Securing Your Endpoints
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Securing Your Endpoints as PDF for free.
More details
- Words: 26,584
- Pages: 91
safend Securing Your Endpoints
SAFEND SUPPORT KNOWLEDGE BASE DOCUMENT
February 2009
2|P a g e
Table of Contents 2. Introduction: ....................................................................................................................................................7 3. Safend Protector Client .....................................................................................................................................8 3.1. Safend Protector Client architecture ..................................................................................................................................... 8 3.2. Support logs ........................................................................................................................................................................... 8 3.3. Troubleshooting Guidelines ................................................................................................................................................... 9 3.4. Safend Protector Client Support Solutions .......................................................................................................................... 11 3.4.1.
Clients not sending logs back to the Safend Server ............................................................................................. 11
3.4.2.
Pointing the installation to the SCC file ............................................................................................................... 11
3.4.3.
Uninstalling the Safend Protector Client via startup script ................................................................................. 12
3.4.4.
Silent install of a client ......................................................................................................................................... 12
3.4.5.
The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client ................................................................................................................................................... 13
3.4.6.
Installing the Safend Protector Client with by a startup script with elevated privileges..................................... 13
3.4.7.
How to activate an ETL when using the offline access utility (when a client is not installed) – Version 3.2, 3.3 .... ............................................................................................................................................................................. 15
3.4.8.
Sonic DLA burning not supported by Safend Protector ....................................................................................... 16
3.4.9.
Cleanup utility for the Safend Protector Client ................................................................................................... 17
3.4.10.
Using the Registry To Check If A Policy Was Updated ......................................................................................... 17
3.4.11.
Client stops sending logs to the server when disabling the sprotector service .................................................. 18
3.4.12.
Bubble notifications are not displayed for Safend Protector Events ................................................................... 18
3.4.13.
Client installation fails instantly with an error message requesting to reboot ................................................... 19
3.4.14.
Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands ...................... 19
3.4.15.
Changing the Safend Protector Client installation method ................................................................................. 20
3.4.16.
User or Computer Policy Uninstall Password ...................................................................................................... 21
3.4.17.
Changing the Safend Protector Balloon Message Display Time .......................................................................... 21
3.4.18.
Installing Safend Protector Client to a Non-Default Folder ................................................................................. 22
4. Safend Protector Management Server ............................................................................................................ 23 4.1. Safend Protector Management Server architecture ............................................................................................................ 23 4.2. Support logs ......................................................................................................................................................................... 24 4.3. Troubleshooting Guidelines ................................................................................................................................................. 24 4.4. Safend Protector Management Server Support Solutions ................................................................................................... 26 4.4.1.
How to configure the Websense integration ...................................................................................................... 26
4.4.2.
How to change the synchronization interval between AD and the Management Server ................................... 27
4.4.3.
How to use the log restore tool in versions 3.2 GA2 and 3.2 GA3 ...................................................................... 28
4.4.4.
How to use the log restore tool in version 3.2 GA1 ............................................................................................. 28
Chapter: Introduction:
1.
3|P a g e 4.4.5.
How to obtain and change the base policy in 3.3 ................................................................................................ 29
4.4.6.
How to manually remove the Management Server and Console........................................................................ 30 ............................................................................................................................................................................. 30
4.4.7. levels
How to view the lower levels of the organizational tree in 3.3 console when the directory tree has many ............................................................................................................................................................................. 32
4.4.8.
Suspension password identified as wrong when entered to the client .............................................................. 33
4.4.9.
Using the HW fingerprint tool when changing server's hardware ...................................................................... 34
4.4.10.
Time format conflict in the DB ............................................................................................................................. 34
4.4.11.
Upgrade Path from Safend Protector 2.0 to 3.3 .................................................................................................. 36
4.4.12.
Reducing the Logs Trace Level for the Safend Server .......................................................................................... 37
4.4.13.
Alerts on client installation are not received in version 3.3 SP1 ......................................................................... 37
4.4.14.
Restoring a server with Content Inspection fails ................................................................................................. 38
4.4.15.
Disabling IIS Logs (to prevent accumulation of large log files) ............................................................................ 39
4.4.16.
Role Based access does not function ................................................................................................................... 39
4.4.17.
When changing the server certificate to an organizational certificate, logs are not sent ................................... 40
4.4.18.
Changing source name when sending Safend alerts to the Event Viewer .......................................................... 41
4.4.19.
IIS diagnostics tool ............................................................................................................................................... 41
4.4.20.
User Permissions for the Safend Server .............................................................................................................. 42
4.4.21.
Unable to publish a policy and a specific error appears in the Domain Service log ............................................ 42
5. Safend DB ......................................................................................................................................................... ...................................................................................................................................................................... 44 5.1.1.
Policy not applied due to the small size of the DB column "Groups" .................................................................. 44
5.1.2.
Restoring missing MySQL index files ................................................................................................................... 45
5.1.3.
Repairing corrupted MySQL index files ............................................................................................................... 46
5.1.4.
Changing external DB user, password and authentication method (domain) while connected to Protector .... 49
5.1.5.
Replacing the DB which is used by Safend Protector Management Server ........................................................ 49
5.1.6.
When using MsSQL DB User cannot save policies, run queries, change settings or logs are not saved. ................ ............................................................................................................................................................................. 50
5.1.7.
When using MsSQL DB User cannot connect to the server ................................................................................. 50
5.1.8.
When using MsSQL DB the installation cannot create the DB ............................................................................ 51
5.1.9.
When using MsSQL DB performing DB related actions causes console freeze. .................................................. 51
6. Safend Protector Management Console .......................................................................................................... 52 6.1. Support logs ......................................................................................................................................................................... 52 6.2. Troubleshooting Guidelines ................................................................................................................................................. 52
Chapter: Introduction:
5.1. Safend Protector Client Support Solutions .......................................................................................................................... 44
4|P a g e 6.3. Safend Protector Management Console Solutions .............................................................................................................. 54 6.3.1.
When trying to log-in to the console, the error message "user is not in the authorized user group" appears ...... ............................................................................................................................................................................. 54
6.3.2.
How to login to the console without entering the password each time ............................................................. 54
6.3.3.
Cannot use WMI commands from 3.3 console if MsSQL installed with windows authentication ...................... 57
6.3.4.
Cannot open the console after upgrade to 3.3 or a fresh install, with an error message of access denied to reports folder ....................................................................................................................................................... 57
6.3.5.
When using role based permissions user can't publish policies .......................................................................... 58
6.3.6.
When using role based permissions user can't associate polices ....................................................................... 58
6.3.7. Console cannot be opened due to Local and Domain Services fail with "System.Security.Cryptography.CryptographicException - Access is denied" in the logs .................................................... 59 6.3.8.
Enabling WMI commands via Safend Protector .................................................................................................. 59
7. Safend Auditor .................................................................................................................................................. ............................................................................................................................................................... 67 7.1. Troubleshooting Guidelines ................................................................................................................................................. 67 7.2.1.
Safend Auditor Command Line Parameters ........................................................................................................ 68
7.2.2.
Enabling Safend Auditor Debugging logs Note: the logs are cryptic and no one except from a developer with the code in front of him can understand them ................................................................................................... 68
7.2.3.
Safend Auditor installation fails with DVOM registration errors ......................................................................... 69
7.2.4.
Opening ports on Windows Firewall for the Safend Auditor .............................................................................. 69
7.2.5.
Auditing a Remote Domain with the Safend Auditor .......................................................................................... 71
7.2.6.
There is no response when clicking "View Excel" ................................................................................................ 71
7.2.7.
Error received when attempting to view the Excel report of the Auditor scan .................................................. 72
7.2.8.
Auditor report with connection time and data transfer ...................................................................................... 72
7.2.9.
Local machine cannot be found in Auditor report .............................................................................................. 72
7.2.10.
Safend Auditor fails to audit certain remote machines ....................................................................................... 73
7.2.11.
Error message received when attempting to view HTML report of Auditor scan ............................................... 75
7.2.12.
Safend Auditor Graphic Report Procedure for MS Excel ..................................................................................... 75
7.2.13.
The Safend Auditor Scanning Method and Network bandwidth information..................................................... 76
7.2.14.
Where the auditor is key located in the registry? ............................................................................................... 77
7.2.15.
The Safend Auditor creates new user profiles on the audited machines ............................................................ 77
7.2.16.
The Auditor seems not to detect remote devices when working via VPN .......................................................... 78
7.2.17.
The Auditor is unreachable when right-clicking on a machine in the Clients World and choosing to Audit Devices. .................................................................................................................................................................... ............................................................................................................................................................................. 78
Chapter: Introduction:
7.2. Safend Auditor Support Solutions ........................................................................................................................................ 68
5|P a g e
8. Safend Reporter ............................................................................................................................................. 79 8.1. Safend Reporter Support Solutions ...................................................................................................................................... 79 8.1.1.
Internet Explorer Error message when running any report on Safend server 3.3 SP2 ........................................ 79
8.1.2.
Required IE settings for Safend reporter ............................................................................................................. 80
9. Safend Encryptor ............................................................................................................................................ 84 9.1. Safend Encryptor Support Solutions .................................................................................................................................... 84 9.1.1.
Internal hard disk encryption doesn't get applied to the client due to publishing backup compatible policies ..... ............................................................................................................................................................................. 84
9.1.2.
After encrypting the HD of a machine, shared folders which are located on this machine cannot be accessed from another machine ......................................................................................................................................... 85
9.1.3.
In Encryptor 2.0, how to copy the reset code & the one time access code from Encryptor login screen, .............. ............................................................................................................................................................................. 85
10.Implementation ............................................................................................................................................. 87 10.1.1.
Implementation in non directory environments ................................................................................................. 87
10.1.2.
Environment Requirements Estimates for the Safend Protector ........................................................................ 88
10.1.3.
Resolving and Identifying GPO Errors .................................................................................................................. 89
10.1.4.
Building Protector Policy per Security Group (GPO policy distribution) .............................................................. 90
10.1.5.
Enabling Verbose logging for GPO installations .................................................................................................. 91
Chapter: Introduction:
10.1. Implementation Support Solutions ...................................................................................................................................... 87
Chapter: Introduction:
6|P a g e
7|P a g e
2. Introduction: The Support knowledge base document provides common troubleshooting guidelines for Safend products. It also includes support solutions for each and every safend component. This document includes basic knowledge for which every certified safend engineer should know when managing or supporting safend products.
Chapter: Introduction:
For any further information feel free to contact us at [email protected]
8|P a g e
3. Safend Protector Client 3.1. Safend Protector Client architecture -
Safend Protector consists of User and Kernel mode components.
The “Manager” of all components is the SimonPro.exe process.
Safend runs a service on the endpoint - SProtector.exe.
The GUI process is Simba.exe.
Safend Protector Emergency Clean-up utility (SPEC) is located under “…\Windows\System32\SPEC.exe”.
3.2. Support logs
-
-
Installation Logs:
An Event Trace Log (ETL) is automatically created during the installation process in the installation directory (\program files\safend\safend protector client\)
A file called ‘Sinta.log’ is created in “…\Windows\temp\” directory
An MSI installer log can be created when installing the safend client using the following syntax: ‘msiexec /i SafendProtectorClient.msi /l* *filename+’
Client operation logs
To debug a certain issue, you need to create an ETL file and Policy XML files.
Creation of an ETL file:
Open regedit
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input
Add a new dword called ‘dll’ and assign it with the value 3
A file with ETL extension will be created in the installation directory (“…\program files\safend\safend protector client\”)
Reproduce the issue scenario
Change the dword value to 0
Creation of Policy XML files:
Open regedit
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input
Add a new dword called ‘dll’ and assign it with the value 4
From the client GUI press Policy Update
Policy XML files will be created in the installation directory (“…\program files\safend\safend protector client\”)
Change the dword value to 0
Creating a memory dump: In cases of a BSOD, a full memory dump is needed in order to investigate the cause of the issue. Configuring a full memory dump – via my computer properties advanced startup and recovery settings write debugging information select complete memory dump
Chapter: Safend Protector Client
-
9|P a g e
A BSOD memory dump can be open with the Windows Debugging Tools (windbg) to determine what was the probable cause of the BSOD.
Send the dump to Safend Support with the needed information.
3.3. Troubleshooting Guidelines -
When investigating an issue regarding the Safend Protector Client, most issues fall under the following categories:
Safend Client fails to install/uninstall
Safend Client fails to send logs back to the Safend Server.
Safend Client fails to receive/apply policies.
Safend Client handles a device incorrectly.
Safend Client conflicts with other software/BSOD.
-
Safend Client Fails to Install/Uninstall
-
When you encounter installation/uninstall issues, the following needs to be performed:
Try the installation process again.
Try the installation process on a different machine.
Try to completely remove the Safend Client using the SPEC utility and run the installation process again.
If one of the above was successful, the differences between the two attempts must be inspected. Examples of differences between installation attempts:
The new machine is in a different domain.
A specific machine had environmental issues.
There are different security configurations on the machine.
The SPEC utility removed random corruptions that were previously on the machine.
-
Safend Client Fails to Send Logs/ Receive Policies to/from the Safend Server
-
When the client is not sending logs or receiving policies the following needs to be verified:
Check that Safend Server services are running and that the websites are up.
Check the Policy web service and event web service logs for indications of the source of the problem Try to browse Safend web services: https://[ServerName]:443/SafendProtector/EventSinkWebService.cs.asmx https://[ServerName]:443/SafendProtector/PolicyWebService.cs.asmx
Chapter: Safend Protector Client
-
10 | P a g e SC commands – sc control SafendPS 222 (logs)/ 225 (policies)/ 228 (OTP)
create an ETL file
Safend Client handles a device incorrectly
When the client does not handle a device correctly, the following needs to be verified:
Search for the relevant log in the management console – how is the device identified (device type, port)?
Is it a composite device, i.e., is it identified as several devices by the OS?
Is the correct policy applied properly?
Is the policy configured properly? Was the device added/removed from the white list?
When auditing the device, does it appear correctly (as it appears in the policy)?
-
Safend Client conflict with 3rd party software / BSOD
-
When a conflict occurs between the Safend Client and 3rd party software, the following should be verified:
-
Is this a system/environment issue?
Is this the latest version/driver of the 3rd party software?
What are the exact steps that caused the issue to occur?
When a BSOD occurs with the Safend Client, the following should be verified:
Is this a system/environment issue?
Which driver was shown as the probable cause for the BSOD?
What are the exact steps that caused the issue to occur?
Create a full memory dump and send it to Safend support with the needed information.
Chapter: Safend Protector Client
-
11 | P a g e
3.4. Safend Protector Client Support Solutions 3.4.1. Clients not sending logs back to the Safend Server NEED: In some cases, installed Safend Protector Clients do not succeed in sending logs back to the Safend Server. This is usually due to environment definitions that block the log transfer to the Safend Server. RESOLUTION: In order to identify the issue and resolve it, please verify the following: a) The policy you created is applied on the Client. b) The Server is up and running (accessible by the Console). c) Try pinging the Server from the Client machine. d) Make sure the SSL port you use for the communication between the Server and the Clients (by default it is 443) is open on any firewall or port blocking application (either on the Client or on the Server). e) Try browsing (from the Client machine) to https://ServerName/SafendProtectorWS/EventSinkWebService.cs.asmx f) If all above is ok, please activate the Client logging run regedit go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector on V3.1 or HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\input on V3.2 create a new DWORD called Dll give it the value of 3. g) Run (on the Client machine) the following command – sc control SafendPS 222 h) Change the DWORD value back to 0 to stop logging, and send [email protected] the Solog*.etl file created in the \Program Files\Safend\Safend Protector Client folder.
3.4.2. Pointing the installation to the SCC file NEED:
PROBLEM: The SCC file must be on the same directory as the installation file SOLUTION: When running the client installation a parameter can be specified to access the SCC file: msiexec /i safendprotectorclient.msi /standalone="[path to SCC]"
Chapter: Safend Protector Client
To point the installation to the location of the SCC files
12 | P a g e
3.4.3. Uninstalling the Safend Protector Client via startup script NEED: When uninstalling the Safend Protector client in a large environment, a method for performing mass uninstallation is required. Below you will find instructions for executing such a method, using a GPO linked to a startup script which uninstalls the protector. RESOLUTION: Open Note Pad and enter the following text: msiexec.exe /x "\\Servername\Path\SafendProtectorClient.msi" /qn UNINSTALL_PASSWORD="Password1" Where instead of Servername\Path you enter the machine name and path to the SafendProtectorClient.msi file used for the installation, and instead of "Password1" you enter the uninstall password defined for the client. Save this file as a .bat file. In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the uninstall script. Once the GPO is created within the OU, right click it and select edit. In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts" Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within the domain controller. Copy the script file to this location and click OK. Once this is done, restart the relevant machines in order for the startup script to run and remove Safend's Clients from them. keywords: command line, uninstall
Silent install of a client NEED: When using silent installation one may want to prevent a reboot following the installation RESOLUTION: The reboot is caused due to two factors: 1. Windows installer requirement of reboot following the installation 2. Safend client requirement of reboot following the installation Using the following command will suppress the reboot required by the windows installer: msiexec /i \\PathToFile\Share\SafendProtectorClient.msi /norestart REBOOT=ReallySuppress /qn */qn parameter will causes a quite installation without showing the UI Performing the following changes will suppress the reboot required by the client:
Chapter: Safend Protector Client
3.4.4.
13 | P a g e 1. Open the clientconfig.scc file for editing 2. Search for the string “installmethod” 3. Change its value from “2” to “3”
3.4.5. The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client SYMPTOMS: On rare occasions, when trying to reinstall Safend Protector Client with a different user than the original installation, the following message will show up: "The Client Configuration file does not contain a valid policy." CAUSE: The user trying to access the encryption object doesn't have the appropriate privileges. SOLUTION: In such cases, perform the following: 1. In order to run the Safend Protector Client installation as local machine please run the following command: at *time+ /INTERACTIVE “cmd” Instead of [time] write the current time + 1 minute. For example: when time is 16:08 write 16:09. 2. A local system window will open. Run the installation from there by writing the following: msiexec /I SafendProtectorClient.msi
3.4.6. Installing the Safend Protector Client with by a startup script with elevated privileges NEED:
SOLUTION: 1. Installing the Safend Protector Client with a startup script: Open Note Pad and enter the following text: msiexec.exe /i "\\Servername\Path\SafendProtectorClient.msi" /qn Where instead of Servername\Path you enter the machine name and path to the SafendProtectorClient.msi file used for the installation. make sure the folder containing the msi is shared. Save this file as a .bat file.
Chapter: Safend Protector Client
In some cases, it is not possible to implement the Safend Protector Client's installation process through a regular GPO package. In such cases, the installation must be implemented by a GPO with a start up script, and the administrator must enable elevated privileges for the end-users.
14 | P a g e In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the installation script. Once the GPO is created within the OU, right click it and select edit. In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts" Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within the domain controller. Copy the script file to this location and click OK. Once this is done, restart the relevant machines in order for the startup script to run and install the Safend Client on them. 2. Granting elevated privileges to non-administrator users: following is an article by Microsoft, pertaining to this issue: Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. SUMMARY: This article describes three methods by which an administrator can enable a non-administrator user to install managed Windows Installer applications. An application is called a "managed application" if elevated (system) privileges are used to install the application. A situation in which you might need to install a managed application is if you are installing an application on Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following methods, an administrator can enable a non-administrator user to install managed applications. A) On a computer running Windows NT 4.0, Windows 2000, or Windows XP an administrator can set the AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. If you want to make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the AlwaysInstallElevated value to "1" under the following registry keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
B) On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for a per-machine installation (per-machine means that it will be available for all users of that computer). The Windows Installer always has elevated privileges while performing per-machine installations. The administrator uses elevated privileges to advertise the package. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges. The following is an example of a command line used by an administrator doing a per-machine installation: msiexec -i c:\pathtofile\mypackage.msi ALLUSERS=1 Here is an example of how the administrator would advertise the package on the computer per-machine: msiexec -jm c:\pathtofile\mypackage.msi For more information, see the Help topic "Advertisement" in the Windows Installer Platform SDK: http://msdn.microsoft.com/library/en-us/msi/setup/advertisement.asp
Chapter: Safend Protector Client
WARNING: This particular method can open the computer to a security risk because once an administrator with elevated privileges has set these registry keys, non-administrator users can run installations with elevated privileges and access secure locations on the computer, such as the System folder or HKLM registry key.
15 | P a g e C) On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator uses elevated privileges to advertise the package per machine. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges. For more information on Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper: http://www.microsoft.com/windows2000/docs/GPIntro.doc These settings can also be set via GPO and not by directly opening the registry - the settings must be applied both for Machines and Users: - Computer Configuration>Administrative Templates>Windows Components> Windows Installer: Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced). - User Configuration>Administrative Templates>Windows Components> Windows Installer: Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced) Link to Microsoft documentation: http://support.microsoft.com/default.aspx?scid=kb;en-us;q259459 Link to additional documentations for GPO configuration: http://lspservices.iupui.edu/docs/win2k/gpo_configurations.asp
3.4.7. How to activate an ETL when using the offline access utility (when a client is not installed) – Version 3.2, 3.3 NEED: On some cases the need to activate ETL for the offline access utility (Access secure data) PROBLEM: An ETL cannot be activated the ordinary way when a client is not installed, since the ETL requires the existence of a registry string that indicates what is the Client's installation path.
In order to activate the ETL when no Client is installed: 1. Connect the encrypted device to the home machine. 2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector 3. Create a new String Value called InstallDir, and assign it with the value "c:\Progrem Files\Safend\Safend Protector Client" . This creates the registry string that indicates where the Client is installed (of course, the Client is not really installed; the above mentioned path is a path created when running the Offline Access Utility) 4. Now the ETL can be activated, as usual.
Chapter: Safend Protector Client
SOLUTION:
16 | P a g e
Sonic DLA burning not supported by Safend Protector QUESTION: Is the burning format used with the Sonic DLA software supported by the Safend Protector Client? ANSWER: The Sonic DLA software uses the UDF file system (which is supported by us) and the Packet writing burning format, which is not supported. Therefore, the Sonic DLA burning format is not supported by the Safend Protector Client, which means it will be blocked if the policy applied has the check box for "Block unsupported burning formats" checked. From Roxio 09/20/07 3:10 PM Thank you for contacting Roxio Technical Support Our apologies for the earlier agent's response. Please disregard it. Drag to Disk and DirectCD have been discontinued in version 10 of our software due to compatibility concerns. You should, however, be able to manage anything that they were able to do using version 10. Please tell us what you are trying to accomplish with them so that we may suggest other means of doing so. If the information provided does not resolve your issue simply update your web ticket with a detailed explanation with the steps you have tried and any error messages you receive.
Regards, Roxio Technical Support http://support.roxio.com Thank you for your comments and we appreciate the feedback
More information will be found on : http://forums.support.roxio.com/lofiversion/index.php/t28374.html
Chapter: Safend Protector Client
3.4.8.
17 | P a g e
3.4.9.
Cleanup utility for the Safend Protector Client
NEED: In some very rare cases, the Safend Protector Client installation may fail, rendering the Safend Protector Client unable to function. in such cases, an alternate way for removing the Safend Protector Client is needed. RESOLUTION: The Safend Protector Emergency Cleanup utility - SPEC, is used to uninstall the Safend Protector Client in Cleanup Mode. Once unzipped, it is ready for use, and requires only a link to the ClientConfig.scc file and the global uninstall password. If any of these details are not available, we will be able to generate a machine-specific Cleanup key according to the Cleanup Token, provided by the utility. Please contact [email protected] and request the SPEC utility and the cleanup key for your machine's token. Remember! This is more of a last resort for cleaning up the protector when nothing else can be done. Usually, we would want to get to the bottom of why the crash happened so we will be able to improve the Safend protector to be able to cope with such situations in the future. On version 3.2 and above the Spec.exe utility is located in windows\system32 directory
3.4.10. Using the Registry To Check If A Policy Was Updated QUESTION: I would like to integrate a third party tool in order to distribute policy registry files to the end point. I would like to have an indication that the policy was indeed updated.
The registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\LastPolicyUpdate is a 4 bytes key that contains the time in which the policy was last updated. You can use this key to check for update of policies. The key "LastPolicyUpdate" is set to indicate that a policy was pulled from the GPO, without consideration of whether the content of the policy was updated. As the computer pulls policies on startup, it will show an update when the computer is restarted, even though the content of the policy is not changed.
Chapter: Safend Protector Client
ANSWER:
18 | P a g e
3.4.11. Client stops sending logs to the server when disabling the Sprotector service PROBLEM: When using local admin credentials, disabling the Sprotector service and then closing it, the safend client stops sending logs to the server. SOLUTION: The mentioned behavior of the client is according to the product design. Be advised that the only effect of the procedure on the Safend client is that he will not send logs until the next time that he will be loaded. All other parameters of the clients are set exactly as they were before the procedure. All ports, device, storage device, files and etc will act exactly as they acted before the procedure. Please notice that usually a user in an organization will not receive local admin rights on machines, so this shouldn’t be a major issue.
3.4.12. Bubble notifications are not displayed for Safend Protector Events SYMPTOM: After installing the Safend Protector Client, Event Messages (Pop Up Messages) for device/port actions, do not appear. CAUSE: Windows registry settings have disabled Balloon Tips for the machine. SOLUTION: Make sure that in the registry, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, there is no DWORD key named EnableBalloonTips. If it exists, simply delete it.
Chapter: Safend Protector Client
Another simple way to control the balloons is by using a Microsoft's power tool called TweakUI (the tool can be downloaded from http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx). The option to allow balloon tips in TweakUI can be found in the Taskbar and Start Menu option and is called Enable balloon tips.
19 | P a g e
3.4.13. Client installation fails instantly with an error message requesting to reboot SYMPTOM: When trying to install the Protector Client, installation fails instantly and the following error message is received: Safend Protector Client Please reboot before starting the Install process If a reboot is indeed performed, the same error message is received again. Additionally, the sinta.log file (located at windows\temp folder) will contain only the following entries: [installation Date and time] = Localize installation [installation Date and time] = ********************************** [installation Date and time] = Started Install Process. [version and build number] CAUSE: A Client was installed on the machine in the past, or the Offline Access Utility was used on the machine in the past. For some reason, remnants of this were left in the system, and so the current installation process behaves as is if a Client is currently installed. SOLUTION: Running the SPEC utility will clear any remnants of a previous Client installation or Offline Access Utility use. Note that a SPEC utility of the same version or of a version above the version of the previous Client or Offline Access Utility is to be used.
3.4.14. Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands NEED: In cases the WMI commands from the management console are not working, it is possible to trigger management commands (update policy, send logs etc.) to the Protector Client from the command line.
The SC command (supplied with Windows XP or higher) can be used to specifically trigger our process for the following actions. Send logs now! (without waiting for the interval): sc control SafendPS 222 Update policy from the GPO (similar to gpupdate /force, but specific to our product and faster): sc control SafendPS 223
Chapter: Safend Protector Client
SOLUTION:
20 | P a g e
Update policy from REG file: sc control SafendPS 225 Force InitOTP (In case Client will not accept any passwords, or server will not generate them): sc control SafendPS 228 . For Windows 2000 machines this command can be run remotely (i.e. : sc \\ComputerName control SafendPS 223).
3.4.15. Changing the Safend Protector Client installation method NEED: During the installation of the Safend Protector Client, the installer will go through a process of restarting all the devices in order to make sure its drivers are effective immediately after the installation without the need for a reboot. The default installation method might take a few minutes to complete depending on the amount of connected devices. Additionally, the administrator should consider a momentary network disconnection during this phase. In case the administrator would like to avoid this, a simple parameter may be added to the Safend Protector Client Configuration file (ClientConfig.scc). RESOLUTION: In order to configure the installation method, open the ClientConfig.scc file which is created using the Safend Protector Management Console and add the following lines: [InstallParams] InstallMethod=x where x is the option parameter as listed below: InstallMethod=0
InstallMethod=1 During the installation process, all the ports and devices are restarted. The user is not prompted to reboot, even if one of the devices has failed to restart. It is important to note that the endpoint will not be fully protected by the Safend Protector Client until the system restarts. It is the responsibility of the system administrator to schedule this system restart. InstallMethod=2 During the installation process, none of the ports or devices are restarted. At the end of the installation, the user is always prompted to reboot.
Chapter: Safend Protector Client
This is the default method (as if no parameter is added at all). During the installation process all the ports and devices are restarted. If one of the devices has failed to restart, the user is prompted to reboot.
21 | P a g e
InstallMethod=3 During the installation process none of the ports or devices are restarted. The user is not prompted to reboot. It is important to note that the endpoint will not be fully protected by the Safend Protector until the user restarts the computer. It is the responsibility of the system administrator to schedule this system restart.
3.4.16. User or Computer Policy Uninstall Password QUESTION: If I set a different Uninstall Password for the Computer policies and the User policies, Which password should I use to uninstall the Safend Protector Client? ANSWER: There are three scenarios that can be recognized in this situation: 1. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was either applied or not. The current policy is applied for the logged on USER. The Safend Protector is uninstalled manually. ==> The uninstall password is the one set in the USER policy 2. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was never applied. There is currently no logged on user, so the default policy, as set in the Client Configuration file is applied. (This is the situation if the uninstall process is taking place through Active Directory). ==> The uninstall password is the Global uninstall password as it is set for the COMPUTER. 3. The machine was installed with the Safend Protector. A COMPUTER policy was applied. There is currently no logged on user, so the COMPUTER policy is applied. ==> The uninstall password is the one set in the COMPUTER policy.
3.4.17. Changing the Safend Protector Balloon Message Display Time QUESTION: Can the "User Message Balloon" display time be controlled?
The parameter for the Balloon Tips display time in Windows XP can be found in the registry, in: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify. The DWORD entry called BalloonTip is set by default to the value of 3 (seconds). Change its value to control the display time of the Balloon Tips. Some information pertaining to the Balloon Tips of the Safend Protector can be controlled through the Default Agent Policy (the Default Agent Policy is a file that contains some parameters that are not hard-coded into the Protector, but are also not exposed to the user. It is possible to update the Default Agent Policy if necessary). These parameters are the number of seconds that the Protector processes wait between balloons and the number of
Chapter: Safend Protector Client
ANSWER:
22 | P a g e seconds between the last notification and the icon returning to its idle mode. In order to change the Default Agent Policy, please contact [email protected].
3.4.18. Installing Safend Protector Client to a Non-Default Folder NEED: Is it possible to install the Safend Protector Client silently as a GPO to a folder or drive which is not the default installation path? SOLUTION:
Chapter: Safend Protector Client
Yes, it is possible to install the client to a specified directory, but the installation needs to be done using a start-up script, instead of a package installation. The process is as follows: 1. For the OU on which you would like to install, go to the OU Properties, Group Policy tab. 2. Create a new Group Policy, and give it a name, then click Edit to open the Group Policy Editor 3. Go to Computer Configuration > Windows Settings and select Start-up > Script 4. Click the Show Files button and create a new text document containing the following command: msiexec.exe /i "\\
23 | P a g e
4. Safend Protector Management Server 4.1. Safend Protector Management Server architecture
The Safend server contains three services:
Safend protector DB
Safend protector domain service
Safend protector local service
These services should start when starting the server (As a default, the services are running upon server installation)
Safend server is using the IIS Application for communication between its components:
Server - Clients (Safend Protector Web Site WS)
Server - Management Consoles (Safend Protector Web Site )
The IIS web site processes are visible in the Windows task manager (W3WP).
