agent UI tab you can configure the following settings for the DriveLock user interface:
· Allow access to antivirus quarantine contents: The user can view quarantined items on the local computer.

· Allow restoring elements from quarantine: The user can view quarantined items on the local computer and
restore these items.

· Allow configuration of excluded files: The user can specify which files are excluded from scanning.

· Allow configuration of excluded folders: The user can specify which folders are excluded from scanning.

· Allow configuration of excluded file types: The user can specify which file types are excluded from scanning.

· Allow configuration of scanning parameters: The user can specify realtime scanning options that are different
from the policy settings and take precedence over the settings in the policy.


· Allow manual definition updates from file (by user): The user can manually update antivirus definitions from a
file. This can be useful when a computer has no network connectivity and definition files are distributed
manually.

· Allow end users to disable on-access virus scanning: The user can deactivate realtime scanning.

· Allow disabling on-access virus scanning using password: The user can deactivate realtime scanning after
entering the password you configured. This ensures that only users who know the password can disable
scanning. For example, you could share the password only with technicians who work on client computers.
Both of these options, like the options that let users change exclusions and scanning parameters, weaken the
protection on that computer. Enable them only where there is a need, and prefer the password-protected variant.
When the policy is applied to a client, the end user options you enabled become available to users in the DriveLock
user interface.

For additional information about the DriveLock user interface, refer to the DriveLock User Manual.
As with other DriveLock components, you can replace the text of all standard user notification messages with
customized text that you specify. To configure these settings, click Extended configuration -> Antivirus -> Settings ->
Custom user notification settings.


You can use the following variables in the messages you define on the General tab. When a message is displayed, the
variable is replaced with the actual value or name of the referenced element:

Variable   Description

%PATH%     File name of the infected file, including the path
%DRV%      Drive letter
%NAME%     File name without extension
%EXT%      File extension
%TYPE%     Malware type, such as "Virus" or "Trojan"
%ACC%      Detection accuracy, such as "Heuristics"
%VIRUS%    Name of the virus
%ARC%      Name of the archive, if the infected file is contained in an archive

14.4 Configuring Antivirus Updates


Having access to the most current virus definitions is crucial for maximizing the detection rate of any antivirus
solution. You can configure how the DriveLock Antivirus definitions are updated on client computers under Extended
configuration -> Antivirus -> Settings -> Default scanning policy. Update settings can also be configured in Realtime
scanning rules. Settings in Realtime scanning rules take precedence over the general settings.


You also can configure how often a client checks for new antivirus definitions. If a client detects that new definitions
are available, it automatically downloads and installs them. Select the update interval and then select one or more
of the following update sources that will be used by the client:
· DriveLock Enterprise Service: When configured, the DriveLock Enterprise Service (DES) makes antivirus
definitions available to clients and collects events. The same DES server can perform both functions.

· Internet: If you are not using the DES or if the DES is temporarily unavailable, clients will download updates
directly from DriveLock using the Internet.

· Custom file system path (not recommended): You can manually download virus definition updates from the
DriveLock Web site and copy them to a network share from where clients will retrieve them. To enable updates
from a network share, provide the user name (in the format domain\user) and password of an account that
has read access to the network share.

· Virus definitions can also be manually updated from a file. For information about how to enable manual
updates, refer to the section "Configuring Antivirus User Interface Settings".

Antivirus definitions are used by the virus scanner to identify infected files and malware. To ensure up-to-date
protection, the definitions must be kept current. Updates are released one to three times per day. The size of an
incremental update is approximately 350-500 KB. The size of a full update, including an updated antivirus
engine, is about 28-35 MB.

To configure DES to synchronize Antivirus updates with the DriveLock Web site, in the DriveLock Management
Console, under DriveLock Enterprise Services -> Servers, double-click the DES server that will download updates from
the Internet.


To enable the DES server to synchronize definition files, on the Update synchronization tab, select the Download
Antivirus definition updates from the Internet checkbox. You can also configure the synchronization interval and the
number of definitions to keep. Older definitions are automatically deleted.
Once update synchronization has been configured for DES, the DES server starts to download full and incremental
updates from DriveLock and makes them available to clients. If the network contains multiple DES servers, the
definitions will be automatically replicated to all other DES servers.

14.4.1 Configuring Definition Publishing and Staging


By default, new definition updates are automatically made available to clients after the DES server has received
them. Some organizations require that updates are tested before they are distributed to clients. For example, you
could verify in a small staging environment that no false positives are detected before updates are made available
to all computers in the organization.
To prevent the automatic publishing of virus definitions, deselect one or both of the following checkboxes:
· Automatically publish new updates to production environment

· Automatically publish new updates to staging environment

After you disable automatic publishing, clients will no longer automatically receive updated definitions. An
administrator must manually publish any definition update before it becomes available to client computers.

The following diagram illustrates the process of installing new virus definitions in a staging environment, verifying
functionality and then publishing the update to the production environment:

To assign a client computer to the staging or production environment, run one of the following commands on the
client computer:
· drivelock.exe -setstaging -> Assigns the client to the staging environment

· drivelock.exe -setproduction -> Assigns the client to the production environment (default setting)

14.5 Using the Antivirus Quarantine


The Quarantine is a protected location on the disk to which only DriveLock has access. If configured in the policy,
DriveLock Antivirus stores infected files in the quarantine and prevents direct user access to these files. Quarantined
files can be restored, deleted or scanned again. (Quarantined files are stored in the hidden system folder
C:\vseqrntn.bin.)
To view quarantined files, establish a remote control connection to the client using the DriveLock Management
Console (Operating -> Agent remote control). After connecting, right-click the Agent and then click Antivirus
Properties.

On the Quarantine tab you can view files that are currently quarantined. (Quarantined files are stored in the hidden
system directory C:\vseqrntn.bin on clients.) After selecting a file, you can perform the following actions:
· Refresh: Updates the file list from the client

· Delete: Permanently delete the file from quarantine

· Rescan: Scan the file again. The virus scanner may be able to clean a file because it uses a newer engine than
the one that was used when the file was quarantined.

· Restore: Restore the file to its original location

14.6 Uninstalling and Controlling DriveLock Antivirus on Individual Clients


You can uninstall DriveLock Antivirus on specific computers without having to change the policy. You can also
remotely initiate a definition update and initiate a scheduled scan. These actions are performed using the Agent
remote control functionality.
To perform any of these actions, first connect to a remote Agent, then right-click the Agent and click Antivirus
Properties.

In the Antivirus Properties window, click Reconfigure Agent and then select any of the following checkboxes:
· Override policy settings: The settings that you select will override the current policy settings that are applied to
the Agent.
§ Install Antivirus: Select this checkbox to install DriveLock Antivirus on the computer. Deselect the
checkbox to uninstall DriveLock Antivirus. Uninstalling the Antivirus component requires the
computer to restart.
§ Enable definition file updates: Antivirus definitions are automatically updated from the source
configured in the policy. If the checkbox is deselected, definitions can only be manually updated
from a file.
§ Enable antivirus engine updates: The Antivirus engine is automatically updated from the source
configured in the policy.
§ Enable scheduled scans: When selected, scheduled scans are run at the time configured in the
policy. When deselected, no scheduled scans are run on the computer.

Part XV
DriveLock WebSecurity

15 DriveLock WebSecurity

15.1 DriveLock WebSecurity powered by CYREN


Classic Web security is stuck in a legacy approach defined for a 1990s computing model: centralized and static.
Today, network security appliances protect computers as long as they are within a company's network but struggle
when computers are connected via public or home networks.
In contrast to the classic approach, DriveLock WebSecurity protects directly at the endpoint, independent of the type
of network connection.
The foundation of DriveLock WebSecurity is the CYREN GlobalView™ Cloud infrastructure, the largest security
network of its kind in the world. The GlobalView™ Cloud processes over 13 billion transactions every day and
protects 550 million users in 190 countries from Internet threats. With local, regional, and continental redundancy,
GlobalView™ Cloud provides multiple global points of presence, ensuring near-zero latency.

DriveLock WebSecurity uses the CYREN GlobalView™ Cloud to check each Internet connection before it allows or
denies access, based on categories derived from the GlobalView™ Cloud. It blocks connections to phishing and other
malicious sites, preventing infection and loss of login/credential data. The CYREN GlobalView™ Cloud is
continuously updated with the most up-to-date information on phishing, advanced persistent threat, and other
unsafe sites.
In addition to assessing the categories from CYREN, domain URLs can be added to whitelists or blacklists.

15.2 Configure DriveLock WebSecurity


To configure DriveLock WebSecurity, open or create a policy using the DriveLock Management Console. In the
navigation area select DriveLock WebSecurity.

DriveLock WebSecurity requires a valid subscription license (see "Activating Your License").

15.2.1 Global Settings

URL filtering mode (blacklist or whitelist mode)


DriveLock WebSecurity operates in one of two filtering modes: blacklist mode or whitelist mode. Blacklist mode does
not block anything until a category or domain URL is configured in a blacklist rule. Conversely, whitelist mode
blocks all access except to the categories or domain URLs configured in a whitelist rule.
In Simulation mode only events and user notifications are generated; access is not actually blocked. Audit only
mode just logs events according to the configuration but does not generate user notifications. Use these modes to
evaluate your configuration before you activate real blocking.
To temporarily deactivate DriveLock WebSecurity, switch the URL filtering mode to Off; your configuration remains in
place.

Always audit accessed URLs


When enabled, each accessed URL is audited, not only the ones filtered by a rule.

Categorize all URLs


When active, each reported URL is categorized, not only the ones filtered by a category rule.

Target IP addresses to ignore


Create a list of IP addresses, which should be completely ignored by DriveLock WebSecurity, no filtering and no
auditing will apply.

Ports to filter
By default, DriveLock WebSecurity listens on ports 80, 443 and 8080. If you want to filter different ports (e.g. because
you use a proxy with non-standard ports), you must enter the complete list of ports you want to filter.

In-Browser notification
By default, DriveLock WebSecurity redirects a blocked request to a built-in blocking page. You may also
· configure a redirection to another URL - enter a fully qualified URL including the scheme, e.g.
http://www.my_site.com/my_blocked_page

· create your own blocking page - the content may be a valid HTML page or plain text

SSL websites cannot be redirected; the standard browser message is shown instead.

Custom user notification messages


Enter your own user notification message for blocked pages. Use the place holder %URL% to display the blocked URL
within your text.

Advanced settings
These settings should not be changed without a specific reason.
· Event settings - when a web page is accessed, multiple requests are sent to the server. To avoid generating an
event for each request, multiple accesses to the same server name within the given time are collected into one
event. The default is one minute (60 seconds).
To configure the WebSecurity events, in the policy open Global Configuration / Event message transfer settings
/ Events and scroll down to the section for DriveLock WebSecurity (almost at the end).

· Cache settings - the URL category of accessed websites is cached in memory for the given time to reduce the
number of requests to the CYREN GlobalView™ Cloud. The default is one day (86400 seconds).
If available and enabled, DriveLock WebSecurity first asks the DriveLock Enterprise Service (DES) for the
category of a website. The DES caches the category as well (for all connected Agents). If many users visit the
same websites, this further reduces requests to the CYREN GlobalView™ Cloud. To enable URL category
caching on the DES, in the DriveLock Management Console open DriveLock Enterprise Services / Servers /
double-click <Server Name> / Update synchronization and check Enable URL categorization.
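The event collapsing window and the category cache described above can be modelled in a few lines. The following Python is an added example, not DriveLock code: EventCollapser emits at most one event per server name within the window (60 seconds by default, as above) and CategoryCache memoizes category lookups for the cache time (86400 seconds). The sample request list and the FAKE_CATEGORIES lookup table are constructed stand-ins; the real CYREN service is not called.

```python
# Defaults taken from the manual: one event per server name per 60 s,
# URL categories cached for 86400 s (one day).
EVENT_WINDOW_SECONDS = 60
CATEGORY_CACHE_TTL_SECONDS = 86400


class EventCollapser:
    """Emit at most one audit event per server name within a time window.

    A page load that triggers many requests to the same server yields a
    single event, as the "Event settings" description above explains.
    """

    def __init__(self, window=EVENT_WINDOW_SECONDS):
        self.window = window
        self._last_emitted = {}  # server name -> timestamp of the last event

    def should_emit(self, server, now):
        last = self._last_emitted.get(server)
        if last is not None and now - last < self.window:
            return False  # still inside the window: fold into the earlier event
        self._last_emitted[server] = now
        return True


class CategoryCache:
    """TTL cache in front of a category lookup function (assumed interface)."""

    def __init__(self, lookup, ttl=CATEGORY_CACHE_TTL_SECONDS):
        self.lookup = lookup          # callable: domain -> category string
        self.ttl = ttl
        self._entries = {}            # domain -> (category, fetched_at)
        self.lookups = 0              # number of real lookups performed

    def category(self, domain, now):
        entry = self._entries.get(domain)
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0]           # cache hit, no request to the cloud
        self.lookups += 1
        cat = self.lookup(domain)
        self._entries[domain] = (cat, now)
        return cat


# Constructed sample request log: (timestamp in seconds, server name).
SAMPLE_REQUESTS = [
    (0, "www.example.com"),
    (2, "www.example.com"),    # same page load, second request
    (45, "www.example.com"),   # still inside the 60 s window
    (70, "www.example.com"),   # outside the window -> new event
    (71, "cdn.example.net"),
]

# Constructed stand-in for the cloud category service (not CYREN's API).
FAKE_CATEGORIES = {
    "www.example.com": "Business",
    "cdn.example.net": "Computers & Technology",
}


def process(requests, window=EVENT_WINDOW_SECONDS, ttl=CATEGORY_CACHE_TTL_SECONDS):
    """Return (emitted events, number of category lookups) for a request list."""
    collapser = EventCollapser(window)
    cache = CategoryCache(lambda d: FAKE_CATEGORIES.get(d, "General"), ttl)
    events = []
    for ts, server in requests:
        cat = cache.category(server, ts)
        if collapser.should_emit(server, ts):
            events.append((ts, server, cat))
    return events, cache.lookups
```

Running process(SAMPLE_REQUESTS) yields three events and only two cloud lookups for five requests; shortening the cache time to ten seconds raises the lookups to four, which is the trade-off the default of one day is meant to avoid.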

15.2.2 URL Filtering Rules


URL filtering can be configured based on URL categories and/or URL lists. A group of categories can be configured as
a set of categories using the category group rule.
To create a new URL filtering rule, right-click
· URL category rules / New / Category group rule... or

· URL category rules / New / URL category rule... or

· URL list rules / New / URL list rule...

Double-click an existing rule to edit its properties.


On the General tab, name the rule (Description) and select the Rule type.
In blacklist mode, whitelist rules have higher priority than blacklist rules, so websites matching a whitelist rule
are never blocked. In whitelist mode it is the reverse: websites matching a blacklist rule are always blocked.
Use the corresponding tabs to select the Time limits, Connections, Networks, Users and Permissions for which the
rule should be valid.

Use the Messages tab to configure exceptions for user notifications and auditing.

URL category rules


Available categories and category groups are shown in the table below. The four category groups are Security,
Parental Control, Productivity and General Use; an X marks the group(s) a category belongs to.
Category Group => Security | Parental Control | Productivity | General Use

Category
Anonymizers X
Botnets X
Compromised X
Malware X
Network Errors X
Parked Domains X
Phishing & Fraud X
Spam Sites X
Advertisements & Pop-Ups X X
Child Abuse Images X X
Criminal Activity X X
Cults X X
Dating & Personals X X
Gambling X X
Hacking X X
Hate & Intolerance X X
Illegal Drug X X
Illegal Software X X
Instant Messaging X X
Nudity X X
Peer-to-Peer X X
Pornography/Sexually Explicit X X
Social Networking X X
Tasteless X X
Violence X X
Weapons X X
Alcohol & Tobacco X
Chat X
School Cheating X
Sex Education X
Download Sites X
Games X
Image Sharing X
Job Search X
Shopping X
Sports X
Streaming Media & Downloads X
Arts X
Business X
Computers & Technology X
Education X
Entertainment X
Fashion & Beauty X
Finance X
Forums & Newsgroups X
General X
Government X
Greeting cards X
Health & Medicine X
Information Security X
Leisure & Recreation X
News X
Non-profits & NGOs X
Personal Sites X
Politics X
Private IP Addresses X
Real Estate X
Religion X
Restaurants & Dining X
Search Engines & Portals X
Translators X
Transportation X
Travel X
Web-based Email X

URL category rules


Open the URL categories tab and check one or more Category groups or URL categories the rule should filter.

URL list rules


Open the URLs tab to Add, Remove or Edit the URLs or domains the rule should filter.

You may use wildcard characters to define patterns for URLs to be filtered. Use the asterisk (*) as a substitute for
zero or more characters or the question mark (?) as a substitute for a single character.
Examples:
Pattern            Matches                                              Does not match
*.drivelock.com    www.drivelock.com                                    drivelock.com
                   support.drivelock.com                                www.bad_drivelock.com

*drivelock.com     www.drivelock.com
                   www.bad_drivelock.com
                   bad_drivelock.com

drivelock.??       drivelock.de                                         drivelock.com
                   drivelock.fr                                         drivelock.co.uk
                   drivelock.es

drivelock.*        drivelock.de                                         www.drivelock.com
                   drivelock.com
                   drivelock.co.uk
                   drivelock.pishing.com

*.*.*              any subdomain.second-level domain.top-level domain   second-level domain.top-level domain

To avoid unwanted connections, be careful with wildcard characters, especially if you use them in whitelists and
in second-level or top-level domains (see the unwanted matches in the examples above, such as
www.bad_drivelock.com and drivelock.pishing.com).
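To see how the patterns in the table behave, here is an added Python example (not part of the manual or the product) that translates a URL list pattern into a regular expression using the two wildcard rules above, applies it to the table's host names, and adds a heuristic `overly_broad` check that flags the risky second-level and top-level wildcards the warning refers to. Case-insensitive matching and the `first_match` rule lookup are assumptions of the example.

```python
import re


def pattern_to_regex(pattern):
    """Translate a URL list pattern into a compiled regular expression.

    '*' stands for zero or more characters and '?' for exactly one character,
    as the manual describes; every other character is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern, host):
    """True if the whole host name matches the pattern (case-insensitive: assumption)."""
    return pattern_to_regex(pattern).fullmatch(host) is not None


def first_match(rules, host):
    """Return the first (pattern, action) pair whose pattern matches host, else None.

    rules is an ordered list such as [("*.amazon.com", "allow"), ("*", "block")].
    """
    for pattern, action in rules:
        if matches(pattern, host):
            return pattern, action
    return None


def overly_broad(pattern):
    """Flag patterns whose wildcard reaches into the second- or top-level domain.

    This is the review the warning above asks for: '*drivelock.com' also matches
    'bad_drivelock.com' and 'drivelock.*' also matches 'drivelock.pishing.com'.
    A heuristic for the example, not a product feature.
    """
    labels = pattern.split(".")
    return any("*" in label or "?" in label for label in labels[-2:])


def check_table():
    """Re-run the manual's example table; returns the list of patterns that are overly broad."""
    table = {
        "*.drivelock.com": (["www.drivelock.com", "support.drivelock.com"],
                            ["drivelock.com", "www.bad_drivelock.com"]),
        "*drivelock.com": (["www.drivelock.com", "www.bad_drivelock.com", "bad_drivelock.com"], []),
        "drivelock.??": (["drivelock.de", "drivelock.fr", "drivelock.es"],
                         ["drivelock.com", "drivelock.co.uk"]),
        "drivelock.*": (["drivelock.de", "drivelock.com", "drivelock.co.uk", "drivelock.pishing.com"],
                        ["www.drivelock.com"]),
        "*.*.*": (["www.example.com"], ["example.com"]),   # constructed instances of the last row
    }
    for pattern, (yes, no) in table.items():
        assert all(matches(pattern, h) for h in yes), pattern
        assert not any(matches(pattern, h) for h in no), pattern
    return [p for p in table if overly_broad(p)]
```

check_table() confirms every row of the table and returns the four patterns whose wildcard sits in the last two labels; only *.drivelock.com passes the broadness check, which is the shape to prefer in a whitelist.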

DriveLock WebSecurity does not send any page content to the CYREN GlobalView™ Cloud; it sends only the domain
part of a URL to retrieve the category.

DriveLock WebSecurity does not read the content of encrypted connections. An open HTTPS connection is not
blocked as soon as a rule changes, but only when the connection is opened again. A refresh in the browser
normally reuses the existing connection.

Best Practice for Beginners


· Use DriveLock WebSecurity in blacklist mode (nothing is blocked by default).

· Create a blacklist to block the category group Security (insecure content).

· Create a blacklist to block unwanted categories (e.g. Shopping).

· Create a whitelist (URL list) to allow blocked but needed resources (e.g. *.amazon.com, *.amazon.de).

· Start in Simulation mode (otherwise your users may complain about blocked resources).

· Switch on Always audit accessed URLs, to audit all requests.

· Monitor the blocked/allowed/visited requests and adapt your rules accordingly.

· Switch off Simulation mode if your monitoring doesn't report unwanted blocking.

· Switch off Always audit accessed URLs to minimize audited events.

Part XVI
DriveLock Application Control / Smart AppGuard

16 DriveLock Application Control / Smart AppGuard


This section contains information about how to configure and use DriveLock Application Control. It describes the
criteria the Agent uses to determine whether an application is allowed to start and how to configure application
policies.
Application Control / Smart AppGuard are optional components.

You need either a license for DriveLock Application Control or for DriveLock Smart AppGuard. The DriveLock
Smart AppGuard license includes all features of DriveLock Application Control plus the new intelligent features
of Smart AppGuard.

Application Control lets administrators control which applications can run on a computer that has the DriveLock
Agent installed. You can use several types of rules and strategies to specify which applications are allowed and
which are blocked by Application Control.
You can use the following types of application rules to specify an application:
· Hash database rule

· Publisher certificate rule

· File owner rule

· MD5 hash rule

· Special rule

File path rules and template rules are additional types that can be useful in certain situations. They are primarily
included for backward compatibility with older versions of DriveLock.
Using application hash databases is the easiest method for defining a collection of applications. Configure hash
database rules to quickly create one or more collections of applications that users are allowed to run or that are
blocked. DriveLock can automatically create a hash database by scanning all applications in directories that you
specify. For example, you can create a hash database whitelist rule by automatically scanning the complete hard
disk of a reference client computer that has all your business applications installed. When you apply this whitelist
rule to other computers in your organization, users can start all applications installed on the reference client while
any other application is blocked by DriveLock.
A more flexible approach, better suited to an environment with frequent changes and updates, is to use publisher
certificate rules. Software publisher certificates can be used to determine which company published
an application. For example, all software products developed by Microsoft are signed with a certificate issued by
Microsoft Code Signing PCA. DriveLock products are signed with a certificate issued by VeriSign. A publisher
certificate rule can be used to verify the authenticity of a program file and then allow users to run applications
based on certain properties, such as the software publisher or the program version. For example, you can allow all
applications that were signed by Microsoft, any application signed with a certificate that was issued by VeriSign, or
a single application with a specific certificate ID. You can use wildcards in publisher certificate rules for maximum
flexibility.
Whitelist rules can also be based on file ownership. In Microsoft Windows every file has a file owner. For example,
when an administrator installs a new application, Windows assigns ownership of all files that are part of this
application to the administrator’s user account or the local Administrators group. You can create a file owner rule
to allow users to start any application that was installed by an administrator. If you deploy client software using a
service account with administrative rights, you can create whitelist rules based on this account.
An MD5 hash rule is based on a calculated value that uniquely identifies a file. This type of rule is most appropriate
for a whitelist rule or blacklist rule that covers a single application.

Special rules let you easily refer to all program files on a computer that match certain common criteria, for example
whether the file is part of the Microsoft operating system, is part of DriveLock or is a .NET application. You can also
use a special rule to override a blacklist rule and allow some users, such as a service administrator, to run all
applications.
The flexibility of combining blacklist rules with whitelist rules makes the Application Control both easy to configure
and powerful enough to secure your client environment.

16.1 Basic configuration


The Basic Configuration mode of the DriveLock Management Console lets you configure the most common settings
for Application Control. To access advanced configuration settings, navigate to the appropriate subnodes in the
console tree.

To view the taskpad for the Application Control configuration, in the left pane of the DriveLock Management Console,
click Applications.

16.1.1 Configuring the Scanning and Blocking Mode


The scanning and blocking mode determines the overall operation of Application Control. Open Applications /
Settings / Scanning and Blocking mode. To select one of the operation modes, follow the steps in the following
sections. To disable Application Control, select Off.

Scanning/Blocking DLLs is available in DriveLock version 7.7.8 and newer. Read the chapter Scanning/Blocking
DLLs carefully before using an "including DLLs" mode.

16.1.1.1 Auditing and simulation

To monitor the execution of programs on computers without preventing any of these programs from starting, select
Audit-only. The DriveLock Agent creates events for all programs that are started on a computer without enforcing any
application templates or rules. This mode is most appropriate if you allow users to run any program but you need to
record which programs users run.
Use one of the two simulation modes, Whitelist (simulate) or Blacklist (simulate), to test templates or rules before
actually blocking programs. In simulation mode the DriveLock Agent creates events when an application is started
that is controlled by a template or rule, but no programs are blocked.

Use the simulation modes to identify applications that users are running before you enforce any blocking rules.
Review the local Windows event logs or the DriveLock Control Center for events that indicate that applications
were allowed to start or blocked. If the events indicate that application control does not work as intended,
modify the rules to correctly enforce the intended settings.

16.1.1.2 Whitelist mode and Blacklist mode

To activate Application Control, select Whitelist or Blacklist. In Whitelist mode, all applications, except those
allowed by your policy, are blocked. In Blacklist mode, all applications can be started except for applications that
are blocked by the rules and templates you configured.
Whitelist and blacklist rules and templates define exceptions to the overall behavior of the blocking mode. You can
create both whitelist rules and blacklist rules in either blocking mode. For more information about how rules and
templates work in each mode, refer to the sections “Whitelist mode” and “Blacklist mode”.

When you select one of the blocking modes, DriveLock displays a warning message. Click Yes to activate Application
Control or click No to cancel the current operation.

16.1.2 Configuring basic application rules

To change the default application rules created during setup, in the “Basic application rule” area, click Change.

Select the type of rules to use and then click Finish. DriveLock creates the corresponding special rules. For more
information about special application rules, refer to the section “Using special rules”.

16.1.3 Configuring Simple Application Rules


In Basic configuration mode you can configure publisher certificate rules and file owner rules. To create other rule
types you need to switch to the Extended Configuration task view.

Click Add publisher certificate rule… to generate a new publisher certificate rule.

When you create a rule in Basic Configuration mode, the options to limit the rule to specific computers or network
locations are not available. To create rules that contain these elements you must switch to the Extended
Configuration mode.
For more information about publisher certificate rules, refer to the section “Using publisher certificate rules”.

Select one of the following options:


· Everyone: The rule applies to all users.

· Defined users and groups: The rule only applies to the users or groups you add to the list.

Click Add to add a user or group to the list. To remove a user or group from the list, select the user or group and then
click Remove.
Click OK to create the rule.
To create a new file owner rule, click Add file owner rule….

When you create a rule in Basic configuration mode, the options to limit the rule to specific computers or network
locations are not available. To create rules that contain these elements you must switch to the Extended
Configuration mode.
For more information about file owner rules, refer to the section “Using file owner rules”.

Select one of the following options:


· Everyone: The rule applies to all users.

· Defined users and groups: The rule only applies to the users or groups you add to the list.

Click Add to add a user or group to the list. To remove a user or group from the list, select the user or group and then
click Remove.
Click OK to create the rule.

16.2 Extended Configuration

To configure more detailed Application Control settings, navigate to the nodes below Applications in the console
tree, expand Extended configuration and then click Applications. If Basic Configuration mode is currently disabled,
click Applications instead.

16.2.1 Configuring the Scanning and Blocking Mode


The scanning and blocking mode determines the overall operation of Application Control. Open Applications /
Settings / Scanning and Blocking mode. To select one of the operation modes, follow the steps in the following
sections. To disable Application Control, select Off.

Scanning/Blocking DLLs is available in DriveLock version 7.7.8 and newer. Read the chapter Scanning/Blocking
DLLs carefully before using an "including DLLs" mode.

16.2.1.1 Auditing and simulation

To monitor the execution of programs on computers without preventing any of these programs from starting, select
Audit-only. The DriveLock Agent creates events for all programs that are started on a computer without enforcing any
application templates or rules.
Use one of the two simulation modes (Whitelist (simulate) or Blacklist (simulate)) to test templates or rules before
blocking programs. During simulation the DriveLock Agent creates events when applications are started that are
controlled by templates and rules, but it doesn't prevent any programs from running.

Use the simulation modes to identify applications that users are running before enforcing any blocking rules.
Review the local Event Logs or the DriveLock Control Center for such application starts and then modify the
policy to allow programs that you initially overlooked. When the event information no longer indicates that
required programs would be blocked by your rules, you can start enforcing the policy.

Once you have enabled Whitelist or Blacklist mode, DriveLock creates an event for each blocked application. To also
audit successful application execution, click Always audit application execution (independent of blocking mode).

By default auditing is disabled. Select Enable to create events for all successful application starts.

Enabling auditing of every successful program start may decrease computer performance. If events are sent to
the DriveLock Enterprise Service, it may also increase network traffic and the database size.

16.2.1.2 Whitelist mode and Blacklist mode

To activate Application Control, select Whitelist or Blacklist. In Whitelist mode, all applications except those allowed
by your policy are blocked by default. If you select Blacklist, all applications can be used except those blocked by the
rules and templates you configure.

When you select one of the blocking modes, DriveLock displays a warning message. Click Yes to activate Application
Control or click No to cancel the current operation.
In addition to the blocking mode, whitelist and blacklist rules and templates control program execution. You can
create both whitelist rules and blacklist rules in either blocking mode. The following sections describe how rules
and templates work in each mode.

16.2.1.2.1 Whitelist mode

When using the whitelist mode, only applications listed in whitelist rules or templates are allowed to run.
Additionally, you can use blacklist rules to disable selected applications even though they may be included in a
whitelist template or rule. In effect, in this mode blacklists define exceptions to your whitelist rules.
In whitelist mode, the priority of rules is: Blacklist rules – whitelist rules – all others

Example: To allow all users to run all programs in the Program Files folder, create a directory rule and allow
all applications within this folder to run. To prevent one of these applications from running on one computer,
create a blacklist rule for only this application and apply it to the computer.

16.2.1.2.2 Blacklist mode

When using the blacklist mode, all applications are allowed to run unless they are listed in blacklist rules or
templates. Use blacklist rules or templates in this mode to specify the applications that users are not allowed to
start. Use whitelist rules in this mode to define exceptions to blacklist templates or rules.
In blacklist mode, the priority of rules is: Whitelist rules – blacklist rules – all others

Example: Users in your organization are not allowed to run the program "Skype". However, your CIO must use
Skype while out of the office. To allow this, create a blacklist rule to block Skype for all users. Then define a
whitelist rule allowing the Skype application and configure it to apply only to the CIO's account.
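The precedence rules for whitelist mode and blacklist mode (the same ordering that section 15.2.2 states for WebSecurity URL rules on the General tab) can be written down as a small evaluator. The following Python is an added example, not DriveLock code: the rule names, the CORP\cio account, the PC-42 computer name and tool.exe are constructed values standing in for the two examples in the text, and the target can equally be a host name for a URL rule.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple


@dataclass
class Rule:
    """One whitelist or blacklist rule.

    `matches` is a predicate over the target (an executable path here).
    Empty `users` or `computers` sets mean the rule applies to everyone /
    every computer, as the "Everyone" option does in the console.
    """
    name: str
    kind: str                               # "whitelist" or "blacklist"
    matches: Callable[[str], bool]
    users: Set[str] = field(default_factory=set)
    computers: Set[str] = field(default_factory=set)

    def applies(self, target: str, user: str, computer: str) -> bool:
        if self.users and user not in self.users:
            return False
        if self.computers and computer not in self.computers:
            return False
        return self.matches(target)


def evaluate(mode: str, rules, target: str, user: str, computer: str) -> Tuple[str, Optional[str]]:
    """Return ("allow" | "block", name of the deciding rule or None).

    Precedence as the manual states it:
      whitelist mode: blacklist rules, then whitelist rules, then block by default
      blacklist mode: whitelist rules, then blacklist rules, then allow by default
    """
    if mode == "whitelist":
        order, default = ("blacklist", "whitelist"), "block"
    elif mode == "blacklist":
        order, default = ("whitelist", "blacklist"), "allow"
    else:
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    for kind in order:
        for rule in rules:
            if rule.kind == kind and rule.applies(target, user, computer):
                return ("block" if kind == "blacklist" else "allow"), rule.name
    return default, None


def basename_is(name: str) -> Callable[[str], bool]:
    """Predicate factory: does the target path end with the given file name?"""
    return lambda path: path.lower().endswith("\\" + name.lower())


# Whitelist-mode example from the text: a directory rule allows everything under
# Program Files; a blacklist rule removes one of those applications on one computer.
WHITELIST_MODE_RULES = [
    Rule("Program Files directory rule", "whitelist",
         lambda p: p.lower().startswith("c:\\program files\\")),
    Rule("Block tool.exe on PC-42", "blacklist", basename_is("tool.exe"), computers={"PC-42"}),
]

# Blacklist-mode example from the text: Skype is blocked for all users,
# the CIO's account excepted (constructed account name).
BLACKLIST_MODE_RULES = [
    Rule("Block Skype", "blacklist", basename_is("skype.exe")),
    Rule("Allow Skype for CIO", "whitelist", basename_is("skype.exe"), users={"CORP\\cio"}),
]
```

Note how the default decision flips with the mode: an application no rule mentions is blocked in whitelist mode and allowed in blacklist mode, and the rule kind that wins is always the one that defines the exception for that mode.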

16.2.2 Configuring a Hash Algorithm for Hash-Based Rules


To configure a hash algorithm to be used with all rules that use hash values, click Settings and then click Hash
algorithm for hash-based rules to open the Properties window.
To configure DriveLock to always use a hash algorithm, click Set to fixed value and then select the algorithm from
the list. If this is set to Not configured, the MD5 algorithm is used.

16.2.3 Configuring User Notifications

You can define a custom user notification message for each whitelist rule. Unless specified otherwise, DriveLock
displays this message when Application Control blocks an application.

If you configured a multilingual message text for the current language, DriveLock will display the standard
messages defined for this language instead of the message configured in this dialog box. For information about
how to configure multilingual messages, refer to the DriveLock Management Console manual.

Select "Display custom messages" to enable the message specified in this dialog box. Type the message to be
displayed to the user. When the message is displayed, the Agent replaces the variable "%EXE%" with the path and
file name of the blocked application.
Click Test to display a message with the current text on your computer.
Click OK to close the window.

16.2.4 Special Settings


These settings are only visible in the classic MMC view of the Application Control settings. Do not change them
without advice from DriveLock Support or DriveLock Consulting Services.
· Caching mode

· Time values are kept in cache

· Paths excluded from executable hash generation

16.3 Configuring Application Rules

16.3.1 Using Application Hash Databases


To simplify using Application Control, DriveLock can create application hash databases that you can use to easily
allow or block multiple applications. To create an application hash database, DriveLock can scan directories on
your computers, including any subdirectories, for installed applications and calculate a hash for each of them.
These hashes are then added to the hash database. You can use this procedure to create a hash database that
includes all applications on a computer. When you whitelist all applications in this database, DriveLock prevents
any programs from running that are not included or that are installed after the computer was scanned.
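An added Python example (not DriveLock's own DLExeHasher.exe) of the scan-and-hash procedure described above: it walks a directory tree, hashes every program file with the configured algorithm (MD5 by default, matching section 16.2.2), collapses identical files into one entry and records the system name. Which file extensions count as program files, and the constructed sample tree created under a temporary directory, are assumptions of the example.

```python
import hashlib
import os
import tempfile

# Assumption for the example: which file name suffixes count as program files.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".scr")


def file_hash(path, algorithm="md5"):
    """Hash a file with the configured algorithm (MD5 is the manual's default)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_database(root, system_name, algorithm="md5"):
    """Recursively scan root and return a hash database as a dict.

    Identical files in different directories collapse into one entry, as the
    manual describes; the first relative path seen is kept for reference only,
    because rules are evaluated on the hash, not on the location.
    """
    db = {"system_name": system_name, "algorithm": algorithm, "hashes": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            digest = file_hash(path, algorithm)
            db["hashes"].setdefault(digest, os.path.relpath(path, root))
    return db


def is_whitelisted(path, db):
    """True if the file's hash is in the database (a hash database whitelist rule)."""
    return file_hash(path, db["algorithm"]) in db["hashes"]


def make_sample_tree():
    """Constructed reference directory: one program stored twice, a second program, a data file."""
    root = tempfile.mkdtemp(prefix="hashdb_")
    os.makedirs(os.path.join(root, "app1", "bin"))
    os.makedirs(os.path.join(root, "app2"))
    payload = b"MZ fake program A"          # constructed content, not a real executable
    for rel in (("app1", "bin", "a.exe"), ("app2", "a_copy.exe")):
        with open(os.path.join(root, *rel), "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "app2", "b.exe"), "wb") as f:
        f.write(b"MZ fake program B")
    with open(os.path.join(root, "app2", "readme.txt"), "wb") as f:
        f.write(b"not a program")
    return root


def run_demo():
    """Scan the sample tree and check the behaviour the manual describes.

    Returns (entries in the MD5 database, duplicate copy whitelisted,
             program installed after the scan whitelisted, entries in a SHA-256 rescan).
    """
    root = make_sample_tree()
    db = build_hash_database(root, "REF-PC")
    copy_ok = is_whitelisted(os.path.join(root, "app2", "a_copy.exe"), db)
    later = os.path.join(root, "app2", "later.exe")
    with open(later, "wb") as f:
        f.write(b"MZ installed after the scan")
    later_ok = is_whitelisted(later, db)
    sha_db = build_hash_database(root, "REF-PC", "sha256")
    return len(db["hashes"]), copy_ok, later_ok, len(sha_db["hashes"])
```

run_demo() returns (2, True, False, 3): the two identical copies count once, the copy in the second directory is still allowed because only the hash matters, and a program added after the scan is not in the database until the reference computer is rescanned.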


To create a hash database, right-click Application hash databases and then click New -> Application hash database.

You can base a hash database rule on an existing hash database or create a new one.
You can also use the standalone Application Hash Database Tool to create and manage hash databases. The
program file “DLExeHasher.exe” is located in the directory where you installed the DriveLock Management Console (C:
\Program Files\CenterTools\DriveLock).
If a hash database already exists, you can view or edit it.


To view or edit an existing database, click Database file, click Select existing and then select the database.
To create a new database, click Database file and then click Create new.

In the Comment (System name) box, type the name of the computer to be scanned. Recording the computer name makes
it easier to keep track of the origin of a hash database when managing or merging multiple databases.
Type or select the directory to be scanned for applications.

You can scan a directory on a remote computer by specifying the UNC path for this directory.

Click OK. DriveLock starts a recursive scan of the specified directory and all subdirectories below it.


Scanning a directory that contains many files can take several minutes to complete. Scanning may take longer if
the directory is located on a remote computer. If you cancel the scan, the results will be incomplete.

When processing the scan results, DriveLock eliminates duplicates. As a result, identical files that are located
in more than one directory are listed only once. This has no effect on how the rule is applied because
applications are evaluated based on their hashes and not a specific location. Also, this behavior allows for
differential scanning, which only adds applications that are not already in the database.

When DriveLock has finished detecting all program files and has calculated all hashes, it adds all applications it
detected to the template and displays the previous dialog box.
In the Description field, type a description to help you identify the template later.

Click Database content to view, edit or merge the programs that are included in the database.
Click Database content and then click View / edit to view the database content.


The left pane displays the folders that were scanned. Select a folder to display all programs that were found in this
folder in the right pane.
To add additional hashes, click Scan folder or Scan file. Click Delete to remove the selected application hash or
folder. To view additional information about the hash database, click Properties.
To close the hash database viewer, click Close.

You can also use the standalone Application Hash Database Tool, DLExeHasher.exe, to view, edit and merge
hash databases.

Click Database content and then click Merge to add the content of another database.
Type or select the path of the database file containing the entries to be added and then click OK.
DriveLock merges the database content and then displays the template properties again.

Even if you are using a whitelist rule based on a hash database of all installed applications to control a computer,
it is recommended that you also use the special application rules for programs that are part of the operating
system. DriveLock loads these special rules faster than data from the hash database, so they are available
earlier to the DriveLock Agent when Application Control starts. For more information about special rules, refer
to the section "Using Special Rules".
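To make the scan and merge behaviour described above concrete, here is an added PowerShell example. It is my own code for this guide, not DriveLock's and not a substitute for DLExeHasher.exe or the console dialog: it walks a directory tree (local or UNC), hashes every program file with MD5 (the algorithm DriveLock's hash rules use), collapses duplicates by hash, and merges only new hashes into an existing CSV file. The CSV layout, the script name and the -ReportOnly switch are assumptions made for this example; DriveLock's own database format is not documented on this page.

```powershell
# Added example, not DriveLock's code. Builds a deduplicated MD5 hash list
# for every program file below $ScanPath and merges it into $DatabaseCsv
# (a CSV layout assumed for this example, not DriveLock's own format).
# With -ReportOnly it instead lists files whose hash is NOT yet in the CSV,
# i.e. what a whitelist rule built from that database would block.
param(
    [Parameter(Mandatory)] [string] $ScanPath,                 # local directory or UNC path
    [Parameter(Mandatory)] [string] $DatabaseCsv,
    [string] $SystemName = $env:COMPUTERNAME,                   # "Comment (System name)"
    [switch] $ReportOnly
)

$programExtensions = @('.exe', '.dll', '.com', '.scr', '.ocx', '.sys')

# Key the existing database by hash: identical files in different folders
# collapse to one entry, and a re-scan only adds what is genuinely new.
$db = @{}
if (Test-Path -LiteralPath $DatabaseCsv) {
    foreach ($row in Import-Csv -LiteralPath $DatabaseCsv) { $db[$row.MD5] = $row }
}
$countBefore = $db.Count
$missing = New-Object System.Collections.Generic.List[string]

Get-ChildItem -LiteralPath $ScanPath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $programExtensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
        if ($db.ContainsKey($hash)) { return }        # duplicate, or already in the database
        if ($ReportOnly) {
            $missing.Add(("{0}  {1}" -f $hash, $_.FullName))
            return
        }
        $db[$hash] = [pscustomobject]@{
            MD5       = $hash
            FileName  = $_.Name
            FirstPath = $_.FullName                   # informational only; rules match on the hash
            System    = $SystemName
            ScannedAt = (Get-Date).ToString('s')
        }
    }

if ($ReportOnly) {
    $missing
    "{0} program file(s) not covered by {1}" -f $missing.Count, $DatabaseCsv
} else {
    $db.Values | Sort-Object FileName | Export-Csv -LiteralPath $DatabaseCsv -NoTypeInformation
    "{0} new hash(es) added, {1} total in {2}" -f ($db.Count - $countBefore), $db.Count, $DatabaseCsv
}
```

Run it once as `.\New-HashDatabase.ps1 -ScanPath 'C:\Program Files' -DatabaseCsv .\hashes.csv` to build the baseline, then again with `-ReportOnly` after a software update to see which new program files a whitelist rule built from that baseline would block. Because the merge is keyed on the hash, running the scan against a second directory or a second computer is the same differential operation the guide describes.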

16.3.2 Using Publisher Certificate Rules


Software publisher certificates can be used to verify the publisher of software, the software version and other
attributes of a program file. Certificates are issued by a Certificate Authority (CA) that verifies a software publisher’s
identity. The publisher then signs the software with this certificate. DriveLock can check program files to verify that
they were signed using a certificate that was issued by a trusted CA and to ensure that the program file was not
modified since it was signed. Once the validity of the program file has been verified, the DriveLock Agent compares
the information in the software publisher’s certificate and the program version with the rules in your policy and
allows or blocks access according to these rules. Use publisher certificate rules to configure which information
DriveLock checks and whether programs are allowed or blocked based on this information.


To create a certificate rule, right-click Publisher certificate rules and then click New -> Publisher certificate rule.

You can enter whitelist rule values manually. However, it is easier and quicker to select a program file on the
computer’s hard disk and let DriveLock extract the information from it: click the “…” button and then select a
program.
If the program was signed using a software publisher certificate, DriveLock automatically populates the text fields
with the data from the certificate.
In the Description field, type a description and then click OK or Apply.


You can edit the data in the dialog box. You can also use wildcards (* or ?) to create rules that match multiple
certificates. The fields Subject and Issuer must contain data. Use the asterisk (*) wildcard character to create a rule
that matches all data in a certificate field.

You can only use wildcard characters at the end of a text field. Rules that contain wildcard characters in any
other position are not enforced correctly.

The unique ID can be the serial number or the certificate’s thumbprint. If you use a serial number, you must select Serial
number from the drop-down menu before you click the “…” button to select a file. Otherwise the thumbprint is read
from the certificate.
When using a publisher certificate rule you can specify a version number to prevent users from running a different
or older version of the program. For example, you can allow Acrobat Reader® version 8.1 or higher and block all
older versions that may contain known security flaws. Select the appropriate option from the version drop-down
menu and then type a version number in the field on the left in one of the following formats: #.#, #.#.# or #.#.#.#.
By default the rule type is set to whitelist rule. You can change it to blacklist rule by selecting this rule type from the
drop-down menu. Type a comment in the comment field to save additional information about this rule.
Click OK to close the Properties window and save the rule.
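The checks a publisher certificate rule performs (valid signature from a trusted CA, unmodified file, Subject and Issuer match with a trailing wildcard only, optional thumbprint or serial number, minimum version in #.#, #.#.# or #.#.#.# form) can be reproduced on the command line to test a rule before deploying it. The following is an added PowerShell example (Windows PowerShell 5.1 or later) written for this guide; it is not DriveLock's code and does not use DriveLock's own matching engine, so treat it as a way to predict what the rule will see, not as the rule itself. The function and parameter names are my own.

```powershell
# Added example, not DriveLock's code. Evaluates a program file against a
# publisher certificate rule using the same fields the rule dialog uses:
# Subject, Issuer, unique ID (thumbprint or serial number) and a minimum
# version. Wildcards are honoured only at the END of a field, which is the
# limitation the guide documents for DriveLock rules.
function Test-FieldMatch {
    param([string] $Pattern, [string] $Value)
    if ($Pattern -eq '*') { return $true }                       # "any value" rule field
    if ($Pattern.EndsWith('*')) {
        $prefix = $Pattern.TrimEnd('*')
        return $Value.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
    }
    return [string]::Equals($Pattern, $Value, [System.StringComparison]::OrdinalIgnoreCase)
}

function Test-PublisherCertificateRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Subject,      # e.g. 'CN=Adobe Inc.*'
        [Parameter(Mandatory)] [string] $Issuer,       # '*' matches any issuer
        [string] $UniqueId,                             # optional thumbprint or serial number
        [ValidateSet('Thumbprint', 'SerialNumber')] [string] $UniqueIdType = 'Thumbprint',
        [version] $MinimumVersion                       # '8.1', '8.1.0' or '8.1.0.0'
    )
    $deny = { param($why) [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = $why } }

    # 1. The signature must chain to a trusted CA and the file must be unmodified.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return (& $deny "signature status is '$($sig.Status)'") }
    $cert = $sig.SignerCertificate

    # 2. Compare the certificate fields with the rule (trailing wildcard only).
    if (-not (Test-FieldMatch $Subject $cert.Subject)) { return (& $deny "subject '$($cert.Subject)' does not match") }
    if (-not (Test-FieldMatch $Issuer  $cert.Issuer))  { return (& $deny "issuer '$($cert.Issuer)' does not match") }
    if ($UniqueId) {
        $actual = if ($UniqueIdType -eq 'SerialNumber') { $cert.SerialNumber } else { $cert.Thumbprint }
        if ($actual -ne $UniqueId) { return (& $deny "$UniqueIdType $actual does not match the rule") }
    }

    # 3. Build the version from the numeric parts: VersionInfo.FileVersion is
    #    free text (often with a build tag) and does not reliably parse as [version].
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($MinimumVersion -and ($fileVersion -lt $MinimumVersion)) {
        return (& $deny "version $fileVersion is older than $MinimumVersion")
    }

    [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "signed by '$($cert.Subject)', version $fileVersion" }
}

# Illustrative call: a rule that accepts Microsoft Windows binaries of any issuer, version 10.0 or newer.
Test-PublisherCertificateRule -Path "$env:SystemRoot\System32\notepad.exe" `
    -Subject 'CN=Microsoft Windows*' -Issuer '*' -MinimumVersion '10.0'
```

The order of the checks matters: a tampered or unsigned file is rejected before any field is compared, which is also why the guide's "Program file detail information cannot be extracted" special rule exists as a separate fallback. Note that a rule with a wildcard in the middle of a field (for example `CN=*Reader`) would be accepted by this helper's `EndsWith('*')` test only as a literal string, mirroring the guide's warning that such rules are not enforced correctly.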

16.3.3 Using File Owner Rules


In Microsoft Windows all files, including program files, are assigned an owner. In most cases the file owner is
“SYSTEM”, the local administrators group or a user account. Each time new software is installed on the computer the
file owner attribute is set as follows:
· If the current logged-on user is a member of the local administrators group, this group becomes file owner.

· If the current logged-on user is not a member of the local administrators group, the user becomes file owner.

You can also manually set the file owner for a single file, a single folder or for a folder and all files and directories
below it.


You can use file owner rules to allow users to start all applications that have a specific file owner. For example, you
can use such a rule to authorize all programs that were installed by an administrator or by a trusted installer
account, while blocking all applications that were installed by other users. Note that with such a rule, programs that
do not need to be installed (for example portable tools that a user copies to the computer and therefore owns) are
also blocked.

If your software deployment mechanism uses a dedicated installation account with administrative rights, or if
users don’t have local administrative rights, file owner rules are the easiest and most effective solution to
allow authorized applications with a minimum number of rules.

To create a file owner rule, right-click File owner rules and then click New -> File owner rule.


Select Administrators group (Builtin\Administrators) to create a rule that covers all local administrators.
Click the “…” button to select a user or group from Active Directory.
To manually specify a user name or group, select User or group (by name) and type the name.
By default the rule type is set to whitelist rule. You can change it to blacklist rule by selecting this rule type from the
drop-down menu. Type a comment in the comment field to save additional information about this rule.
Click OK to close the Properties window and save the rule.

If you assign a group, the file owner must be the group, not a member of that group.
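Before enabling a file owner whitelist rule it is worth auditing which program files on a reference computer the rule would actually cover, because the owner check is exact: a file owned by an individual administrator account is not matched by a rule for BUILTIN\Administrators, and files under C:\Windows are typically owned by NT SERVICE\TrustedInstaller rather than by Administrators. The following added PowerShell example is my own code for this guide, not DriveLock's; the function names and the default list of trusted owners are assumptions chosen to illustrate the point, and the second function shows the remediation for a file that was copied rather than installed.

```powershell
# Added example, not DriveLock's code. Reports which program files under a
# path would be allowed or blocked by a file owner whitelist rule. The
# owner must be exactly one of the trusted principals: a group as owner,
# not a member of that group, which is the caveat the guide states.
function Get-FileOwnerRuleReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedOwners = @('BUILTIN\Administrators',      # assumed rule principals
                                      'NT AUTHORITY\SYSTEM',
                                      'NT SERVICE\TrustedInstaller')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.com', '.scr' } |
        ForEach-Object {
            $owner = (Get-Acl -LiteralPath $_.FullName).Owner
            [pscustomobject]@{
                Path    = $_.FullName
                Owner   = $owner
                Allowed = ($TrustedOwners -contains $owner)   # -contains compares strings case-insensitively
            }
        }
}

# Remediation for a file a user copied rather than installed: hand it to
# the Administrators group so the whitelist rule covers it. Requires an
# elevated session, and changes who can later re-ACL the file, so use it
# deliberately rather than as a blanket fix.
function Set-OwnerToAdministrators {
    param([Parameter(Mandatory)] [string] $File)
    $acl = Get-Acl -LiteralPath $File
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -LiteralPath $File -AclObject $acl
}

# Usage (example path): list everything the rule would block.
Get-FileOwnerRuleReport -Path 'C:\Tools' | Where-Object { -not $_.Allowed } | Format-Table -AutoSize
```

Run the report against the program directories of a freshly deployed machine; anything listed as not allowed either needs its owner corrected, a dedicated installation account added to the rule, or a different rule type (publisher certificate or hash). Operating system files owned by TrustedInstaller are the main reason the guide recommends combining file owner rules with the special rules for Windows components.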

16.3.4 Using Hash Rules


A hash rule specifies a single application based on a unique hash value of the program that DriveLock compares to
the hash value of programs that users attempt to start. If the values match, the rule is applied.


Right-click Hash rules and then click New -> MD5 hash rule.

To identify the application by using its file name, type the full path and file name or click “…” next to the File Name
field and then select the file.
To select a currently running application, or to select an application from the application database that is included
with DriveLock or the online database, click the “…” button next to the MD5 Hash field.


You can also connect to a remote computer where the DriveLock Agent is installed to scan for programs that are
currently running on that computer.

To establish a connection to a remote computer running Windows XP SP2 or higher with the Windows Firewall
enabled, you must configure the firewall settings to allow incoming connections on TCP port 6061 (default)
for the program “DriveLock”.

To access the application database, click the corresponding tab.


Click OK to add the program to the rule.
Starting with DriveLock 5.5 R2 you can select applications from an online database that contains several million
applications. To select a program from this database, click the Online database tab.
DriveLock connects to the online database over the Internet. If the connection fails, an error message appears.
Otherwise DriveLock displays the contents of the online database.


Select the manufacturer of the application you want to add, select the application and then click OK.
When you have selected the application, DriveLock automatically adds the application name, file name and file
hash. You may also add a comment.
Click OK to complete the rule.

16.3.5 Using Special Rules


Open Applications / Application rules / Special rules, right-click and then click New / Special rule.


These special rules should only be used as whitelist rules.

Program file is part of the Windows operating system


· includes all programs protected by Windows File Protection (WFP)

Include additional operating system add-ons covers programs in:

· C:\windows

· C:\windows\system32

· C:\windows\servicing

· C:\windows\pchealth\helpctr\binaries (Help Center)

· C:\windows\application compatibility scripts

· C:\windows\explorer.exe

· C:\Program Files\Internet Explorer

· C:\Program Files\Windows Defender

The program is a component of DriveLock


· all programs in the DriveLock installation directories

The program is part of the .NET Framework


· all programs in C:\Windows\Microsoft.NET

Windows Automatic Updates are being installed


· all processes initialized by the Windows Update Agent

Program file detail information cannot be extracted


· can be used as a fallback if for any reason DriveLock is not able to access or read information details from a
specific file

Any program is started.


· can be used in conjunction with rule limitations for example, to allow access to all programs for the
Administrators group, optionally including a user approval before executing the process.

Predictive whitelisting (machine learning)


Open Applications / Application rules / Special rules, right-click and then click New / Predictive whitelisting rule.
· This rule overrides the global Predictive and local whitelist settings. For more information, read the chapter
Predictive Whitelisting.


16.3.6 Other Application Rules

16.3.6.1 Using file path rules

A file path rule specifies a folder or file on the computer. When a user attempts to start this program or a program
from this folder, the rule is applied.
Right-click Other rules and then click New -> File path rule.


Click “…” next to the Path field to select a file or a folder, depending on whether you have selected the “Check for whole
directory (not file name)” checkbox. DriveLock automatically adds the application name to the Description field, but
you can change this text and type an optional comment.

If you select the Check for whole directory (not file name) checkbox, DriveLock checks the entire directory for the
specified path when a program is started. This means that the rule also applies to programs that are started
from a subdirectory.

You can use wildcard characters (? for a single character or * for multiple characters) to make a single rule
apply to multiple programs.

16.3.6.2 Using Application Templates

Application templates can contain one or more applications that the DriveLock Agent blocks (blacklist) or allows to
be started by a user (whitelist).

Right-click Application templates and then click New -> Application template.


Select the rule type and then type a description and an optional comment with more information about the template.
Click the Applications tab to configure the applications in the template.

To edit the settings for an application in the list, select the application and then click Edit. Click Remove to delete an
application from the list.


16.3.6.2.1 Adding a single application

To add a single application to the list, click Add.

To identify the application by using its file name, type the full path and file name or click “…” next to the File Name
field and then select the file.
To select a currently running application, or to select an application from the application database that is included
with DriveLock, click the “…” button next to the MD5 Hash field.

You can also connect to a remote computer running the DriveLock Agent to list the programs that are currently
running on that computer.

To establish a connection to a remote computer running Windows XP SP2 or higher on which the Windows
Firewall is enabled, you must configure the firewall settings to allow incoming connections on TCP port 6061
(default) for the program “DriveLock”.

To access the application database, click the corresponding tab.


You can select applications from an online database that contains several million applications. To select a program
from this database, click the Online database tab.
DriveLock connects to the online database over the Internet. If the connection fails, an error message appears.
Otherwise DriveLock displays the contents of the online database.
Select the manufacturer of the application you want to add, select the application, and then click OK. When you have
selected the application, DriveLock automatically adds the application name, file name and file hash.
Click OK to add the program to the template. To add additional applications, repeat the preceding procedure.


16.3.6.2.2 Adding a set of applications

To add a set of applications to the list, click Import.

Use the import function to configure application templates for well-known software products that are
included in the extensive DriveLock online database, such as Microsoft Office and Adobe Acrobat. Many of
these products contain multiple program files, and selecting the product from the database adds all of these
program files in a single step.

To select a program from the online database, click the Online database tab.
Select a vendor and product.
Click OK to import all program files that are included in the selected product or application.
DriveLock connects to the online database and imports the hash values for all program files.

16.4 Scanning/Blocking DLLs


When executable programs are scanned/blocked, DriveLock scans the executable while the Windows operating
system loads it into memory. Depending on the result of the scan and the rules configured in the DriveLock
policy, DriveLock then allows or denies execution of the program.
Scanning/blocking DLLs works the same way in principle. When a program loads DLLs, each DLL is scanned and
assessed while it is loading. If a DLL must be blocked, the calling program is terminated.

Scanning/Blocking DLLs requires a license for DriveLock Smart AppGuard.

If you plan to activate Application Control in whitelist mode including DLLs, make sure that you do not block any
DLLs that your system needs in order to run properly.

Windows installs many DLLs that are neither marked as part of the operating system nor of the .NET Framework,
and not all of them are located in the Windows system directory. Some DLLs might not even carry a (valid) Microsoft
signature. Because of this, none of the predefined special rules cover such DLLs.
Example:
By default, some Windows versions install Microsoft OneDrive. OneDrive is installed in the user profile and is not
part of the operating system. Unfortunately, OneDrive EXEs/DLLs are loaded by Windows Explorer, so Windows
Explorer will be terminated if these executables are not whitelisted in your rule set.

Best practice:
We strongly recommend that you configure Predictive Whitelisting before you activate DLL blocking. In any case,
start in simulation mode, validate the Application Control events and whitelist any DLLs your system expects to be
allowed before you enforce the rules.

16.5 Predictive Whitelisting


Predictive whitelisting (machine learning) is designed for computers in industrial environments that control
manufacturing. Unlike office computers, these computers run a wide variety of software and need an individual
local whitelist for Application Control. If a computer is switched into learning mode, all programs that are written
or executed are added to the local whitelist (hash database) automatically. When learning is complete, the local
whitelist becomes active automatically and only the "learned" programs can be executed. To install or update
programs at a later time, learning mode can be activated temporarily for the duration of the installation or update.


Predictive whitelisting requires a license for DriveLock Smart AppGuard.

Predictive and local whitelist


Open Applications / Settings / Predictive and local whitelist.

Enable local whitelist


When the rule is applied to a computer for the first time, the DriveLock Agent starts learning mode and, once learning
is complete, applies the local whitelist it has learned. If a local whitelist already exists, the existing one is used.
You can therefore switch predictive whitelisting off to deactivate it, and when you switch it on again the existing
whitelist is used again.
To check the state of the local whitelist, use Agent Remote Control, connect to a computer and open Properties /
Application Control. Click Relearn local whitelist to recreate the local hash database.
The local whitelist is incrementally merged into the application database stored on the DriveLock Enterprise
Service (DES). You can select hashed applications from this global application database when you create a hash
rule.

Enable predictive whitelisting


Prediction based on publisher certificates means that DriveLock uses heuristics to recognize updates of
installed software even when the publisher certificate is not identical. DriveLock automatically adds such updates to
the local whitelist.

Install or update new software with machine learning on


To install or update programs while the local whitelist is active (when they are not recognized by prediction), you
have to temporarily unlock Application Control and switch learning mode on. Select the appropriate settings on the
Application Control page of the unlock wizard. Install or update the new software during the unlock period.


Autoupdate of software when machine learning is On


If you run software that includes an auto-update mechanism, such as Google Chrome or Foxit PDF Reader, and
predictive whitelisting is active, you have to configure rules for the auto-update process so that it is allowed to run
and uses learning mode.
In your policy, open Applications / Application rules / Other rules / Filename or path rules, right-click and then click
New / File path rule. For example, a file path rule for the Foxit Reader updater (C:\Program Files (x86)\Foxit
Software\Foxit Reader\FoxitUpdater.exe) makes the updater a trusted process and enables machine learning for all
executables written by FoxitUpdater and its child processes during the update.

16.6 Configuring Common Rule Settings


You can limit how and when application rules are applied by configuring the following settings. To save the changes,
click Apply or OK.


16.6.1 Configuring User Settings


To configure which users the rule applies to, click the “Permissions” tab.

Select one of the following options:


· Everyone: The rule applies to any user.

· Defined users and groups: The rule only applies to the users or groups you add to the list.

Click Add to add a user or group to the list. To remove a user or group from the list, select the user or group and then
click Remove.

16.6.2 Configuring time limits


Click the Time limits tab to configure when a rule applies. If you want a rule to be active only during a certain time
(for example only on Wednesdays, or on weekdays between 9 A.M. and 5 P.M.) you can specify time limits for the
rule. You can also specify a start and end date for a whitelist rule.


First click one or more rectangles to select the appropriate time block or blocks, an entire column or a row, and then
select “Rule active“ or “Rule not active“.

16.6.3 Configuring Computer Settings


Use the “Computers” tab to select the computers to which the rule is applied.

Select from the following options:


· Activate this rule on all computers


· Activate this rule only on the specified computers

· Exclude the specified computers from this rule

Click Add to add more computers to the list.

16.6.4 Configuring network limitations


Click the Networks tab to configure whether the rule is applied only in certain network locations. For more
information about network locations, refer to the DriveLock Administration Guide.

Select from the following options:


· Activate this rule in all network locations

· Activate this rule only in the specified network locations

· Exclude specified network locations from this rule

Click Add to add network locations to the list.

Part XVII
Systems management

17 Systems management

17.1 Settings
17.1.1 Client Compliance
This option lets you configure which parameters are checked on each PC to determine its compliance state.
If the predefined parameters do not fit, use the Commands tab to configure your own commands (an executable or
script). Ideally, add these commands to the policy file storage first and select them from there. The Agent runs the
commands on every PC; a command must return 1 for compliant and 0 for non-compliant.

The DriveLock Control Center (DCC / Helpdesk) displays the compliance state of any PC in detail.
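The return-value convention above is the reverse of the usual Windows exit-code meaning (0 = success), so a compliance script has to set its exit code deliberately. The following added PowerShell example, my own code for this guide and not DriveLock's, shows the shape such a command can take: it runs several checks, treats a check that cannot run as a failure rather than a pass, prints the reason for the Control Center operator, and exits with 1 or 0 as the guide requires. The three checks are illustrative; replace them with whatever your policy considers compliant.

```powershell
# Added example, not DriveLock's code: a compliance command for the
# Commands tab of Client Compliance. Per the guide, the command must
# return 1 when the computer is compliant and 0 when it is not, which is
# the opposite of the usual exit-code meaning, so the "exit" lines below
# are deliberate. The individual checks are illustrative choices.
$checks = @(
    @{ Name = 'All firewall profiles enabled'
       Test = { @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0 } },
    @{ Name = 'Defender real-time protection on'
       Test = { (Get-MpComputerStatus).RealTimeProtectionEnabled } },
    @{ Name = 'SMBv1 server disabled'
       Test = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol } }
)

$failed = foreach ($check in $checks) {
    try {
        if (-not (& ($check.Test))) { $check.Name }
    } catch {
        # A check that cannot run (missing module, access denied) counts as
        # a failure, never as a silent pass.
        "{0} (check failed to run: {1})" -f $check.Name, $_.Exception.Message
    }
}

if ($failed) {
    Write-Output ("NON-COMPLIANT: " + ($failed -join '; '))
    exit 0      # DriveLock convention: 0 = non-compliant
}
Write-Output 'COMPLIANT'
exit 1          # DriveLock convention: 1 = compliant
```

Because the Agent executes the command under its own service account on every PC, keep the script in the policy file storage as the guide suggests, so that a user cannot edit a locally stored copy into one that always exits 1.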

17.1.2 Configuring Hardware and Software Inventory


The DriveLock Agent can scan the computer at regular intervals for currently connected hardware and installed
software and send this data to the DriveLock Enterprise Service. You can use this information to create reports that
show which software and patches are installed on computers in your organization.
The global settings for inventory collection determine whether the DriveLock Agent collects inventory data, which
data to collect and when.


In the console tree, click Global configuration and then click Settings. In the task pane, click Collection of inventory
data.


To enable the collection of inventory data, select the Enable collecting inventory data checkbox. Then select the
appropriate checkboxes to configure the types of inventory data the client will collect. Finally, configure the time
interval and starting time for the inventory data collection.

Collecting inventory data uses system resources. If you configure the Agent to scan each time the service starts,
inventory collection may be delayed by a few minutes to prevent a slow startup experience for users.

17.2 Power management


In a DriveLock policy you can schedule when the computer sleeps, pauses, powers off or powers on, and which
Windows power plan is used at which time. Open Systems management / Power management / ... / New and select
the appropriate action or plan.

17.3 Self-service groups


Self-service groups allow authorized users to temporarily unlock DriveLock Agents without using the
DriveLock Management Console (MMC) or the DriveLock Control Center (DCC).
If you are not familiar with unlocking Agents, read the chapter Unlocking Agents first. Unlocking via self-service
uses the same settings and mechanism.

Example:
Industrial robots need new software to be installed, and the robots are protected by DriveLock Device Control (DC)
and DriveLock Application Control (AC). To install the new software from a USB stick, the robots have to be
unlocked temporarily.
When the machine operator plugs in the USB stick, a logon window appears where they can authenticate. If they are
authorized, the unlock wizard starts and they can unlock drives, devices and applications. Now they are able to run
the setup from the USB stick.


17.3.1 Configuring self-service groups


In your DriveLock Policy open Systems management / Self-service groups to add a new group (right click / New / Self-
service group) or to edit (double click) an existing group.


Self-service options
Here you configure the user experience of the self-service wizard and decide which options the user is shown.
Tab General: enter a short description and a comment to identify this self-service group. Use the End-user
information field to display an explanation for the user of when and how to use this rule. The text is shown in the
wizard if more than one self-service group is configured and the user selects one of them.
Tab Self service: only the device types and modules that are checked here can be unlocked through the wizard.
If you select the simple module selection page in the wizard, the user gets exactly these options and no
advanced options are offered. Otherwise the user can select devices more granularly, and advanced options may be
offered on a following page.

Allow automated temporary unlock: This option is for experts only. Read white paper Self-Service Automatic Unlock
feature or ask DriveLock Consulting Services for more information.

Users and Computers


Select the Windows users who are allowed to use the unlock wizard. Then add the computers on which these users can
unlock Agents using the wizard. If you only add < local computer >, the user can unlock any computer where this
policy applies and where they can start the unlock wizard locally. You may also add computers, computer groups or
OUs from Active Directory, or simply enter computers By name. The wizard then displays a list of computers from
which the user can select the computers to unlock remotely, either from the list or from the Active Directory
structure.


Export/import self-service groups


Open Systems management / Self-service groups, right-click and then click All Tasks to export/import self-service
groups to/from a CSV file. You can use the export as a template to duplicate existing groups for other users and/or
computers.

For the import:


· don't modify existing headers

· additional columns will be ignored

· if the value for Unique ID is empty a new entry will be created, otherwise the existing entry will be updated

· AD read permissions are required, to perform the import

Ask DriveLock consulting services for more information.

17.3.2 Start the self-service wizard


By default, the self-service wizard is not offered to end users. You have to enable the required options in
the policy. Open Global configuration / User interface settings / Agent and awareness campaign user interface
settings.
· Start the self-service wizard from the DriveLock User Interface: tab General, check Unlock via self-service wizard.

· Start the self-service wizard from the Start menu: tab Start menu, check Show link to self-service wizard in
Start menu.

· Start the self-service wizard from the taskbar icon: Global configuration / User interface settings / Taskbar
notification area settings / tab Options, add Self-service.
You can also configure the self-service wizard to start when a usage policy applies:


· In any rule (basic rule or whitelist rule) that includes a usage policy the user has to accept before the rule is
applied, you can configure that the self-service wizard starts as soon as the user accepts the usage policy. In the
rule, open the Messages tab and check Launch self service unlock after accepting usage policy.

· If a user other than the one logged on to Windows should accept the policy, check Require password for
accepting usage policy, Ask for and validate Windows password and Allow authorized user login. Click Authorized
user to edit the list of users who are allowed to do so, and check Enable "logon as user" option by default. The
self-service wizard then runs as the authorized user.



Part XVIII
Using Agent Remote Control

18 Using Agent Remote Control


You can use the DriveLock Management Console to connect to a remote computer with the DriveLock Agent running.
Available options for remote control include temporarily enabling a category of drives on a remote computer or
updating the DriveLock configuration by forcing the Agent to update its Group Policy or configuration file settings.
When used in conjunction with the DriveLock Enterprise Service (DES), you can also control the Agent status. Agent
Remote Control lets you display inventory data or manually start a hardware and software inventory collection.
Agent remote control requires the DriveLock Management Console and is not available in the Group Policy Object
Editor you use to configure GPO-based policies. However, you can use the DriveLock Management Console to
connect to DriveLock Agents that are configured via a Group Policy.
DriveLock uses the HTTP(S) protocol to connect to remote computers. To establish a connection to a remote
computer, DriveLock must be installed and running on the client computer. To establish a connection to a computer
running Windows XP SP2 or later with the Windows Firewall enabled, you must allow incoming connections to
TCP port 6064 (default) or 6065 (for SSL connections) and the program “DriveLock” in the firewall settings.
By default, the DriveLock Management Console uses Quick Configuration using DNS-SD to discover and display
all DriveLock Agents in the same network. As an alternative, you can configure the DriveLock Management Console to
get the list of all DriveLock Agents from the DriveLock Enterprise Service (DES).
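The PowerShell commands below are an added example, not from the DriveLock documentation, of creating the inbound Windows Firewall rule the paragraph above describes on a client, and of checking it from the console side. The ports (6064 plaintext, 6065 SSL) and the program name come from the page; the executable path, the management subnet 10.20.30.0/24 and the computer name are assumptions. Scoping the rule to the subnet the consoles sit in keeps the remote-control listener unreachable from the rest of the network.

```powershell
# Added example (not DriveLock's own code): inbound firewall rule for Agent
# remote control, restricted to the management network.

$agentExe = 'C:\Program Files\DriveLock\DriveLock.exe'   # assumed install path; verify on your clients
$mgmtNet  = '10.20.30.0/24'                               # constructed example: subnet of the admin consoles

if (-not (Test-Path $agentExe)) { throw "Agent executable not found at $agentExe" }

# One rule covering both ports. 6064 is unencrypted, 6065 is the SSL port; if you
# later set "Enforce SSL connection for remote control", 6064 can be dropped here.
New-NetFirewallRule -DisplayName 'DriveLock Agent remote control' `
    -Description 'Allow DriveLock Management Console / DCC to reach the Agent' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 6064, 6065 `
    -Program $agentExe -RemoteAddress $mgmtNet -Profile Domain | Out-Null

# Show what was actually applied (ports and remote address scope).
$rule = Get-NetFirewallRule -DisplayName 'DriveLock Agent remote control'
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# From the console computer: confirm the SSL port answers before troubleshooting
# the Console itself. SALES-PC01 is a constructed example name.
Test-NetConnection -ComputerName 'SALES-PC01' -Port 6065 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

A failed TcpTestSucceeded from the console subnet points at the firewall or at the Agent service not running; a success from an address outside the subnet means the scope was not applied as intended.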

18.1 Viewing Agents


By default, the DriveLock Management Console displays all Agents it discovers in the network under Operating ->
Agent remote control. The discovery is an automatic process using DNS-SD and requires no configuration.

In network environments where the use of DNS-SD is not desired or in routed networks that consist of several
segments you can configure the DriveLock Management Console to download a list of all Agents.




To configure how the list of Agents is obtained, in the console tree, right-click Operating -> Agent remote control and
then click Properties.

In the Agent remote control Properties dialog box, configure the following settings:
· Retrieve Agent computer list from DriveLock Enterprise Service: Select this checkbox to have the Console retrieve
the Agent list from a DES server and then select the server connection to use for this process. The list may
include Agents that are currently offline.

· Retrieve Agent computer list using DNS-SD: Use Quick Configuration announcements to build the list of Agents.
Only Agents that are online are displayed.

Permissions: On the Permissions tab, configure access to the Remote control node.
When viewing the Agent status in the Management Console, Agents that are offline are identified by an icon
containing a red square.
If all DriveLock Agents in your network are running DriveLock 6.0 or newer, select the Disable support for agents older
than DriveLock 6.0 checkbox. This deactivates the use of all ports that are no longer used by current versions of
DriveLock.
In environments where the DriveLock Management Console is run on a computer that is not in the same network as
the Agent, the DriveLock Enterprise Service can proxy this connection. For example, this can be used by a
Security-as-a-Service provider to connect to an Agent in a customer’s network. Change the setting Use remote control through
DriveLock Enterprise Service (proxy) to configure how the DriveLock Management Console connects to the client for
remote control:
· Always: The connection is always established via the DriveLock Enterprise Service.

· Never: The DriveLock Management Console always connects directly to the Agent without going through the
DriveLock Enterprise Service.

· On-demand: The DriveLock Management Console attempts to connect directly to the Agent. If the connection
attempt fails, a connection via the DriveLock Enterprise Service is attempted.




18.2 Performing Agent Tasks


You can use the DriveLock Management Console to perform a number of maintenance tasks on DriveLock Agents. You
can use the Helpdesk view of the DriveLock Control Center instead of the DriveLock Management Console to perform
the same tasks. The remote control procedures and dialog boxes in the DriveLock Control Center are identical to the
ones described here.

18.2.1 Connecting to a DriveLock Agent


Before you can perform any tasks on an Agent, you need to connect to it. To do this, right-click
an Agent that is displayed in the DriveLock Management Console and then click Connect.

If the Agent is not currently displayed, right click Agent remote control and then click Connect. Type the name or IP
address of the remote computer. To encrypt communications with the Agent, select the Use SSL checkbox. To connect
using a different user account, type the credentials for the account. Click OK to connect.

To establish a connection to a computer running Windows XP SP2 or later with the Windows Firewall enabled,
you must allow incoming connections from TCP Ports 6064 and 6065 (default) and the program “DriveLock” in
the firewall settings.

After the connection has been established, you can view the current configuration and control the DriveLock Agent.

18.2.2 Viewing the Agent Configuration (RSOP)


To display the current configuration (RSOP, or Resultant Set of Policy) on a client computer, right click the computer
and then click Show RSOP.




A new window opens that is similar to the DriveLock Management Console. To view details of the current settings
that are enforced by the Agent, expand the relevant node and select the configuration settings. All settings are read-
only and cannot be changed.

Click Generate report to view a configuration report that lists all current settings and all Group Policy Objects that
were applied to the computer.




To search for a text string in the report, press CTRL+F.

Click Applied Group Policy Objects to view the Group Policy Objects that have been applied to the computer by the
Windows Group Policy engine.

Right-click a GPO to view its properties or to edit it in the Group Policy Object Editor.
When you have finished viewing the Agent information, close the window.




18.2.3 Viewing Currently Attached Devices

To display the drives and devices currently attached to a client computer, right click the computer and then click
Properties, or double click the computer.




Use the buttons to force the client to refresh its Group Policy settings or to temporarily unlock devices.
On the Drives tab you can view all drives that are currently connected to the computer and whether they are
currently locked.




Select a drive and then click Details to view more information about the whitelist rules or filters that currently apply
to the drive.

The status of this drive is displayed (for example, whether it is blocked or access is allowed).




Click the Whitelist rules tab to view additional information about all whitelist rules that apply to this drive and
which whitelist rule is enforced.

Click the Filter templates tab to view additional information about file filter templates that apply to this drive and
which template is enforced.

You can use the list of whitelist rules and file filter templates to identify conflicts between competing rules or
templates when drive locking does not work as expected.




Use the other tabs to view information about currently used devices, smartphones and Group Policy Objects that
have been applied to the client computer and the status of Encryption 2-Go, Disk Protection and Antivirus.
Click OK to close the Properties window.




18.2.4 Manually Updating the Policy

To manually initiate a policy update on an Agent, right-click the computer and then click Properties. In the Agent’s
Properties dialog box, on the General tab, click Refresh policy. This is equivalent to refreshing the Group Policy by
using the Windows command “gpupdate /force” or re-loading settings from a configuration file or a centrally stored
policy from the DriveLock Enterprise Service.




18.2.5 Displaying Inventory Data

To display the inventory data of a computer, right-click the computer and then click Display inventory. All software
and hardware inventory data is displayed.

The data source information indicates whether the data was retrieved directly from the computer (when connected
using Agent Remote Control) or from the DriveLock database via DES.
Click the appropriate tabs to view information about drives, devices, networks, installed applications and updates.




Click OK to close the window.

18.2.6 Viewing the Disk Protection Status


To view a computer’s Disk Protection status, including the status of recovery keys, right-click the computer and then
click Disk Protection properties.

In the Encryption Properties dialog box, on the General tab, you can perform the following tasks:
· Re-upload recovery keys: If the recovery key status indicates that the keys have not been uploaded to a central
location (DES or file share), or if you need to upload the keys again for any reason, click Re-upload recovery
keys.




· Reconfigure Agent: You can temporarily change the Disk Protection settings for a single Agent. Most often this
is used during disk recovery to prevent the Agent from immediately starting to encrypt the disk again.
Click Reconfigure Agent to change the following settings for the computer:

· Override policy settings: Change the selected settings.

  · Install Disk Protection: Clear the checkbox to uninstall Disk Protection from the computer. Before
  Disk Protection is removed, all disks are decrypted and pre-boot authentication is disabled. This
  process can take several hours.
  · Enable pre-boot authentication: Clear this checkbox to disable pre-boot authentication on the
  computer.
  · Encrypt local disks: Clear this checkbox to decrypt all local disks. This process can take several
  hours.
For these options there are three settings: a filled (indeterminate) checkbox keeps the policy value, a checked
box switches the setting on, and a cleared box switches it off.

On the Users tab you can view all user accounts that are currently in the pre-boot authentication database and that
can be used to authenticate when the computer starts.

18.2.7 Manually Uploading Disk Protection Recovery Data


If the uploading of Disk Protection recovery data to the DES or a file share has been enabled in your policy, this data
is automatically backed up to the specified location. If you have not configured this setting or if you notice that the
recovery data is missing for any reason (for example, when monitoring Agents using the DriveLock Control Center),
you can manually upload this data to the configured location. To do this, right-click the computer, point to All Tasks
and then click Recreate/Upload Disk Protection recovery keys.




18.2.8 Manually Uploading Encryption 2-Go Recovery Data


If the uploading of Encryption 2-Go (removable media encryption) recovery data to the DES or a file share has been
enabled in your policy, this data is automatically backed up to the specified location. If you have not configured this
setting or if you notice that the recovery data is missing for any reason (for example, when monitoring Agents using
the DriveLock Control Center), you can manually upload this data to the configured location. To do this, right-click
the computer and then click Properties. On the Encryption tab the number of container recovery sets is displayed.
Click Recreate/Upload Encryption 2-Go recovery keys.

18.2.9 Viewing the Antivirus Status


To view the current Antivirus status of a computer, for example the status of definition updates, right-click a
computer and then click Antivirus properties. The same information can be accessed by clicking Antivirus properties
in the computer’s Properties dialog box on the Antivirus tab.
The Antivirus Properties dialog box displays information about the status of all antivirus components and scheduled
scans.




To initiate antivirus actions on the computer, click the following buttons:


· Start definition update: Initiates a definition update on the client computer.

· Deactivate virus scanning: Deactivates scanning on the computer until you re-activate this function.

· Reconfigure Agent: Temporarily override antivirus settings on the client computer. For more information
about the available settings, refer to the chapter “DriveLock Antivirus”.

· Start scheduled scan: If you have configured scheduled malware scans, select any of these scans and then click
this button to start the scan immediately using the settings you configured for it.

· Refresh: Refreshes the status information that is displayed in the dialog box.

On the Detections page you can view information about viruses or other malware that was detected on a client
computer, including infected files that were placed into quarantine. You can select one of these files and then
perform the following actions:
· Delete: Deletes the file from quarantine.

· Rescan: Rescans the file to determine whether it is still considered infected and whether it can be cleaned.
This is useful when definitions have changed since the file was placed into quarantine and the new
definitions may yield different results.

· Restore: The file is restored to its original location. If the file is still infected you are prompted to confirm this
operation.

· Refresh: Refreshes the status information that is displayed in the dialog box.

18.2.10 Viewing Disk Health Information (S.M.A.R.T.)


If you enabled the monitoring of Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.) data in your
policy, you can view the health status of hard disks on a client computer. To view this information, in the Agent’s
Properties dialog box, on the Drives page, select a drive and then click Properties. The disk’s current status is
displayed under Self-test status.




18.2.11 Activating Tracing


For troubleshooting you can configure the DriveLock Agent to record detailed diagnostics information about all
operations. This is called Tracing. Tracing creates files that can help DriveLock technical support to identify the
source of problems you may encounter, such as policy settings not being applied as expected. You should activate
tracing on an Agent only for troubleshooting and de-activate it when the required data has been collected.




To activate tracing on an Agent, right-click the computer and then click All Tasks -> Debug tracing.
A message appears, confirming that tracing has been activated.

To de-activate tracing on an Agent, right-click the computer and then click All Tasks -> Debug tracing.




18.2.12 Disconnecting from an Agent

To close the connection to an Agent, right-click the Agent and then click Disconnect.

18.3 Unlocking Agents


You can temporarily unlock Agents to temporarily disable restrictions that are configured in your policy. This lets
you respond quickly and flexibly to users who require access to a locked drive or device. For example, even though
you disable access to all USB flash drives, a user has a legitimate need to copy a presentation to such a drive.
Unlocking lets you temporarily give the user the required access without having to reconfigure your policy.

18.3.1 Configuring General Unlocking Settings


Different steps are required to initiate the process, depending on whether you unlock a single Agent or multiple
Agents, and whether you perform online or offline unlocking. The actions that are available for each of these
methods are identical and are described in the following sections.

18.3.1.1 Unlocking Drives, Devices and Smartphones

Select the type of drive, device or smartphone to temporarily unlock. For example, to unlock USB-connected drives,
select the USB bus connected drives checkbox.




When you select a class of drives or devices, such as USB-connected drives, access to all drives of this class
will be enabled. Unlocking a specific drive or device is not possible using temporary unlocking. If you need this
functionality, you need to create a whitelist rule instead.

18.3.1.2 Setting Time Limits and Suspending Restrictions

You can limit the time for which the unlocking is active and choose whether to suspend additional restrictions while a drive
is unlocked. For example, you can enable access for the next hour and disable file auditing during this period.
You can set the time during which unlocking is active in minutes or by specifying an end time. Unlocking remains
enabled for the configured time even if the computer is restarted.
When you unlock drives, you can select the following checkboxes to temporarily suspend additional restrictions:
· Disable filtering and auditing during unlock period: Users can read and copy files that would normally be
blocked based on file filtering rules. No auditing of file access is performed.

· Unlock encrypted portions of encrypted drives: Allow access to unencrypted portions of drives that are
encrypted using Encryption 2-Go. Commonly the Mobile Encryption Application (MEA) is stored on an
unencrypted portion of such a drive.

· Disable Application Launch Filter during the unlock period: Users can run applications that would normally be
blocked by the Application Launch Filter.

· Disable antivirus scanning during the unlock period: Realtime virus scanning is disabled during the unlock
period. This can expose the computer to infection by viruses and other malware.




You can also provide the reason for unlocking the Agent. This information can be used in reports.

18.3.2 Temporarily Unlocking a Single Online Agent




To temporarily suspend drive or device controls on a client computer, click Agent remote control, right-click the
remote computer and then click “Unlock”. (For more information about how to connect to Agents remotely, see the
section “Connecting to a DriveLock Agent”.)
Configure the unlocking settings as described in the section "Configuring General Unlocking Settings".
When you have configured all settings, click Finish to unlock the Agent. A confirmation dialog box appears.
Click OK to acknowledge the message.
If your policy is configured to notify users when an Agent is unlocked, a popup message appears on the computer
where you unlock drives or devices:

You can cancel unlocking, for example if you temporarily unlocked an online Agent by mistake.

Right click the remote computer and then click Stop unlock. A confirmation dialog box appears:
Click OK to acknowledge the message.

18.3.3 Temporarily Unlocking an Offline Agent


To unlock Agents that you cannot connect to over the network, use the following procedure. The process requires
both the user and the administrator to complete separate tasks. The user must start the “Unlock computer” wizard by
selecting “Control Panel (classic view) -> DriveLock” from the Start menu. The administrator must use the DriveLock
Management Console.
The procedure for unlocking offline Agents is described below. The first part consists of the steps that a user must
complete. The second part describes the steps an administrator must complete.

18.3.3.1 User Procedure to Unlock an Offline Agent

The user procedure is described in the DriveLock User Guide.

18.3.3.2 Administrator Procedure to Unlock an Offline Agent

In the DriveLock Management Console, right-click Agent remote control and then click “Unlock offline Agent“.




Type the offline unlocking password or provide the certificate that is specified in your policy.
You can import the certificate from a file or use a certificate from the Windows certificate store on the local
computer. To import a certificate from a file, click Import from file and then select the certificate file.
To use a certificate from the certificate store, click Import from store.

Select the certificate and then click OK.


Click Next to proceed.




Type the computer name and the request code provided by the user, and then click Next.

Depending on the configuration, the length of the request code may vary.

DriveLock verifies the data. If the activation code was generated more than one hour ago, this is indicated under
“Code age“.

The code provided by the user for unlocking the DriveLock Agent is only valid for one hour. If this time has been
exceeded, the user has to start the “Unlock computer” wizard again.

Click Next to continue.


Configure the unlocking settings as described in the section "Configuring General Unlocking Settings".
Click Next to display an unlock code.




Provide the unlock code to the user. The user will type the code in the wizard on the client computer.

Depending on the configuration, the length of the response code may vary.

Click Finish to close the wizard.

18.3.4 Temporarily Unlocking Multiple Agents




To temporarily suspend drive or device controls on multiple client computers, right-click Agent remote control and
then select “Unlock multiple Agents”.

Click Add and then click “Active Directory Computer or Group” to select computers from Active Directory or click “By
Name” to type computer names. The computers you select will be added to the list.
To remove a computer from the list, click the computer and then click Remove.
Click Next once you have selected all computers to unlock.

Type the port used to connect to the Agent if you configured a non-standard port for Agent communications. To
encrypt communications with the Agent, select the Use SSL checkbox.
To connect to an Agent by using a different user account, select the “Connect to Agent as user” checkbox and type the
user name, domain and password.
Click Next to continue.




Configure the unlocking settings as described in the section "Configuring General Unlocking Settings".
Click Next to unlock the computers.
After all computers have been unlocked, the results of the operation are displayed.

Click Finish to close the wizard.

18.3.5 Configuring Default Settings for Agent Remote Control


You can define the requirements and default settings for remote unlocking of Agents, either online or offline. To
configure these settings, in the DriveLock Management Console, go to Extended configuration -> Management console
-> Settings.




Click Remote control / Operating settings.

Enter the maximum duration for which an administrator can temporarily unlock a DriveLock Agent remotely. To not
restrict the unlocking duration, enter 0.




Select whether to make the option “unlock an Agent until a certain point in time” available to administrators.
To enable shorter request and response codes for offline unlocking, select the appropriate checkbox.

Using shorter request / response codes may prevent user errors, such as typing a wrong code, but they are
weaker and more vulnerable to brute force attacks.

Select the “Enforce SSL connection for remote control” checkbox to always encrypt any remote connections between
the Agent and the DriveLock MMC. To use non-default ports for communicating with Agents, type the port numbers in
the appropriate fields.
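The PowerShell script below is an added, generic illustration and not DriveLock's actual offline-unlock algorithm, which the guide does not describe. It models the two facts the offline procedure documents (the request code carries a "code age" and is valid for one hour, and the response code can be made shorter at the cost of strength) with a keyed MAC truncated to a configurable number of digits, and tabulates how many guesses per second an attacker would need to exhaust a code of each length within the one-hour window. The secret, the computer name and the unlock-settings string are constructed placeholders.

```powershell
# Added example (not DriveLock's own scheme): a request/response code model with
# a one-hour validity window, used to show the cost of shorter offline codes.

$secret = [Text.Encoding]::UTF8.GetBytes('constructed-example-secret-shared-by-agent-and-console')
$epoch  = [datetime]'1970-01-01'

# User side: the wizard emits a request code carrying computer name and issue time.
function New-RequestCode {
    param([string]$Computer, [datetime]$Now = (Get-Date).ToUniversalTime())
    $issued = [int64]($Now - $epoch).TotalSeconds
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$Computer|$issued"))
}

# Console side: "code age" shown to the administrator is derived from that timestamp.
function Get-CodeAge {
    param([string]$RequestCode, [datetime]$Now = (Get-Date).ToUniversalTime())
    $parts = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($RequestCode)) -split '\|'
    $Now - $epoch.AddSeconds([int64]$parts[1])
}

# Console side: the response binds request code and unlock settings under the shared
# secret, then truncates to $Digits decimal digits (the "shorter code" option).
function New-ResponseCode {
    param([string]$RequestCode, [string]$UnlockSettings, [int]$Digits = 12)
    if ((Get-CodeAge $RequestCode) -gt [timespan]::FromHours(1)) {
        throw 'Request code is older than one hour; the user must restart the wizard.'
    }
    $mac  = [Security.Cryptography.HMACSHA256]::new($secret)
    $hash = $mac.ComputeHash([Text.Encoding]::UTF8.GetBytes("$RequestCode|$UnlockSettings"))
    # Take 63 bits of the MAC as a non-negative integer and reduce to the code length.
    $v = [BitConverter]::ToInt64($hash, 0) -band [int64]::MaxValue
    ($v % [int64][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

# Agent side: recompute and compare without leaking which digit differed.
function Test-ResponseCode {
    param([string]$RequestCode, [string]$UnlockSettings, [int]$Digits, [string]$Entered)
    $expected = New-ResponseCode -RequestCode $RequestCode -UnlockSettings $UnlockSettings -Digits $Digits
    if ($expected.Length -ne $Entered.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ([int]$expected[$i] -bxor [int]$Entered[$i])
    }
    return ($diff -eq 0)
}

# Why the shorter-code option is weaker: guesses per second needed to try every
# code of a given length before the one-hour window closes.
function Get-BruteForceRate {
    param([int]$Digits)
    $space = [math]::Pow(10, $Digits)
    [pscustomobject]@{ Digits = $Digits; CodeSpace = $space; GuessesPerSecond = [math]::Round($space / 3600, 1) }
}

# Walk through one exchange with constructed values.
$req  = New-RequestCode -Computer 'SALES-PC01'
$resp = New-ResponseCode -RequestCode $req -UnlockSettings 'USB drives;60 minutes' -Digits 8
"Request: $req  Age: $((Get-CodeAge $req).TotalSeconds)s  Response: $resp"
"Valid:   $(Test-ResponseCode -RequestCode $req -UnlockSettings 'USB drives;60 minutes' -Digits 8 -Entered $resp)"

6, 8, 12 | ForEach-Object { Get-BruteForceRate $_ } | Format-Table -AutoSize
```

The table makes the trade-off concrete: a six-digit code can be exhausted at under 300 guesses per second inside the validity window, a twelve-digit code needs roughly a thousand times that. In this model the only things limiting an attacker are the code length and the one-hour expiry, which is why the short-code option should be reserved for cases where mistyped codes are a real support problem.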



Part XIX
Software Deployment and Update

19 Software Deployment and Update


With the push installation of DriveLock, the Agent can be installed on all designated PCs. For a manual push
installation, you either enter the names of the desired PCs manually in the DCC / Helpdesk or, if you have configured
the appropriate computer groups / OUs in Active Directory in the MMC, select the PCs for installation from the PC list
in the DCC / Helpdesk. If you enable automatic push installation in the MMC, the Agent is installed fully
automatically on the configured PCs, synchronized with the configured groups.
Once DriveLock is installed on a client computer, automatic updates ensure that the DriveLock Agent on client
computers is automatically updated as newer versions become available. Once you enable automatic updates, the
DriveLock Enterprise Service (DES) regularly checks whether Agent updates exist and downloads them as they become
available. Client computers then download updates from the DES and install them. For more details about this
process, refer to the section "Fully Automatic Updates".

19.1 Manually Updating DriveLock


In the DriveLock Management Console, in the console tree, select Product updates and support to view or change
settings for updates and other online content.

To directly access available DriveLock installation files without visiting the DriveLock Web site, click Product
packages and files.




DriveLock packages are Microsoft Installer (MSI) files that install a specific DriveLock component, such as the
DriveLock Agent or the DriveLock Control Center. To download one of the available software packages, right-click it
and then click Download. Once you have downloaded a package, you can install it on a computer manually or by
using any automatic software deployment mechanism your organization employs. To view the details of a software
package, right-click the package and then click Properties.

19.2 Publishing Software Packages


To simplify the deployment of DriveLock packages in organizations that use the DriveLock Enterprise Service (DES),
DES servers can automatically download new software packages as they become available and make them available
to computers running the DriveLock Agent or other DriveLock components.
By default, DES servers download all new update packages and then make them immediately available to computers
that are in a staging network. Some organizations may prefer to have more control over the deployment process. To
enable or disable the automatic publishing of product updates, in the DriveLock Management Console right-click
DriveLock Enterprise Services -> Servers -> <server name> and then click Properties. On the Update synchronization
tab, select or deselect the following checkboxes:




· Automatically publish new updates to production environment (default: not selected)

· Automatically publish new updates to staging environment (default: selected)

· By default, the Download Disk Protection updates checkbox is not selected. Select this checkbox to
automatically download updates to the DriveLock Disk Protection (FDE) component. Downloaded FDE updates
are used for new installations but the FDE component on DriveLock Agents is not automatically updated.
The following diagram illustrates the typical process for updating software in a managed environment where
updates are tested in a staging environment before they are rolled out to the production network:




To assign a client computer to the staging or production environment, run one of the following commands on the
client computer:
· drivelock.exe -setstaging -> Assigns the client to the staging environment

· drivelock.exe -setproduction -> Assigns the client to the production environment (default setting)

The assignment of a computer to the production or staging environment applies both to software updates and
antivirus definitions.

To determine which updates and antivirus definitions are distributed to client computers, you configure the staging
or production status of a software package or antivirus definition file. The steps for both are identical. When you
change the status of a package or definition file, the change takes effect on all DES servers.




The staging and production status can be one of the following:


· Published: Clients will download the package and install the update.

· Downloaded: Package has been downloaded to the DriveLock Enterprise Service but is not available to clients.

· Obsolete (downloaded): Package has been downloaded to the DES but is superseded by a newer package. The
package is not available to clients.

· Obsolete (published): Package has been downloaded to the DES but is superseded by a newer package. The
package is still available to clients until the newer version is published.

DriveLock installs a package only if the status is Published and a previous version of the same package is
already installed on the computer. For example, a published DriveLock Control Center (DCC) 7.0.9 package will
be installed on a client where version 7.0.8 of the DCC is installed but not on a client where the DCC is not
installed.

To change the status of a package, right-click the package and then click one of the following:
· Delete package: Remove the package from the DES. You can only delete packages that are not currently
published.

· Download: Download the package to the DES. Once the package has been downloaded, you need to publish it
to make it available to clients.

· Publish in staging / production: Make the package available to the staging or production environment.

· Unpublish from staging / production: Make the package unavailable to clients in the staging or production
environment.

When publishing antivirus definition updates, you only need to publish full definitions. Clients automatically
download and install incremental definition updates.


19.3 Push Installation of DriveLock


The push installation helps you deploy the DriveLock Agent to your users' PCs.
For the push installation, the DriveLock Enterprise Service (DES) regularly checks whether all PCs in the configured AD
groups / OUs have an Agent installed. If not, the administrator can select these PCs in the DriveLock Control Center
(DCC) / Helpdesk and initiate the installation. Alternatively, the administrator can configure in the MMC that the
installations are started fully automatically.
The administrator can also start a manual push installation in the DCC for particular PCs, independent of AD
groups / OUs.
The push installation uses an administrative account to push a DriveLock update service (DlUpdSvc) to the PC and
start it. DlUpdSvc downloads the published DriveLock Agent package from the DES and executes the installation.

The push installation only starts if both a 32-bit and a 64-bit Agent package are published for staging and for
production.

19.3.1 Per-Server Global Settings


The global settings for the push installation are configured in the MMC separately for each DES, so the settings for
several organizations can be kept apart easily.
Open MMC / DriveLock Enterprise Services / Agent push installation / Per-server global settings / <server name>

General
¨ Enable synchronization with Active Directory: if checked, the DES identifies the designated PCs from the
configured AD groups / OUs. PCs without a DriveLock Agent can then be selected and installed from
DCC / Helpdesk.

¨ Enable automatic push deployment: if checked, identified PCs without a DriveLock Agent are installed
fully automatically.

Default Settings: these settings are used for the automatic push installation and also as defaults when the push
installation is executed from the DCC.
Account for installation: this account requires administrative permissions on the local PC.

¨ Install in staging environment: if enabled, the PCs to be installed are assigned to the staging environment.

¨ Force reboot after installation: if enabled, the PCs are rebooted after the Agent installation without user
interaction.

Configuration type: select the type of policy and the policy to be used for the PCs.

19.3.2 Automatic Push Groups / OUs


Open MMC / DriveLock Enterprise Service / Agent push installation / Automatic push groups / OUs.
Select the computer groups or OUs from the AD to be used for the automatic push installation.
Right-click / New opens the dialog window.

19.3.3 Execute Push Installation

DriveLock Control Center / Helpdesk


Open DCC / Helpdesk to start a manual push installation.


If you want to install one or more PCs that are not listed as known PCs, open Install agent, select the appropriate
DES and enter the names of the PCs in Computer, or use the Computer Selection dialog to add computers, groups or
OUs from Active Directory, from an IP network scan or from the Network Neighborhood to the list.
If you have configured Enable synchronization with Active Directory and Automatic push groups / OUs in the MMC,
all PCs without an Agent installation are listed in Helpdesk with the status not installed or installation failed. You can
filter and select these PCs. Right-click / Install opens the same dialog as Install agent, with the names of the PCs
already filled in.

Install agent

Published Agent Version: shows the published versions to be installed in the staging and production environments.
Advanced: The values configured in MMC / DriveLock Enterprise Services / Agent push installation / Per-server
global settings are used as defaults. To change these values, open the Advanced settings.
Account for installation: this account requires administrative permissions on the local PC.

¨ Install in staging environment: if enabled, the PCs to be installed are assigned to the staging environment.

¨ Force reboot after installation: if enabled, the PCs are rebooted after the Agent installation without user
interaction.

Configuration type: select the type of policy and the policy to be used for the PCs.

Repair Settings: use these only, e.g. on request of DriveLock support, if a former installation failed and a regular
update or uninstallation does not work.
¨ Force removal of installed DriveLock Agents: the DriveLock installation directory, the registry entries and the
Microsoft Installer entries are deleted directly.

¨ Ignore other running installations: installations that may still be running are ignored and the installation is
attempted anyway.

19.4 Configuring Automatic Updates


The DriveLock Agents can automatically update themselves and other components to newer versions:
Open Global configuration / Settings / Automatic updates.


Check Enable automatic updates for the components you want to be updated.
By default, a DriveLock Agent then checks the DES for newer versions of installed components within the first 60
minutes after the Agent service starts and every 60 minutes after the initial check. If a new update is available, the
client downloads it immediately. To distribute downloads from multiple clients over time, clients by default wait
for a random time interval before starting the initial update check.
You can also create your own schedule and choose whether to use a random offset for the initial update check.
During the update process, DriveLock is inactive for a short period. If you want to ensure that the update runs while
the system is not in use, check Perform reboot to update. The user can then delay the update for a maximum of N
minutes. If the user accepts or the time expires, the user is logged off and the update is performed before the reboot.

19.4.1 Configuring Fully Automatic Updates


When you configure DriveLock for fully automatic updates, DriveLock components are automatically updated
without an administrator’s intervention when a new version is made available by DriveLock.
To ensure that fully automatic updates can work correctly, ensure that the DES is configured to automatically
download and publish software packages and that clients are configured to automatically download updates from a
DES server.
By default, DES servers automatically download all new packages from the Internet. This is configured in the
Properties dialog box of the DES server on Update synchronization tab by selecting the Download DriveLock software
updates from the Internet checkbox.


19.4.2 Configuring Semi-Automatic Updates


If you need more control over which packages are downloaded and made available to clients, you can disable
automatic publishing, as described in the section Publishing Software Packages, and instead manually publish the
packages and antivirus definitions you want to make available to clients.
An alternative method to configure semi-automatic updates is to configure the DES server to not check for updates.
You can then manually download updates or definition files and add only the ones you want to the DES server. To do
this, perform the following steps:
1. Disable the automatic downloading of software packages, as described in the section Disabling Automatic
Package Downloading.
2. Check for available packages and download them, as described in the section Manually Updating DriveLock.
3. Go to DriveLock Enterprise Services -> Packages and definition files -> Software packages. Right-click Software
packages and then click Upload software package. Select the package you have manually downloaded and
then click Open.


4. The package status Downloaded is displayed for the package. You need to publish the package before it
becomes available to clients.

19.4.3 Disabling Automatic Package Downloading


By default, DES servers automatically download all new packages from the Internet and make them available to
clients based on your publishing configuration. To disable automatic downloads, in the Properties dialog box of the
DES server on the Update synchronization tab, deselect the Download DriveLock software updates from the Internet
checkbox.



Part XX
Using DriveLock in Terminal Server Environments

20 Using DriveLock in Terminal Server Environments


DriveLock can be used in terminal server environments. The drive locking and application control components are
available in such configurations. Because terminal server sessions may allow access to drives that are connected to
USB ports on the client, DriveLock was designed to control the access to such drives inside a terminal server session.
Terminal server environments may include various forms of client connectivity. The following sections cover each of
these environments and explain various scenarios and differences between them, including any limitations of
DriveLock’s functionality.

20.1 Terminal Server Connections


The following table illustrates which drive control functionality DriveLock provides for different connection types:

Function | Fat clients | Windows Embedded clients | Virtual clients | Thin clients by Wyse running Linux V6 | Thin clients by other vendors
Access control based on users and groups | Yes | Yes | Yes | Yes | Yes
Access control based on drive letter | Yes | Yes | Yes | Yes | Yes
Access control based on hardware data, incl. serial number | Yes | Yes | Yes | Yes | No
File filter | Yes | Yes | Yes | Yes | Yes
File filter incl. header inspection | Yes | Yes | Yes | Yes | Yes
File auditing | Yes | Yes | Yes | Yes | Yes
Shadow copies | Yes | Yes | Yes | Yes | Yes
Requires local DriveLock Agent | Yes | Yes | Yes | Plugin for Wyse Linux V6 | No
Requires DriveLock Agent on terminal server | No | No | Virtual client used instead of terminal server | Yes | Yes

When using application control on a terminal server, the DriveLock Agent must be installed on the terminal
server itself in all environments.

20.1.1 Fat Clients / Desktop Clients


A fat client or desktop client is a regular computer running Windows XP or higher from where you initiate a terminal
server client session. When you install the DriveLock Agent on such a computer, device control is enforced at the
point where a device is connected, i.e. the client computer. Only the drives and devices that can be accessed
according to the computer’s DriveLock policy can be used inside a terminal server session.


If the client computer belongs to a domain, the configuration settings can be applied using Group Policy. In other
environments, centrally stored policies are recommended.

20.1.2 Windows Embedded Clients


A Windows Embedded client is a client running Windows Embedded XP, Windows Embedded Vista or Windows
Embedded 7 that establishes a connection to a terminal server. To enable drive control, the DriveLock Agent must be
included in the Windows Embedded image or installed on the client. The local DriveLock Agent controls access to
drives and devices and policy settings that are applied to it also apply inside a terminal server session.
If the client computer belongs to a domain, the configuration settings can be applied using Group Policy. In other
environments, centrally stored policies are recommended.

20.1.3 Virtual Clients


A virtual client is a virtual machine running Windows XP or higher that is running on a virtual server and is
accessed using a thin client or client software. Using a USB-mapping driver, locally attached USB devices can be
made available inside the virtual machine.
The DriveLock Agent must be installed on the virtual client. The DriveLock configuration on the virtual client
determines which drives a user can access.
If the client computer belongs to a domain, the configuration settings can be applied using Group Policy. In other
environments, centrally stored policies are recommended.

20.1.4 Thin Clients


A thin client is a specialized computer running a minimal operating system that lets users establish client
sessions to terminal servers. To use DriveLock with thin clients you need to install the DriveLock Agent on the
terminal server. The DriveLock configuration on the terminal server determines which drives a user can access inside a
terminal server session, including any mapped local USB drives.
If the terminal server belongs to a domain, the configuration settings can be applied using Group Policy. In other
environments, centrally stored policies are recommended.

20.1.5 Thin Clients by Wyse Running Linux V6


Wyse is a manufacturer of thin clients. Several models of these thin clients are running a hardened version of the
Linux V6 operating system. Drives connected to local USB ports on the thin client can be made available inside a
terminal server session.
When using such clients, DriveLock must be installed on the terminal server. The DriveLock configuration on the
terminal server determines which drives a user can access.
DriveLock has developed a plugin for Wyse Linux V6 (ICA channel only!) that can read hardware data from local USB
devices and transmit them to the terminal server using a Virtual ICA-Channel Extension. This allows for the use of
whitelist rules that are based on a USB-connected drive’s hardware characteristics, such as manufacturer, model
and serial number.

To obtain the DriveLock plugin for Wyse clients (for ICA only!), contact DriveLock technical support at
[email protected].

If the terminal server belongs to a domain, the configuration settings can be applied using Group Policy. In other
environments, centrally stored policies are recommended.


20.2 Configuring Drive Control


Once you have identified your client environment and connections, you can configure the rules that are required to
control access to drives. Based on the type of connection, these rules need to be configured for the client or the
terminal server.
When designing your access control rules you need to identify which types of drives to lock and which exceptions
are required. This includes how detailed the rules and exceptions need to be and whether drives need to be locked
based on users and groups, drive letter, hardware characteristics or a combination of these factors. When designing
these rules you also need to account for any client limitations. For example, rules that include hardware
characteristics (such as allowing only Kingston DataTraveler drives) are not available for all types of clients.
In general, it is recommended to maintain separate DriveLock policies for terminal servers and clients that connect
to terminal servers, for example by using separate Group Policy settings.

20.2.1 Global Permissions


The easiest way to assign permissions to locally connected drives is to assign them to all drives, regardless of
whether they are CD-ROM drives, hard drives or USB flash drives. You can assign these permissions for each of the
following terminal server environments under Extended configuration -> Removable drive locking:
· Windows Terminal Services (RDP) client drive mappings: All drives in client sessions using Remote Desktop
Protocol (RDP). This protocol is used by Windows Terminal Services.

· Citrix Presentation Server (ICA) client drive mappings: drives in client sessions using Independent Computer
Architecture (ICA). This protocol is used by Citrix. This requires Citrix Presentation Server 4.5 (64-Bit) or XEN 5
or higher.

20.2.2 Rules Based on Mapped Drive Letter


To control drives by type (for example, USB-connected drives), you need to configure the terminal server client
session so that each drive type is always assigned the same drive letter. Depending on your environment, you may


need to configure this on the thin client or in a central session configuration. Once you have ensured that drive
letters in client sessions always point to the same types of local drives you can create terminal services rules that
apply to these drive letters. Each of these rules can allow or deny access for users and groups or enforce time
restrictions.
For example, if a thin client is configured to always make locally connected USB flash drives available using the
drive letter U:, you can create a terminal services rule that only lets helpdesk personnel access drive U:. In effect, this
restricts the use of all USB flash drives to helpdesk personnel.
To create a new whitelist rule that is based on drive letters, under Removable drive locking -> Drive whitelist rules,
right-click, point to New and then click Terminal services rule.

Select the appropriate drive letter and then select the protocol or protocols used in your network. You can configure
access permissions on the Permissions tab.


20.2.3 Rules Based on Hardware Characteristics


If the type of client connection supports rules based on hardware characteristics, such as device model or serial
number, you can create hardware-dependent whitelist rules as you would for any other DriveLock client under
Removable drive locking -> Drive whitelist rules -> Vendor/Product ID rule. When specifying the device that the rule will
apply to, connect to the client or terminal server (depending on the connection type) and then select the desired
drive. You can configure access permissions on the Permissions tab.

20.2.4 Using the File Filter


The DriveLock Agent includes a file filter component that can control and audit access to files based on the file type,
such as DOC or PDF. You can configure any rule to use the file filter and apply file filter templates. In general, if the
terminal server connection type allows for a local installation of the DriveLock Agent, such a configuration is
preferable because it provides better file filtering capabilities than a DriveLock Agent running on a terminal server.
For more detail about limitations, refer to the table in the section “Terminal Server Connections”.
If the type of client connection supports use of the file filter, you can enable file filtering and auditing under Drives ->
Removable Drive locking -> Windows Terminal Services client drive mappings or Citrix XenApp (ICA) client drive mappings
on the Filter/Shadow tab.


20.3 Using Application Control


Because terminal servers are designed for multiple users to run applications concurrently, using DriveLock
Application Control is an important component of a terminal server security strategy. For example, you can use
Application Control to block even system programs, such as cmd.exe, wscript.exe, cscript.exe and mmc.exe for
regular users but allow administrators to access these programs.
Configuring Application Control on a terminal server is identical to configuring it for other DriveLock clients. For
more information about this configuration, refer to the chapter DriveLock Application Control.



Part XXI
Troubleshooting and Tools

21 Troubleshooting and Tools


The complete DriveLock installation includes a command-line based diagnostic tool. Use this tool to diagnose the
devices and drives on a computer.
The command line tool “dlcmd.exe” is installed in the DriveLock installation folder. DlCmd.exe can display various
types of diagnostic information, as described in this chapter.

21.1 Viewing Information about Drives and Containers


To display information about mount points, run the following command: dlcmd -m
The command results are similar to the following example:

C:\Program Files\CenterTools\DriveLock>dlcmd -m
-------------------------------------------------------------
DriveLock 7.0.0 : Removable disk drive locker
(C) 2002,2017 DriveLock SE
-------------------------------------------------------------

Number of Mount Points : 12


Mount Point : #0
Symbolic Link: \??\Volume{a0f640c5-5bb9-11d8-8a78-806d6172696f}
Unique ID :
Device Name : \Device\HarddiskVolume1
-------------------------------------------------------------------------------
Mount Point : #1
Symbolic Link: \DosDevices\C:
Unique ID :
Device Name : \Device\HarddiskVolume1
-------------------------------------------------------------------------------
Mount Point : #2
Symbolic Link: \??\Volume{cf245242-5bb2-11d8-8650-806d6172696f}
Unique ID : \??\IDE#CdRomTOSHIBA_DVD-ROM_SD-R2002________________1E29____#5&3
77f14d&0&0.1.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Device Name : \Device\CdRom0
-------------------------------------------------------------------------------
Mount Point : #3
Symbolic Link: \DosDevices\D:
Unique ID : \??\IDE#CdRomTOSHIBA_DVD-ROM_SD-R2002________________1E29____#5&3
77f14d&0&0.1.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Device Name : \Device\CdRom0
-------------------------------------------------------------------------------
Mount Point : #4
Symbolic Link: \??\Volume{b221b196-9835-11d8-b25e-806d6172696f}
Unique ID : \??\SCSI#CdRom&Ven_Generic&Prod_DVD-ROM&Rev_1.0#2&2cbe4745&0&000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Device Name : \Device\CdRom1
-------------------------------------------------------------------------------
Mount Point : #5
Symbolic Link: \DosDevices\L:
Unique ID : \??\SCSI#CdRom&Ven_Generic&Prod_DVD-ROM&Rev_1.0#2&2cbe4745&0&000#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Device Name : \Device\CdRom1
-------------------------------------------------------------------------------
Mount Point : #6
Symbolic Link: \??\Volume{be506ec8-9f39-11d8-b26d-806d6172696f}
Unique ID : \??\SCSI#CdRom&Ven_Generic&Prod_DVD-ROM&Rev_1.0#2&2cbe4745&0&010#
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Device Name : \Device\CdRom2
-------------------------------------------------------------------------------
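As an added example (not part of the DriveLock documentation or of dlcmd), the following PowerShell parses the text that dlcmd -m prints into objects and groups the mount points by device, so you can see which drive letters and volume GUIDs point to the same device and which devices expose a hardware Unique ID (the data that hardware-based whitelist rules rely on). The sample text is constructed from the output shown above; the function and variable names are assumptions of this example.

```powershell
# Added example, not part of DriveLock. Turns "dlcmd -m" output into objects.
function ConvertFrom-DlcmdMountPoints {
    param([Parameter(Mandatory)][string[]]$Lines)

    $records = @()
    $current = $null   # record currently being built
    $lastKey = $null   # field that a wrapped continuation line belongs to

    foreach ($raw in $Lines) {
        $line = $raw.TrimEnd()
        if ($line -match '^Mount Point\s*:\s*#(\d+)$') {
            if ($current) { $records += [pscustomobject]$current }
            $current = [ordered]@{ Index = [int]$Matches[1]; SymbolicLink = ''; UniqueId = ''; DeviceName = '' }
            $lastKey = $null
        }
        elseif ($current -and $line -match '^(Symbolic Link|Unique ID|Device Name)\s*:\s*(.*)$') {
            $lastKey = switch ($Matches[1]) {
                'Symbolic Link' { 'SymbolicLink' }
                'Unique ID'     { 'UniqueId' }
                'Device Name'   { 'DeviceName' }
            }
            $current[$lastKey] = $Matches[2].Trim()
        }
        elseif ($current -and $lastKey -eq 'UniqueId' -and $line -match '^\S' -and $line -notmatch '^-{5,}') {
            # dlcmd wraps long Unique IDs onto a second line; glue the pieces back together
            $current[$lastKey] += $line.Trim()
        }
    }
    if ($current) { $records += [pscustomobject]$current }
    return $records
}

# One row per device: its drive letters, and whether a hardware ID is available.
function Get-DlcmdDeviceSummary {
    param([Parameter(Mandatory)][object[]]$MountPoints)
    $MountPoints | Group-Object DeviceName | ForEach-Object {
        $letters = $_.Group.SymbolicLink |
            Where-Object { $_ -like '\DosDevices\*' } |
            ForEach-Object { $_ -replace '^\\DosDevices\\', '' }
        $ids = $_.Group.UniqueId | Where-Object { $_ } | Select-Object -Unique
        [pscustomobject]@{
            DeviceName    = $_.Name
            DriveLetters  = ($letters -join ',')
            HasHardwareId = [bool]$ids
            UniqueId      = ($ids -join ';')
        }
    }
}

# Constructed sample, modelled on the dlcmd -m output shown in the guide.
$sample = @'
Number of Mount Points : 4

Mount Point : #0
Symbolic Link: \??\Volume{a0f640c5-5bb9-11d8-8a78-806d6172696f}
Unique ID :
Device Name : \Device\HarddiskVolume1
-------------------------------------------------------------------------------
Mount Point : #1
Symbolic Link: \DosDevices\C:
Unique ID :
Device Name : \Device\HarddiskVolume1
-------------------------------------------------------------------------------
Mount Point : #2
Symbolic Link: \??\Volume{cf245242-5bb2-11d8-8650-806d6172696f}
Unique ID : \??\IDE#CdRomTOSHIBA_DVD-ROM_SD-R2002________________1E29____#5&3
77f14d&0&0.1.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Device Name : \Device\CdRom0
-------------------------------------------------------------------------------
Mount Point : #3
Symbolic Link: \DosDevices\D:
Unique ID : \??\IDE#CdRomTOSHIBA_DVD-ROM_SD-R2002________________1E29____#5&3
77f14d&0&0.1.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Device Name : \Device\CdRom0
-------------------------------------------------------------------------------
'@ -split "`r?`n"

$points = ConvertFrom-DlcmdMountPoints -Lines $sample
Get-DlcmdDeviceSummary -MountPoints $points | Format-Table -AutoSize

# On a DriveLock client, feed the live tool output instead of the sample:
# $points = ConvertFrom-DlcmdMountPoints -Lines (& 'C:\Program Files\CenterTools\DriveLock\dlcmd.exe' -m)
```

With the sample, HarddiskVolume1 shows drive letter C: and no hardware ID, while CdRom0 shows D: and the joined IDE Unique ID.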

21.2 Commands for Troubleshooting


To install DriveLock Event Log message sources, use the command dlcmd -r. Use this command if you encounter
“The description for Event ID ( 0 ) in Source ( DriveLock ) cannot be found…” messages in the Event Viewer.
To run the DriveLock service from a command prompt, use the command dlcmd -l. This starts the DriveLock
service, but allows you to stop the program by pressing Ctrl-C.
To release all devices, use the command dlcmd -x.

21.3 Troubleshooting Network Adapters


If you configured a policy that blocks all network adapters, the client can no longer receive updates to its
configuration over the network. To recover from such a configuration mistake, modify the Windows registry and
remove the network adapter configuration.

Before modifying the registry, ensure you have a working backup in case a problem occurs. For information
about how to back up, restore and edit the registry, in Windows online help refer to “Restoring Windows
registry”. If you use Registry Editor incorrectly, you may cause serious problems that may require you to
reinstall your operating system. Use Registry Editor at your own risk. DriveLock is not responsible for any
consequences of modifying the Windows registry and does not provide support for editing the registry.

Open the Windows registry and navigate to the following registry key:
HKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE
To unlock all network adapters, delete the value “UpperFilters” and then restart the computer.
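As an added example (not part of the DriveLock documentation), the following PowerShell reviews, backs up and then removes the UpperFilters value described above. UpperFilters is a REG_MULTI_SZ that may list filter drivers of several products, so the script first shows its contents and writes a .reg export before deleting anything; the class GUID is the standard Windows network adapter class GUID, written out in full here. Function and variable names are assumptions of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of DriveLock. Review, back up and remove the
# UpperFilters value of the network adapter device class.
$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$Remove   = $false   # set to $true only after reviewing the listed filters

function Get-NetClassUpperFilters {
    param([string]$KeyPath = $ClassKey)
    # UpperFilters is REG_MULTI_SZ: one entry per filter driver, possibly from several products
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    if ($null -eq $props.UpperFilters) { return @() }
    return @($props.UpperFilters)
}

function Remove-NetClassUpperFilters {
    param([string]$KeyPath = $ClassKey, [string]$BackupDir = $env:TEMP)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "NetClass-UpperFilters-$stamp.reg"
    # reg.exe expects HKLM\..., not the PowerShell drive form HKLM:\...
    $regPath = $KeyPath -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; nothing was changed." }
    # Deleting the value removes every listed filter, not only DriveLock's;
    # the export restores the previous state with: reg.exe import <file>
    Remove-ItemProperty -Path $KeyPath -Name 'UpperFilters' -ErrorAction Stop
    return $backup
}

$filters = @(Get-NetClassUpperFilters)
if ($filters.Count -eq 0) {
    Write-Output 'No UpperFilters value on the network adapter class; nothing to unlock.'
}
elseif (-not $Remove) {
    Write-Output "UpperFilters currently lists: $($filters -join ', ')"
    Write-Output 'Set $Remove = $true and run again to back up and delete the value.'
}
else {
    $file = Remove-NetClassUpperFilters
    Write-Output "UpperFilters removed; backup saved to $file. Restart the computer to unlock the adapters."
}
```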


21.4 Creating a Trace File


DriveLock's support staff may ask you to create a trace file, which contains detailed information about the internal
processing of DriveLock. DriveLock can generate several trace files, including the following:
· DriveLock trace file. This file helps in analyzing general problems.

· DriveLock driver trace file. This file helps in analyzing device driver-related problems.

You can create a trace file by using a command line or the DriveLock Management Console. You can also activate
tracing by using the DriveLock Support Tool, DLSupport.exe, which is located in the folder where you installed the
DriveLock Management console.

21.4.1 Creating a DriveLock Driver Trace File by Using the Support Tool
The easiest method for creating a trace file is by running the DriveLock Support Companion on the computer that is
experiencing a problem. To start this program, run one of the following files:
· DlSupport.exe: Installed with the DriveLock Management Console. Contains the Team Viewer component for
remote access by DriveLock support.

· DlSupportAgent.exe: Installed with the DriveLock Agent. Contains no remote access component. In most cases
you will use this program.


Once you have located the DriveLock Support Companion, perform the following steps:
1. Start the DriveLock Support Companion as a local administrator and then click Enable diagnostics tracing.
2. Restart the computer.
3. Reproduce the problem you are experiencing. This may require you to log on using the account of an affected
user.
4. Start the DriveLock Support Companion as a local administrator and then click Collect system information.
The DriveLock Support Companion collects data to help analyze the problem, stores it in the folder C:\Trace
and transfers it to the DriveLock support server.
Trace data contains the following information:
· All tracing files, which include detailed information about DriveLock operations

· Several registry files and hardware details

· Group Policy settings (GPresult.log)

· System information (Sysinfo.csv)

· Windows Application Log events

· Contents of the DriveLock working directory and cache

21.4.2 Creating a DriveLock Driver Trace File by Using the Command Line
To create a driver trace file, perform the following steps:
· Stop the DriveLock service.

· Open a command prompt window.


· Navigate to the DriveLock installation folder (default installation path for an administrative installation:
“C:\Program Files\CenterTools\DriveLock”, default installation path for a client-only installation:
“C:\Program Files\CenterTools\DriveLock”)

· Type the command drivelock.exe -enabledrivertracing

· Start the “DriveLock” service

· Perform the steps required to re-create any problems

· Tracing creates the file “c:\dldevflt.log”.

· Send this file to DriveLock support.

· To disable tracing, stop the “DriveLock” service and then type the command
drivelock.exe -disabledrivertracing

· Start the “DriveLock” service again

21.4.3 Creating a DriveLock Trace File by Using the Management Console


To enable trace file creation by using the DriveLock Management Console, connect to the remote PC using “Agent
remote control”.

Right click the connected computer and then click “All Tasks -> Debug tracing”.
This option creates the DriveLock trace file and the DriveLock driver trace file. Trace files are created in the root
directory of the remote client computer. To disable creation of trace files, deselect “Debug tracing”.


21.5 Manually Refreshing the Policy


You can force a refresh of the Group Policy on a remote client computer or instruct it to re-load its configuration file
by using the DriveLock Management Console. To perform this task you must be connected to the remote computer.
For more information about this task, refer to the section "Using Agent Remote Control".

Information in this document, including URL and other Internet Web site references, is subject to change without
notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses,
logos, people, places, and events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced or transmitted in any form
or by any means, electronic or mechanical, for any purpose, without the express written permission of DriveLock SE.
DriveLock SE may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
DriveLock SE, the furnishing of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
DriveLock and others are either registered trademarks or trademarks of DriveLock SE or its subsidiaries in the United
States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

© 2018 DriveLock SE