Chapter: Safend Protector Management Server
-
24 | P a g e
4.2. Support logs -
Safend Protector Server Logging When investigating Safend Server issues, the Server trace logs will provide valuable information. Each of the different Safend Protector Server components writes a separate log file. The relevant Server logs reside under the following folders: \Program Files\Safend\Safend Protector\Management Server\logs C:\Temp\bin\log
4.3. Troubleshooting Guidelines -
Safend Protector Server Fails to Install/Upgrade/Uninstall
-
When the installation/uninstall process fails, the following needs to be verified:
Were all Safend Server prerequisites met (Please find the prerequisites at the end of the presentation)?
Are there any security hardenings that can block the installation?
Did the User used during installation have the appropriate credentials: Local administrator Domain account from your Active Directory that can control clients via WMI. We recommend using an account with domain administrator privileges.
-
-
Are there any remnants of a previously installed Server?
Verify that Safend services do not exist
Verify that Safend Web sites do not exist
Verify that Safend Protector folder does not exist under Program Files=>Safend
Under <systemroot>\program files\common files\safend unregister and delete the dll files in case they exist.
Safend Protector Server Fails to Initialize
When the Safend Protector Server fails to initialize, the following must be verified:
Were there any hardware changes to the Server computer? HW changes will change the machine fingerprint and you will need to use the HW fingerprint tool.
Verify that no security policy was applied to the machine.
Were the Server User credentials (the user supplied during installation) changed (password\permissions etc.)?
Was the Server DB user changed in any way?
Are there any errors in the event viewer logs?
When investigating an issue regarding the Safend Protector Server, most issues fall under the following categories:
Chapter: Safend Protector Management Server
When you use an external DB (MS-SQL) – DB creator credentials are required.
-
Safend Protector Server fails to install/upgrade/uninstall
-
Safend Protector Server fails to initialize.
Chapter: Safend Protector Management Server
25 | P a g e
26 | P a g e
4.4. Safend Protector Management Server Support Solutions How to configure the Websense integration NEED Installation of Safend Protector integrated with Websense. SOLUTION In all Safend versions ----------------------------To install Safend protector with Websense integration steps should be performed on both servers Websense server: 1.1 system modulesClick on configuration 1.2 Click the add button 1.3 Choose agent type: “endpoint server” 1.4 Enter Safend Server FQDN 1.5 Enter a password (this password will be used when installing Websense files on Safend’s server) 1.6 The “endpoint server” entry should be displayed in the system modules screen. 1.7 A new file called CPS.MSI should be created Safend server: 2.1 Copy CPS.exe to Safend server 2.2 Run CPS.MSI 2.3 Choose an installation directory 2.4 Select “agents only’ installation 2.5 Click on the “endpoint support” icon, then press next 2.6 Provide the IP address for the CPS server and enter the one time password defined on the CPS server (step 5 above) 2.7 Press install Websense server: 3.1 Press “deploy settings” Safend server: 4.1 Press okay 4.2 Conf.xml file will be created in the directory defined during the installation Safend console: 5.1 Open the console 5.2 Enter a license key (that includes Websense integration) 5.3 administrationgo to tools 5.4 choose the content inspection panel 5.5 check the “integrate with a 3rd Party Content Inspection Solution” checkbox 5.6 browse to the Conf.xml file
Chapter: Safend Protector Management Server
4.4.1.
27 | P a g e 5.7 Click “show details” 5.8 Click “OK” to apply the content inspection flag to all policies To verify that the policy was indeed applied check content inspection status in the client GUI Addition to Safend Protector version 3.3 and above -------------------------------------------------------------------Since in version 3.3 and above, the Safend client automatically encrypts the files sent to the server (for inspection or shadowing, inspection in this case), the files are sent encrypted to the Websense server as well. The Websense server cannot decrypt these files, and therefore they become inaccessible. Replacing a DLL on the Safend server will cause the files not to be encrypted on the client side, and therefore will prevent the problem on Websense’s side. In order to replace the relevant DLL: 1. Stop Safend Local service 2. Kill the W3WP process. If multiple instances of the process exist, all of them should be killed 3. Go to \program files\safend\safend protector\Management server\bin, replace the Backend.Server.dll file with the modified one. The modified DLL for server version 3.3 build 30270 is attached to this solution. For any other server version, a DLL should be created by Safend team. 4. Restart Safend Local service. Note: There are additional KBs describing the replacement of the Backend.Server.dll for different purposes. Be advised that the Safend R&D team should be consulted if more than one of the issues fixed by this replacement is manifested in the same server, since one replacement will cancel the other.
How to change the synchronization interval between AD and the Management Server
Note: Please be advised that changing the synchronization interval is not recommended. It can cause overload to the Management Server's machine, to Active Directory and it creates a load on the network. (This solution is only relevant for version until version 3.2 GA3)
NEED: Sometimes customers want to change the synchronization interval between AD and the Management Server. By default the interval is set to 8 hours which may not be enough. SOLUTION: The following steps should be performed on the server machine: 1. Stop Safend services - Domain, Local, Broadcast if version 3.2 is used. 2. Kill the w3wp process (check for multiple instances, kill all of them). 3. Open with notepad the following file for edit : C:\Program Files\Safend\Safend Protector\Management server\servercconfig.xml 4. Search for the following line : 5. A few lines beneath it you will find the line:
Chapter: Safend Protector Management Server
4.4.2.
28 | P a g e in hours, please use whole numbers. 6. Save the changes and close the file. 7. Start the Safend services - Broadcast if version 3.2 is used, Local; wait for the Domain service to be restarted.
4.4.3.
How to use the log restore tool in versions 3.2 GA2 and 3.2 GA3 Note: This KB article is valid only for versions 3.2 GA2 and 3.2 GA3. for version 3.2.19275 NEED: Sometimes a need to restore a Safend Log Back (SLB) arises. PROBLEM: There is no “import” option in the server for the backed up logs an external tool to the server exist to perform this action SOLUTION: Running the following command will restore all the information from a backup file to the DB. *Please note that this action will delete all the current logs from the server 1. Rename the ".slb" file to ".slb.Zip" 2. Double click and open the ".slb.zip" file 3. Change the value inside the version.txt file from 3200 to 3210 for GA2 or 3220 for GA3 and save. 4. Rename the ".slb.zip" back to ".slb" 5. Stop safend services, leave the db service running. 6. Run RestoreTool.exe restore -backupFile "[backup file+” when –backupFile is case sensitive and [backup file] points to the actual file location
4.4.4.
How to use the log restore tool in version 3.2 GA1 Note: This KB article is valid only for version 3.2.19275 NEED: Sometimes a need to restore a Safend Log Back (SLB) arises. PROBLEM: There is no “import” option in the server for the backed up logs. An external tool exists to perform this action. SOLUTION:
Chapter: Safend Protector Management Server
Note: The log restore tool cannot be used for restoration of logs from 3.2 version to 3.3 version due to a change in the log structure in 3.3.X.
29 | P a g e
Running the following command will restore all the information from a backup file to the DB. *Please note that this action will delete all the current logs from the server 1. Stop Safend services, leave the DB service running 2. In cmd, run the following: RestoreTool.exe restore -backupFile "*backup file+” Where [backup file] points to the actual file location
How to obtain and change the base policy in 3.3 Note: This solution should be done only with collaboration with Safend support. NEED: For different reasons, one would require to obtain the base policy and change it. In 3.2, the base policy is one or two XML file/s located under the server “Bin” directory - “defaultAgentPolicy.xml” and/or “defaultAgentPolicy.en-us.xml”. In version 3.3, the base policy cannot be found in the one or two XML file/s, since they do not exist; The base policy in 3.3 is a table in the database, which cannot be reached directly. SOLUTION: 1. How to Obtain the base policy: To obtain the base policy in 3.3, one should run the SPAdmin tool in the following way: a. Open Run / CMD b. Type in the following (this is case sensitive): "C:\Program Files\Safend\Safend Protector\Management Server\bin\SPAdmin.exe" -updateconfig -getfile defaultagentpolicy.en-US [EnterAnyPath]:\[EnterAnyFilename].txt c. Run the string. This will result in a .txt file in the name and path entered. This .txt is a reflection of the base policy. 2. How to change the base policy: After modifying and saving the .txt as required and with caution (again, please review KB00000177 as mentioned above), in order to apply the changes to the base policy (since this .txt is only a reflection), one should perform the following: a. Stop the Local service, kill the w3wp process. b. Open Run / CMD c. Type in the following (this is case sensitive): "C:\Program Files\Safend\Safend Protector\Management Server\bin\SPAdmin.exe" -updateconfig -setfile defaultagentpolicy.en-US [PathOfTheTxtFile]:\[TxtFilename].txt d. Run the string. e. Restart the above mentioned services
Chapter: Safend Protector Management Server
4.4.5.
30 | P a g e
4.4.6. How to manually remove the Management Server and Console NEED: Sometimes, the Safend Protector Management Server and Console need to be uninstalled. The following solution is required for scenarios in which you cannot uninstall successfully the Server and/or the Console using the Add/Remove Programs menu. SOLUTION: There are 3 methods of removing the Safend Protector Server and Console. One should use the methods in the order of appearance in this solution, so the cleanest possible removal will be achieved.
Method #2 – Using the MSIzap tool ----------------------------------------------1. Download the Msiinv tool from Microsoft MSDN, Extract it to c:\ or any other path. 2. In cmd prompt, run the following command: c:\msiinv\msiinv.exe -p > c:\msiinv_output.txt You may change the path to the msiinv.exe according to the previous section, and the path of the .txt to any other path desired. This will create a .txt file which contains a list of the programs installed on the machine according to the Windows Installer. 3. Open the c:\msiinv_output.txt , and locate the Safend Server and/or Console entries. Copy the GUID of the product code from the server and/or console entries. The GUID appears in the following format: 77BFE295-D7B74AF0-AF15-D14AF646AAE7. Make sure to copy the Product Code and not the Package Code. 4. Download and the SmartMSIZap tool 5. Extract the tool to c:\ or any other path.
Chapter: Safend Protector Management Server
Method #1 – Using the msiexec /x command -----------------------------------------------------------1. Download the Msiinv tool from Microsoft MSDN: Extract it to c:\ or any other path. 2. In cmd, run the following command: c:\msiinv\msiinv.exe -p > c:\msiinv_output.txt You may change the path to the msiinv.exe according to the previous section, and the path of the .txt to any other path desired. This will create a .txt file which contains a list of the programs installed on the machine according to the Windows Installer. 3. Open the c:\msiinv_output.txt , and locate the Safend Server and/or Console entries. Copy the GUID of the Product Code from the server and/or console entries. The GUID appears in the following format: 77BFE295-D7B74AF0-AF15-D14AF646AAE7. Make sure to copy the product code and not the package code. 4. In run/cmd prompt, run the following command: msiexec /x {Product Code} When the Product Code is the GUID you previously copied. Make sure to use the curly braces. 5. If you removed the Server/Console and need also to remove the Console/server, perform the previous section again with the proper GUID (again, make sure to use the curly braces). 6. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does when uninstalling the server properly (using add/remove programs). Altering the schema can be performed by the DBA, an action that is not supported by Safend.
31 | P a g e
Method #3 – Server removal only* – "Aggressive" deletion of Safend Server components -----------------------------------------------------------------------------------------------------------------------1. Stop the Safend Services: Domain, Local, Broadcast (in 3.2 and below), DB (if internal DB is used). 2. Kill the w3wp.exe process (if more than one exists, kill all of the duplicates). 3. Delete the Safend websites: In the Internet Information Services (IIS) snap-in in the Computer Management, delete the "Safend Protector Web Site" and the "Safend Protector Web Site WS". 4. Delete the Safend services in the following order. Note that for version 3.3, the Broadcast service doesn't need to be deleted since it doesn't exist. Also note that if an external DB was used, the Safend Protector DB sevice doesn't need to be deleted since it doesn't exist. a. In cmd type: sc delete "safend.protector.admin.app.managementserver.broadcastservice" Press enter, and if the service was deleted successfully, the following line will apper: SC [DeleteService] SUCCESS. b. In cmd type: sc delete "safend protector db" Press enter, and if the service was deleted successfully, the following line will apper: SC [DeleteService] SUCCESS. c. In cmd type: sc delete "safend.protector.admin.app.managementserver.domainservice" Press enter, and if the service was deleted successfully, the following line will apper: SC [DeleteService] SUCCESS. d. In cmd type: sc delete "safend.protector.admin.app.managementserver.localservice" Press enter, and if the service was deleted successfully, the following line will apper: SC [DeleteService] SUCCESS. 5. Go to the server's installation path, and change the name of the folder "management server" to "management server old" or any other name. 6. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does when uninstalling the server properly (using add/remove programs). Altering the schema can be performed by the DBA, an action that is not supported by Safend. * Method #3 does not relate to the removal of the console. The console can always be removed using method #1 or #2.
Chapter: Safend Protector Management Server
6. From cmd prompt, run the following (path may differ according to the where you extracted the tool to): c:\smartmsizap.exe /p {product_code} When the Product Code is the GUID you previously copied from the Msiinv tool. Make sure to use the curly braces. 7. If you removed the Server/Console and need also to remove the Console/server, perform the previous section again with the proper GUID (again, make sure to use the curly braces). 8. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does when uninstalling the server properly (using add/remove programs). Altering the schema can be performed by the DBA, an action that is not supported by Safend.
32 | P a g e
4.4.7. How to view the lower levels of the organizational tree in 3.3 console when the directory tree has many levels SYMPTOM: In environments where the directory tree has many levels in its hierarchy, around 7 levels and above, only the few highest levels can be seen in the console when browsing in the organizational tree in the Clients world or in other places where the organizational tree is displayed. CAUSE: The component in the console that displays the organizational tree is a 3rd party component integrated into the console. This component has a performance issue that causes long delays when trying to display a directory tree that has many OUs under the root level. In version 3.3, in order to improve performance, it has been configured for the console to automatically create "virtual containers", that each contain a certain amount of OUs. These containers are relevant for the display only and are not created in the domain controller of course. In this way, the loading time of the organizational tree decreases significantly. However, due to their manner of action the virtual containers prevent the display of the lower levels of the directory tree in trees with many levels. SOLUTION: It is possible to increase the amount of OU the virtual container contains, thus virtually disabling the function of virtual containers. This is done by modifying the consoleconfig.xml file. Note that if multiple consoles are used (remote consoles), the modification should be performed for each and every console.
Chapter: Safend Protector Management Server
1. Close the console and kill the W3WP process. In case multiple instances of the process exist, kill all of them. 2. Go to C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole, open the consoleconfig.xml file for editing. 3. Search the following item:- 200
4. Change the value of "200" to a very large number, such as "100000". 5. Save the consoleconfig.xml and exit. 6. Open the console and check if the lower levels of the organizational tree are displayed now.
33 | P a g e
4.4.8. Suspension password identified as wrong when entered to the client SYMPTOM: The one time suspension password (OTP) generated from the console in order to suspend the client's action is identified as a wrong password when entered in the Client's GUI. SOLUTION: The steps below should be followed in order to identify and solve the source of this issue: 1. If the password was typed and not copied: Make sure it was entered in uppercase and not in lower case, since the suspension passwords are always in uppercase. 2. If this password was entered in lowercase twice or more in the specific client: The password in question and no other new password generated will be applied since the suspension mechanism was locked. In order to release the suspension mechanism, the OTP pool should be regenerated (InitOTP). This is done when running the following command in the client machine: sc control SafendPS 228 As an alternative to this command, in version 3.3 the OTP pool can be regenerated from the console using a WMI command from the clients world, by right-clicking the client/s and choosing "InitOTP". Please refer to "KB00000123 - Forceful Initialization of OTP (InitOTP)" for further information regarding the OTP pool initialization process. 3. If this password was always entered in uppercase in the specific client:
b. If regenerating the OTP pool didn't help, make sure the client can browse to the OTPWebService page in the SafendProtectorWS website. The address of the OTPWebService page is: https://[ServerName]/SafendProtectorWS/OTPWebService.cs.asmx A successful browsing will result in an approval page (since connection is made thru SSL). c. If The client can browse successfully to the OTPWebService page, examine and escalate the OTPWebService server log and activate an .etl while performing the command: sc control SafendPS 228
Chapter: Safend Protector Management Server
a. It is possible the OTP pool was exhausted. In order to regenerate it, use the following command: sc control SafendPS 228 As an alternative to this command, in version 3.3 the OTP pool can be regenerated from the console using a WMI command from the clients world, by right-clicking the client/s and choosing "InitOTP". Please refer to "KB00000123 - Forceful Initialization of OTP (InitOTP)" for further information regarding the OTP pool initialization process.
34 | P a g e
4.4.9. Using the HW fingerprint tool when changing server's hardware NEED: Sometimes a change to the server hardware needs to be performed. This solution also applies when changing a VM workstation. PROBLEM: Every hardware has a unique fingerprint that Safend uses for certification. When you change the server’s machine hardware, the HW fingerprint is automatically changed. The contradiction between the HW fingerprint that is stored in the Safend server configuration and the machine’s new fingerprint cause a collision that prevents the server from running. SOLUTION: After changing the hardware one should perform the following steps: • If running, stop the server’s services in the following order: Broadcast, Local and Domain. • Run the attached Hardware Fingerprint Tool (after renaming the file’s extension back to zip) in order to reset the license. • When running the HW Tool, if a message window pops up regarding an invalid key, click “no" to return to defaults, and send the new fingerprint to Safend support. • Restart the services: Broadcast, Local and Domain. • If running, kill the IIS processes: w3wp. • Reopen Safend Protector Console.
4.4.10. Time format conflict in the DB
SYMPTOM In 3.2, MS SQL environment, when trying to change a global policy settings an error message appears regarding regional time/date format. The problem also appears while trying to save a policy. While trying to enter the logging tab in the policy world the console crushes followed by an "internal error message" CAUSE One of the definitions of regional settings is different in either the console machine, server machine or MS-SQL machine. The server doesn't know how to handle different date/time formats (the problem is fixed in 3.3). SOLUTION
Chapter: Safend Protector Management Server
*note - this KB article contains changes to be done with DLL files which are part of the Safend system, applying this article incorrectly may cause the server to be dysfunctional. If you are unsure of how to do it, please contact Safend support
35 | P a g e This issue is resolved in version 3.3 and above. Also, if 3.2 GA3is used, a resolution is possible by replacing of one of the dll file. Follow these instructions:
1. When installing a new server, use GA3 installation, following the install you will need to replace the Admin.Utils.GeneralUtils.dll with the new one we gave you. 2. The dll should be replaced as follows: a. Stop the Safend services. (stopping the Safend broadcast service will stop the domain and the local as well) b. Copy the “Admin.Utils.GeneralUtils.dll” to < Safend\Safend Protector\Management Server\bin > this will overwrite the existing dll file. c. Then copy this dll file to the management console installation folders on every running console on the system ( on the web session we have only replaced the dll on the local console on the server machine) the dll should be replaced on the console installation folder as follows : - Copy the dll to < \Safend\Safend Protector\Management Console > this will overwrite the existing dll. - Copy the dll to < \Safend\Safend Protector\Management Console\ManagementConsole > this will overwrite the existing dll. d. open the command line window and go to the server bin path. e. run the following command: " SPAdmin /updateconfig /getfile globalPolicyBody <pathToFile>" (The getfile command retrieves the value of the globalPolicyBody item in the serverconfig DB table) Note: The item name is case sensitive so please Pay attention when running the command. f. A file is created with the name "temp.xml", open it and look for the problematic string -look for the word “false” and then change the problematic separators to " : " separators). Save the file g. Run the following command: " SPAdmin /updateconfig /setfile globalPolicyBody <pathToFile>" (The setfile command stores the file contents in the globalPolicyBody item in the serverconfig DB table). h. Stop Safend services, kill W3Wp processes. i. Replace the dll files in the management console and console updater. j. Turn on Safend Services
In order to replace the Admin.Utils.GeneralUtils.dll in the management console install package please perform the following: 1. Under < \Safend\Safend Protector\Management Server\consoleUpdater > you will find the console.zip file which includes the actual console install files which are use upon the console installation. 2.Extract console.zip folder to any destination. 3. After extracting console.zip please copy Admin.Utils.GeneralUtils.dll to the extracted folder. this will overwrite the existing Admin.Utils.GeneralUtils.dll. 4. Compress the extracted console folder which includes the new dll and name it console.zip. 5. Copy console.zip to < \Safend\Safend Protector\Management Server\consoleUpdater > and overwrite the existing console.zip before the change of the .dll. e. After performing all the replacements of the dll, please start the Safend server services again (start the broadcast, then the local and finally the domain service), then kill the w3wp process and then start the console. 3. Please note that this issue will only happen when there is a difference between the regional settings of at least one of the console machines or the server, and not on every environment. This fix is included in version 3.3. 4. in addition for fixing the problem after it happens using the SPAdmin tool: a. open the command line window and go to the server bin path. b. run the following command: " SPAdmin /updateconfig /getfile globalPolicyBody <pathToFile>" (The getfile command retrieves the value of the globalPolicyBody item in the serverconfig DB table) Note: The item name is
Chapter: Safend Protector Management Server
Once the change for existing components is it required to be done in the installation package so new consoles will also include this change.
36 | P a g e case sensitive so please Pay attention when running the command. c. A file is created with the name "temp.xml", open it and look for the problematic string -look for false and then change the problematic separators to " : " separators). Save the file d. Run the following command: " SPAdmin /updateconfig /setfile globalPolicyBody <pathToFile>" (The setfile command stores the file contents in the globalPolicyBody item in the serverconfig DB table). e. Stop Safend services, kill W3Wp processes. f. Replace the dll files in the management console and console updater. h. Turn on Safend Services
4.4.11. Upgrade Path from Safend Protector 2.0 to 3.3 NEED: At some customer site, version 2.0 of the Safend Protector is installed, and an upgrade path to version 3.3 is needed. RESOLUTION: No direct upgrade path is available from 2.0 to 3.2. The current options for moving from version 2.0 to 3.3 are: a) Uninstalling version 2.0 (Management Tools and Clients) and installing version 3.3 b) Upgrading version 2.0 to version 3.1 (Server and Clients), and then upgrading version 3.1 to 3.3 To upgrade your Safend Protector from V2.0 to V3.1 1. Export your current V2.0 policies manually using the Policy Builder. 2. Place the Safend Protector V2.0 datasource.smc file in the same folder in which the ManagementServer.msi file is (This is the temporary folder into which the Self Extractor opens the installation files - C:\Temp). The .smc file is placed in the System Configuration folder that you created while installing your first Management Tools in V2.0.
4. Edit the exported .spl file, and go to: ProtectorPolicy -> Body -> uiPolicy -> Security -> restrictedPorts -> deviceApproval -> detailedPolicy -> deviceTypes Add the value: <deviceType name="KeyLoggers" security="Allow" activityLogging="Log" /> At the bottom of the list. 5. Import the policies that you exported manually into Safend Protector Management Console. . 6. Upgrade the Safend Clients to version 3.1.
Chapter: Safend Protector Management Server
3. Install the Safend Protector Management Server.
37 | P a g e
4.4.12. Reducing the Logs Trace Level for the Safend Server NEED: By default the Safend Protector Server logs are set to DEBUG level, for writing every Server action, in order to have the most detailed logging for any investigation needed. In most environments, this level of logging is not necessary, and should be changed in order to reduce the server resources needed for Log writing. SOLUTION: To Reduce the Logs detail level, open serverconfig.xml for editing (the file is located at \Program Files\Safend\Safend Protector\Management Server\). For each of the Server services (domainservice, broadcastservice, localService, managementServer, eventSinkWebService, otpWebService, consoleUpdaterSite, consoleUpdaterManifestsGenerator) edit the "TraceLevel" item. By default it is set to "Debug". the values for this item are: 1) Debug - full logging for each event. 2) Warning - logging for Warnings and above. 3) Error - logging for Errors only. By setting the TraceLevel to Error, the least logging will take place, and reduce load on the Server resources.
4.4.13. Alerts on client installation are not received in version 3.3 SP1 Note: This solution should be done only with collaboration with Safend support.
Alerts on client installation are not received in version 3.3 SP1. The logs for the client installation are received though. This happens even after performing the proper procedure of generating this type of alerts - defining that this type of event should generate an alert under Tools --> Global Policy Settings --> Alerts, then recreating the .scc file and using it to install / upgrade clients. CAUSE: Generally, the .scc file contains the global policy settings that exist when the file is being generated; consequently, these settings will be included in the initial policy a client receives. In 3.3 SP1, the definition of alert on client installation events doesn't get into the .scc file, and so the initial policy doesn't contain this definition and the alerts are not generated. SOLUTION: In 3.3 SP1, a number of files are to be replaced on the server and on the console(s) in order to make the .scc file receive the client installation definition from the global policy settings: Extract the attached RAR to a temporary folder. The RAR file contains two folders – Management Console (contains
Chapter: Safend Protector Management Server
SYMPTOM:
38 | P a g e one DLL file) and Management Server (contains a few DLL file). Replacing the DLLs for the server, local console and future remote consoles: -------------------------------------------------------------------------------------------------------1. In the server machine, close the console and stop the 2 Safend services – Domain service, Local service. 2. Copy the DLLs from the Management Server folder in the temporary folder, to the folder C:\Program Files\Safend\Safend Protector\Management Server\bin. Replace all existing files. 3. Copy the DLL from the Management Console folder in the temporary folder, to the folder C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole. Replace the existing file. 4. Copy the DLL from the Management Console folder in the temporary folder to the following zip: C:\Program Files\Safend\Safend Protector\Management Server\consoleUpdater\console.zip, replacing the existing file inside the zip. This will enable future remote consoles to be installed with the modified DLL, without the need to apply it to them. 5. Restart the Safend services – Local service, Domain service. 6. Kill the W3WP process. In case multiple instances of it exist, kill all of them. Replacing the DLLs for existing remote consoles, in case you use such: ------------------------------------------------------------------------------------------------1. In the console machine, close the console. 2. Copy the DLL from the Management Console folder in the temporary folder, to the folder C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole. Replace the existing file.
4.4.14. Restoring a server with Content Inspection fails PROBLEM: Restoring a server with Content Inspection fails NEED:
The installation throws an exception saying: "fail to validate config backup file: system.xml.xmlexception – the xml declaration is unexpected. Line 86, position 7" This is caused by a wrong line in the XML file SOLUTION: Rename the .SCB file to .ZIP file Extract it Open serverconfig.xml file for editing Go to the line that say
Chapter: Safend Protector Management Server
User wants to restore his server from a backed up configuration (SCB file)
39 | P a g e Replace these two lines with Compress the files back to a zip (don't compress its folder - only the files) Rename the zip file back to .scb Restore the server
4.4.15. Disabling IIS Logs (to prevent accumulation of large log files) NEED: On the Safend Protector Server machine, the IIS component records every action/connection in log files. Theses log files may accumulate and get very large in size. After the initial installation and configuration of the Safend Protector, it is recommended to disable the IIS Logs, in order to avoid unnecessary strain on the server machine. SOLUTION: In order to disable the Safend Protector Web Site in the IIS from recording IIS logs, please do the following: 1) Go to the IIS snap in 2) Go into Web Sites, and right click the Safend Protector Web Site. 3) Choose Properties, and go to the Web Site tab. 4) uncheck "Enable Logging".
4.4.16. Role Based access does not function SYMPTOM: Upon linking different roles with AD User Group, cannot login to the Safend Management Console using a User from the said User Group. CAUSE:
RESOLUTION: Add the appropriate User Group to the Logon Locally list on the Safend Management Server machine, either in a domain policy or in the Local policy: Local Policy 1) Run gpedit.msc 2) Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment 3) under Log On Locally, add the appropriate user group to the list. Domain Policy 1) Open a domain Group Policy for editing 2) Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights
Chapter: Safend Protector Management Server
The user Group linked with a defined Safend Management Console Role, does not have Local Logon access to the Server machine.
40 | P a g e Assignment 3) under Log On Locally, add the appropriate user group to the list.
4.4.17. When changing the server certificate to an organizational certificate, logs are not sent SYMPTOM: When changing the server certificate from Safend's default certificate (created during the installation of the server) to an organization's specific certificate, policies can be updated for the clients but logs aren't sent from them. This is seen in 3.2 and 3.3 clients. CAUSE: When publishing a policy, a derivative of the certificate called the certificate self-signer is being sent to the client. A response based on the self-signer is sent back to the server when sending logs. When replacing the default Safend certificate with an organization's specific certificate, the self-signer of the Safend certificate is still being sent to the client when publishing a policy, which causes a faulty reply when the client attempti to send logs, and thus, prohibits sending the logs - the clients' reply is based on the Safend certificate, while this certificate is no longer in power due to its replacement. Note that policies are updated successfully for the clients since there is no use in the self-signer in this process (it is only "attached" to the policy). SOLUTION:
Note: There are additional KBs describing the replacement of the Backend.Server.dll for different purposes. Be advised that the Safend R&D team should be consulted if more than one of the issues fixed by this replacement are manifested in the same server, since one replacement will cancel the other.
Chapter: Safend Protector Management Server
This issue can be solved in version 3.3 only. This is done by replacing a DLL file on the server side will cause the new, relevant self-signer to be sent to the clients. In case there is a server cluster (possible in version 3.3 and above), the replacement should take place in every server of the cluster. 1. Stop Safend services – Domain, Local, Broadcast if 3.2 in used. Leave the DB service running. 2. Go to C:\Program Files\Safend\Safend Protector\Management Server\bin 3. Replace the existing backend.server.dll with a modified copy of it. Attached to the solution is the modified backend.Server.dll for version 3.3 build 30270; for any other 3.3 build, the .dll file will have to be modified by the R&D team.
41 | P a g e
4.4.18. Changing source name when sending Safend alerts to the Event Viewer Note: This article contains information on how to change Safend configuration files and is intended for advanced users. if you feel uncomfortable with changing these advances settings, please consult with Safend support or your local Safend distributer. NEED: When configuring Safend Protector Alerts to be sent to an "Event Viewer" alert destination, all alerts are stored under the application source. This can be hard to manage since other applications may also write events under the application source, making it hard to isolate the Safend Protector events. You may change the default "Application" source name to a unique name such as Safend by following the steps below. RESOLUTION: If you desire to change the source name to a unique name (easier when wanting to sort or filter out Safend logs only), you may change 2 small parameters in the Safend Server configuration file - "\Program Files\Safend\Safend Protector\Management Server\serverconfig.xml". Look for the following text: eventLogSource="Application". It should appear twice - once for the "Server Alert Action Dispatcher" and once for the "Client Alert Action Dispatcher". Both need to be changed to your desired source name so that all types of logs will be stored using the same source. Example: eventLogSource="SafendAlerts" All alerts which are forwarded to a machine's event viewer by the Safend Protector Server, will be stored under the manually configured source name.
4.4.19. IIS diagnostics tool
In some cases, the IIS service on the Server machine may experience problems that cause the Safend Protector Management Server to become dysfunctional. In these cases, the problems must be identified and resolved appropriately. SOLUTION: IIS problems may be diagnosed with the IIS Diagnostics Toolkit, available for dowload at: http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa73c9156706e7&displaylang=en One of the tests that can be performed with it is the Server Permissions test in the Auth Diagnostics 1.0 component. This test displays the permissions required for the server, and whether the server has them. Additional IIS diagnostic tools can be found at:
Chapter: Safend Protector Management Server
NEED:
42 | P a g e http://www.iis-resources.com/modules/mydownloads/viewcat.php?cid=15 http://www.iistoolshed.com/tools.aspx
4.4.20. User Permissions for the Safend Server QUESTION: What are the permissions needed for the user account that is used by the Safend Protector Management Server? ANSWER: The user account used by the Safend Server should either be a domain administrator or have the following permissions: a) Member of the "Group Policy Creator Owner" group in the AD b) Have DCOM Remote Launch, Remote Activation and Remote Access permissions on all machines. This can be set through a GPO. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options: add the user to lists on both: DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax and DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax. and apply the policy on all machines with the Safend Client.
4.4.21. Unable to publish a policy and a specific error appears in the Domain Service log
Receiving an error when trying to publish a policy (in all methods). In the DomainService log the following error will appear: [2008-02-19 08:00:50.047800] [Warning] [PolicyPublisher4] [ASB-PDC\sv-SafendAdmin] - Mandatory publish sink TranslationSink failed: Safend.Protector.Admin.Utils.Exceptions.OperationAbortedException - The parameter is incorrect. at Safend.Protector.Policy.Interop.ServerPolicyFormatterClass.AddSecurityCategory(Int32 securityConfigIndex, Int32 portIndex, String categoryName, Int32 categoryType, Int32& categoryIndex) [2008-02-19 08:00:50.047800] [Error] [PolicyPublisher4] [ASB-PDC\sv-SafendAdmin] - 1 errors occurred while publishing policy 5 revision 44 (Safend - Allow All + Default Logging (90 minutes)) In addition, this issue occurs only with version 3.1 and 3.2. The fix was added to 3.3. CAUSE:
Chapter: Safend Protector Management Server
SYMPTOM:
43 | P a g e Sometimes a name that is given to a group in the White-list tab shows up in the Base Policy and therefore an error occurs. SOLUTION:
Chapter: Safend Protector Management Server
In order to resolve this issue please change the name of the problematic group in the White-List.
44 | P a g e
5. Safend DB 5.1. Safend Protector Client Support Solutions 5.1.1. Policy not applied due to the small size of the DB column "Groups" SYMPTOM: In version 3.2, machine or user policy does not apply or applies only after restart. In the Policywebservice log, the following error message appears: "String or binary data would be truncated" CAUSE: The size of the DB column called "Group", existing in the 2 DB tables called "User" and "Computers", is set to 255 characters only in version 3.2. If the user/s or machine/s is a member of AD groups which their overall names is composed of over 255 characters, the policy would be truncated and therefore not applied. SOLUTION: Increasing the "Groups" column size in both of the tables in the DB is required.
Chapter: Safend DB
If using an external MsSQL DB (should be performed by the DBA): ---------------------------------------------------------------------------------------1. Close the console, stop the Safend services - Domain, Local and Broadcast. 2. Open the SQL Enterprise Manager / Query Studio on the SQL Server machine. 3. Go to Databases and to the SafendProtector database. 4. Open Tables, and view the list of the different tables in the SafendProtector DB. 5. Right click the "Computers" table, choose Design Table. 6. Go to the "Groups" Column, check the length value and set it to MAX. 7. Save the changes. 8. Repeat the above steps with the "Users" table in the DB. 9. Restart the Safend Services - Broadcast, Local, Domain. Follwing this, run the command IISRESET from start/run or from cmd. 11. Open the console, go to the Clients world. In the tools icon next to the Organizational Tree view, click "Sync Tree with Directory". 12. Try publishing and updating the policy with a user or a machine to verify the policy is updated.
45 | P a g e
5.1.2. Restoring missing MySQL index files Note: *This solution includes modification of the MySQL database, which might render the server useless. Please use this solution with care. NEED: MyISAM is the default storage engine for the MySQL relational database management system, the DB used by Safend as an internal DB. Each MyISAM table is stored on the disk in three files. The files have names that begin with the table name and have an extension to indicate the file type. MySQL uses a .frm file to store the definition and structure of the table, but this file is not a part of the MyISAM engine, rather a part of the server. The data file has a .MYD (MYData) extension. The index file has a .MYI (MYIndex) extension. An example for a MyISAM table in the Safend Protector MySQL DB is the Computers table, which is stored in the file computers.MYD and has an index file by the name of computers.MYI (and also, a .frm file called computer.frm). The MYI (and MYD & frm) files are stored in the following folder: C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector SYMPTOM AND CAUSE: In some occasions, an MYI file/s may become missing due to an unintentional deletion by the user. This can happen only when the DB service is stopped since the DB service locks the MYI files. Although tempering with the Safend installation folder, and especially with the DB folder, might render a Safend server damaged beyond repair and is not officially supported, in many cases a missing MYI can be restored. 1. A missing MYI file can prevent the console from being launched or disrupt the function of the Logs world in such a fashion that queries cannot be used. 2. In the Managementserver log, the following error appears: [Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager1] [PC120001XP\ASPNET] - Failed to obtain license information: Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Can't find file: 'computers.MYI' (errno: 2) In this error message, the missing MYI file's name is displayed. In the above example, the missing MYI file is the computers.MYI. 3. In the folder C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector, the MYI file that appeared in the error above will not be present. In case the MYI file is present, it is probably corrupted; in this case, please refer to KB00000230 - Repairing corrupted MySQL index files
The safest way to restore a missing MYI file would be to revert to a recent image or snapshot of the machine. If this is not possible, described below is a procedure that recreates the index into an MYI file copied from a different Safend server of the same version and build number. This procedure is composed of a part performed in the customer's environment and a part performed in Safend. 1. Preparations at the customer's server: a. Stop the Safend services in the following order – Domain, Local, Broadcast if version 3.2 is used, DB.
Chapter: Safend DB
SOLUTION:
46 | P a g e b. Kill the W3WP process. In case there are multiple instances of the process, kill all of them. c. It is recommended to save an image or a snap-shot of the server machine. If this not possible, backup the entire folder of C:\Program Files\Safend\Safend Protector\Management Server\database\data by copying it to a different location. d. Send to [email protected] the MYD and frm files that correlate with the missing MYI file; for example, if in the computer.MYI file is missing, the computers.MYD and computers.frm files should be sent. 2. Recreating the index at Safend: a. Set-up a Safend server of the same version and build number, stop its services including the DB service. b. Create a temporary folder in the server machine and copy the MYI file in question to the temporary folder from the folder C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector in the server you've just set-up. c. Copy the MYD and frm files sent from the customer to the temporary folder. d. Enter the following in cmd: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r -q "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of the missing MYI file. Note the only the "-r -q" should be used. The -r switch must not be used alone, and no other repair switches (such as --safe-recover) should be used as well. This is because only "-r -q" doesn't touch the MYD file, which is essential in this case. If the repair succeeded, all 3 files (MYI, MYD and frm) should be sent back to the customer. If the repair failed, consult with the R&D team. Be advised that It is likely that the MYI cannot be recreated and the entire Safend server should be re-installed. 3. Returning to working state at the customer's server: a. Replace the MYI, MYD and frm file in question with the ones sent by Safend. b. Restart the Safend services in the following order – DB, Broadcast if version 3.2 is used, Local, Domain. c. Open the console and check that the policies have the right associations and the logs can be seen.
5.1.3. Repairing corrupted MySQL index files Note: *This solution includes modification of the MySQL database, which might render the server useless. Please use this solution with care.
MyISAM is the default storage engine for the MySQL relational database management system, the DB used by Safend as an internal DB. Each MyISAM table is stored on the disk in three files. The files have names that begin with the table name and have an extension to indicate the file type. MySQL uses a .frm file to store the definition and structure of the table, but this file is not a part of the MyISAM engine, rather a part of the server. The data file has a .MYD (MYData) extension. The index file has a .MYI (MYIndex) extension. An example for a MyISAM table in the Safend Protector MySQL DB is the Computers table, which is stored in the file computers.MYD and has an index file by the name of computers.MYI (and also, a .frm file called computer.frm). The MYI (and MYD & frm) files are stored in the following folder: C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector SYMPTOM AND CAUSE:
Chapter: Safend DB
NEED:
47 | P a g e
In some occasions, an MYI file/s may become corrupted during the regular operation of the MySQL DB. This usually prevents the console from being launched. There are various manifestations of this issue, some are in the server logs and some are in the Windows Event Viewer: 1. Example #1 – The following error appears in the Managementserver log: [Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager2] [NT AUTHORITY\NETWORK SERVICE] - Failed to obtain license information: Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Got error 127 from storage engine 2. Example #2 – The following error event appears in the Windows Event Viewer. Usually, this event error appears alongside the error in the Managementserver log seen in example #1. Event Type: Error Event Source: MySQL Event Category: None Event ID: 100 Date: 8/19/2008 Time: 7:51:33 AM User: N/A Computer: OCINSAPP01 Description: d:\program files\safend\safend protector\Management Server\database\bin\mysqld-nt.exe: Can't open file: 'clientevents.MYI' (errno: 145) 3. Example #3 – The following error appears in the Managementserver log: [Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager1] [PC120001XP\ASPNET] - Failed to obtain license information: Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Can't find file: 'computers.MYI' (errno: 2) Note that from example #1 alone you cannot tell which MYI file is problematic and thus preventing the console from opening, but in example #2 and #3 the problematic MYI is known (in the above example #2 and #3, the problematic MYIs are clientevents.MYI and computers.MYI, respectively). Also, note that the error message in example #3 may appear as well when an MYI file is missing. Restoring a missing MYI file/s is described in KB00000231 - Restoring missing MySQL index files
The guideline in regards with repairing corrupted MYI files is that the data (MYD) should not be touched if possible. 1. Preparations: a. Stop the Safend services in the following order – Domain, Local, Broadcast b. Kill the W3WP process. In case there are multiple instances of the process, kill all of them. if version 3.2 is used. Leave the DB service running. c. Backup the entire folder of C:\Program Files\Safend\Safend Protector\Management Server\database\data by copying it to a different location. Also, you may want to save an image or a snap-shot of the server machine. 2. Identifying the corrupted MYI: The first goal is to determine which MYI file is corrupted. Usually, only one MYI file gets corrupted at a time, but theoretically, multiple MYI files can simultaneously exist as corrupted. The simplest way to determine which MYI is corrupted is by checking the Event Viewer or the Managementserver
Chapter: Safend DB
SOLUTION:
48 | P a g e log, as seen in examples #2 and #3. In case no indication appears, as seen in example #1, use the myisamchk utility to check the integrity of all of the MYI file. In cmd, enter the following: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of a MYI file. Repeat this action for all of the MYI files. Attached to the solution is an example of the myisamchk's output when the MYI file is valid, and when the MYI is corrupted. 3. Repairing the corrupted MYI: The procedure described below can be performed on the server machine, or in Safend once a customer sends the MYI, MYD and frm files in question. If handled in Safend, the 3 files should be put in a temporary folder on a server machine with the same version and build number of server as at the customer's.. After identifying the corrupted MYI, use the myisamchk utility in cmd to repair it. a. Firstly, try to use the -r -q switches. This attempts to repair the index file without touching the data file. If the MYD file contains everything that it should and the delete links point at the correct locations within the MYD file, this should work, and the MYI is fixed. The complete command should be: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r -q "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of the corrupted MYI file. If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), continue to the next section. b. Try to use the –r switch alone. This removes incorrect rows and deleted rows from the data file and reconstructs the index file. The complete command should be: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of the corrupted MYI file. If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), continue to the next section. c. Try to use the --safe-recover switch. Safe recovery mode uses an old recovery method that handles a few cases that regular recovery mode does not, but is slower. The complete command should be:
Where "tablename" should be replaced with the name of the corrupted MYI file. If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), continue to the next section. d. Try to use the -f switch. The -f switch forces the indexing by overwriting old temporary files and includes touching the data.
Chapter: Safend DB
"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" --safe-recover "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"
49 | P a g e The complete command should be: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" --safe-recover "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of the corrupted MYI file. If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), please refer to Stages 3 and 4 in the following MySQL article, and also consult with the R&D team: http://dev.mysql.com/doc/refman/5.0/en/repair.html/url 4. Returning to working state: Start the Safend processes in the following order – Broadcast if version 3.2 is used, Local, Domain.
5.1.4. Changing external DB user, password and authentication method (domain) while connected to Protector QUESTION: Is it possible to change the external DB user and password or to change the authentication method (SQL/Windows) while it is connected to the Protector? ANSWER: There is no problems when changing credentials (user/domain/password) but it should be done the right way and while the Safend services are suspended. SPAdmin utility cannot change more than one parameter simultaneously which means that it should be executed few times - one for each parameter. For example changing username and password to Administrator and Apple1 accordingly should be done like this: 1. SPAdmin.exe -dbinfoview dbinfo.xml username=Administrator 2. SPAdmin.exe -dbinfoview dbinfo.xml password= Apple1 If required, domain may be changed also the same way. There is no problem substituting domain user with SQL user (or vice-versa). In order to do so just specify empty domain name: SPAdmin.exe /dbinfoview dbinfo.xml domain=
5.1.5. Replacing the DB which is used by Safend Protector Management Server
SYMPTUM:
Chapter: Safend DB
NOTE: Password must be always the last parameter to change since when specifying the new password SPadmin tries to connect to DB using existing user name and domain (specified in DBinfo.xml) and the new password.
50 | P a g e
In some cases, replacing the DB which is used by Safend Protector Management Server is needed. SOLUTION: In order to replace an existing DB used by Safend Protector Management Server to another, please perform the following steps: 1. Backup the encryption keys files and configuration files through the Maintenance Tab in the Administration Window. 2. Uninstall the Safend Protector Management Server. 3. Reinstall the Safend Protector Management Server by performing the following: o Please pay attention to choose the Restore mode for restoring Server installations while maintaining previous configuration (as seen in the attachment). o When installing the server using this mode you should choose to use the Safend Protector backup files (as seen in the attachment). o Afterwards, you should choose what database you would like to use – an embedded database on the same machine or an external existing MSSQL database (as seen in the attachment). Following this window continue with the installation.
5.1.6. When using MsSQL DB User cannot save policies, run queries, change settings or logs are not saved. PROBLEM: User cannot save policies, run queries, change settings or logs are not saved. CAUSE: The minimum required level of permissions to run and maintain the Safend protector server is 'DB owner' SOLUTION: Security level can be checked on security --> logins
5.1.7. When using MsSQL DB User cannot connect to the server PROBLEM: User cannot connect to the server SOLUTION:
1. Check that the user has the proper permissions to perform the actions he is trying to do (the minimum required permissions are DB owner) 2. Check connectivity to the server by using the PING utility 3. Telnet the SQL port (TCP 1433) to see if the server is listening both IP and computer name| 4. Install 'SQL client tools' on the Safend Server 4.a. Create a text file and rename its extension to .UDL
Chapter: Safend DB
This can be caused by lake lack of connectivity or lack of proper permissions,
51 | P a g e 4.b. Open it with 'Microsoft old provider for MsSql server' 4.c. Enter the correct user name and password 4.d. Connect to the Safend protector DB 4.e. Server Errors can be found at management a SQL server logs à current
5.1.8. When using MsSQL DB the installation cannot create the DB PROBLEM: During installation the installer cannot create the DB. followed by an error message relating to insufficient permissions of the user used to connect to the DB with CAUSE: The Minimum required level of permissions to install Safend protector is 'DB creator' SOLUTION: Security level can be checked on security --> logins
5.1.9. When using MsSQL DB performing DB related actions causes console freeze. PROBLEM: When performing DB related actions the console freezes. CAUSE: This can be related to certain objects "locking" other objects SOLUTION: On Query analyzer / query studio (installed with the SQL server), run the command 'SP_WHOZ', objects marked with red mark are "locked" if these object persist to be locked they need to be "killed". To kill a Process, run 'Kill [object name]' You may also run a more detailed query: Select * from master sysprocesses where blocked <> 0 or SPID in (select * from master)
Chapter:
Note: this solution should be performed by the Customer's DBA
52 | P a g e
6. Safend Protector Management Console 6.1. Support logs -
Safend Protector Management Console Logging
-
When investigating issues with the Safend Protector Management Console, the logs provide valuable information.
-
There are 2 trace logs for the Management Console:
Console Updater log – \Program Files\Safend\Safend Protector\Management Console\log Management Console log – \Program Files\Safend\Safend Protector\Management Console\Management Console\log
6.2. Troubleshooting Guidelines When investigating an issue concerning the Safend Protector Management Console, most issues fall under the following categories:
Safend Protector Management Console fails to open.
Safend Protector Management Console fails to perform remote client commands. Safend Protector Management Console general errors and exceptions
-
Safend Protector Management Console Fails to Open
-
When the Management Console fails to open, the following must be verified:
Are the Safend Server services running?
Is the Management Console trying to communicate using the correct SSL port? (the correct port can be found in the IIS web sites safend protector web site properties ssl port)
Can the Safend Server machine be contacted from the console machine (Ping, Telnet)?
Is the Management Console on the same machine as the server? If not, Does the local Management Console, on the Safend Server machine, start successfully?
Can the Management Console machine browse to the Safend Server machine using the https protocol? Management Console Install site: https://[servername]:4443/SafendProtector/consoleinstall.aspx Change the [servername] to the real server name 4443 is the default port.
Chapter: Safend Protector Management Console
-
53 | P a g e
-
Safend Protector Management Console Fails to Perform Remote Client Commands
-
When the Management Console fails to perform remote commands, the following WMI configurations should be examined:
Is the WMI service enabled and started on both the Safend Server and Client machine
Can the Safend Server contact the Safend Client machine by its FQDN?
Verify that the RDP ports are open.
Does the Server User have sufficient privileges on the Target machine? i.e., permission to perform WMI commands.
Use wmimgmt.msc to verify WMI valid communication.
-
Safend Protector Management Console General Errors and Exceptions
-
If the Management Console experiences any error or exception during work, the following should be examined:
Does the issue reproduce after a reboot?
Were there any configuration changes applied to the Server/Console machine? Are there any errors in the event viewer logs? What are the exact steps that caused the issue to occur?
Chapter: Safend Protector Management Console
What is the exact error message?
54 | P a g e
6.3. Safend Protector Management Console Solutions
6.3.1. When trying to log-in to the console, the error message "user is not in the authorized user group" appears SYMPTOM: When launching the console, entering the credentials and trying to log-in, the log-in fails with the error message "user is not in the authorized user group". CAUSE: There are 2 possible causes for this issue: 1. The user that one is trying to log-in to the console with is not in the AD User Group / local machine user group that is authorized to use the console. By default, this group is the BUILTIN\Administrators group. Note that this group may differ according to the settings in the Users Management menu under Tools -> Administration -> General. 2. The IIS service was uninstalled and re-installed, after the Safend server had been installed. This causes the deletion of the Safend websites from the original server install. SOLUTION: There are 2 solutions for this, respective to the cause: 1. In AD / the local machine, add the user to the User Group that is authorized to use the console. 2. Re-install the Safend server. You may want to use the Restore installation option, using the backed-up keys and settings, in order to have the new server communicating with the existing clients and to preserve the policies and other settings. Please review the Installation Guide before uninstalling and re-installing the server.
NEED: Sometimes, one needs to be able to login to the console without entering the password on each time launching it. This is usually needed when log-on to Windows is performed using a smart card (usually it is set in AD - the “Smartcard Required" option is active) and not using a password; in this scenario, the users usually don't know the log-on password since they are using the smart card, and thus become unaware to the console's password as well. SOLUTION: One should try to launch the console as usual for the first time, and the login window can be closed (there's no need to enter the password). After this, the Single Sign On (SSO) capability can be used; this is set in the "Safend Protector Web Site" properties. See the exact steps to doing so in the attached document.
Chapter: Safend Protector Management Console
6.3.2. How to login to the console without entering the password each time
55 | P a g e
In order to have SSO enabled please do the following: Go to IIS management, right click on the SafendProtector website and go to directory security.
Chapter: Safend Protector Management Console
Click on Edit under Authentication and access control:
56 | P a g e
Uncheck the “Enable anonymous access” and check the “Integrated Windows authentication” radio buttons. Restart the safend protector website (or just restart all IIS) Close IIS management console In this stage you can delete the shortcut to Safend management console on the desktop and create a new one using these settings: Right click on the desktop and choose new shortcut
Chapter: Safend Protector Management Console
Click browse and go to program files\safend\Safend Protector\management console\management console\management console.exe
57 | P a g e Click ok and add the –no_login switch at the end of the path created so it will look like this: "D:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole\ManagementConsole.exe" -no_login make sure to replace the drive letter with the right one for the safend installation.
6.3.3. Cannot use WMI commands from 3.3 console if MsSQL installed with windows authentication SYMPTOM: When trying to perform a WMI command from a 3.3 console such as retrieve logs or update policy, and if the DB is an MS SQL installed with windows authentication, the command will not be performed and the following error message will appear: Notification failed – try later. Object reference not set to an instance of an object CAUSE: When trying to connect to the MS SQL DB using windows authentication, the impersonation process performed by the local service happens twice instead of once as it should. Connection with double impersonation is forbidden. SOLUTION:
6.3.4. Cannot open the console after upgrade to 3.3 or a fresh install, with an error message of access denied to reports folder SYMPTOM: After upgrading to 3.3 or after a 3.3 fresh installation, opening the console fails after entering the credentials, with the following error message: Application Execution Error Management Console failed to start ((Access to the path '[Server installation path\reports\f39121ddf95a-48c2-beed-9cefc9cc64d1' is denied)). Note that another PID may appear instead of f39121dd-f95a-48c2-beed-9cefc9cc64d1.
Chapter: Safend Protector Management Console
The file Admin.App.WebServer.dll should be replaced in the Safend server with a modified one. This will cause the impersonation process to happen only once, as it should. 1. Stop the Safend Local service. This will stop the domain service as well 2. Go to \Program Files\Safend\Safend Protector\Management Server\bin and backup the file Admin.App.WebServer.dll to another folder 3. Replace this DLL with the modified version. To this soultion, attached is the DLL that should be used with 3.3.30270 server version only. For any other server version and build, the DLL must be modified by the R&D team 4. From cmd, run the IISRESET command 5. Start the Local service and then start the Domain service
58 | P a g e This issue can occur right after the installation, but usually seen later (after a few hours or days). CAUSE: In the installation/upgrade process, a folder called "reports" is created in the management server folder. This folder stores a few files related to the Reporter. By default, the installation/upgrade grants a full control permission to "Everyone" for this folder. In certain environments, GPOs or other means can change the permission to this folder (as to any other folder in the machine) to something else, or simply deny "Everyone" from having full control over it. This might cause the user who is running Safend application pool (by default it is the "network service" user) to be inaccessible to this folder, and so the console cannot be opened. Since general GPO updates usually occur once every in a while , this issue is usually not experienced right after the installation but in a certain delay, hours or days later. SOLUTION: Granting full control over the reports folder to the user who is running the Safend application pool (by default it is the network service). To check which user is running the Safend application pool, go to My Computer > Manage > Internet Information Service > Application Pools >SafendProtectorAppPool > Properties > Identity.
6.3.5. When using role based permissions user can't publish policies PROBLEM: When using "Role Based Management", users from specific 'User Roles' roles receive an error message when trying to publish policies via the Safend Protector Policy Server. SOLUTION:
NEED: When using role based permissions user need to enable "policies" but disable other options.
6.3.6. When using role based permissions user can't associate polices PROBLEM: When using "Role Based Management", users from specific 'User Roles' roles receive an error message when trying to associate policies with organization objects via the Safend Protector Policy Server. SOLUTION:
Chapter: Safend Protector Management Console
This issue could be related to missing permissions for this specific Role. In order to publish policies , the "User Role" must have 'Read' permissions on the "Global Policy" tab.
59 | P a g e
This issue could be related to missing permissions for this specific Role. In order to associate policies with organization objects, the "User Role" must have 'Read' permissions on the "Clients" tab
6.3.7. Console cannot be opened due to Local and Domain Services fail with "System.Security.Cryptography.CryptographicException - Access is denied" in the logs SYMPTOM: In rare cases, on hardened machines, the local and domain services will fail to configure. This will cause the console to not to open. 1. The following error message is received: Application Execution Error Management Console failed to start (Access is denied) 2. A DCOM error in the Event viewer related to the user NT Authority\ Network Service will appear. 3. In the server logs, an error appears including the text: System.Security.Cryptography.CryptographicException - Access is denied CAUSE: The Network Service user cannot access the Cryptographic keys library in Windows.. SOLUTION: Grant Full Control privileges to the user Network Service for the following folder:
6.3.8. Enabling WMI commands via Safend Protector Safend Protector utilizes the, Windows Management Instrumentation (WMI) protocol for providing management capabilities over all Safend clients via the Safend server. This document covers the minimum requirements for enabling WMI communication between the Safend server and Safend clients. What is WMI and how does Safend Protector use it? Windows Management Instrumentation is a set of Window’s API’s in the Windows operating system that enables devices and systems in a network, typically enterprise networks, to be managed and controlled. The Safend Agent retrieves policies and sends logs to the server periodically over an SSL channel. However, the Safend administrator can enforce the client to send logs or update policies immediately, via the management console tab. These
Chapter: Safend Protector Management Console
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys
60 | P a g e commands are sent to the client via the WMI channel. Please note that when these commands are disabled it will not affect the Safend agent functionality. To learn more about the Windows Management Instrumentation (WMI) protocol, please visit the following link: http://msdn.microsoft.com/en-us/library/ms811553.aspx
1. The Safend domain Service account must have sufficient privileges over the WMI objects on the target machines. By default the built in Domain Admin group is part of the local admin group of any target machine in the network, thus Domain Admin group, most likely will have sufficient privileges over WMI objects on the target machines. If the Safend domain account is part of the Domain Admin group, all you will need to verify is that your domain admin group is indeed part of the local admin on the target machine. In cases where the Safend domain service account cannot be part of the domain admin group, you will need to add this user manually to the local Admin group on all the machines in the network you will want to manage, via the Safend Management console. There are several recommended methods for adding a domain user into a local group: 1. Using unrestricted groups for adding domain groups\users into local users, as described in the following Microsoft article : http://support.microsoft.com/kb/810076
Chapter: Safend Protector Management Console
What are the minimum requirements for using WMI with the Safend protector?
61 | P a g e
2. Writing a simple VB script that will add the desired user automatically into the Local admin group on the target machine using a startup script feature via GPO. In order to see an example of such a script, please refer to Appendix D below. 3. Using an existing group that was already added to the local admin group, such as an SMS management group. Note: To determine which account is being used by the Safend Domain service, please refer to Appendix A below. For further information on necessary WMI privileges required, please contact Safend support at [email protected] 2. The Server must be able to resolve the target machine FQDN name or its short host name. In cases where you cannot resolve the FQDN of the target machines (i.e. machine.domain.com) from the Safend server, but you can resolve the short host name (i.e. machine), you can configure the Safend server to work with a short host name in order to configure the server to work with short host name, please refer to Appendix B below. 3. Network firewalls or personal firewall such as Windows XP Personal firewall or any other personal firewall must enable WMI traffic from the Safend management server to the Safend management console. When sending WMI commands via Safend Management console, WMI must establish a DCOM connection from the Safend Server to the target machines. In order to enable DCOM traffic, the following ports need to be opened in addition to the SSL port (default 443) that must be enabled. Port 135
In cases where the Safend agent machine has installed on it a WinXP personal firewall, you will be able to use the procedure described in Appendix B, in order to allow WMI traffic easily, via GPO settings. In cases where there is a network firewall between the management server and the Safend clients you may want to use a fixed range of ports. For further information please visit the following link: http://msdn.microsoft.com/enus/library/ms809327.aspx 4. DCOM must be enabled on the server and clients. DCOM is enabled by default on any Microsoft Operating system. However, there are some security policies that may disable DCOM on Windows 2003 servers, thus it is wise to verify that DCOM is enabled on the server by performing the following: Run the following command : Start>run>dcomcnfg
Chapter: Safend Protector Management Console
Dynamically assigned ports, in the range of 1024 to 6535(typically in the range of 1024 to 1034).
62 | P a g e
Right click on My Computer and press Default Properties Make sure that the first check box is checked.
5. The Safend Wmi classes are registered properly on the target machine. By default the Safend agent registers all its WMI components. This setting is not changed unless during the installation you use MSI MST files to change the Product name from its original name “Safend Protector”.
Appendix A: How to determine which user is running the WMI commands via the Management Console In order to get the user account that the Safend Server is using, perform the following: 1. Log in to the Management Console. 2. On the menu choose Tools>Administration. 3. In the General section the Server Credentials will indicate which User is being used for the Safend domain service. 4. This account can be changed by pressing the Change button.
Chapter: Safend Protector Management Console
Note: Changing the Product Name is not supported, so WMI commands will not work.
63 | P a g e
Appendix B: Working with a short host name when a FQDN cannot be resolved from the Safend Server In order to configure the Safend server to work with a short host name, please perform the following: For version 3.3 and above: 1. Stop the following Safend Services Safend Local Service
Note: Safend DB service will not be present when working with an external DB. The Safend domain service is set to start manually, so it may not be running. 2. Edit the following info Edit with Notepad the following xml file: C:\Program Files\Safend\Safend Protector\Management Server\serverconfig.xml search the entry below and verify that the value is True, in case the value is false, change its value from False to True. (note the capital ‘T’)- True
3. Reset the IIS by running the command iisreset via the command line.
Chapter: Safend Protector Management Console
Safend DB
64 | P a g e
For version 3.2 and below: 1. Stop all Safend Services Safend Protector broadcast Service Safend Protector Local Service Safend Protector Domain Service Safend Protector DB Note: Safend DB service will not be present when working with an external DB. Edit with Notepad the following xml file: C:\Program Files\Safend\Safend Protector\Management Server\bin\serverconfig.xml Search the entry below and verify that the value is True, in case the value is False, change its value from False to True. (note the capital ‘T’)- True
3. Reset the IIS by running the command iisreset via the command line.
Chapter: Safend Protector Management Console
2. Edit the following info :
65 | P a g e
Appendix C: Allow WMI communication via GPO for Windows Personal firewall Step 1: Updating Your Group Policy Objects with the Windows Firewall Settings To update your Group Policy objects with the Windows Firewall settings, using the Group Policy snap-in or using the Group Policy Management Console (GPMC): 1. Open the GPO snap in or the Group Policy Management console.
3. In the console tree, open Computer Configuration>Administrative Templates>Network>Network Connections>Windows Firewall. An example is shown in the following figure.
Chapter: Safend Protector Management Console
2. Click the Group Policy object that you want to update with the new Windows Firewall settings. An example is shown in the following figure
66 | P a g e
4. Choose Domain Profile and right click on the following setting: Windows Firewall: Allow Remote Administration Exception
6. Each computer in the network that will get this GPO will allow WMI traffic.
Chapter: Safend Protector Management Console
5. Choose Enabled and save settings.
67 | P a g e
7. Safend Auditor 7.1. Troubleshooting Guidelines When investigating an issue regarding the Safend Auditor, most issues fall under the following categories: Safend Auditor fails to audit a remote machine. Safend Auditor fails to open a report as an Excel/HTML file. Safend Auditor fails to audit a remote machine
When the Safend Auditor fails to audit a remote machine, the following must be verified: Is the remote machine running and connected to the network? Are the appropriate ports opened between the scanning and scanned machines? SetupAPI-based Audit: In order for Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port 445 (SetupAPI; through file and printer sharing and remote registry service) to be open. In addition, you will need to make sure that the "Remote Registry" service is running in the target machine. WMI-based Audit: Safend Auditor also allows auditing remote machines using the WMI method. This method requires port 135, in addition to another dynamic port (allocated automatically by Windows when the WMI is used). Allowing the "Remote Administration" exception in your firewall will allow Safend Auditor to scan the machine using WMI. Does the User used when performing the Auditor scan have the appropriate privileges on the remote machines? Safend Auditor fails to open a report as an Excel/HTML file
When the Safend Auditor fails to open a report as an Excel/HTML file, the following must be verified: Can the Auditor report be opened in a different machine running the Safend Auditor?
Chapter: Safend Auditor
Can a different Auditor report be opened on this machine?
68 | P a g e
7.2. Safend Auditor Support Solutions 7.2.1. Safend Auditor Command Line Parameters NEED: In some cases, there is a need to run the Auditor through a Command Line interface. SOLUTION: To do that, you have the option to run the Auditor with command line parameters. Usage: auditor [/ip | /ou | /comp] [options] *For a full list of all options and flags, please see attached document.
7.2.2. Enabling Safend Auditor Debugging logs Note: the logs are cryptic and no one except from a developer with the code in front of him can understand them NEED: Safend Auditor Debugging Logs may be enabled in order to troubleshoot unusual behavior witnessed during the runtime of the Safend Auditor. RESOLUTION: Starting Safend Auditor Debugging Logs: To enable Auditor logs, open the Registry Editor (regedit), and access the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor. Create a new String value with the name "LogLocation". Give it the Value of the log location and name, for example: "c:\temp\log.txt". Please make sure to use pre-existing directories in the log location value as the Auditor will not create new directories for the log path.
This method will create a logging file in the defined location. When sending this file to the Safend Support team, please provide the Auditor version number, which can be found under Help-->About from the Auditor Menu.
Chapter: Safend Auditor
RESULT:
69 | P a g e
7.2.3. Safend Auditor installation fails with DVOM registration errors SYMPTOMS: The Safend Auditor installation, may fail with the following error message or a similar one: "Error 1402. Could not open key: UNKOWN\CDVOM.DeviceProperty2.1\CLSID. Verify that you have sufficient access to that key, or contact your support personnel. CAUSE: This issue occurs when there has been a previous version of Auditor 2.0 which wasn't cleaned up properly during uninstallation - Occures with specific builds of Auditor 2.0. RESOLUTION: The following registry keys need to be deleted, before the installation can be executed again and completed successfully: HKEY_CLASSES_ROOT\CDVOM.DeviceProperty2 HKEY_CLASSES_ROOT\CDVOM.DeviceProperty2.1 HKEY_CLASSES_ROOT\CDVOM.DVOMComputer2 HKEY_CLASSES_ROOT\CDVOM.DVOMComputer2.1 HKEY_CLASSES_ROOT\CDVOM.DVOMDevice2 HKEY_CLASSES_ROOT\CDVOM.DVOMDevice2.1 HKEY_CLASSES_ROOT\SafendDVOM.DVOMWifiInfo HKEY_CLASSES_ROOT\SafendDVOM.DVOMWifiInfo.1 HKEY_CLASSES_ROOT\SafendXML2DVOM2.Translator2 HKEY_CLASSES_ROOT\SafendXML2DVOM2.Translator2.1
7.2.4. Opening ports on Windows Firewall for the Safend Auditor
SYMPTOMS: In some cases the Safend Auditor will fail in auditing a target machine, although that machine may be up and running.
Depending on the method of scan in which the Safend Auditor is configured, different prerequisits must be met for the Audit to succeed. If the required ports are not allowed in your organization's firewall, and required services are not running, the Audit will fail. RESOLUTION: SetupAPI based Audit: In order for the Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port 445 (SetupAPI - through file and printer sharing and remote registry service) open. Additionally, you will need to
Chapter: Safend Auditor
CAUSE:
70 | P a g e make sure that the "Remote Registry" service is running in the target machine. WMI based Audit: The Safend Auditor also allows auditing remote machines by using the WMI method which requires port 135 in addition to another dynamic port allocated automatically by Windows when WMI is used. Allowing the "Remote Administration" exception in your firewall will allow the Safend Auditor to scan the machine using WMI. Managing Windows XP Service Pack 2 Windows Firewall Using Group Policy: Published by Microsoft: August 1, 2004 Windows Firewall is a stateful host firewall designed to drop unsolicited incoming traffic that does not correspond to a dynamic or configured exception. A stateful firewall tracks the state of network connections. The firewall monitors traffic sent by the host and dynamically adds exceptions so that the responses to the sent traffic are allowed. Some of the state parameters that the Windows Firewall tracks include source and destination addresses and TCP and UDP port numbers. This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic. Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in Windows XP with Service Pack 1 and Windows XP with no service packs installed, is enabled by default in SP2. This means that all the connections of a computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dialup, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by default. Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only. They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. Identical sets of policy settings, as shown in Table 2, are available for two profiles: • Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain.
Policy Setting Description Windows Firewall: Protect all network connections Turns on Windows Firewall. The default is Not Configured. Windows Firewall: Do not allow exceptions Specifies that Windows Firewall blocks all unsolicited incoming messages, including configured exceptions. This policy setting overrides all configured exceptions. The default is Not Configured. Windows Firewall: Define program exceptions Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two
Chapter: Safend Auditor
• Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.
71 | P a g e program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. The default is Not Configured. Windows Firewall: Allow local program exceptions Allows local administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. The default is Not Configured. Windows Firewall: Allow remote administration exception allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM. The default is Not Configured. Windows Firewall: Allow file and printer sharing exception Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445. The default is Not Configured.
7.2.5. Auditing a Remote Domain with the Safend Auditor QUESTION: Can I use the Safend Auditor to audit a domain which my computer is not a member of, using the Change User option? ANSWER: The Change User option in the Auditor can enable log-on to a domain which is not the computer's domain, as long as there is a trust relationship between the two domains. Please ensure a trust relationship is set between the computer's domain, and the domain you would like to audit. In addition, make sure that the user account you are using to perform the audit has administrative permissions on the target computers.
7.2.6. There is no response when clicking "View Excel" PROBLEM:
SOLUTION: The .dll file that is responsible for the operation of Excel (NSExcelProject.dll) may not be updated. The file should be updated using the following steps: 1. Delete the old file 2. Un-register the .dll using the command line: regsvr32 "" /u
Chapter: Safend Auditor
There is no response when clicking "View Excel"
72 | P a g e 3. Copy the new file into the same location 4. Register the .dll using the command line: regsvr32 ""
7.2.7. Error received when attempting to view the Excel report of the Auditor scan QUESTION: Why do I get an error message when I click "Create Excel" in the Auditor? ANSWER: The version of Excel you have installed is incompatible with the Auditor requirements. Please ensure you have installed excel 2003 professional.
7.2.8. Auditor report with connection time and data transfer NEED: Is there an option to get a detailed report on when the device was connected and the files that were transferred to and from the device? RESOLUTION: The Safend Auditor does not have Device Connection timing information, since this information is not provided by Windows. However, both Exact times of device connection and File Transfers are available through the Event Logs recorded by the Safend Protector Client.
7.2.9. Local machine cannot be found in Auditor report
SYMPTOM:
CAUSE: Due to some personal firewall settings, some times the firewall does not allow a ping to the local machine. As a result, the local machine cannot be reached by the Auditor and will not be displayed. RESOLUTION:
Chapter: Safend Auditor
When running the Auditor on an OU that includes the machine from which the Auditor is executed, the local machine cannot be found in the results
73 | P a g e In order to run the Auditor for the current computer, use the option for running it on a single computer, with the computer name being the word "local". This will bypass the firewall limitation.
7.2.10. Safend Auditor fails to audit certain remote machines SYMPTOMS: In some cases the Safend Auditor may will fail to audit a target machine. CAUSE: There may be a number of reasons for this: 1. The auditing user does not have administrative permissions to the audited computer (this is either the user logged on to the computer on which the Auditor is installed, or the user to which the credentials were changed, in the Change User option). 2. The machine did not respond within an acceptable time. This can happen if for any reason there was too much load on the network at the time of the audit, or even if the machine was turned off at the time. 3. The machine is listed in Active Directory but does not exist. This can happen if its name was changed, or if it was disconnected from the network at the time of the audit. 4. A Firewall may be active on these machines, blocking the access of the Safend Auditor. SOLUTION:
1. Make sure the account that is used for auditing has sufficient permissions. 2. Make sure the machine is not turned off. 3. Make sure the machine is listed properly in the AD, and that it is connected to the network. 4. When the reason for failure is a Firewall on the target machine: Depending on the method of scan in which the Safend Auditor is configured, different prerequisites must be met for the Audit to succeed.
In order for the Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port 445 (SetupAPI - through file and printer sharing and remote registry service) open. Additionally, you will need to make sure that the "Remote Registry" service is running in the target machine. The other ports that the "file and printer sharing" is listening on (137,138 UDP and 139 TCP) are not needed for the auditor, and therefore can remain closed at the firewall. In order to enable file and printer sharing:
Chapter: Safend Auditor
When conducting a SetupAPI based Audit:
74 | P a g e Open Control Panel --> Network Connections Double click on your connection and then click the properties button. * For a LAN connection, click the general tab and make sure the File and Printer Sharing for Microsoft Networks is not selected. * For a dial up connection, click the Networking tab and then make sure File and Printer Sharing for Microsoft Networks is not selected. In addition, the XP SP2 firewall has a built-in exception rule for "File and Printer Sharing", which is an exception for ports 137-139 and 445. The rule is editable and can be modified to apply only to port 445. To do this: Open Control Panel -->Firewall Go to the exceptions tab, choose file and printer sharing, click edit and select the checkbox next to 445. When conducting a WMI based Audit: The Safend Auditor also allows auditing remote machines by using the WMI method which requires port 135 in addition to another dynamic port allocated automatically by Windows when WMI is used. Allowing the "Remote Administration" exception in your firewall will allow the Safend Auditor to scan the machine using WMI. Managing Windows XP Service Pack 2 Windows Firewall Using Group Policy: Published by Microsoft: August 1, 2004 Windows Firewall is a stateful host firewall designed to drop unsolicited incoming traffic that does not correspond to a dynamic or configured exception. A stateful firewall tracks the state of network connections. The firewall monitors traffic sent by the host and dynamically adds exceptions so that the responses to the sent traffic are allowed. Some of the state parameters that the Windows Firewall tracks include source and destination addresses and TCP and UDP port numbers. This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic. Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in Windows XP with Service Pack 1 and Windows XP with no service packs installed, is enabled by default in SP2. This means that all the connections of a computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dialup, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by default.
Identical sets of policy settings, as shown in Table 2, are available for two profiles: • Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain. • Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.
Chapter: Safend Auditor
Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only. They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.
75 | P a g e
Policy Setting Description Windows Firewall: Protect all network connections Turns on Windows Firewall. The default is Not Configured. Windows Firewall: Do not allow exceptions Specifies that Windows Firewall blocks all unsolicited incoming messages, including configured exceptions. This policy setting overrides all configured exceptions. The default is Not Configured. Windows Firewall: Define program exceptions Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. The default is Not Configured. Windows Firewall: Allow local program exceptions Allows local administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. The default is Not Configured. Windows Firewall: Allow remote administration exception allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM. The default is Not Configured. Windows Firewall: Allow file and printer sharing exception Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445. The default is Not Configured.
7.2.11. Error message received when attempting to view HTML report of Auditor scan QUESTION: Why do I get an error message when I click "View Report" in Auditor? ANSWER:
7.2.12. Safend Auditor Graphic Report Procedure for MS Excel NEED: Presenting the Safend Auditor reports in Excel worksheets with queries and graphic representations - charts etc. SOLUTION:
Chapter: Safend Auditor
The version of Internet Explorer you have installed is incompatible with the Auditor requirements. Please ensure you have Internet Explorer 6 or above installed. If you have defined a different browser as your default browser, try redefining Internet Explorer as the default browser.
76 | P a g e
The Safend Auditor can export reports to MS Excel files that are pre-configured with the most commonly used queries. It is also possible to add graphic reports of the audit results using the following procedure: Note: MS Excel 2003 or above must be installed 1. Execute the Safend Auditor 2. Select the OU or IP range you wish to audit 3. Click Run to perform the Audit 4. Wait for Audit to complete 5. Click Create Excel 6. MS Excel will then open automatically with the Auditor results 7. In Excel select and highlight the entire devices or computers data table (DO NOT select the Audit status table) including the Column Titles. 8. Go to the Data menu and select Pivot Table and Pivot Chart report. 9. The Pivot Table wizard will than start. Leave the settings as they appear by default and click next. 10. The Pivot Table and Pivot Chart window (Step 2 of 3) will than appear. Click next. 11. In the following window (Step 3 of 3) click Finish. 12. A window with the fields you have chosen will be displayed. 13. From the Pivot Table Field List window select “PORT”, drag it into the “Drop Row Fields Here” area. 14. Perform step 13 for the “Types”, and “Device Info” fields as well as placing them beside the port field performed in step 13 in succession. Note the order of the fields: Port, Type, and than Device Info. 15. Next you will need to drag the “Description” field into the “Drop Data Items Here” area. 16. In the “Device info Column” click the drop down arrow, and deselect (uncheck) any unwanted devices, such as PCI devices. Make sure to uncheck the “Blank” items at the bottom of the list. 16. You can now use the Chart wizard button to generate Bar or Pie charts as needed. See the attached document for these instructions, accompanied by screenshots of the entire process.
7.2.13. The Safend Auditor Scanning Method and Network bandwidth information QUESTION:
ANSWER: The Safend Auditor software is configured to scan multiple computers on a single network simultaneously, through WMI or SetupAPI protocols, as defined by the user via Settings--> Scan Protocol. This is done by allocating a different thread for each machine to be scanned. By default the Auditor opens 10 threads in order to perform the scan, thus scanning 10 machines at the same time. This value can be changed by editing the registry value NumThreads, located under: HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor.
Chapter: Safend Auditor
How does the Safend Auditor scan target computers and what is the scan's impact on the network?
77 | P a g e
Audit Bandwidth: In general when scanning a single machine the amount of data transferred from the machine is approximately 300KB ,depending on the number of devices that were previously connected to that machine up until the scan. The network bandwidth taken up by a scan, is in direct proportion to the number of machines that are being scanned simultaneously. It is important to note that while the accumulated bandwidth from scanning across multiple machines simultaneously may appear to be large, the actual effect on the network is relatively small. This is due to the fact, that audit information is sent to the auditor in bursts, taking up short amounts of time.
7.2.14. Where the auditor is key located in the registry? SYMPTUM: When right-clicking a machine in the Clients World and choosing to Audit Devices, the Auditor is unreachable. CAUSE: On the first time when choosing to audit a machine from the Clients World, a window will pop-up asking to browse the Auditor. When a wrong path was entered, every attempt to audit a machine via the Clients World will fail. SOLUTION: The registry key holding the location of the Auditor (used by the management server) is: [HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor] The value under this key that holds the location of the Auditor exe file is “ExePath”. Here is an example value: "ExePath"="C:\\Program Files\\Safend\\Safend Auditor\\\\Auditor.exe" Please delete this value.
7.2.15. The Safend Auditor creates new user profiles on the audited machines PROBLEM:
SOLUTION: The Safend Auditor has two scanning protocols that can be used while performing a scan: WMI and Setup API. When the auditing process is done using the WMI protocol, the local OS on the end user's scanned machine will automatically create a new administrator profile that will be named after the user that performed the auditing. In order to avoid this result, the scan should be done using the Setup API protocol. The only exception is that when auditing a machine that runs Windows Vista the scanning protocol must be WMI.
Chapter: Safend Auditor
new administrator profiles were created on organization machines that were scanned by the Safend Auditor.
78 | P a g e
7.2.16. The Auditor seems not to detect remote devices when working via VPN In order to run audits successfully, port 445 (‘Microsoft-DS’, which is used for resource sharing) and ICMP (Internet Control Message Protocol) must be permitted in the network, and in the specific case, through the VPN.
7.2.17. The Auditor is unreachable when right-clicking on a machine in the Clients World and choosing to Audit Devices. SYMPTUM: When right-clicking a machine in the Clients World and choosing to Audit Devices, the Auditor is unreachable. CASUE: On the first time when choosing to audit a machine from the Clients World, a window will pop-up asking to browse the Auditor. When a wrong path was entered, every attempt to audit a machine via the Clients World will fail. SOLUTION: The registry key holding the location of the Auditor (used by the management server) is: [HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor] The value under this key that holds the location of the Auditor exe file is “ExePath”. Here is an example value: "ExePath"="C:\\Program Files\\Safend\\Safend Auditor\\\\Auditor.exe"
Chapter: Safend Auditor
Please delete this value
79 | P a g e
8. Safend Reporter 8.1. Safend Reporter Support Solutions 8.1.1. Internet Explorer Error message when running any report on Safend server 3.3 SP2 SYMPTOM: After Upgrading from Safend Server 3.3 SP1 to Safend Server 3.3 SP2 with Reporter, in the reports tab, when trying to run any report, Internet Explorer security error message appears with the path: file://E:\Development\Code\trunk\Safend.Protector.Admin.UI\Admin.UI.World After hitting “close”, the error message disappears and the report will run properly. Attached are screenshot of the Spanish version of the error. CAUSE: The error pops up whenever the security level of the internet is set to "high" (or Active Scripting is Disable). You can check it out at Tools-> Internet Options -> Security -> Internet (or in Custom Level). SOLUTION: Replacing 2 .mht files under \Program Files\Safend\Safend Protector\Management Console\ManagementConsole: - PleaseWait.en-US.mht - PleaseWait.mht Save the file that is attached to the solution under the two names, once as: PleaseWait.en-US.mht and once as: PleaseWait.mht.
Chapter: Safend Reporter
Note: The files need to be replaced at each existing console. In order to have future remote console that might be installed from the given server to include the fix, the .mht file should also be replaced in the console zip under the server's directory - C:\Program Files\Safend\Safend Protector\Management Server\consoleUpdater\console.zip
80 | P a g e
8.1.2. Required IE settings for Safend reporter Internet explorer settings for Safend Reporter best view 1. Open internet explorer. 2. From the top menus select tools -> internet options
Chapter: Safend Reporter
3. Go to advanced tab
Chapter: Safend Reporter
81 | P a g e
82 | P a g e
4. Under multimedia select "play animations in web pages" and "show pictures"
Chapter: Safend Reporter
5. Under printing select "print background colors and images
83 | P a g e
Chapter: Safend Reporter
6. Under security select use TLS 1.0
84 | P a g e
9. Safend Encryptor 9.1. Safend Encryptor Support Solutions 9.1.1. Internal hard disk encryption doesn't get applied to the client due to publishing backup compatible policies SYMPTOM: With Encryptor 2.0 (Protector 3.3 SP2), when publishing policies using GPO or REG files and "Publish backward compatible policies" is checked in the console (under Tool --> Administration --> Policies): 1. Policies that contain HD encryption will not cause the hard disk to be encrypted although they are applied properly to the client (can be seen in the client's GUI properly, and other functionality of the policy such as port protection works properly). 2. In the client's GUI, the encryption status bar doesn't exist at all, as if it is not an Encryptor client. 3. In the registry under HKEY_LOCAL_MACHINE\software\policies\safend, a key called "V_3_3H" does not exist although it should be. Note: Generally, the key HKEY_LOCAL_MACHINE\software\policies\safend exists only if policies are published using GPO or REG files. CAUSE: When applying policy using the GPO or REG file methods, under HKEY_LOCAL_MACHINE\software\policies\safend, keys by the names of existing and previous Safend versions, which are "containers" of the policies themselves, will appear under this key. An example for such a key is HKEY_LOCAL_MACHINE\software\policies\safend\V3_3, which contains in it the policy in 3.3 format once a policy is published to the client. With a 3.3 SP1 client, the client will read the policy from this "container". With Encryptor, when the Backward Compatible policies option is applied in the console, the key HKEY_LOCAL_MACHINE\software\policies\safendV_3_3H, that is used to store in the policies created for the Encryptor client, doesn't get created since the policy, being backward compatible, gets written to a previous "container", usually "V_3_3". When the policy is written to the "V_3_3" container, it can be read by the Encryptor client, but the part in the policy regarding the HD encryption cannot be read by it. The end result is that the policy is applied properly but HD encryption functionality will not work. SOLUTION:
Chapter: Safend Encryptor
Each policy containing HD encryption should be published twice, so both Encryptor clients and previous client versions will be able to read it and in order to have the HD encryption working properly. This issue is fixed in versions above Encryptor 2.0.
85 | P a g e
9.1.2. After encrypting the HD of a machine, shared folders which are located on this machine cannot be accessed from another machine SYMPTOM: With Windows XP, after encrypting the HD of a machine: 1. Shared folders which are located on this machine cannot be accessed from another machine even though all permissions and sharing setting are correct. This is more common when using one or more anti-virus or similar software on the encrypted machine. 2. BSOD occurs when trying to rename a network folder. CAUSE: Generally, several Windows drivers related to network shares assume a fixed number of file system drivers on the machine. Installing Safend and encrypting the HD adds at least one file system driver, and each anti-virus or similar software usually adds one as well, and so the default number of file systems drivers may be too low. This issue is described in details in the following Microsoft article: http://support.microsoft.com/kb/177078/en-us SOLUTION: There are 2 possible solutions for this issue: 1. Upgrading the XP service pack of the encrypted machine to SP3. 2. If the above is not possible - Increase the number of file systems drivers allowed on the encrypted machine: a. Increase the IrpStackSize in the registry as described in http://support.microsoft.com/kb/177078/. The IrpStackSize should have the value of 18 or more (in decimal). In case increasing it to a certain number doesn't resolve the issue, try to increase it further after completion of the steps below b. Replace the mup.sys driver located at system32\drivers with the mup.sys driver attached to this solution. This file is included in one of XP SP2 hot fixes, described in the following Microsoft article: http://support.microsoft.com/kb/906866 Note that the mup.sys driver should only be replaced in client machines experiencing the issue and not with every client machine c. Increse the DfsIrpStackSize in the registry as described in following Microsoft article: http://support.microsoft.com/kb/906866. The DfsIrpStackSize should have the value of 10 only. d. Restart the machine
9.1.3. In Encryptor 2.0, how to copy the reset code & the one time access code from Encryptor login screen,
1. One method of resetting the access password to the encrypted HD is by entering a reset password in Sami (in native mode, before startup) on the client machine. This is done by pressing the F6 key and then the F9 key when in Encryptor login screen. These 2 key strokes generate a long hexadecimal string that should be copied to the console, and the reset password generated in the console (relatively short) should be entered back to Encryptor login screen. Since the process described above happens in Encryptor login screen before startup, there is no obvious way to copy the long hexadecimal string so it can be pasted later into the console. 2. One method of obtaining a one time access password to the encrypted HD is from Encryptor login screen on the
Chapter: Safend Encryptor
NEED:
86 | P a g e Client machine (in native mode, before startup). This is done by pressing the F7 key and then F9 key when in Encryptor login screen. These 2 key strokes generate a long hexadecimal string that should be copied to the console, and then a one time access password (relatively short) is generated in the console. This password can entered back to Encryptor login screen for one time access. Since the process described above happens in Encryptor login screen before startup, there is no obvious way to copy the long hexadecimal string so it can be pasted later into the console. SOLUTION: Respectively to the previous paragraph: 1. In Encryptor login screen, pressing Ctrl + Alt + Shift + F1 instantly creates a registry key in the client machine containing the reset code. After pressing the keys above, load Windows normally (can be done using Technician mode), open regedit and go to: HKEY_LOCAL_MACHINE\CurrentControlSet\Services\SafendPS\ResetPasswordCode The value of this key is the reset code that should be pasted into the console. 2. In Encryptor login screen, pressing Ctrl + Alt + Shift + F2 instantly creates a registry key in the client machine containing the one time access password. After pressing the keys above, load Windows normally (can be done using Technician mode), open regedit and go to: HKEY_LOCAL_MACHINE\CurrentControlSet\Services\SafendPS\OtpCode The value of this key is the one time access code that should be pasted into the console.
Chapter: Safend Encryptor
Note that In both cases, when loading Windows right after pressing the above mentioned key combinations, many files will be encrypted since no password was entered to Encryptor login screen; this does not matter here, there is no problem viewing the registry, even if logging-in with a non-admin user.
87 | P a g e
10. Implementation 10.1. Implementation Support Solutions 10.1.1. Implementation in non directory environments NEED: When installing Safend Protector in a non- Active Directory environment, the procedure for installing and working with the protector is different. The changes to this procedure are listed below. RESOLUTION: The Safend Protector can easily be installed in non-AD environments. The differences when working with Safend Protector in non-AD environments are: • The product can be deployed using any deployment software that supports .msi files (again, such as Microsoft SMS, etc.) • The clients list will not be retrieved from the Active Directory, however, any machine with Safend Protector Client installed will appear under the 'Clients' tab in the Safend Management Console and as "not in domain" in the organizational tree, and all the management activities will be available for these machines. • Policy Distribution must be done through either the direct Server-Client policy publish, or by publishing the policies as Registry files. All other functionality is exactly the same in non-AD environments. When installing Safend Protector in non-AD environments you should ensure the following: • During the Safend Server installation, when you reach the Domain Credentials Menu, enter the user name and password of the local administrator, and enter the computer name of the server machine as the domain name. Make sure the local administrator for the server also has local admin privileges on any of the client machines. • SSL communication ports used for the Server-Client are open on all machines and firewalls. As well, Policy distribution can also be done using reg files (that can be distributed using any distribution software such as SMS, Novell Zenworks, etc.) rather than direct Server-Client policy publishing. These files are then run on the endpoint machines, in order to link them to each respective machine's registry, causing the policy to take affect. (Please see the note at the bottom of this page for an example of such a method.)
There is also an option of automatically running an executable file after saving a policy, which enables automating the entire policy distribution process (e.g. every time that a policy is saved, a script will be activated to distribute this policy using the company's deployment software). · To enable this option, be sure to check the "Run executable after publish" box, and provide a link to the custom made executable.
Chapter: Implementation
To enable Registry Policy Publishing, after the installation make sure to change the policy distribution method in the Management Console Administration to use registry files. This is done by opening the TOOLS menu in the Management Console, and selecting Policies, checking the "Publish policies to a shared folder" box, and specifying a location to store the regfiles. Make sure that "Use Active Directory" is not checked.
88 | P a g e
10.1.2. Environment Requirements Estimates for the Safend Protector QUESTION: What are the system requirements and network requirements of the Safend Protector? ANSWER: Numerous real-life tests of the Safend software in live installations have shown that the effect on network and endpoint performance of the software is insignificant, in that it is virtually unnoticeable and remains under the average 'noise level' in a standard network environment. Following is some data about the performance of the Safend system in a network environment. Statistics regarding network bandwidth: 1. Safend Management Server → Endpoints: 1a. Update policy command over WMI – 1KB per machine (eg, sending an Update Policy trigger to an OU with 1,000 machines would require ~1MB). 1b. Retrieve logs command over WMI – 1KB per machine (eg, sending a Retrieve Logs trigger to an OU with 1,000 machines would require ~1MB). 2. Endpoints → Safend Management Server 2a. Send endpoint logs to database – Assuming average device activity, this will require around 40KB per machine per day. The machines will send their logs every predefined interval, which can be fine-tuned according to the organization's size, needs and network configuration. 3. Safend Management Server → Safend Management Console: 3a. Because the Safend Management Console will be installed only on a limited number of machines, the network bandwidth required in this case is insignificant. Statistics regarding workstation performance: The installation of the Safend Protector Client on an endpoint has minimal effect on the system's performance. Following are details of CPU & RAM utilization of the Safend Protector Client in both idle and active states: 1. Safend Protector Client Worker Process when idle: CPU utilization = 0%; RAM usage = 12MB. 2. Safend Protector Client Worker Process when active (ie: when the Safend Protector Client policy is being updated): CPU utilization = 12% for less than a second, then back to 0%; RAM usage = 12.5MB 3. Safend Protector Client Worker Process when active upon the connection of a restricted device: CPU utilization = 2% for less than a second, then back to 0%; RAM usage = 12.76MB.
Environment requirements for the installation of the Safend Management Server v3.0: The following estimations assume that the customer has a dedicated Safend server. 1. Organizations with up to 1,000 endpoints -- We recommend using a server PC with 1 3~GHZ Processor, 1GB RAM, a standard 7,200rpm HD, and Windows 2003 Server. We estimate that the Safend database will require about 25-30GB a year, depending on device activity at the endpoints. 2. Organizations of up to 10,000 endpoints -- A dedicated server with 2-4 3.4~ Ghz Dual Xeon Processors, with at least 2GB RAM and a large 10,000rpm HD. It is recommended that the customer install Windows 2003 Enterprise
Chapter: Implementation
Note: The above results were recorded in our test lab, on a Pentium IV machine running WinXP SP2 with no special additional applications running. The results may differ for machines with different specs than those in our lab.
89 | P a g e Server. The Safend DB will reach about 250-300GB a year. 3. Organizations of up to 50,000 endpoints -- A dedicated server with 4 3.4~ Ghz Dual Xeon Processors, with at least 2-4GB RAM and a large 10,000rpm HD. It is recommended that the customer install Windows 2003 Enterprise Server. The Safend DB will reach about 1-2TB a year. 4. Organizations serving 50,000+ endpoints – Please contact Safend Support for a more precise hardware requirements estimation according to the specific domain and clustering configurations. Log files size: Usually, the log files do not tend to exceed 1-2KB each when the machine is idle (and users are simply logging off and back on), and you shouldn’t expect more than 10 log files a day. However, if there is much activity at the endpoint (device connection/disconnection, such as you would expect for example on the sysadmin's endpoint), the log files can reach 10-20KB each, plus another couple of KBs if file logging is enabled.
10.1.3. Resolving and Identifying GPO Errors In order to verify that the computer can receive Group Policy updates, the computer must be connected properly to the domain. All errors from SecCli , Userenv or Netlogon in the event viewer must be checked out thoroughly. These errors can cause the computer not to receive group policy update or even to prevent proper domain logon. 2. The command line utility gpresult.exe can be used to verify that the Group Policy was received and applied properly by the client computer (this utility should be run locally on the client computer). It is imperative to make sure that the GPO is applied to the appropriate OU and Domain. Gpresult is built in Windows XP and you can download it for Windows 2000 from: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp After running this tool in a command window with the /v option this utility will output all the Group Policy objects that were applied to the local system. The output will be divided to user settings and computer settings. Verify that all the Group Policy objects configured in the active directory are properly applied to the local system. If some or all group policies are missing from gpresult's output, the event viewer needs to be checked for errors. 3. The command line utility gpotool.exe can be used to verify that all the group policy objects stored in the active directory are valid and contain all the information needed to apply the group policy locally. (This utility should be run locally on the client computer) This tool can be downloaded from: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp
Two more utilities that can be used to diagnose a misconfiguration in the network or the domain are netdiag.exe and dcdiag.exe: 4. The Command line Utility netdiag.exe is used to test the network status and indicate problems with the connectivity of your client. This utility is included in the support tools package which is located on the install CD under support\tools, it can also be downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=1EA70814-7E6C-46E5-8C8C3C439A732E9F&displaylang=en Use this utitlity by typing netdiag in the command line prompt and inspecting the results to make sure there are no
Chapter: Implementation
If you cannot find a certain group policy in the gpresult's output but you can find it in the gpotool, this might occur due to late replication schedule.
90 | P a g e connectivity issues. 5. The command line utility dcdiag.exe is used to verify that the domain controller is configured properly and fully functional, this tool runs numerous tests on the domain controller and any errors received need to be fixed and verified. A poorly configured domain, or a malfunctioning domain controller can prevent the computers from receiving a valid Group Policy. (This utility could be run locally on the client computer or on the domain controller). This utility is included in the support tools package which is located on the install CD under support\tools, it can also be downloaded from: http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/dcdiag-o.asp
10.1.4. Building Protector Policy per Security Group (GPO policy distribution) *This KB article describes the method of applying policies in Version 3.1, in version 3.2 this problem can be easily resolved using 'Policy Server' mechanism. NEED: In some cases several Group Policy Objects need to be applied to different user/machine objects located in the same OU. The "Normal" way to apply the Protector Policies on objects that reside in an OU, is to link the GPO to the OU, thus applying the Policy to all of the objects contained in the OU. In some cases, mainly large scale organizations, this may be cumbersome, and very difficult to manage. SOLUTION: There is a way that enables us to apply several Protector/Group Policies on users that reside in security groups in the same OU, in a process called security filtering. A good example of an organization which could use this method is an organization which contains all users in one OU, and all computers in another OU (in the domain). In this case it will be easier to use existing security groups and apply the Protector policy on them rather than rearrange the whole computers/users in a new OU structure. The security filtering is essentially a procedure where we apply several Protector/Group Policy objects on the same OU (which contains users/computers) and then change the ACE (Access Control Entries) on those Protector/Group Policy objects to only allow users in certain security group to read and apply that specific Protector/Group Policy.
Chapter: Implementation
Detailed instructions with screenshots can be found in the attached pdf document:
91 | P a g e
10.1.5. Enabling Verbose logging for GPO installations NEED: In some cases, the GPO installation of the Safend Protector Client may fail due to misconfiguration of the Active Directory, or other components of the OS. In such cases, detailed logs called Verbose Logs will need to be created in order to help identify and solve the problem. SOLUTION: Following, are Microsoft's instructions on how to enable Verbose logging for GPO installations: Warning!!! - Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by any other method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Use Registry Editor to add the following registry value (or modify it, if the value already exists): Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Value: UserEnvDebugLevel Value Type: REG_DWORD Value Data: 10002 (Hexadecimal) UserEnvDebugLevel can have the following values: NONE 0x00000000 NORMAL 0x00000001 VERBOSE 0x00000002 LOGFILE 0x00010000 DEBUGGER 0x00020000 The default value is NORMAL|LOGFILE (0x00010001). Note: To disable logging, select NONE (where the value is 0X00000000). You can also combine the values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. So if UserEnvDebugLevel is set with a value of 0x00010002, this turns on both LOGFILE and VERBOSE. Combining these values is the same as using an OR statement: 0x00010000 OR 0x00000002 = 0x00010002 Note If you set UserEnvDebugLevel = 0x00030002, the most verbose details are logged in the Userenv.log file. The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log exists and is greater than 300 KB, the existing file will be renamed to Userenv.bak, and a new log file created.
Chapter: Implementation
These instructions can also be found at: http://support.microsoft.com/kb/221833/
SAFEND SUPPORT KNOWLEDGE BASE DOCUMENT
February 2009
2|P a g e
Table of Contents 2. Introduction: ....................................................................................................................................................7 3. Safend Protector Client .....................................................................................................................................8 3.1. Safend Protector Client architecture ..................................................................................................................................... 8 3.2. Support logs ........................................................................................................................................................................... 8 3.3. Troubleshooting Guidelines ................................................................................................................................................... 9 3.4. Safend Protector Client Support Solutions .......................................................................................................................... 11 3.4.1.
Clients not sending logs back to the Safend Server ............................................................................................. 11
3.4.2.
Pointing the installation to the SCC file ............................................................................................................... 11
3.4.3.
Uninstalling the Safend Protector Client via startup script ................................................................................. 12
3.4.4.
Silent install of a client ......................................................................................................................................... 12
3.4.5.
The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client ................................................................................................................................................... 13
3.4.6.
Installing the Safend Protector Client with by a startup script with elevated privileges..................................... 13
3.4.7.
How to activate an ETL when using the offline access utility (when a client is not installed) – Version 3.2, 3.3 .... ............................................................................................................................................................................. 15
3.4.8.
Sonic DLA burning not supported by Safend Protector ....................................................................................... 16
3.4.9.
Cleanup utility for the Safend Protector Client ................................................................................................... 17
3.4.10.
Using the Registry To Check If A Policy Was Updated ......................................................................................... 17
3.4.11.
Client stops sending logs to the server when disabling the sprotector service .................................................. 18
3.4.12.
Bubble notifications are not displayed for Safend Protector Events ................................................................... 18
3.4.13.
Client installation fails instantly with an error message requesting to reboot ................................................... 19
3.4.14.
Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands ...................... 19
3.4.15.
Changing the Safend Protector Client installation method ................................................................................. 20
3.4.16.
User or Computer Policy Uninstall Password ...................................................................................................... 21
3.4.17.
Changing the Safend Protector Balloon Message Display Time .......................................................................... 21
3.4.18.
Installing Safend Protector Client to a Non-Default Folder ................................................................................. 22
4. Safend Protector Management Server ............................................................................................................ 23 4.1. Safend Protector Management Server architecture ............................................................................................................ 23 4.2. Support logs ......................................................................................................................................................................... 24 4.3. Troubleshooting Guidelines ................................................................................................................................................. 24 4.4. Safend Protector Management Server Support Solutions ................................................................................................... 26 4.4.1.
How to configure the Websense integration ...................................................................................................... 26
4.4.2.
How to change the synchronization interval between AD and the Management Server ................................... 27
4.4.3.
How to use the log restore tool in versions 3.2 GA2 and 3.2 GA3 ...................................................................... 28
4.4.4.
How to use the log restore tool in version 3.2 GA1 ............................................................................................. 28
Chapter: Introduction:
1.
3|P a g e 4.4.5.
How to obtain and change the base policy in 3.3 ................................................................................................ 29
4.4.6.
How to manually remove the Management Server and Console........................................................................ 30 ............................................................................................................................................................................. 30
4.4.7. levels
How to view the lower levels of the organizational tree in 3.3 console when the directory tree has many ............................................................................................................................................................................. 32
4.4.8.
Suspension password identified as wrong when entered to the client .............................................................. 33
4.4.9.
Using the HW fingerprint tool when changing server's hardware ...................................................................... 34
4.4.10.
Time format conflict in the DB ............................................................................................................................. 34
4.4.11.
Upgrade Path from Safend Protector 2.0 to 3.3 .................................................................................................. 36
4.4.12.
Reducing the Logs Trace Level for the Safend Server .......................................................................................... 37
4.4.13.
Alerts on client installation are not received in version 3.3 SP1 ......................................................................... 37
4.4.14.
Restoring a server with Content Inspection fails ................................................................................................. 38
4.4.15.
Disabling IIS Logs (to prevent accumulation of large log files) ............................................................................ 39
4.4.16.
Role Based access does not function ................................................................................................................... 39
4.4.17.
When changing the server certificate to an organizational certificate, logs are not sent ................................... 40
4.4.18.
Changing source name when sending Safend alerts to the Event Viewer .......................................................... 41
4.4.19.
IIS diagnostics tool ............................................................................................................................................... 41
4.4.20.
User Permissions for the Safend Server .............................................................................................................. 42
4.4.21.
Unable to publish a policy and a specific error appears in the Domain Service log ............................................ 42
5. Safend DB ......................................................................................................................................................... ...................................................................................................................................................................... 44 5.1.1.
Policy not applied due to the small size of the DB column "Groups" .................................................................. 44
5.1.2.
Restoring missing MySQL index files ................................................................................................................... 45
5.1.3.
Repairing corrupted MySQL index files ............................................................................................................... 46
5.1.4.
Changing external DB user, password and authentication method (domain) while connected to Protector .... 49
5.1.5.
Replacing the DB which is used by Safend Protector Management Server ........................................................ 49
5.1.6.
When using MsSQL DB User cannot save policies, run queries, change settings or logs are not saved. ................ ............................................................................................................................................................................. 50
5.1.7.
When using MsSQL DB User cannot connect to the server ................................................................................. 50
5.1.8.
When using MsSQL DB the installation cannot create the DB ............................................................................ 51
5.1.9.
When using MsSQL DB performing DB related actions causes console freeze. .................................................. 51
6. Safend Protector Management Console .......................................................................................................... 52 6.1. Support logs ......................................................................................................................................................................... 52 6.2. Troubleshooting Guidelines ................................................................................................................................................. 52
Chapter: Introduction:
5.1. Safend Protector Client Support Solutions .......................................................................................................................... 44
4|P a g e 6.3. Safend Protector Management Console Solutions .............................................................................................................. 54 6.3.1.
When trying to log-in to the console, the error message "user is not in the authorized user group" appears ...... ............................................................................................................................................................................. 54
6.3.2.
How to login to the console without entering the password each time ............................................................. 54
6.3.3.
Cannot use WMI commands from 3.3 console if MsSQL installed with windows authentication ...................... 57
6.3.4.
Cannot open the console after upgrade to 3.3 or a fresh install, with an error message of access denied to reports folder ....................................................................................................................................................... 57
6.3.5.
When using role based permissions user can't publish policies .......................................................................... 58
6.3.6.
When using role based permissions user can't associate polices ....................................................................... 58
6.3.7. Console cannot be opened due to Local and Domain Services fail with "System.Security.Cryptography.CryptographicException - Access is denied" in the logs .................................................... 59 6.3.8.
Enabling WMI commands via Safend Protector .................................................................................................. 59
7. Safend Auditor .................................................................................................................................................. ............................................................................................................................................................... 67 7.1. Troubleshooting Guidelines ................................................................................................................................................. 67 7.2.1.
Safend Auditor Command Line Parameters ........................................................................................................ 68
7.2.2.
Enabling Safend Auditor Debugging logs Note: the logs are cryptic and no one except from a developer with the code in front of him can understand them ................................................................................................... 68
7.2.3.
Safend Auditor installation fails with DVOM registration errors ......................................................................... 69
7.2.4.
Opening ports on Windows Firewall for the Safend Auditor .............................................................................. 69
7.2.5.
Auditing a Remote Domain with the Safend Auditor .......................................................................................... 71
7.2.6.
There is no response when clicking "View Excel" ................................................................................................ 71
7.2.7.
Error received when attempting to view the Excel report of the Auditor scan .................................................. 72
7.2.8.
Auditor report with connection time and data transfer ...................................................................................... 72
7.2.9.
Local machine cannot be found in Auditor report .............................................................................................. 72
7.2.10.
Safend Auditor fails to audit certain remote machines ....................................................................................... 73
7.2.11.
Error message received when attempting to view HTML report of Auditor scan ............................................... 75
7.2.12.
Safend Auditor Graphic Report Procedure for MS Excel ..................................................................................... 75
7.2.13.
The Safend Auditor Scanning Method and Network bandwidth information..................................................... 76
7.2.14.
Where the auditor is key located in the registry? ............................................................................................... 77
7.2.15.
The Safend Auditor creates new user profiles on the audited machines ............................................................ 77
7.2.16.
The Auditor seems not to detect remote devices when working via VPN .......................................................... 78
7.2.17.
The Auditor is unreachable when right-clicking on a machine in the Clients World and choosing to Audit Devices. .................................................................................................................................................................... ............................................................................................................................................................................. 78
Chapter: Introduction:
7.2. Safend Auditor Support Solutions ........................................................................................................................................ 68
5|P a g e
8. Safend Reporter ............................................................................................................................................. 79 8.1. Safend Reporter Support Solutions ...................................................................................................................................... 79 8.1.1.
Internet Explorer Error message when running any report on Safend server 3.3 SP2 ........................................ 79
8.1.2.
Required IE settings for Safend reporter ............................................................................................................. 80
9. Safend Encryptor ............................................................................................................................................ 84 9.1. Safend Encryptor Support Solutions .................................................................................................................................... 84 9.1.1.
Internal hard disk encryption doesn't get applied to the client due to publishing backup compatible policies ..... ............................................................................................................................................................................. 84
9.1.2.
After encrypting the HD of a machine, shared folders which are located on this machine cannot be accessed from another machine ......................................................................................................................................... 85
9.1.3.
In Encryptor 2.0, how to copy the reset code & the one time access code from Encryptor login screen, .............. ............................................................................................................................................................................. 85
10.Implementation ............................................................................................................................................. 87 10.1.1.
Implementation in non directory environments ................................................................................................. 87
10.1.2.
Environment Requirements Estimates for the Safend Protector ........................................................................ 88
10.1.3.
Resolving and Identifying GPO Errors .................................................................................................................. 89
10.1.4.
Building Protector Policy per Security Group (GPO policy distribution) .............................................................. 90
10.1.5.
Enabling Verbose logging for GPO installations .................................................................................................. 91
Chapter: Introduction:
10.1. Implementation Support Solutions ...................................................................................................................................... 87
Chapter: Introduction:
6|P a g e
7|P a g e
2. Introduction: The Support knowledge base document provides common troubleshooting guidelines for Safend products. It also includes support solutions for each and every safend component. This document includes basic knowledge for which every certified safend engineer should know when managing or supporting safend products.
Chapter: Introduction:
For any further information feel free to contact us at [email protected]
8|P a g e
3. Safend Protector Client 3.1. Safend Protector Client architecture -
Safend Protector consists of User and Kernel mode components.
The “Manager” of all components is the SimonPro.exe process.
Safend runs a service on the endpoint - SProtector.exe.
The GUI process is Simba.exe.
Safend Protector Emergency Clean-up utility (SPEC) is located under “…\Windows\System32\SPEC.exe”.
3.2. Support logs
-
-
Installation Logs:
An Event Trace Log (ETL) is automatically created during the installation process in the installation directory (\program files\safend\safend protector client\)
A file called ‘Sinta.log’ is created in “…\Windows\temp\” directory
An MSI installer log can be created when installing the safend client using the following syntax: ‘msiexec /i SafendProtectorClient.msi /l* *filename+’
Client operation logs
To debug a certain issue, you need to create an ETL file and Policy XML files.
Creation of an ETL file:
Open regedit
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input
Add a new dword called ‘dll’ and assign it with the value 3
A file with ETL extension will be created in the installation directory (“…\program files\safend\safend protector client\”)
Reproduce the issue scenario
Change the dword value to 0
Creation of Policy XML files:
Open regedit
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\Input
Add a new dword called ‘dll’ and assign it with the value 4
From the client GUI press Policy Update
Policy XML files will be created in the installation directory (“…\program files\safend\safend protector client\”)
Change the dword value to 0
Creating a memory dump: In cases of a BSOD, a full memory dump is needed in order to investigate the cause of the issue. Configuring a full memory dump – via my computer properties advanced startup and recovery settings write debugging information select complete memory dump
Chapter: Safend Protector Client
-
9|P a g e
A BSOD memory dump can be open with the Windows Debugging Tools (windbg) to determine what was the probable cause of the BSOD.
Send the dump to Safend Support with the needed information.
3.3. Troubleshooting Guidelines -
When investigating an issue regarding the Safend Protector Client, most issues fall under the following categories:
Safend Client fails to install/uninstall
Safend Client fails to send logs back to the Safend Server.
Safend Client fails to receive/apply policies.
Safend Client handles a device incorrectly.
Safend Client conflicts with other software/BSOD.
-
Safend Client Fails to Install/Uninstall
-
When you encounter installation/uninstall issues, the following needs to be performed:
Try the installation process again.
Try the installation process on a different machine.
Try to completely remove the Safend Client using the SPEC utility and run the installation process again.
If one of the above was successful, the differences between the two attempts must be inspected. Examples of differences between installation attempts:
The new machine is in a different domain.
A specific machine had environmental issues.
There are different security configurations on the machine.
The SPEC utility removed random corruptions that were previously on the machine.
-
Safend Client Fails to Send Logs/ Receive Policies to/from the Safend Server
-
When the client is not sending logs or receiving policies the following needs to be verified:
Check that Safend Server services are running and that the websites are up.
Check the Policy web service and event web service logs for indications of the source of the problem Try to browse Safend web services: https://[ServerName]:443/SafendProtector/EventSinkWebService.cs.asmx https://[ServerName]:443/SafendProtector/PolicyWebService.cs.asmx
Chapter: Safend Protector Client
-
10 | P a g e SC commands – sc control SafendPS 222 (logs)/ 225 (policies)/ 228 (OTP)
create an ETL file
Safend Client handles a device incorrectly
When the client does not handle a device correctly, the following needs to be verified:
Search for the relevant log in the management console – how is the device identified (device type, port)?
Is it a composite device, i.e., is it identified as several devices by the OS?
Is the correct policy applied properly?
Is the policy configured properly? Was the device added/removed from the white list?
When auditing the device, does it appear correctly (as it appears in the policy)?
-
Safend Client conflict with 3rd party software / BSOD
-
When a conflict occurs between the Safend Client and 3rd party software, the following should be verified:
-
Is this a system/environment issue?
Is this the latest version/driver of the 3rd party software?
What are the exact steps that caused the issue to occur?
When a BSOD occurs with the Safend Client, the following should be verified:
Is this a system/environment issue?
Which driver was shown as the probable cause for the BSOD?
What are the exact steps that caused the issue to occur?
Create a full memory dump and send it to Safend support with the needed information.
Chapter: Safend Protector Client
-
11 | P a g e
3.4. Safend Protector Client Support Solutions 3.4.1. Clients not sending logs back to the Safend Server NEED: In some cases, installed Safend Protector Clients do not succeed in sending logs back to the Safend Server. This is usually due to environment definitions that block the log transfer to the Safend Server. RESOLUTION: In order to identify the issue and resolve it, please verify the following: a) The policy you created is applied on the Client. b) The Server is up and running (accessible by the Console). c) Try pinging the Server from the Client machine. d) Make sure the SSL port you use for the communication between the Server and the Clients (by default it is 443) is open on any firewall or port blocking application (either on the Client or on the Server). e) Try browsing (from the Client machine) to https://ServerName/SafendProtectorWS/EventSinkWebService.cs.asmx f) If all above is ok, please activate the Client logging run regedit go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector on V3.1 or HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\input on V3.2 create a new DWORD called Dll give it the value of 3. g) Run (on the Client machine) the following command – sc control SafendPS 222 h) Change the DWORD value back to 0 to stop logging, and send [email protected] the Solog*.etl file created in the \Program Files\Safend\Safend Protector Client folder.
3.4.2. Pointing the installation to the SCC file NEED:
PROBLEM: The SCC file must be on the same directory as the installation file SOLUTION: When running the client installation a parameter can be specified to access the SCC file: msiexec /i safendprotectorclient.msi /standalone="[path to SCC]"
Chapter: Safend Protector Client
To point the installation to the location of the SCC files
12 | P a g e
3.4.3. Uninstalling the Safend Protector Client via startup script NEED: When uninstalling the Safend Protector client in a large environment, a method for performing mass uninstallation is required. Below you will find instructions for executing such a method, using a GPO linked to a startup script which uninstalls the protector. RESOLUTION: Open Note Pad and enter the following text: msiexec.exe /x "\\Servername\Path\SafendProtectorClient.msi" /qn UNINSTALL_PASSWORD="Password1" Where instead of Servername\Path you enter the machine name and path to the SafendProtectorClient.msi file used for the installation, and instead of "Password1" you enter the uninstall password defined for the client. Save this file as a .bat file. In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the uninstall script. Once the GPO is created within the OU, right click it and select edit. In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts" Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within the domain controller. Copy the script file to this location and click OK. Once this is done, restart the relevant machines in order for the startup script to run and remove Safend's Clients from them. keywords: command line, uninstall
Silent install of a client NEED: When using silent installation one may want to prevent a reboot following the installation RESOLUTION: The reboot is caused due to two factors: 1. Windows installer requirement of reboot following the installation 2. Safend client requirement of reboot following the installation Using the following command will suppress the reboot required by the windows installer: msiexec /i \\PathToFile\Share\SafendProtectorClient.msi /norestart REBOOT=ReallySuppress /qn */qn parameter will causes a quite installation without showing the UI Performing the following changes will suppress the reboot required by the client:
Chapter: Safend Protector Client
3.4.4.
13 | P a g e 1. Open the clientconfig.scc file for editing 2. Search for the string “installmethod” 3. Change its value from “2” to “3”
3.4.5. The message "The Client Configuration file does not contain a valid policy." shows up when installing Safend Protector Client SYMPTOMS: On rare occasions, when trying to reinstall Safend Protector Client with a different user than the original installation, the following message will show up: "The Client Configuration file does not contain a valid policy." CAUSE: The user trying to access the encryption object doesn't have the appropriate privileges. SOLUTION: In such cases, perform the following: 1. In order to run the Safend Protector Client installation as local machine please run the following command: at *time+ /INTERACTIVE “cmd” Instead of [time] write the current time + 1 minute. For example: when time is 16:08 write 16:09. 2. A local system window will open. Run the installation from there by writing the following: msiexec /I SafendProtectorClient.msi
3.4.6. Installing the Safend Protector Client with by a startup script with elevated privileges NEED:
SOLUTION: 1. Installing the Safend Protector Client with a startup script: Open Note Pad and enter the following text: msiexec.exe /i "\\Servername\Path\SafendProtectorClient.msi" /qn Where instead of Servername\Path you enter the machine name and path to the SafendProtectorClient.msi file used for the installation. make sure the folder containing the msi is shared. Save this file as a .bat file.
Chapter: Safend Protector Client
In some cases, it is not possible to implement the Safend Protector Client's installation process through a regular GPO package. In such cases, the installation must be implemented by a GPO with a start up script, and the administrator must enable elevated privileges for the end-users.
14 | P a g e In Active Directory, go to the relevant OU, click properties and create and link a new GPO which will contain the installation script. Once the GPO is created within the OU, right click it and select edit. In the Group Policy Management menu, go to "Computer configuration->Windows Settings->Scripts" Double click the startup script and select Add and Browse. This should open the policy's Startup folder from within the domain controller. Copy the script file to this location and click OK. Once this is done, restart the relevant machines in order for the startup script to run and install the Safend Client on them. 2. Granting elevated privileges to non-administrator users: following is an article by Microsoft, pertaining to this issue: Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. SUMMARY: This article describes three methods by which an administrator can enable a non-administrator user to install managed Windows Installer applications. An application is called a "managed application" if elevated (system) privileges are used to install the application. A situation in which you might need to install a managed application is if you are installing an application on Windows NT or Windows 2000 and do not have administrative privileges on that computer. By using the following methods, an administrator can enable a non-administrator user to install managed applications. A) On a computer running Windows NT 4.0, Windows 2000, or Windows XP an administrator can set the AlwaysInstallElevated registry keys for both per-user and per-machine installations on the computer. If you want to make sure that all Windows Installer packages are installed with elevated (system) privileges, you must set the AlwaysInstallElevated value to "1" under the following registry keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
B) On Windows NT 4.0 or Windows 2000, an administrator can install or advertise the package on the computer for a per-machine installation (per-machine means that it will be available for all users of that computer). The Windows Installer always has elevated privileges while performing per-machine installations. The administrator uses elevated privileges to advertise the package. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges. The following is an example of a command line used by an administrator doing a per-machine installation: msiexec -i c:\pathtofile\mypackage.msi ALLUSERS=1 Here is an example of how the administrator would advertise the package on the computer per-machine: msiexec -jm c:\pathtofile\mypackage.msi For more information, see the Help topic "Advertisement" in the Windows Installer Platform SDK: http://msdn.microsoft.com/library/en-us/msi/setup/advertisement.asp
Chapter: Safend Protector Client
WARNING: This particular method can open the computer to a security risk because once an administrator with elevated privileges has set these registry keys, non-administrator users can run installations with elevated privileges and access secure locations on the computer, such as the System folder or HKLM registry key.
15 | P a g e C) On Windows 2000, an administrator can advertise an application on a user's computer by assigning or publishing the Windows Installer package using application deployment and Group Policy. The administrator uses elevated privileges to advertise the package per machine. If a non-administrator user then installs the application, the installation can run with elevated privileges. Non-administrator users still cannot install unadvertised packages that require elevated system privileges. For more information on Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper: http://www.microsoft.com/windows2000/docs/GPIntro.doc These settings can also be set via GPO and not by directly opening the registry - the settings must be applied both for Machines and Users: - Computer Configuration>Administrative Templates>Windows Components> Windows Installer: Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced). - User Configuration>Administrative Templates>Windows Components> Windows Installer: Always install with elevated privileges (enabled/disabled; this policy must be set for the machine and the user to be enforced) Link to Microsoft documentation: http://support.microsoft.com/default.aspx?scid=kb;en-us;q259459 Link to additional documentations for GPO configuration: http://lspservices.iupui.edu/docs/win2k/gpo_configurations.asp
3.4.7. How to activate an ETL when using the offline access utility (when a client is not installed) – Version 3.2, 3.3 NEED: On some cases the need to activate ETL for the offline access utility (Access secure data) PROBLEM: An ETL cannot be activated the ordinary way when a client is not installed, since the ETL requires the existence of a registry string that indicates what is the Client's installation path.
In order to activate the ETL when no Client is installed: 1. Connect the encrypted device to the home machine. 2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector 3. Create a new String Value called InstallDir, and assign it with the value "c:\Progrem Files\Safend\Safend Protector Client" . This creates the registry string that indicates where the Client is installed (of course, the Client is not really installed; the above mentioned path is a path created when running the Offline Access Utility) 4. Now the ETL can be activated, as usual.
Chapter: Safend Protector Client
SOLUTION:
16 | P a g e
Sonic DLA burning not supported by Safend Protector QUESTION: Is the burning format used with the Sonic DLA software supported by the Safend Protector Client? ANSWER: The Sonic DLA software uses the UDF file system (which is supported by us) and the Packet writing burning format, which is not supported. Therefore, the Sonic DLA burning format is not supported by the Safend Protector Client, which means it will be blocked if the policy applied has the check box for "Block unsupported burning formats" checked. From Roxio 09/20/07 3:10 PM Thank you for contacting Roxio Technical Support Our apologies for the earlier agent's response. Please disregard it. Drag to Disk and DirectCD have been discontinued in version 10 of our software due to compatibility concerns. You should, however, be able to manage anything that they were able to do using version 10. Please tell us what you are trying to accomplish with them so that we may suggest other means of doing so. If the information provided does not resolve your issue simply update your web ticket with a detailed explanation with the steps you have tried and any error messages you receive.
Regards, Roxio Technical Support http://support.roxio.com Thank you for your comments and we appreciate the feedback
More information will be found on : http://forums.support.roxio.com/lofiversion/index.php/t28374.html
Chapter: Safend Protector Client
3.4.8.
17 | P a g e
3.4.9.
Cleanup utility for the Safend Protector Client
NEED: In some very rare cases, the Safend Protector Client installation may fail, rendering the Safend Protector Client unable to function. in such cases, an alternate way for removing the Safend Protector Client is needed. RESOLUTION: The Safend Protector Emergency Cleanup utility - SPEC, is used to uninstall the Safend Protector Client in Cleanup Mode. Once unzipped, it is ready for use, and requires only a link to the ClientConfig.scc file and the global uninstall password. If any of these details are not available, we will be able to generate a machine-specific Cleanup key according to the Cleanup Token, provided by the utility. Please contact [email protected] and request the SPEC utility and the cleanup key for your machine's token. Remember! This is more of a last resort for cleaning up the protector when nothing else can be done. Usually, we would want to get to the bottom of why the crash happened so we will be able to improve the Safend protector to be able to cope with such situations in the future. On version 3.2 and above the Spec.exe utility is located in windows\system32 directory
3.4.10. Using the Registry To Check If A Policy Was Updated QUESTION: I would like to integrate a third party tool in order to distribute policy registry files to the end point. I would like to have an indication that the policy was indeed updated.
The registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Protector\LastPolicyUpdate is a 4 bytes key that contains the time in which the policy was last updated. You can use this key to check for update of policies. The key "LastPolicyUpdate" is set to indicate that a policy was pulled from the GPO, without consideration of whether the content of the policy was updated. As the computer pulls policies on startup, it will show an update when the computer is restarted, even though the content of the policy is not changed.
Chapter: Safend Protector Client
ANSWER:
18 | P a g e
3.4.11. Client stops sending logs to the server when disabling the Sprotector service PROBLEM: When using local admin credentials, disabling the Sprotector service and then closing it, the safend client stops sending logs to the server. SOLUTION: The mentioned behavior of the client is according to the product design. Be advised that the only effect of the procedure on the Safend client is that he will not send logs until the next time that he will be loaded. All other parameters of the clients are set exactly as they were before the procedure. All ports, device, storage device, files and etc will act exactly as they acted before the procedure. Please notice that usually a user in an organization will not receive local admin rights on machines, so this shouldn’t be a major issue.
3.4.12. Bubble notifications are not displayed for Safend Protector Events SYMPTOM: After installing the Safend Protector Client, Event Messages (Pop Up Messages) for device/port actions, do not appear. CAUSE: Windows registry settings have disabled Balloon Tips for the machine. SOLUTION: Make sure that in the registry, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, there is no DWORD key named EnableBalloonTips. If it exists, simply delete it.
Chapter: Safend Protector Client
Another simple way to control the balloons is by using a Microsoft's power tool called TweakUI (the tool can be downloaded from http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx). The option to allow balloon tips in TweakUI can be found in the Taskbar and Start Menu option and is called Enable balloon tips.
19 | P a g e
3.4.13. Client installation fails instantly with an error message requesting to reboot SYMPTOM: When trying to install the Protector Client, installation fails instantly and the following error message is received: Safend Protector Client Please reboot before starting the Install process If a reboot is indeed performed, the same error message is received again. Additionally, the sinta.log file (located at windows\temp folder) will contain only the following entries: [installation Date and time] = Localize installation [installation Date and time] = ********************************** [installation Date and time] = Started Install Process. [version and build number] CAUSE: A Client was installed on the machine in the past, or the Offline Access Utility was used on the machine in the past. For some reason, remnants of this were left in the system, and so the current installation process behaves as is if a Client is currently installed. SOLUTION: Running the SPEC utility will clear any remnants of a previous Client installation or Offline Access Utility use. Note that a SPEC utility of the same version or of a version above the version of the previous Client or Offline Access Utility is to be used.
3.4.14. Safend Trigger commands - alternatives to "update policy" and "collect logs" WMI commands NEED: In cases the WMI commands from the management console are not working, it is possible to trigger management commands (update policy, send logs etc.) to the Protector Client from the command line.
The SC command (supplied with Windows XP or higher) can be used to specifically trigger our process for the following actions. Send logs now! (without waiting for the interval): sc control SafendPS 222 Update policy from the GPO (similar to gpupdate /force, but specific to our product and faster): sc control SafendPS 223
Chapter: Safend Protector Client
SOLUTION:
20 | P a g e
Update policy from REG file: sc control SafendPS 225 Force InitOTP (In case Client will not accept any passwords, or server will not generate them): sc control SafendPS 228 . For Windows 2000 machines this command can be run remotely (i.e. : sc \\ComputerName control SafendPS 223).
3.4.15. Changing the Safend Protector Client installation method NEED: During the installation of the Safend Protector Client, the installer will go through a process of restarting all the devices in order to make sure its drivers are effective immediately after the installation without the need for a reboot. The default installation method might take a few minutes to complete depending on the amount of connected devices. Additionally, the administrator should consider a momentary network disconnection during this phase. In case the administrator would like to avoid this, a simple parameter may be added to the Safend Protector Client Configuration file (ClientConfig.scc). RESOLUTION: In order to configure the installation method, open the ClientConfig.scc file which is created using the Safend Protector Management Console and add the following lines: [InstallParams] InstallMethod=x where x is the option parameter as listed below: InstallMethod=0
InstallMethod=1 During the installation process, all the ports and devices are restarted. The user is not prompted to reboot, even if one of the devices has failed to restart. It is important to note that the endpoint will not be fully protected by the Safend Protector Client until the system restarts. It is the responsibility of the system administrator to schedule this system restart. InstallMethod=2 During the installation process, none of the ports or devices are restarted. At the end of the installation, the user is always prompted to reboot.
Chapter: Safend Protector Client
This is the default method (as if no parameter is added at all). During the installation process all the ports and devices are restarted. If one of the devices has failed to restart, the user is prompted to reboot.
21 | P a g e
InstallMethod=3 During the installation process none of the ports or devices are restarted. The user is not prompted to reboot. It is important to note that the endpoint will not be fully protected by the Safend Protector until the user restarts the computer. It is the responsibility of the system administrator to schedule this system restart.
3.4.16. User or Computer Policy Uninstall Password QUESTION: If I set a different Uninstall Password for the Computer policies and the User policies, Which password should I use to uninstall the Safend Protector Client? ANSWER: There are three scenarios that can be recognized in this situation: 1. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was either applied or not. The current policy is applied for the logged on USER. The Safend Protector is uninstalled manually. ==> The uninstall password is the one set in the USER policy 2. The endpoint computer was installed with the Safend Protector. A COMPUTER policy was never applied. There is currently no logged on user, so the default policy, as set in the Client Configuration file is applied. (This is the situation if the uninstall process is taking place through Active Directory). ==> The uninstall password is the Global uninstall password as it is set for the COMPUTER. 3. The machine was installed with the Safend Protector. A COMPUTER policy was applied. There is currently no logged on user, so the COMPUTER policy is applied. ==> The uninstall password is the one set in the COMPUTER policy.
3.4.17. Changing the Safend Protector Balloon Message Display Time QUESTION: Can the "User Message Balloon" display time be controlled?
The parameter for the Balloon Tips display time in Windows XP can be found in the registry, in: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify. The DWORD entry called BalloonTip is set by default to the value of 3 (seconds). Change its value to control the display time of the Balloon Tips. Some information pertaining to the Balloon Tips of the Safend Protector can be controlled through the Default Agent Policy (the Default Agent Policy is a file that contains some parameters that are not hard-coded into the Protector, but are also not exposed to the user. It is possible to update the Default Agent Policy if necessary). These parameters are the number of seconds that the Protector processes wait between balloons and the number of
Chapter: Safend Protector Client
ANSWER:
22 | P a g e seconds between the last notification and the icon returning to its idle mode. In order to change the Default Agent Policy, please contact [email protected].
3.4.18. Installing Safend Protector Client to a Non-Default Folder NEED: Is it possible to install the Safend Protector Client silently as a GPO to a folder or drive which is not the default installation path? SOLUTION:
Chapter: Safend Protector Client
Yes, it is possible to install the client to a specified directory, but the installation needs to be done using a start-up script, instead of a package installation. The process is as follows: 1. For the OU on which you would like to install, go to the OU Properties, Group Policy tab. 2. Create a new Group Policy, and give it a name, then click Edit to open the Group Policy Editor 3. Go to Computer Configuration > Windows Settings and select Start-up > Script 4. Click the Show Files button and create a new text document containing the following command: msiexec.exe /i "\\
23 | P a g e
4. Safend Protector Management Server 4.1. Safend Protector Management Server architecture
The Safend server contains three services:
Safend protector DB
Safend protector domain service
Safend protector local service
These services should start when starting the server (As a default, the services are running upon server installation)
Safend server is using the IIS Application for communication between its components:
Server - Clients (Safend Protector Web Site WS)
Server - Management Consoles (Safend Protector Web Site )
The IIS web site processes are visible in the Windows task manager (W3WP).
Chapter: Safend Protector Management Server
-
24 | P a g e
4.2. Support logs -
Safend Protector Server Logging When investigating Safend Server issues, the Server trace logs will provide valuable information. Each of the different Safend Protector Server components writes a separate log file. The relevant Server logs reside under the following folders: \Program Files\Safend\Safend Protector\Management Server\logs C:\Temp\bin\log
4.3. Troubleshooting Guidelines -
Safend Protector Server Fails to Install/Upgrade/Uninstall
-
When the installation/uninstall process fails, the following needs to be verified:
Were all Safend Server prerequisites met (Please find the prerequisites at the end of the presentation)?
Are there any security hardenings that can block the installation?
Did the User used during installation have the appropriate credentials: Local administrator Domain account from your Active Directory that can control clients via WMI. We recommend using an account with domain administrator privileges.
-
-
Are there any remnants of a previously installed Server?
Verify that Safend services do not exist
Verify that Safend Web sites do not exist
Verify that Safend Protector folder does not exist under Program Files=>Safend
Under <systemroot>\program files\common files\safend unregister and delete the dll files in case they exist.
Safend Protector Server Fails to Initialize
When the Safend Protector Server fails to initialize, the following must be verified:
Were there any hardware changes to the Server computer? HW changes will change the machine fingerprint and you will need to use the HW fingerprint tool.
Verify that no security policy was applied to the machine.
Were the Server User credentials (the user supplied during installation) changed (password\permissions etc.)?
Was the Server DB user changed in any way?
Are there any errors in the event viewer logs?
When investigating an issue regarding the Safend Protector Server, most issues fall under the following categories:
Chapter: Safend Protector Management Server
When you use an external DB (MS-SQL) – DB creator credentials are required.
-
Safend Protector Server fails to install/upgrade/uninstall
-
Safend Protector Server fails to initialize.
Chapter: Safend Protector Management Server
25 | P a g e
26 | P a g e
4.4. Safend Protector Management Server Support Solutions How to configure the Websense integration NEED Installation of Safend Protector integrated with Websense. SOLUTION In all Safend versions ----------------------------To install Safend protector with Websense integration steps should be performed on both servers Websense server: 1.1 system modulesClick on configuration 1.2 Click the add button 1.3 Choose agent type: “endpoint server” 1.4 Enter Safend Server FQDN 1.5 Enter a password (this password will be used when installing Websense files on Safend’s server) 1.6 The “endpoint server” entry should be displayed in the system modules screen. 1.7 A new file called CPS.MSI should be created Safend server: 2.1 Copy CPS.exe to Safend server 2.2 Run CPS.MSI 2.3 Choose an installation directory 2.4 Select “agents only’ installation 2.5 Click on the “endpoint support” icon, then press next 2.6 Provide the IP address for the CPS server and enter the one time password defined on the CPS server (step 5 above) 2.7 Press install Websense server: 3.1 Press “deploy settings” Safend server: 4.1 Press okay 4.2 Conf.xml file will be created in the directory defined during the installation Safend console: 5.1 Open the console 5.2 Enter a license key (that includes Websense integration) 5.3 administrationgo to tools 5.4 choose the content inspection panel 5.5 check the “integrate with a 3rd Party Content Inspection Solution” checkbox 5.6 browse to the Conf.xml file
Chapter: Safend Protector Management Server
4.4.1.
27 | P a g e 5.7 Click “show details” 5.8 Click “OK” to apply the content inspection flag to all policies To verify that the policy was indeed applied check content inspection status in the client GUI Addition to Safend Protector version 3.3 and above -------------------------------------------------------------------Since in version 3.3 and above, the Safend client automatically encrypts the files sent to the server (for inspection or shadowing, inspection in this case), the files are sent encrypted to the Websense server as well. The Websense server cannot decrypt these files, and therefore they become inaccessible. Replacing a DLL on the Safend server will cause the files not to be encrypted on the client side, and therefore will prevent the problem on Websense’s side. In order to replace the relevant DLL: 1. Stop Safend Local service 2. Kill the W3WP process. If multiple instances of the process exist, all of them should be killed 3. Go to \program files\safend\safend protector\Management server\bin, replace the Backend.Server.dll file with the modified one. The modified DLL for server version 3.3 build 30270 is attached to this solution. For any other server version, a DLL should be created by Safend team. 4. Restart Safend Local service. Note: There are additional KBs describing the replacement of the Backend.Server.dll for different purposes. Be advised that the Safend R&D team should be consulted if more than one of the issues fixed by this replacement is manifested in the same server, since one replacement will cancel the other.
How to change the synchronization interval between AD and the Management Server
Note: Please be advised that changing the synchronization interval is not recommended. It can cause overload to the Management Server's machine, to Active Directory and it creates a load on the network. (This solution is only relevant for version until version 3.2 GA3)
NEED: Sometimes customers want to change the synchronization interval between AD and the Management Server. By default the interval is set to 8 hours which may not be enough. SOLUTION: The following steps should be performed on the server machine: 1. Stop Safend services - Domain, Local, Broadcast if version 3.2 is used. 2. Kill the w3wp process (check for multiple instances, kill all of them). 3. Open with notepad the following file for edit : C:\Program Files\Safend\Safend Protector\Management server\servercconfig.xml 4. Search for the following line :
Chapter: Safend Protector Management Server
4.4.2.
28 | P a g e in hours, please use whole numbers. 6. Save the changes and close the file. 7. Start the Safend services - Broadcast if version 3.2 is used, Local; wait for the Domain service to be restarted.
4.4.3.
How to use the log restore tool in versions 3.2 GA2 and 3.2 GA3 Note: This KB article is valid only for versions 3.2 GA2 and 3.2 GA3. for version 3.2.19275 NEED: Sometimes a need to restore a Safend Log Back (SLB) arises. PROBLEM: There is no “import” option in the server for the backed up logs an external tool to the server exist to perform this action SOLUTION: Running the following command will restore all the information from a backup file to the DB. *Please note that this action will delete all the current logs from the server 1. Rename the ".slb" file to ".slb.Zip" 2. Double click and open the ".slb.zip" file 3. Change the value inside the version.txt file from 3200 to 3210 for GA2 or 3220 for GA3 and save. 4. Rename the ".slb.zip" back to ".slb" 5. Stop safend services, leave the db service running. 6. Run RestoreTool.exe restore -backupFile "[backup file+” when –backupFile is case sensitive and [backup file] points to the actual file location
4.4.4.
How to use the log restore tool in version 3.2 GA1 Note: This KB article is valid only for version 3.2.19275 NEED: Sometimes a need to restore a Safend Log Back (SLB) arises. PROBLEM: There is no “import” option in the server for the backed up logs. An external tool exists to perform this action. SOLUTION:
Chapter: Safend Protector Management Server
Note: The log restore tool cannot be used for restoration of logs from 3.2 version to 3.3 version due to a change in the log structure in 3.3.X.
29 | P a g e
Running the following command will restore all the information from a backup file to the DB. *Please note that this action will delete all the current logs from the server 1. Stop Safend services, leave the DB service running 2. In cmd, run the following: RestoreTool.exe restore -backupFile "*backup file+” Where [backup file] points to the actual file location
How to obtain and change the base policy in 3.3 Note: This solution should be done only with collaboration with Safend support. NEED: For different reasons, one would require to obtain the base policy and change it. In 3.2, the base policy is one or two XML file/s located under the server “Bin” directory - “defaultAgentPolicy.xml” and/or “defaultAgentPolicy.en-us.xml”. In version 3.3, the base policy cannot be found in the one or two XML file/s, since they do not exist; The base policy in 3.3 is a table in the database, which cannot be reached directly. SOLUTION: 1. How to Obtain the base policy: To obtain the base policy in 3.3, one should run the SPAdmin tool in the following way: a. Open Run / CMD b. Type in the following (this is case sensitive): "C:\Program Files\Safend\Safend Protector\Management Server\bin\SPAdmin.exe" -updateconfig -getfile defaultagentpolicy.en-US [EnterAnyPath]:\[EnterAnyFilename].txt c. Run the string. This will result in a .txt file in the name and path entered. This .txt is a reflection of the base policy. 2. How to change the base policy: After modifying and saving the .txt as required and with caution (again, please review KB00000177 as mentioned above), in order to apply the changes to the base policy (since this .txt is only a reflection), one should perform the following: a. Stop the Local service, kill the w3wp process. b. Open Run / CMD c. Type in the following (this is case sensitive): "C:\Program Files\Safend\Safend Protector\Management Server\bin\SPAdmin.exe" -updateconfig -setfile defaultagentpolicy.en-US [PathOfTheTxtFile]:\[TxtFilename].txt d. Run the string. e. Restart the above mentioned services
Chapter: Safend Protector Management Server
4.4.5.
30 | P a g e
4.4.6. How to manually remove the Management Server and Console NEED: Sometimes, the Safend Protector Management Server and Console need to be uninstalled. The following solution is required for scenarios in which you cannot uninstall successfully the Server and/or the Console using the Add/Remove Programs menu. SOLUTION: There are 3 methods of removing the Safend Protector Server and Console. One should use the methods in the order of appearance in this solution, so the cleanest possible removal will be achieved.
Method #2 – Using the MSIzap tool ----------------------------------------------1. Download the Msiinv tool from Microsoft MSDN, Extract it to c:\ or any other path. 2. In cmd prompt, run the following command: c:\msiinv\msiinv.exe -p > c:\msiinv_output.txt You may change the path to the msiinv.exe according to the previous section, and the path of the .txt to any other path desired. This will create a .txt file which contains a list of the programs installed on the machine according to the Windows Installer. 3. Open the c:\msiinv_output.txt , and locate the Safend Server and/or Console entries. Copy the GUID of the product code from the server and/or console entries. The GUID appears in the following format: 77BFE295-D7B74AF0-AF15-D14AF646AAE7. Make sure to copy the Product Code and not the Package Code. 4. Download and the SmartMSIZap tool 5. Extract the tool to c:\ or any other path.
Chapter: Safend Protector Management Server
Method #1 – Using the msiexec /x command -----------------------------------------------------------1. Download the Msiinv tool from Microsoft MSDN: Extract it to c:\ or any other path. 2. In cmd, run the following command: c:\msiinv\msiinv.exe -p > c:\msiinv_output.txt You may change the path to the msiinv.exe according to the previous section, and the path of the .txt to any other path desired. This will create a .txt file which contains a list of the programs installed on the machine according to the Windows Installer. 3. Open the c:\msiinv_output.txt , and locate the Safend Server and/or Console entries. Copy the GUID of the Product Code from the server and/or console entries. The GUID appears in the following format: 77BFE295-D7B74AF0-AF15-D14AF646AAE7. Make sure to copy the product code and not the package code. 4. In run/cmd prompt, run the following command: msiexec /x {Product Code} When the Product Code is the GUID you previously copied. Make sure to use the curly braces. 5. If you removed the Server/Console and need also to remove the Console/server, perform the previous section again with the proper GUID (again, make sure to use the curly braces). 6. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does when uninstalling the server properly (using add/remove programs). Altering the schema can be performed by the DBA, an action that is not supported by Safend.
31 | P a g e
Method #3 – Server removal only* – "Aggressive" deletion of Safend Server components -----------------------------------------------------------------------------------------------------------------------1. Stop the Safend Services: Domain, Local, Broadcast (in 3.2 and below), DB (if internal DB is used). 2. Kill the w3wp.exe process (if more than one exists, kill all of the duplicates). 3. Delete the Safend websites: In the Internet Information Services (IIS) snap-in in the Computer Management, delete the "Safend Protector Web Site" and the "Safend Protector Web Site WS". 4. Delete the Safend services in the following order. Note that for version 3.3, the Broadcast service doesn't need to be deleted since it doesn't exist. Also note that if an external DB was used, the Safend Protector DB sevice doesn't need to be deleted since it doesn't exist. a. In cmd type: sc delete "safend.protector.admin.app.managementserver.broadcastservice" Press enter, and if the service was deleted successfully, the following line will apper: SC [DeleteService] SUCCESS. b. In cmd type: sc delete "safend protector db" Press enter, and if the service was deleted successfully, the following line will apper: SC [DeleteService] SUCCESS. c. In cmd type: sc delete "safend.protector.admin.app.managementserver.domainservice" Press enter, and if the service was deleted successfully, the following line will apper: SC [DeleteService] SUCCESS. d. In cmd type: sc delete "safend.protector.admin.app.managementserver.localservice" Press enter, and if the service was deleted successfully, the following line will apper: SC [DeleteService] SUCCESS. 5. Go to the server's installation path, and change the name of the folder "management server" to "management server old" or any other name. 6. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does when uninstalling the server properly (using add/remove programs). Altering the schema can be performed by the DBA, an action that is not supported by Safend. * Method #3 does not relate to the removal of the console. The console can always be removed using method #1 or #2.
Chapter: Safend Protector Management Server
6. From cmd prompt, run the following (path may differ according to the where you extracted the tool to): c:\smartmsizap.exe /p {product_code} When the Product Code is the GUID you previously copied from the Msiinv tool. Make sure to use the curly braces. 7. If you removed the Server/Console and need also to remove the Console/server, perform the previous section again with the proper GUID (again, make sure to use the curly braces). 8. Note that if an external DB was used with the server, the SafendProtector schema remains in the DB, as it does when uninstalling the server properly (using add/remove programs). Altering the schema can be performed by the DBA, an action that is not supported by Safend.
32 | P a g e
4.4.7. How to view the lower levels of the organizational tree in 3.3 console when the directory tree has many levels SYMPTOM: In environments where the directory tree has many levels in its hierarchy, around 7 levels and above, only the few highest levels can be seen in the console when browsing in the organizational tree in the Clients world or in other places where the organizational tree is displayed. CAUSE: The component in the console that displays the organizational tree is a 3rd party component integrated into the console. This component has a performance issue that causes long delays when trying to display a directory tree that has many OUs under the root level. In version 3.3, in order to improve performance, it has been configured for the console to automatically create "virtual containers", that each contain a certain amount of OUs. These containers are relevant for the display only and are not created in the domain controller of course. In this way, the loading time of the organizational tree decreases significantly. However, due to their manner of action the virtual containers prevent the display of the lower levels of the directory tree in trees with many levels. SOLUTION: It is possible to increase the amount of OU the virtual container contains, thus virtually disabling the function of virtual containers. This is done by modifying the consoleconfig.xml file. Note that if multiple consoles are used (remote consoles), the modification should be performed for each and every console.
Chapter: Safend Protector Management Server
1. Close the console and kill the W3WP process. In case multiple instances of the process exist, kill all of them. 2. Go to C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole, open the consoleconfig.xml file for editing. 3. Search the following item:
33 | P a g e
4.4.8. Suspension password identified as wrong when entered to the client SYMPTOM: The one time suspension password (OTP) generated from the console in order to suspend the client's action is identified as a wrong password when entered in the Client's GUI. SOLUTION: The steps below should be followed in order to identify and solve the source of this issue: 1. If the password was typed and not copied: Make sure it was entered in uppercase and not in lower case, since the suspension passwords are always in uppercase. 2. If this password was entered in lowercase twice or more in the specific client: The password in question and no other new password generated will be applied since the suspension mechanism was locked. In order to release the suspension mechanism, the OTP pool should be regenerated (InitOTP). This is done when running the following command in the client machine: sc control SafendPS 228 As an alternative to this command, in version 3.3 the OTP pool can be regenerated from the console using a WMI command from the clients world, by right-clicking the client/s and choosing "InitOTP". Please refer to "KB00000123 - Forceful Initialization of OTP (InitOTP)" for further information regarding the OTP pool initialization process. 3. If this password was always entered in uppercase in the specific client:
b. If regenerating the OTP pool didn't help, make sure the client can browse to the OTPWebService page in the SafendProtectorWS website. The address of the OTPWebService page is: https://[ServerName]/SafendProtectorWS/OTPWebService.cs.asmx A successful browsing will result in an approval page (since connection is made thru SSL). c. If The client can browse successfully to the OTPWebService page, examine and escalate the OTPWebService server log and activate an .etl while performing the command: sc control SafendPS 228
Chapter: Safend Protector Management Server
a. It is possible the OTP pool was exhausted. In order to regenerate it, use the following command: sc control SafendPS 228 As an alternative to this command, in version 3.3 the OTP pool can be regenerated from the console using a WMI command from the clients world, by right-clicking the client/s and choosing "InitOTP". Please refer to "KB00000123 - Forceful Initialization of OTP (InitOTP)" for further information regarding the OTP pool initialization process.
34 | P a g e
4.4.9. Using the HW fingerprint tool when changing server's hardware NEED: Sometimes a change to the server hardware needs to be performed. This solution also applies when changing a VM workstation. PROBLEM: Every hardware has a unique fingerprint that Safend uses for certification. When you change the server’s machine hardware, the HW fingerprint is automatically changed. The contradiction between the HW fingerprint that is stored in the Safend server configuration and the machine’s new fingerprint cause a collision that prevents the server from running. SOLUTION: After changing the hardware one should perform the following steps: • If running, stop the server’s services in the following order: Broadcast, Local and Domain. • Run the attached Hardware Fingerprint Tool (after renaming the file’s extension back to zip) in order to reset the license. • When running the HW Tool, if a message window pops up regarding an invalid key, click “no" to return to defaults, and send the new fingerprint to Safend support. • Restart the services: Broadcast, Local and Domain. • If running, kill the IIS processes: w3wp. • Reopen Safend Protector Console.
4.4.10. Time format conflict in the DB
SYMPTOM In 3.2, MS SQL environment, when trying to change a global policy settings an error message appears regarding regional time/date format. The problem also appears while trying to save a policy. While trying to enter the logging tab in the policy world the console crushes followed by an "internal error message" CAUSE One of the definitions of regional settings is different in either the console machine, server machine or MS-SQL machine. The server doesn't know how to handle different date/time formats (the problem is fixed in 3.3). SOLUTION
Chapter: Safend Protector Management Server
*note - this KB article contains changes to be done with DLL files which are part of the Safend system, applying this article incorrectly may cause the server to be dysfunctional. If you are unsure of how to do it, please contact Safend support
35 | P a g e This issue is resolved in version 3.3 and above. Also, if 3.2 GA3is used, a resolution is possible by replacing of one of the dll file. Follow these instructions:
1. When installing a new server, use GA3 installation, following the install you will need to replace the Admin.Utils.GeneralUtils.dll with the new one we gave you. 2. The dll should be replaced as follows: a. Stop the Safend services. (stopping the Safend broadcast service will stop the domain and the local as well) b. Copy the “Admin.Utils.GeneralUtils.dll” to < Safend\Safend Protector\Management Server\bin > this will overwrite the existing dll file. c. Then copy this dll file to the management console installation folders on every running console on the system ( on the web session we have only replaced the dll on the local console on the server machine) the dll should be replaced on the console installation folder as follows : - Copy the dll to < \Safend\Safend Protector\Management Console > this will overwrite the existing dll. - Copy the dll to < \Safend\Safend Protector\Management Console\ManagementConsole > this will overwrite the existing dll. d. open the command line window and go to the server bin path. e. run the following command: " SPAdmin /updateconfig /getfile globalPolicyBody <pathToFile>" (The getfile command retrieves the value of the globalPolicyBody item in the serverconfig DB table) Note: The item name is case sensitive so please Pay attention when running the command. f. A file is created with the name "temp.xml", open it and look for the problematic string -look for the word “false” and then change the problematic separators to " : " separators). Save the file g. Run the following command: " SPAdmin /updateconfig /setfile globalPolicyBody <pathToFile>" (The setfile command stores the file contents in the globalPolicyBody item in the serverconfig DB table). h. Stop Safend services, kill W3Wp processes. i. Replace the dll files in the management console and console updater. j. Turn on Safend Services
In order to replace the Admin.Utils.GeneralUtils.dll in the management console install package please perform the following: 1. Under < \Safend\Safend Protector\Management Server\consoleUpdater > you will find the console.zip file which includes the actual console install files which are use upon the console installation. 2.Extract console.zip folder to any destination. 3. After extracting console.zip please copy Admin.Utils.GeneralUtils.dll to the extracted folder. this will overwrite the existing Admin.Utils.GeneralUtils.dll. 4. Compress the extracted console folder which includes the new dll and name it console.zip. 5. Copy console.zip to < \Safend\Safend Protector\Management Server\consoleUpdater > and overwrite the existing console.zip before the change of the .dll. e. After performing all the replacements of the dll, please start the Safend server services again (start the broadcast, then the local and finally the domain service), then kill the w3wp process and then start the console. 3. Please note that this issue will only happen when there is a difference between the regional settings of at least one of the console machines or the server, and not on every environment. This fix is included in version 3.3. 4. in addition for fixing the problem after it happens using the SPAdmin tool: a. open the command line window and go to the server bin path. b. run the following command: " SPAdmin /updateconfig /getfile globalPolicyBody <pathToFile>" (The getfile command retrieves the value of the globalPolicyBody item in the serverconfig DB table) Note: The item name is
Chapter: Safend Protector Management Server
Once the change for existing components is it required to be done in the installation package so new consoles will also include this change.
36 | P a g e case sensitive so please Pay attention when running the command. c. A file is created with the name "temp.xml", open it and look for the problematic string -look for false and then change the problematic separators to " : " separators). Save the file d. Run the following command: " SPAdmin /updateconfig /setfile globalPolicyBody <pathToFile>" (The setfile command stores the file contents in the globalPolicyBody item in the serverconfig DB table). e. Stop Safend services, kill W3Wp processes. f. Replace the dll files in the management console and console updater. h. Turn on Safend Services
4.4.11. Upgrade Path from Safend Protector 2.0 to 3.3 NEED: At some customer site, version 2.0 of the Safend Protector is installed, and an upgrade path to version 3.3 is needed. RESOLUTION: No direct upgrade path is available from 2.0 to 3.2. The current options for moving from version 2.0 to 3.3 are: a) Uninstalling version 2.0 (Management Tools and Clients) and installing version 3.3 b) Upgrading version 2.0 to version 3.1 (Server and Clients), and then upgrading version 3.1 to 3.3 To upgrade your Safend Protector from V2.0 to V3.1 1. Export your current V2.0 policies manually using the Policy Builder. 2. Place the Safend Protector V2.0 datasource.smc file in the same folder in which the ManagementServer.msi file is (This is the temporary folder into which the Self Extractor opens the installation files - C:\Temp). The .smc file is placed in the System Configuration folder that you created while installing your first Management Tools in V2.0.
4. Edit the exported .spl file, and go to: ProtectorPolicy -> Body -> uiPolicy -> Security -> restrictedPorts -> deviceApproval -> detailedPolicy -> deviceTypes Add the value: <deviceType name="KeyLoggers" security="Allow" activityLogging="Log" /> At the bottom of the list. 5. Import the policies that you exported manually into Safend Protector Management Console. . 6. Upgrade the Safend Clients to version 3.1.
Chapter: Safend Protector Management Server
3. Install the Safend Protector Management Server.
37 | P a g e
4.4.12. Reducing the Logs Trace Level for the Safend Server NEED: By default the Safend Protector Server logs are set to DEBUG level, for writing every Server action, in order to have the most detailed logging for any investigation needed. In most environments, this level of logging is not necessary, and should be changed in order to reduce the server resources needed for Log writing. SOLUTION: To Reduce the Logs detail level, open serverconfig.xml for editing (the file is located at \Program Files\Safend\Safend Protector\Management Server\). For each of the Server services (domainservice, broadcastservice, localService, managementServer, eventSinkWebService, otpWebService, consoleUpdaterSite, consoleUpdaterManifestsGenerator) edit the "TraceLevel" item. By default it is set to "Debug". the values for this item are: 1) Debug - full logging for each event. 2) Warning - logging for Warnings and above. 3) Error - logging for Errors only. By setting the TraceLevel to Error, the least logging will take place, and reduce load on the Server resources.
4.4.13. Alerts on client installation are not received in version 3.3 SP1 Note: This solution should be done only with collaboration with Safend support.
Alerts on client installation are not received in version 3.3 SP1. The logs for the client installation are received though. This happens even after performing the proper procedure of generating this type of alerts - defining that this type of event should generate an alert under Tools --> Global Policy Settings --> Alerts, then recreating the .scc file and using it to install / upgrade clients. CAUSE: Generally, the .scc file contains the global policy settings that exist when the file is being generated; consequently, these settings will be included in the initial policy a client receives. In 3.3 SP1, the definition of alert on client installation events doesn't get into the .scc file, and so the initial policy doesn't contain this definition and the alerts are not generated. SOLUTION: In 3.3 SP1, a number of files are to be replaced on the server and on the console(s) in order to make the .scc file receive the client installation definition from the global policy settings: Extract the attached RAR to a temporary folder. The RAR file contains two folders – Management Console (contains
Chapter: Safend Protector Management Server
SYMPTOM:
38 | P a g e one DLL file) and Management Server (contains a few DLL file). Replacing the DLLs for the server, local console and future remote consoles: -------------------------------------------------------------------------------------------------------1. In the server machine, close the console and stop the 2 Safend services – Domain service, Local service. 2. Copy the DLLs from the Management Server folder in the temporary folder, to the folder C:\Program Files\Safend\Safend Protector\Management Server\bin. Replace all existing files. 3. Copy the DLL from the Management Console folder in the temporary folder, to the folder C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole. Replace the existing file. 4. Copy the DLL from the Management Console folder in the temporary folder to the following zip: C:\Program Files\Safend\Safend Protector\Management Server\consoleUpdater\console.zip, replacing the existing file inside the zip. This will enable future remote consoles to be installed with the modified DLL, without the need to apply it to them. 5. Restart the Safend services – Local service, Domain service. 6. Kill the W3WP process. In case multiple instances of it exist, kill all of them. Replacing the DLLs for existing remote consoles, in case you use such: ------------------------------------------------------------------------------------------------1. In the console machine, close the console. 2. Copy the DLL from the Management Console folder in the temporary folder, to the folder C:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole. Replace the existing file.
4.4.14. Restoring a server with Content Inspection fails PROBLEM: Restoring a server with Content Inspection fails NEED:
The installation throws an exception saying: "fail to validate config backup file: system.xml.xmlexception – the xml declaration is unexpected. Line 86, position 7" This is caused by a wrong line in the XML file SOLUTION: Rename the .SCB file to .ZIP file Extract it Open serverconfig.xml file for editing Go to the line that say
Chapter: Safend Protector Management Server
User wants to restore his server from a backed up configuration (SCB file)
39 | P a g e Replace these two lines with
4.4.15. Disabling IIS Logs (to prevent accumulation of large log files) NEED: On the Safend Protector Server machine, the IIS component records every action/connection in log files. Theses log files may accumulate and get very large in size. After the initial installation and configuration of the Safend Protector, it is recommended to disable the IIS Logs, in order to avoid unnecessary strain on the server machine. SOLUTION: In order to disable the Safend Protector Web Site in the IIS from recording IIS logs, please do the following: 1) Go to the IIS snap in 2) Go into Web Sites, and right click the Safend Protector Web Site. 3) Choose Properties, and go to the Web Site tab. 4) uncheck "Enable Logging".
4.4.16. Role Based access does not function SYMPTOM: Upon linking different roles with AD User Group, cannot login to the Safend Management Console using a User from the said User Group. CAUSE:
RESOLUTION: Add the appropriate User Group to the Logon Locally list on the Safend Management Server machine, either in a domain policy or in the Local policy: Local Policy 1) Run gpedit.msc 2) Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment 3) under Log On Locally, add the appropriate user group to the list. Domain Policy 1) Open a domain Group Policy for editing 2) Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights
Chapter: Safend Protector Management Server
The user Group linked with a defined Safend Management Console Role, does not have Local Logon access to the Server machine.
40 | P a g e Assignment 3) under Log On Locally, add the appropriate user group to the list.
4.4.17. When changing the server certificate to an organizational certificate, logs are not sent SYMPTOM: When changing the server certificate from Safend's default certificate (created during the installation of the server) to an organization's specific certificate, policies can be updated for the clients but logs aren't sent from them. This is seen in 3.2 and 3.3 clients. CAUSE: When publishing a policy, a derivative of the certificate called the certificate self-signer is being sent to the client. A response based on the self-signer is sent back to the server when sending logs. When replacing the default Safend certificate with an organization's specific certificate, the self-signer of the Safend certificate is still being sent to the client when publishing a policy, which causes a faulty reply when the client attempti to send logs, and thus, prohibits sending the logs - the clients' reply is based on the Safend certificate, while this certificate is no longer in power due to its replacement. Note that policies are updated successfully for the clients since there is no use in the self-signer in this process (it is only "attached" to the policy). SOLUTION:
Note: There are additional KBs describing the replacement of the Backend.Server.dll for different purposes. Be advised that the Safend R&D team should be consulted if more than one of the issues fixed by this replacement are manifested in the same server, since one replacement will cancel the other.
Chapter: Safend Protector Management Server
This issue can be solved in version 3.3 only. This is done by replacing a DLL file on the server side will cause the new, relevant self-signer to be sent to the clients. In case there is a server cluster (possible in version 3.3 and above), the replacement should take place in every server of the cluster. 1. Stop Safend services – Domain, Local, Broadcast if 3.2 in used. Leave the DB service running. 2. Go to C:\Program Files\Safend\Safend Protector\Management Server\bin 3. Replace the existing backend.server.dll with a modified copy of it. Attached to the solution is the modified backend.Server.dll for version 3.3 build 30270; for any other 3.3 build, the .dll file will have to be modified by the R&D team.
41 | P a g e
4.4.18. Changing source name when sending Safend alerts to the Event Viewer Note: This article contains information on how to change Safend configuration files and is intended for advanced users. if you feel uncomfortable with changing these advances settings, please consult with Safend support or your local Safend distributer. NEED: When configuring Safend Protector Alerts to be sent to an "Event Viewer" alert destination, all alerts are stored under the application source. This can be hard to manage since other applications may also write events under the application source, making it hard to isolate the Safend Protector events. You may change the default "Application" source name to a unique name such as Safend by following the steps below. RESOLUTION: If you desire to change the source name to a unique name (easier when wanting to sort or filter out Safend logs only), you may change 2 small parameters in the Safend Server configuration file - "\Program Files\Safend\Safend Protector\Management Server\serverconfig.xml". Look for the following text: eventLogSource="Application". It should appear twice - once for the "Server Alert Action Dispatcher" and once for the "Client Alert Action Dispatcher". Both need to be changed to your desired source name so that all types of logs will be stored using the same source. Example: eventLogSource="SafendAlerts" All alerts which are forwarded to a machine's event viewer by the Safend Protector Server, will be stored under the manually configured source name.
4.4.19. IIS diagnostics tool
In some cases, the IIS service on the Server machine may experience problems that cause the Safend Protector Management Server to become dysfunctional. In these cases, the problems must be identified and resolved appropriately. SOLUTION: IIS problems may be diagnosed with the IIS Diagnostics Toolkit, available for dowload at: http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa73c9156706e7&displaylang=en One of the tests that can be performed with it is the Server Permissions test in the Auth Diagnostics 1.0 component. This test displays the permissions required for the server, and whether the server has them. Additional IIS diagnostic tools can be found at:
Chapter: Safend Protector Management Server
NEED:
42 | P a g e http://www.iis-resources.com/modules/mydownloads/viewcat.php?cid=15 http://www.iistoolshed.com/tools.aspx
4.4.20. User Permissions for the Safend Server QUESTION: What are the permissions needed for the user account that is used by the Safend Protector Management Server? ANSWER: The user account used by the Safend Server should either be a domain administrator or have the following permissions: a) Member of the "Group Policy Creator Owner" group in the AD b) Have DCOM Remote Launch, Remote Activation and Remote Access permissions on all machines. This can be set through a GPO. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options: add the user to lists on both: DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax and DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax. and apply the policy on all machines with the Safend Client.
4.4.21. Unable to publish a policy and a specific error appears in the Domain Service log
Receiving an error when trying to publish a policy (in all methods). In the DomainService log the following error will appear: [2008-02-19 08:00:50.047800] [Warning] [PolicyPublisher4] [ASB-PDC\sv-SafendAdmin] - Mandatory publish sink TranslationSink failed: Safend.Protector.Admin.Utils.Exceptions.OperationAbortedException - The parameter is incorrect. at Safend.Protector.Policy.Interop.ServerPolicyFormatterClass.AddSecurityCategory(Int32 securityConfigIndex, Int32 portIndex, String categoryName, Int32 categoryType, Int32& categoryIndex) [2008-02-19 08:00:50.047800] [Error] [PolicyPublisher4] [ASB-PDC\sv-SafendAdmin] - 1 errors occurred while publishing policy 5 revision 44 (Safend - Allow All + Default Logging (90 minutes)) In addition, this issue occurs only with version 3.1 and 3.2. The fix was added to 3.3. CAUSE:
Chapter: Safend Protector Management Server
SYMPTOM:
43 | P a g e Sometimes a name that is given to a group in the White-list tab shows up in the Base Policy and therefore an error occurs. SOLUTION:
Chapter: Safend Protector Management Server
In order to resolve this issue please change the name of the problematic group in the White-List.
44 | P a g e
5. Safend DB 5.1. Safend Protector Client Support Solutions 5.1.1. Policy not applied due to the small size of the DB column "Groups" SYMPTOM: In version 3.2, machine or user policy does not apply or applies only after restart. In the Policywebservice log, the following error message appears: "String or binary data would be truncated" CAUSE: The size of the DB column called "Group", existing in the 2 DB tables called "User" and "Computers", is set to 255 characters only in version 3.2. If the user/s or machine/s is a member of AD groups which their overall names is composed of over 255 characters, the policy would be truncated and therefore not applied. SOLUTION: Increasing the "Groups" column size in both of the tables in the DB is required.
Chapter: Safend DB
If using an external MsSQL DB (should be performed by the DBA): ---------------------------------------------------------------------------------------1. Close the console, stop the Safend services - Domain, Local and Broadcast. 2. Open the SQL Enterprise Manager / Query Studio on the SQL Server machine. 3. Go to Databases and to the SafendProtector database. 4. Open Tables, and view the list of the different tables in the SafendProtector DB. 5. Right click the "Computers" table, choose Design Table. 6. Go to the "Groups" Column, check the length value and set it to MAX. 7. Save the changes. 8. Repeat the above steps with the "Users" table in the DB. 9. Restart the Safend Services - Broadcast, Local, Domain. Follwing this, run the command IISRESET from start/run or from cmd. 11. Open the console, go to the Clients world. In the tools icon next to the Organizational Tree view, click "Sync Tree with Directory". 12. Try publishing and updating the policy with a user or a machine to verify the policy is updated.
45 | P a g e
5.1.2. Restoring missing MySQL index files Note: *This solution includes modification of the MySQL database, which might render the server useless. Please use this solution with care. NEED: MyISAM is the default storage engine for the MySQL relational database management system, the DB used by Safend as an internal DB. Each MyISAM table is stored on the disk in three files. The files have names that begin with the table name and have an extension to indicate the file type. MySQL uses a .frm file to store the definition and structure of the table, but this file is not a part of the MyISAM engine, rather a part of the server. The data file has a .MYD (MYData) extension. The index file has a .MYI (MYIndex) extension. An example for a MyISAM table in the Safend Protector MySQL DB is the Computers table, which is stored in the file computers.MYD and has an index file by the name of computers.MYI (and also, a .frm file called computer.frm). The MYI (and MYD & frm) files are stored in the following folder: C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector SYMPTOM AND CAUSE: In some occasions, an MYI file/s may become missing due to an unintentional deletion by the user. This can happen only when the DB service is stopped since the DB service locks the MYI files. Although tempering with the Safend installation folder, and especially with the DB folder, might render a Safend server damaged beyond repair and is not officially supported, in many cases a missing MYI can be restored. 1. A missing MYI file can prevent the console from being launched or disrupt the function of the Logs world in such a fashion that queries cannot be used. 2. In the Managementserver log, the following error appears: [Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager1] [PC120001XP\ASPNET] - Failed to obtain license information: Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Can't find file: 'computers.MYI' (errno: 2) In this error message, the missing MYI file's name is displayed. In the above example, the missing MYI file is the computers.MYI. 3. In the folder C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector, the MYI file that appeared in the error above will not be present. In case the MYI file is present, it is probably corrupted; in this case, please refer to KB00000230 - Repairing corrupted MySQL index files
The safest way to restore a missing MYI file would be to revert to a recent image or snapshot of the machine. If this is not possible, described below is a procedure that recreates the index into an MYI file copied from a different Safend server of the same version and build number. This procedure is composed of a part performed in the customer's environment and a part performed in Safend. 1. Preparations at the customer's server: a. Stop the Safend services in the following order – Domain, Local, Broadcast if version 3.2 is used, DB.
Chapter: Safend DB
SOLUTION:
46 | P a g e b. Kill the W3WP process. In case there are multiple instances of the process, kill all of them. c. It is recommended to save an image or a snap-shot of the server machine. If this not possible, backup the entire folder of C:\Program Files\Safend\Safend Protector\Management Server\database\data by copying it to a different location. d. Send to [email protected] the MYD and frm files that correlate with the missing MYI file; for example, if in the computer.MYI file is missing, the computers.MYD and computers.frm files should be sent. 2. Recreating the index at Safend: a. Set-up a Safend server of the same version and build number, stop its services including the DB service. b. Create a temporary folder in the server machine and copy the MYI file in question to the temporary folder from the folder C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector in the server you've just set-up. c. Copy the MYD and frm files sent from the customer to the temporary folder. d. Enter the following in cmd: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r -q "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of the missing MYI file. Note the only the "-r -q" should be used. The -r switch must not be used alone, and no other repair switches (such as --safe-recover) should be used as well. This is because only "-r -q" doesn't touch the MYD file, which is essential in this case. If the repair succeeded, all 3 files (MYI, MYD and frm) should be sent back to the customer. If the repair failed, consult with the R&D team. Be advised that It is likely that the MYI cannot be recreated and the entire Safend server should be re-installed. 3. Returning to working state at the customer's server: a. Replace the MYI, MYD and frm file in question with the ones sent by Safend. b. Restart the Safend services in the following order – DB, Broadcast if version 3.2 is used, Local, Domain. c. Open the console and check that the policies have the right associations and the logs can be seen.
5.1.3. Repairing corrupted MySQL index files Note: *This solution includes modification of the MySQL database, which might render the server useless. Please use this solution with care.
MyISAM is the default storage engine for the MySQL relational database management system, the DB used by Safend as an internal DB. Each MyISAM table is stored on the disk in three files. The files have names that begin with the table name and have an extension to indicate the file type. MySQL uses a .frm file to store the definition and structure of the table, but this file is not a part of the MyISAM engine, rather a part of the server. The data file has a .MYD (MYData) extension. The index file has a .MYI (MYIndex) extension. An example for a MyISAM table in the Safend Protector MySQL DB is the Computers table, which is stored in the file computers.MYD and has an index file by the name of computers.MYI (and also, a .frm file called computer.frm). The MYI (and MYD & frm) files are stored in the following folder: C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector SYMPTOM AND CAUSE:
Chapter: Safend DB
NEED:
47 | P a g e
In some occasions, an MYI file/s may become corrupted during the regular operation of the MySQL DB. This usually prevents the console from being launched. There are various manifestations of this issue, some are in the server logs and some are in the Windows Event Viewer: 1. Example #1 – The following error appears in the Managementserver log: [Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager2] [NT AUTHORITY\NETWORK SERVICE] - Failed to obtain license information: Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Got error 127 from storage engine 2. Example #2 – The following error event appears in the Windows Event Viewer. Usually, this event error appears alongside the error in the Managementserver log seen in example #1. Event Type: Error Event Source: MySQL Event Category: None Event ID: 100 Date: 8/19/2008 Time: 7:51:33 AM User: N/A Computer: OCINSAPP01 Description: d:\program files\safend\safend protector\Management Server\database\bin\mysqld-nt.exe: Can't open file: 'clientevents.MYI' (errno: 145) 3. Example #3 – The following error appears in the Managementserver log: [Time and date] [Fatal] [Safend.Protector.Admin.App.ManagementServer.SettingsManager1] [PC120001XP\ASPNET] - Failed to obtain license information: Safend.Protector.Admin.Data.DB.Exceptions.DBException - #HY000Can't find file: 'computers.MYI' (errno: 2) Note that from example #1 alone you cannot tell which MYI file is problematic and thus preventing the console from opening, but in example #2 and #3 the problematic MYI is known (in the above example #2 and #3, the problematic MYIs are clientevents.MYI and computers.MYI, respectively). Also, note that the error message in example #3 may appear as well when an MYI file is missing. Restoring a missing MYI file/s is described in KB00000231 - Restoring missing MySQL index files
The guideline in regards with repairing corrupted MYI files is that the data (MYD) should not be touched if possible. 1. Preparations: a. Stop the Safend services in the following order – Domain, Local, Broadcast b. Kill the W3WP process. In case there are multiple instances of the process, kill all of them. if version 3.2 is used. Leave the DB service running. c. Backup the entire folder of C:\Program Files\Safend\Safend Protector\Management Server\database\data by copying it to a different location. Also, you may want to save an image or a snap-shot of the server machine. 2. Identifying the corrupted MYI: The first goal is to determine which MYI file is corrupted. Usually, only one MYI file gets corrupted at a time, but theoretically, multiple MYI files can simultaneously exist as corrupted. The simplest way to determine which MYI is corrupted is by checking the Event Viewer or the Managementserver
Chapter: Safend DB
SOLUTION:
48 | P a g e log, as seen in examples #2 and #3. In case no indication appears, as seen in example #1, use the myisamchk utility to check the integrity of all of the MYI file. In cmd, enter the following: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of a MYI file. Repeat this action for all of the MYI files. Attached to the solution is an example of the myisamchk's output when the MYI file is valid, and when the MYI is corrupted. 3. Repairing the corrupted MYI: The procedure described below can be performed on the server machine, or in Safend once a customer sends the MYI, MYD and frm files in question. If handled in Safend, the 3 files should be put in a temporary folder on a server machine with the same version and build number of server as at the customer's.. After identifying the corrupted MYI, use the myisamchk utility in cmd to repair it. a. Firstly, try to use the -r -q switches. This attempts to repair the index file without touching the data file. If the MYD file contains everything that it should and the delete links point at the correct locations within the MYD file, this should work, and the MYI is fixed. The complete command should be: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r -q "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of the corrupted MYI file. If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), continue to the next section. b. Try to use the –r switch alone. This removes incorrect rows and deleted rows from the data file and reconstructs the index file. The complete command should be: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" -r "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of the corrupted MYI file. If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), continue to the next section. c. Try to use the --safe-recover switch. Safe recovery mode uses an old recovery method that handles a few cases that regular recovery mode does not, but is slower. The complete command should be:
Where "tablename" should be replaced with the name of the corrupted MYI file. If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), continue to the next section. d. Try to use the -f switch. The -f switch forces the indexing by overwriting old temporary files and includes touching the data.
Chapter: Safend DB
"C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" --safe-recover "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI"
49 | P a g e The complete command should be: "C:\Program Files\Safend\Safend Protector\Management Server\database\bin\myisamchk.exe" --safe-recover "C:\Program Files\Safend\Safend Protector\Management Server\database\data\safendprotector\tablename.MYI" Where "tablename" should be replaced with the name of the corrupted MYI file. If the repair succeeded, continue to repairing the other corrupted MYI files in case there are indeed additional corrupted MYIs. If the repair failed (clearly seen in the cmd window), please refer to Stages 3 and 4 in the following MySQL article, and also consult with the R&D team: http://dev.mysql.com/doc/refman/5.0/en/repair.html/url 4. Returning to working state: Start the Safend processes in the following order – Broadcast if version 3.2 is used, Local, Domain.
5.1.4. Changing external DB user, password and authentication method (domain) while connected to Protector QUESTION: Is it possible to change the external DB user and password or to change the authentication method (SQL/Windows) while it is connected to the Protector? ANSWER: There is no problems when changing credentials (user/domain/password) but it should be done the right way and while the Safend services are suspended. SPAdmin utility cannot change more than one parameter simultaneously which means that it should be executed few times - one for each parameter. For example changing username and password to Administrator and Apple1 accordingly should be done like this: 1. SPAdmin.exe -dbinfoview dbinfo.xml username=Administrator 2. SPAdmin.exe -dbinfoview dbinfo.xml password= Apple1 If required, domain may be changed also the same way. There is no problem substituting domain user with SQL user (or vice-versa). In order to do so just specify empty domain name: SPAdmin.exe /dbinfoview dbinfo.xml domain=
5.1.5. Replacing the DB which is used by Safend Protector Management Server
SYMPTUM:
Chapter: Safend DB
NOTE: Password must be always the last parameter to change since when specifying the new password SPadmin tries to connect to DB using existing user name and domain (specified in DBinfo.xml) and the new password.
50 | P a g e
In some cases, replacing the DB which is used by Safend Protector Management Server is needed. SOLUTION: In order to replace an existing DB used by Safend Protector Management Server to another, please perform the following steps: 1. Backup the encryption keys files and configuration files through the Maintenance Tab in the Administration Window. 2. Uninstall the Safend Protector Management Server. 3. Reinstall the Safend Protector Management Server by performing the following: o Please pay attention to choose the Restore mode for restoring Server installations while maintaining previous configuration (as seen in the attachment). o When installing the server using this mode you should choose to use the Safend Protector backup files (as seen in the attachment). o Afterwards, you should choose what database you would like to use – an embedded database on the same machine or an external existing MSSQL database (as seen in the attachment). Following this window continue with the installation.
5.1.6. When using MsSQL DB User cannot save policies, run queries, change settings or logs are not saved. PROBLEM: User cannot save policies, run queries, change settings or logs are not saved. CAUSE: The minimum required level of permissions to run and maintain the Safend protector server is 'DB owner' SOLUTION: Security level can be checked on security --> logins
5.1.7. When using MsSQL DB User cannot connect to the server PROBLEM: User cannot connect to the server SOLUTION:
1. Check that the user has the proper permissions to perform the actions he is trying to do (the minimum required permissions are DB owner) 2. Check connectivity to the server by using the PING utility 3. Telnet the SQL port (TCP 1433) to see if the server is listening both IP and computer name| 4. Install 'SQL client tools' on the Safend Server 4.a. Create a text file and rename its extension to .UDL
Chapter: Safend DB
This can be caused by lake lack of connectivity or lack of proper permissions,
51 | P a g e 4.b. Open it with 'Microsoft old provider for MsSql server' 4.c. Enter the correct user name and password 4.d. Connect to the Safend protector DB 4.e. Server Errors can be found at management a SQL server logs à current
5.1.8. When using MsSQL DB the installation cannot create the DB PROBLEM: During installation the installer cannot create the DB. followed by an error message relating to insufficient permissions of the user used to connect to the DB with CAUSE: The Minimum required level of permissions to install Safend protector is 'DB creator' SOLUTION: Security level can be checked on security --> logins
5.1.9. When using MsSQL DB performing DB related actions causes console freeze. PROBLEM: When performing DB related actions the console freezes. CAUSE: This can be related to certain objects "locking" other objects SOLUTION: On Query analyzer / query studio (installed with the SQL server), run the command 'SP_WHOZ', objects marked with red mark are "locked" if these object persist to be locked they need to be "killed". To kill a Process, run 'Kill [object name]' You may also run a more detailed query: Select * from master sysprocesses where blocked <> 0 or SPID in (select * from master)
Chapter:
Note: this solution should be performed by the Customer's DBA
52 | P a g e
6. Safend Protector Management Console 6.1. Support logs -
Safend Protector Management Console Logging
-
When investigating issues with the Safend Protector Management Console, the logs provide valuable information.
-
There are 2 trace logs for the Management Console:
Console Updater log – \Program Files\Safend\Safend Protector\Management Console\log Management Console log – \Program Files\Safend\Safend Protector\Management Console\Management Console\log
6.2. Troubleshooting Guidelines When investigating an issue concerning the Safend Protector Management Console, most issues fall under the following categories:
Safend Protector Management Console fails to open.
Safend Protector Management Console fails to perform remote client commands. Safend Protector Management Console general errors and exceptions
-
Safend Protector Management Console Fails to Open
-
When the Management Console fails to open, the following must be verified:
Are the Safend Server services running?
Is the Management Console trying to communicate using the correct SSL port? (the correct port can be found in the IIS web sites safend protector web site properties ssl port)
Can the Safend Server machine be contacted from the console machine (Ping, Telnet)?
Is the Management Console on the same machine as the server? If not, Does the local Management Console, on the Safend Server machine, start successfully?
Can the Management Console machine browse to the Safend Server machine using the https protocol? Management Console Install site: https://[servername]:4443/SafendProtector/consoleinstall.aspx Change the [servername] to the real server name 4443 is the default port.
Chapter: Safend Protector Management Console
-
53 | P a g e
-
Safend Protector Management Console Fails to Perform Remote Client Commands
-
When the Management Console fails to perform remote commands, the following WMI configurations should be examined:
Is the WMI service enabled and started on both the Safend Server and Client machine
Can the Safend Server contact the Safend Client machine by its FQDN?
Verify that the RDP ports are open.
Does the Server User have sufficient privileges on the Target machine? i.e., permission to perform WMI commands.
Use wmimgmt.msc to verify WMI valid communication.
-
Safend Protector Management Console General Errors and Exceptions
-
If the Management Console experiences any error or exception during work, the following should be examined:
Does the issue reproduce after a reboot?
Were there any configuration changes applied to the Server/Console machine? Are there any errors in the event viewer logs? What are the exact steps that caused the issue to occur?
Chapter: Safend Protector Management Console
What is the exact error message?
54 | P a g e
6.3. Safend Protector Management Console Solutions
6.3.1. When trying to log-in to the console, the error message "user is not in the authorized user group" appears SYMPTOM: When launching the console, entering the credentials and trying to log-in, the log-in fails with the error message "user is not in the authorized user group". CAUSE: There are 2 possible causes for this issue: 1. The user that one is trying to log-in to the console with is not in the AD User Group / local machine user group that is authorized to use the console. By default, this group is the BUILTIN\Administrators group. Note that this group may differ according to the settings in the Users Management menu under Tools -> Administration -> General. 2. The IIS service was uninstalled and re-installed, after the Safend server had been installed. This causes the deletion of the Safend websites from the original server install. SOLUTION: There are 2 solutions for this, respective to the cause: 1. In AD / the local machine, add the user to the User Group that is authorized to use the console. 2. Re-install the Safend server. You may want to use the Restore installation option, using the backed-up keys and settings, in order to have the new server communicating with the existing clients and to preserve the policies and other settings. Please review the Installation Guide before uninstalling and re-installing the server.
NEED: Sometimes, one needs to be able to login to the console without entering the password on each time launching it. This is usually needed when log-on to Windows is performed using a smart card (usually it is set in AD - the “Smartcard Required" option is active) and not using a password; in this scenario, the users usually don't know the log-on password since they are using the smart card, and thus become unaware to the console's password as well. SOLUTION: One should try to launch the console as usual for the first time, and the login window can be closed (there's no need to enter the password). After this, the Single Sign On (SSO) capability can be used; this is set in the "Safend Protector Web Site" properties. See the exact steps to doing so in the attached document.
Chapter: Safend Protector Management Console
6.3.2. How to login to the console without entering the password each time
55 | P a g e
In order to have SSO enabled please do the following: Go to IIS management, right click on the SafendProtector website and go to directory security.
Chapter: Safend Protector Management Console
Click on Edit under Authentication and access control:
56 | P a g e
Uncheck the “Enable anonymous access” and check the “Integrated Windows authentication” radio buttons. Restart the safend protector website (or just restart all IIS) Close IIS management console In this stage you can delete the shortcut to Safend management console on the desktop and create a new one using these settings: Right click on the desktop and choose new shortcut
Chapter: Safend Protector Management Console
Click browse and go to program files\safend\Safend Protector\management console\management console\management console.exe
57 | P a g e Click ok and add the –no_login switch at the end of the path created so it will look like this: "D:\Program Files\Safend\Safend Protector\Management Console\ManagementConsole\ManagementConsole.exe" -no_login make sure to replace the drive letter with the right one for the safend installation.
6.3.3. Cannot use WMI commands from 3.3 console if MsSQL installed with windows authentication SYMPTOM: When trying to perform a WMI command from a 3.3 console such as retrieve logs or update policy, and if the DB is an MS SQL installed with windows authentication, the command will not be performed and the following error message will appear: Notification failed – try later. Object reference not set to an instance of an object CAUSE: When trying to connect to the MS SQL DB using windows authentication, the impersonation process performed by the local service happens twice instead of once as it should. Connection with double impersonation is forbidden. SOLUTION:
6.3.4. Cannot open the console after upgrade to 3.3 or a fresh install, with an error message of access denied to reports folder SYMPTOM: After upgrading to 3.3 or after a 3.3 fresh installation, opening the console fails after entering the credentials, with the following error message: Application Execution Error Management Console failed to start (
Chapter: Safend Protector Management Console
The file Admin.App.WebServer.dll should be replaced in the Safend server with a modified one. This will cause the impersonation process to happen only once, as it should. 1. Stop the Safend Local service. This will stop the domain service as well 2. Go to \Program Files\Safend\Safend Protector\Management Server\bin and backup the file Admin.App.WebServer.dll to another folder 3. Replace this DLL with the modified version. To this soultion, attached is the DLL that should be used with 3.3.30270 server version only. For any other server version and build, the DLL must be modified by the R&D team 4. From cmd, run the IISRESET command 5. Start the Local service and then start the Domain service
58 | P a g e This issue can occur right after the installation, but usually seen later (after a few hours or days). CAUSE: In the installation/upgrade process, a folder called "reports" is created in the management server folder. This folder stores a few files related to the Reporter. By default, the installation/upgrade grants a full control permission to "Everyone" for this folder. In certain environments, GPOs or other means can change the permission to this folder (as to any other folder in the machine) to something else, or simply deny "Everyone" from having full control over it. This might cause the user who is running Safend application pool (by default it is the "network service" user) to be inaccessible to this folder, and so the console cannot be opened. Since general GPO updates usually occur once every in a while , this issue is usually not experienced right after the installation but in a certain delay, hours or days later. SOLUTION: Granting full control over the reports folder to the user who is running the Safend application pool (by default it is the network service). To check which user is running the Safend application pool, go to My Computer > Manage > Internet Information Service > Application Pools >SafendProtectorAppPool > Properties > Identity.
6.3.5. When using role based permissions user can't publish policies PROBLEM: When using "Role Based Management", users from specific 'User Roles' roles receive an error message when trying to publish policies via the Safend Protector Policy Server. SOLUTION:
NEED: When using role based permissions user need to enable "policies" but disable other options.
6.3.6. When using role based permissions user can't associate polices PROBLEM: When using "Role Based Management", users from specific 'User Roles' roles receive an error message when trying to associate policies with organization objects via the Safend Protector Policy Server. SOLUTION:
Chapter: Safend Protector Management Console
This issue could be related to missing permissions for this specific Role. In order to publish policies , the "User Role" must have 'Read' permissions on the "Global Policy" tab.
59 | P a g e
This issue could be related to missing permissions for this specific Role. In order to associate policies with organization objects, the "User Role" must have 'Read' permissions on the "Clients" tab
6.3.7. Console cannot be opened due to Local and Domain Services fail with "System.Security.Cryptography.CryptographicException - Access is denied" in the logs SYMPTOM: In rare cases, on hardened machines, the local and domain services will fail to configure. This will cause the console to not to open. 1. The following error message is received: Application Execution Error Management Console failed to start (Access is denied) 2. A DCOM error in the Event viewer related to the user NT Authority\ Network Service will appear. 3. In the server logs, an error appears including the text: System.Security.Cryptography.CryptographicException - Access is denied CAUSE: The Network Service user cannot access the Cryptographic keys library in Windows.. SOLUTION: Grant Full Control privileges to the user Network Service for the following folder:
6.3.8. Enabling WMI commands via Safend Protector Safend Protector utilizes the, Windows Management Instrumentation (WMI) protocol for providing management capabilities over all Safend clients via the Safend server. This document covers the minimum requirements for enabling WMI communication between the Safend server and Safend clients. What is WMI and how does Safend Protector use it? Windows Management Instrumentation is a set of Window’s API’s in the Windows operating system that enables devices and systems in a network, typically enterprise networks, to be managed and controlled. The Safend Agent retrieves policies and sends logs to the server periodically over an SSL channel. However, the Safend administrator can enforce the client to send logs or update policies immediately, via the management console tab. These
Chapter: Safend Protector Management Console
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys
60 | P a g e commands are sent to the client via the WMI channel. Please note that when these commands are disabled it will not affect the Safend agent functionality. To learn more about the Windows Management Instrumentation (WMI) protocol, please visit the following link: http://msdn.microsoft.com/en-us/library/ms811553.aspx
1. The Safend domain Service account must have sufficient privileges over the WMI objects on the target machines. By default the built in Domain Admin group is part of the local admin group of any target machine in the network, thus Domain Admin group, most likely will have sufficient privileges over WMI objects on the target machines. If the Safend domain account is part of the Domain Admin group, all you will need to verify is that your domain admin group is indeed part of the local admin on the target machine. In cases where the Safend domain service account cannot be part of the domain admin group, you will need to add this user manually to the local Admin group on all the machines in the network you will want to manage, via the Safend Management console. There are several recommended methods for adding a domain user into a local group: 1. Using unrestricted groups for adding domain groups\users into local users, as described in the following Microsoft article : http://support.microsoft.com/kb/810076
Chapter: Safend Protector Management Console
What are the minimum requirements for using WMI with the Safend protector?
61 | P a g e
2. Writing a simple VB script that will add the desired user automatically into the Local admin group on the target machine using a startup script feature via GPO. In order to see an example of such a script, please refer to Appendix D below. 3. Using an existing group that was already added to the local admin group, such as an SMS management group. Note: To determine which account is being used by the Safend Domain service, please refer to Appendix A below. For further information on necessary WMI privileges required, please contact Safend support at [email protected] 2. The Server must be able to resolve the target machine FQDN name or its short host name. In cases where you cannot resolve the FQDN of the target machines (i.e. machine.domain.com) from the Safend server, but you can resolve the short host name (i.e. machine), you can configure the Safend server to work with a short host name in order to configure the server to work with short host name, please refer to Appendix B below. 3. Network firewalls or personal firewall such as Windows XP Personal firewall or any other personal firewall must enable WMI traffic from the Safend management server to the Safend management console. When sending WMI commands via Safend Management console, WMI must establish a DCOM connection from the Safend Server to the target machines. In order to enable DCOM traffic, the following ports need to be opened in addition to the SSL port (default 443) that must be enabled. Port 135
In cases where the Safend agent machine has installed on it a WinXP personal firewall, you will be able to use the procedure described in Appendix B, in order to allow WMI traffic easily, via GPO settings. In cases where there is a network firewall between the management server and the Safend clients you may want to use a fixed range of ports. For further information please visit the following link: http://msdn.microsoft.com/enus/library/ms809327.aspx 4. DCOM must be enabled on the server and clients. DCOM is enabled by default on any Microsoft Operating system. However, there are some security policies that may disable DCOM on Windows 2003 servers, thus it is wise to verify that DCOM is enabled on the server by performing the following: Run the following command : Start>run>dcomcnfg
Chapter: Safend Protector Management Console
Dynamically assigned ports, in the range of 1024 to 6535(typically in the range of 1024 to 1034).
62 | P a g e
Right click on My Computer and press Default Properties Make sure that the first check box is checked.
5. The Safend Wmi classes are registered properly on the target machine. By default the Safend agent registers all its WMI components. This setting is not changed unless during the installation you use MSI MST files to change the Product name from its original name “Safend Protector”.
Appendix A: How to determine which user is running the WMI commands via the Management Console In order to get the user account that the Safend Server is using, perform the following: 1. Log in to the Management Console. 2. On the menu choose Tools>Administration. 3. In the General section the Server Credentials will indicate which User is being used for the Safend domain service. 4. This account can be changed by pressing the Change button.
Chapter: Safend Protector Management Console
Note: Changing the Product Name is not supported, so WMI commands will not work.
63 | P a g e
Appendix B: Working with a short host name when a FQDN cannot be resolved from the Safend Server In order to configure the Safend server to work with a short host name, please perform the following: For version 3.3 and above: 1. Stop the following Safend Services Safend Local Service
Note: Safend DB service will not be present when working with an external DB. The Safend domain service is set to start manually, so it may not be running. 2. Edit the following info Edit with Notepad the following xml file: C:\Program Files\Safend\Safend Protector\Management Server\serverconfig.xml search the entry below and verify that the value is True, in case the value is false, change its value from False to True. (note the capital ‘T’)
Chapter: Safend Protector Management Console
Safend DB
64 | P a g e
For version 3.2 and below: 1. Stop all Safend Services Safend Protector broadcast Service Safend Protector Local Service Safend Protector Domain Service Safend Protector DB Note: Safend DB service will not be present when working with an external DB. Edit with Notepad the following xml file: C:\Program Files\Safend\Safend Protector\Management Server\bin\serverconfig.xml Search the entry below and verify that the value is True, in case the value is False, change its value from False to True. (note the capital ‘T’)
Chapter: Safend Protector Management Console
2. Edit the following info :
65 | P a g e
Appendix C: Allow WMI communication via GPO for Windows Personal firewall Step 1: Updating Your Group Policy Objects with the Windows Firewall Settings To update your Group Policy objects with the Windows Firewall settings, using the Group Policy snap-in or using the Group Policy Management Console (GPMC): 1. Open the GPO snap in or the Group Policy Management console.
3. In the console tree, open Computer Configuration>Administrative Templates>Network>Network Connections>Windows Firewall. An example is shown in the following figure.
Chapter: Safend Protector Management Console
2. Click the Group Policy object that you want to update with the new Windows Firewall settings. An example is shown in the following figure
66 | P a g e
4. Choose Domain Profile and right click on the following setting: Windows Firewall: Allow Remote Administration Exception
6. Each computer in the network that will get this GPO will allow WMI traffic.
Chapter: Safend Protector Management Console
5. Choose Enabled and save settings.
67 | P a g e
7. Safend Auditor 7.1. Troubleshooting Guidelines When investigating an issue regarding the Safend Auditor, most issues fall under the following categories: Safend Auditor fails to audit a remote machine. Safend Auditor fails to open a report as an Excel/HTML file. Safend Auditor fails to audit a remote machine
When the Safend Auditor fails to audit a remote machine, the following must be verified: Is the remote machine running and connected to the network? Are the appropriate ports opened between the scanning and scanned machines? SetupAPI-based Audit: In order for Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port 445 (SetupAPI; through file and printer sharing and remote registry service) to be open. In addition, you will need to make sure that the "Remote Registry" service is running in the target machine. WMI-based Audit: Safend Auditor also allows auditing remote machines using the WMI method. This method requires port 135, in addition to another dynamic port (allocated automatically by Windows when the WMI is used). Allowing the "Remote Administration" exception in your firewall will allow Safend Auditor to scan the machine using WMI. Does the User used when performing the Auditor scan have the appropriate privileges on the remote machines? Safend Auditor fails to open a report as an Excel/HTML file
When the Safend Auditor fails to open a report as an Excel/HTML file, the following must be verified: Can the Auditor report be opened in a different machine running the Safend Auditor?
Chapter: Safend Auditor
Can a different Auditor report be opened on this machine?
68 | P a g e
7.2. Safend Auditor Support Solutions 7.2.1. Safend Auditor Command Line Parameters NEED: In some cases, there is a need to run the Auditor through a Command Line interface. SOLUTION: To do that, you have the option to run the Auditor with command line parameters. Usage: auditor [/ip | /ou | /comp] [options] *For a full list of all options and flags, please see attached document.
7.2.2. Enabling Safend Auditor Debugging logs Note: the logs are cryptic and no one except from a developer with the code in front of him can understand them NEED: Safend Auditor Debugging Logs may be enabled in order to troubleshoot unusual behavior witnessed during the runtime of the Safend Auditor. RESOLUTION: Starting Safend Auditor Debugging Logs: To enable Auditor logs, open the Registry Editor (regedit), and access the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor. Create a new String value with the name "LogLocation". Give it the Value of the log location and name, for example: "c:\temp\log.txt". Please make sure to use pre-existing directories in the log location value as the Auditor will not create new directories for the log path.
This method will create a logging file in the defined location. When sending this file to the Safend Support team, please provide the Auditor version number, which can be found under Help-->About from the Auditor Menu.
Chapter: Safend Auditor
RESULT:
69 | P a g e
7.2.3. Safend Auditor installation fails with DVOM registration errors SYMPTOMS: The Safend Auditor installation, may fail with the following error message or a similar one: "Error 1402. Could not open key: UNKOWN\CDVOM.DeviceProperty2.1\CLSID. Verify that you have sufficient access to that key, or contact your support personnel. CAUSE: This issue occurs when there has been a previous version of Auditor 2.0 which wasn't cleaned up properly during uninstallation - Occures with specific builds of Auditor 2.0. RESOLUTION: The following registry keys need to be deleted, before the installation can be executed again and completed successfully: HKEY_CLASSES_ROOT\CDVOM.DeviceProperty2 HKEY_CLASSES_ROOT\CDVOM.DeviceProperty2.1 HKEY_CLASSES_ROOT\CDVOM.DVOMComputer2 HKEY_CLASSES_ROOT\CDVOM.DVOMComputer2.1 HKEY_CLASSES_ROOT\CDVOM.DVOMDevice2 HKEY_CLASSES_ROOT\CDVOM.DVOMDevice2.1 HKEY_CLASSES_ROOT\SafendDVOM.DVOMWifiInfo HKEY_CLASSES_ROOT\SafendDVOM.DVOMWifiInfo.1 HKEY_CLASSES_ROOT\SafendXML2DVOM2.Translator2 HKEY_CLASSES_ROOT\SafendXML2DVOM2.Translator2.1
7.2.4. Opening ports on Windows Firewall for the Safend Auditor
SYMPTOMS: In some cases the Safend Auditor will fail in auditing a target machine, although that machine may be up and running.
Depending on the method of scan in which the Safend Auditor is configured, different prerequisits must be met for the Audit to succeed. If the required ports are not allowed in your organization's firewall, and required services are not running, the Audit will fail. RESOLUTION: SetupAPI based Audit: In order for the Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port 445 (SetupAPI - through file and printer sharing and remote registry service) open. Additionally, you will need to
Chapter: Safend Auditor
CAUSE:
70 | P a g e make sure that the "Remote Registry" service is running in the target machine. WMI based Audit: The Safend Auditor also allows auditing remote machines by using the WMI method which requires port 135 in addition to another dynamic port allocated automatically by Windows when WMI is used. Allowing the "Remote Administration" exception in your firewall will allow the Safend Auditor to scan the machine using WMI. Managing Windows XP Service Pack 2 Windows Firewall Using Group Policy: Published by Microsoft: August 1, 2004 Windows Firewall is a stateful host firewall designed to drop unsolicited incoming traffic that does not correspond to a dynamic or configured exception. A stateful firewall tracks the state of network connections. The firewall monitors traffic sent by the host and dynamically adds exceptions so that the responses to the sent traffic are allowed. Some of the state parameters that the Windows Firewall tracks include source and destination addresses and TCP and UDP port numbers. This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic. Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in Windows XP with Service Pack 1 and Windows XP with no service packs installed, is enabled by default in SP2. This means that all the connections of a computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dialup, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by default. Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only. They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. Identical sets of policy settings, as shown in Table 2, are available for two profiles: • Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain.
Policy Setting Description Windows Firewall: Protect all network connections Turns on Windows Firewall. The default is Not Configured. Windows Firewall: Do not allow exceptions Specifies that Windows Firewall blocks all unsolicited incoming messages, including configured exceptions. This policy setting overrides all configured exceptions. The default is Not Configured. Windows Firewall: Define program exceptions Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two
Chapter: Safend Auditor
• Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.
71 | P a g e program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. The default is Not Configured. Windows Firewall: Allow local program exceptions Allows local administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. The default is Not Configured. Windows Firewall: Allow remote administration exception allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM. The default is Not Configured. Windows Firewall: Allow file and printer sharing exception Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445. The default is Not Configured.
7.2.5. Auditing a Remote Domain with the Safend Auditor QUESTION: Can I use the Safend Auditor to audit a domain which my computer is not a member of, using the Change User option? ANSWER: The Change User option in the Auditor can enable log-on to a domain which is not the computer's domain, as long as there is a trust relationship between the two domains. Please ensure a trust relationship is set between the computer's domain, and the domain you would like to audit. In addition, make sure that the user account you are using to perform the audit has administrative permissions on the target computers.
7.2.6. There is no response when clicking "View Excel" PROBLEM:
SOLUTION: The .dll file that is responsible for the operation of Excel (NSExcelProject.dll) may not be updated. The file should be updated using the following steps: 1. Delete the old file 2. Un-register the .dll using the command line: regsvr32 "
Chapter: Safend Auditor
There is no response when clicking "View Excel"
72 | P a g e 3. Copy the new file into the same location 4. Register the .dll using the command line: regsvr32 "
7.2.7. Error received when attempting to view the Excel report of the Auditor scan QUESTION: Why do I get an error message when I click "Create Excel" in the Auditor? ANSWER: The version of Excel you have installed is incompatible with the Auditor requirements. Please ensure you have installed excel 2003 professional.
7.2.8. Auditor report with connection time and data transfer NEED: Is there an option to get a detailed report on when the device was connected and the files that were transferred to and from the device? RESOLUTION: The Safend Auditor does not have Device Connection timing information, since this information is not provided by Windows. However, both Exact times of device connection and File Transfers are available through the Event Logs recorded by the Safend Protector Client.
7.2.9. Local machine cannot be found in Auditor report
SYMPTOM:
CAUSE: Due to some personal firewall settings, some times the firewall does not allow a ping to the local machine. As a result, the local machine cannot be reached by the Auditor and will not be displayed. RESOLUTION:
Chapter: Safend Auditor
When running the Auditor on an OU that includes the machine from which the Auditor is executed, the local machine cannot be found in the results
73 | P a g e In order to run the Auditor for the current computer, use the option for running it on a single computer, with the computer name being the word "local". This will bypass the firewall limitation.
7.2.10. Safend Auditor fails to audit certain remote machines SYMPTOMS: In some cases the Safend Auditor may will fail to audit a target machine. CAUSE: There may be a number of reasons for this: 1. The auditing user does not have administrative permissions to the audited computer (this is either the user logged on to the computer on which the Auditor is installed, or the user to which the credentials were changed, in the Change User option). 2. The machine did not respond within an acceptable time. This can happen if for any reason there was too much load on the network at the time of the audit, or even if the machine was turned off at the time. 3. The machine is listed in Active Directory but does not exist. This can happen if its name was changed, or if it was disconnected from the network at the time of the audit. 4. A Firewall may be active on these machines, blocking the access of the Safend Auditor. SOLUTION:
1. Make sure the account that is used for auditing has sufficient permissions. 2. Make sure the machine is not turned off. 3. Make sure the machine is listed properly in the AD, and that it is connected to the network. 4. When the reason for failure is a Firewall on the target machine: Depending on the method of scan in which the Safend Auditor is configured, different prerequisites must be met for the Audit to succeed.
In order for the Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port 445 (SetupAPI - through file and printer sharing and remote registry service) open. Additionally, you will need to make sure that the "Remote Registry" service is running in the target machine. The other ports that the "file and printer sharing" is listening on (137,138 UDP and 139 TCP) are not needed for the auditor, and therefore can remain closed at the firewall. In order to enable file and printer sharing:
Chapter: Safend Auditor
When conducting a SetupAPI based Audit:
74 | P a g e Open Control Panel --> Network Connections Double click on your connection and then click the properties button. * For a LAN connection, click the general tab and make sure the File and Printer Sharing for Microsoft Networks is not selected. * For a dial up connection, click the Networking tab and then make sure File and Printer Sharing for Microsoft Networks is not selected. In addition, the XP SP2 firewall has a built-in exception rule for "File and Printer Sharing", which is an exception for ports 137-139 and 445. The rule is editable and can be modified to apply only to port 445. To do this: Open Control Panel -->Firewall Go to the exceptions tab, choose file and printer sharing, click edit and select the checkbox next to 445. When conducting a WMI based Audit: The Safend Auditor also allows auditing remote machines by using the WMI method which requires port 135 in addition to another dynamic port allocated automatically by Windows when WMI is used. Allowing the "Remote Administration" exception in your firewall will allow the Safend Auditor to scan the machine using WMI. Managing Windows XP Service Pack 2 Windows Firewall Using Group Policy: Published by Microsoft: August 1, 2004 Windows Firewall is a stateful host firewall designed to drop unsolicited incoming traffic that does not correspond to a dynamic or configured exception. A stateful firewall tracks the state of network connections. The firewall monitors traffic sent by the host and dynamically adds exceptions so that the responses to the sent traffic are allowed. Some of the state parameters that the Windows Firewall tracks include source and destination addresses and TCP and UDP port numbers. This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic. Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in Windows XP with Service Pack 1 and Windows XP with no service packs installed, is enabled by default in SP2. This means that all the connections of a computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dialup, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by default.
Identical sets of policy settings, as shown in Table 2, are available for two profiles: • Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain. • Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.
Chapter: Safend Auditor
Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only. They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.
75 | P a g e
Policy Setting Description Windows Firewall: Protect all network connections Turns on Windows Firewall. The default is Not Configured. Windows Firewall: Do not allow exceptions Specifies that Windows Firewall blocks all unsolicited incoming messages, including configured exceptions. This policy setting overrides all configured exceptions. The default is Not Configured. Windows Firewall: Define program exceptions Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. The default is Not Configured. Windows Firewall: Allow local program exceptions Allows local administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. The default is Not Configured. Windows Firewall: Allow remote administration exception allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM. The default is Not Configured. Windows Firewall: Allow file and printer sharing exception Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445. The default is Not Configured.
7.2.11. Error message received when attempting to view HTML report of Auditor scan QUESTION: Why do I get an error message when I click "View Report" in Auditor? ANSWER:
7.2.12. Safend Auditor Graphic Report Procedure for MS Excel NEED: Presenting the Safend Auditor reports in Excel worksheets with queries and graphic representations - charts etc. SOLUTION:
Chapter: Safend Auditor
The version of Internet Explorer you have installed is incompatible with the Auditor requirements. Please ensure you have Internet Explorer 6 or above installed. If you have defined a different browser as your default browser, try redefining Internet Explorer as the default browser.
76 | P a g e
The Safend Auditor can export reports to MS Excel files that are pre-configured with the most commonly used queries. It is also possible to add graphic reports of the audit results using the following procedure: Note: MS Excel 2003 or above must be installed 1. Execute the Safend Auditor 2. Select the OU or IP range you wish to audit 3. Click Run to perform the Audit 4. Wait for Audit to complete 5. Click Create Excel 6. MS Excel will then open automatically with the Auditor results 7. In Excel select and highlight the entire devices or computers data table (DO NOT select the Audit status table) including the Column Titles. 8. Go to the Data menu and select Pivot Table and Pivot Chart report. 9. The Pivot Table wizard will than start. Leave the settings as they appear by default and click next. 10. The Pivot Table and Pivot Chart window (Step 2 of 3) will than appear. Click next. 11. In the following window (Step 3 of 3) click Finish. 12. A window with the fields you have chosen will be displayed. 13. From the Pivot Table Field List window select “PORT”, drag it into the “Drop Row Fields Here” area. 14. Perform step 13 for the “Types”, and “Device Info” fields as well as placing them beside the port field performed in step 13 in succession. Note the order of the fields: Port, Type, and than Device Info. 15. Next you will need to drag the “Description” field into the “Drop Data Items Here” area. 16. In the “Device info Column” click the drop down arrow, and deselect (uncheck) any unwanted devices, such as PCI devices. Make sure to uncheck the “Blank” items at the bottom of the list. 16. You can now use the Chart wizard button to generate Bar or Pie charts as needed. See the attached document for these instructions, accompanied by screenshots of the entire process.
7.2.13. The Safend Auditor Scanning Method and Network bandwidth information QUESTION:
ANSWER: The Safend Auditor software is configured to scan multiple computers on a single network simultaneously, through WMI or SetupAPI protocols, as defined by the user via Settings--> Scan Protocol. This is done by allocating a different thread for each machine to be scanned. By default the Auditor opens 10 threads in order to perform the scan, thus scanning 10 machines at the same time. This value can be changed by editing the registry value NumThreads, located under: HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor.
Chapter: Safend Auditor
How does the Safend Auditor scan target computers and what is the scan's impact on the network?
77 | P a g e
Audit Bandwidth: In general when scanning a single machine the amount of data transferred from the machine is approximately 300KB ,depending on the number of devices that were previously connected to that machine up until the scan. The network bandwidth taken up by a scan, is in direct proportion to the number of machines that are being scanned simultaneously. It is important to note that while the accumulated bandwidth from scanning across multiple machines simultaneously may appear to be large, the actual effect on the network is relatively small. This is due to the fact, that audit information is sent to the auditor in bursts, taking up short amounts of time.
7.2.14. Where the auditor is key located in the registry? SYMPTUM: When right-clicking a machine in the Clients World and choosing to Audit Devices, the Auditor is unreachable. CAUSE: On the first time when choosing to audit a machine from the Clients World, a window will pop-up asking to browse the Auditor. When a wrong path was entered, every attempt to audit a machine via the Clients World will fail. SOLUTION: The registry key holding the location of the Auditor (used by the management server) is: [HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor] The value under this key that holds the location of the Auditor exe file is “ExePath”. Here is an example value: "ExePath"="C:\\Program Files\\Safend\\Safend Auditor\\\\Auditor.exe" Please delete this value.
7.2.15. The Safend Auditor creates new user profiles on the audited machines PROBLEM:
SOLUTION: The Safend Auditor has two scanning protocols that can be used while performing a scan: WMI and Setup API. When the auditing process is done using the WMI protocol, the local OS on the end user's scanned machine will automatically create a new administrator profile that will be named after the user that performed the auditing. In order to avoid this result, the scan should be done using the Setup API protocol. The only exception is that when auditing a machine that runs Windows Vista the scanning protocol must be WMI.
Chapter: Safend Auditor
new administrator profiles were created on organization machines that were scanned by the Safend Auditor.
78 | P a g e
7.2.16. The Auditor seems not to detect remote devices when working via VPN In order to run audits successfully, port 445 (‘Microsoft-DS’, which is used for resource sharing) and ICMP (Internet Control Message Protocol) must be permitted in the network, and in the specific case, through the VPN.
7.2.17. The Auditor is unreachable when right-clicking on a machine in the Clients World and choosing to Audit Devices. SYMPTUM: When right-clicking a machine in the Clients World and choosing to Audit Devices, the Auditor is unreachable. CASUE: On the first time when choosing to audit a machine from the Clients World, a window will pop-up asking to browse the Auditor. When a wrong path was entered, every attempt to audit a machine via the Clients World will fail. SOLUTION: The registry key holding the location of the Auditor (used by the management server) is: [HKEY_LOCAL_MACHINE\SOFTWARE\Safend\Auditor] The value under this key that holds the location of the Auditor exe file is “ExePath”. Here is an example value: "ExePath"="C:\\Program Files\\Safend\\Safend Auditor\\\\Auditor.exe"
Chapter: Safend Auditor
Please delete this value
79 | P a g e
8. Safend Reporter 8.1. Safend Reporter Support Solutions 8.1.1. Internet Explorer Error message when running any report on Safend server 3.3 SP2 SYMPTOM: After Upgrading from Safend Server 3.3 SP1 to Safend Server 3.3 SP2 with Reporter, in the reports tab, when trying to run any report, Internet Explorer security error message appears with the path: file://E:\Development\Code\trunk\Safend.Protector.Admin.UI\Admin.UI.World After hitting “close”, the error message disappears and the report will run properly. Attached are screenshot of the Spanish version of the error. CAUSE: The error pops up whenever the security level of the internet is set to "high" (or Active Scripting is Disable). You can check it out at Tools-> Internet Options -> Security -> Internet (or in Custom Level). SOLUTION: Replacing 2 .mht files under \Program Files\Safend\Safend Protector\Management Console\ManagementConsole: - PleaseWait.en-US.mht - PleaseWait.mht Save the file that is attached to the solution under the two names, once as: PleaseWait.en-US.mht and once as: PleaseWait.mht.
Chapter: Safend Reporter
Note: The files need to be replaced at each existing console. In order to have future remote console that might be installed from the given server to include the fix, the .mht file should also be replaced in the console zip under the server's directory - C:\Program Files\Safend\Safend Protector\Management Server\consoleUpdater\console.zip
80 | P a g e
8.1.2. Required IE settings for Safend reporter Internet explorer settings for Safend Reporter best view 1. Open internet explorer. 2. From the top menus select tools -> internet options
Chapter: Safend Reporter
3. Go to advanced tab
Chapter: Safend Reporter
81 | P a g e
82 | P a g e
4. Under multimedia select "play animations in web pages" and "show pictures"
Chapter: Safend Reporter
5. Under printing select "print background colors and images
83 | P a g e
Chapter: Safend Reporter
6. Under security select use TLS 1.0
84 | P a g e
9. Safend Encryptor 9.1. Safend Encryptor Support Solutions 9.1.1. Internal hard disk encryption doesn't get applied to the client due to publishing backup compatible policies SYMPTOM: With Encryptor 2.0 (Protector 3.3 SP2), when publishing policies using GPO or REG files and "Publish backward compatible policies" is checked in the console (under Tool --> Administration --> Policies): 1. Policies that contain HD encryption will not cause the hard disk to be encrypted although they are applied properly to the client (can be seen in the client's GUI properly, and other functionality of the policy such as port protection works properly). 2. In the client's GUI, the encryption status bar doesn't exist at all, as if it is not an Encryptor client. 3. In the registry under HKEY_LOCAL_MACHINE\software\policies\safend, a key called "V_3_3H" does not exist although it should be. Note: Generally, the key HKEY_LOCAL_MACHINE\software\policies\safend exists only if policies are published using GPO or REG files. CAUSE: When applying policy using the GPO or REG file methods, under HKEY_LOCAL_MACHINE\software\policies\safend, keys by the names of existing and previous Safend versions, which are "containers" of the policies themselves, will appear under this key. An example for such a key is HKEY_LOCAL_MACHINE\software\policies\safend\V3_3, which contains in it the policy in 3.3 format once a policy is published to the client. With a 3.3 SP1 client, the client will read the policy from this "container". With Encryptor, when the Backward Compatible policies option is applied in the console, the key HKEY_LOCAL_MACHINE\software\policies\safendV_3_3H, that is used to store in the policies created for the Encryptor client, doesn't get created since the policy, being backward compatible, gets written to a previous "container", usually "V_3_3". When the policy is written to the "V_3_3" container, it can be read by the Encryptor client, but the part in the policy regarding the HD encryption cannot be read by it. The end result is that the policy is applied properly but HD encryption functionality will not work. SOLUTION:
Chapter: Safend Encryptor
Each policy containing HD encryption should be published twice, so both Encryptor clients and previous client versions will be able to read it and in order to have the HD encryption working properly. This issue is fixed in versions above Encryptor 2.0.
85 | P a g e
9.1.2. After encrypting the HD of a machine, shared folders which are located on this machine cannot be accessed from another machine SYMPTOM: With Windows XP, after encrypting the HD of a machine: 1. Shared folders which are located on this machine cannot be accessed from another machine even though all permissions and sharing setting are correct. This is more common when using one or more anti-virus or similar software on the encrypted machine. 2. BSOD occurs when trying to rename a network folder. CAUSE: Generally, several Windows drivers related to network shares assume a fixed number of file system drivers on the machine. Installing Safend and encrypting the HD adds at least one file system driver, and each anti-virus or similar software usually adds one as well, and so the default number of file systems drivers may be too low. This issue is described in details in the following Microsoft article: http://support.microsoft.com/kb/177078/en-us SOLUTION: There are 2 possible solutions for this issue: 1. Upgrading the XP service pack of the encrypted machine to SP3. 2. If the above is not possible - Increase the number of file systems drivers allowed on the encrypted machine: a. Increase the IrpStackSize in the registry as described in http://support.microsoft.com/kb/177078/. The IrpStackSize should have the value of 18 or more (in decimal). In case increasing it to a certain number doesn't resolve the issue, try to increase it further after completion of the steps below b. Replace the mup.sys driver located at system32\drivers with the mup.sys driver attached to this solution. This file is included in one of XP SP2 hot fixes, described in the following Microsoft article: http://support.microsoft.com/kb/906866 Note that the mup.sys driver should only be replaced in client machines experiencing the issue and not with every client machine c. Increse the DfsIrpStackSize in the registry as described in following Microsoft article: http://support.microsoft.com/kb/906866. The DfsIrpStackSize should have the value of 10 only. d. Restart the machine
9.1.3. In Encryptor 2.0, how to copy the reset code & the one time access code from Encryptor login screen,
1. One method of resetting the access password to the encrypted HD is by entering a reset password in Sami (in native mode, before startup) on the client machine. This is done by pressing the F6 key and then the F9 key when in Encryptor login screen. These 2 key strokes generate a long hexadecimal string that should be copied to the console, and the reset password generated in the console (relatively short) should be entered back to Encryptor login screen. Since the process described above happens in Encryptor login screen before startup, there is no obvious way to copy the long hexadecimal string so it can be pasted later into the console. 2. One method of obtaining a one time access password to the encrypted HD is from Encryptor login screen on the
Chapter: Safend Encryptor
NEED:
86 | P a g e Client machine (in native mode, before startup). This is done by pressing the F7 key and then F9 key when in Encryptor login screen. These 2 key strokes generate a long hexadecimal string that should be copied to the console, and then a one time access password (relatively short) is generated in the console. This password can entered back to Encryptor login screen for one time access. Since the process described above happens in Encryptor login screen before startup, there is no obvious way to copy the long hexadecimal string so it can be pasted later into the console. SOLUTION: Respectively to the previous paragraph: 1. In Encryptor login screen, pressing Ctrl + Alt + Shift + F1 instantly creates a registry key in the client machine containing the reset code. After pressing the keys above, load Windows normally (can be done using Technician mode), open regedit and go to: HKEY_LOCAL_MACHINE\CurrentControlSet\Services\SafendPS\ResetPasswordCode The value of this key is the reset code that should be pasted into the console. 2. In Encryptor login screen, pressing Ctrl + Alt + Shift + F2 instantly creates a registry key in the client machine containing the one time access password. After pressing the keys above, load Windows normally (can be done using Technician mode), open regedit and go to: HKEY_LOCAL_MACHINE\CurrentControlSet\Services\SafendPS\OtpCode The value of this key is the one time access code that should be pasted into the console.
Chapter: Safend Encryptor
Note that In both cases, when loading Windows right after pressing the above mentioned key combinations, many files will be encrypted since no password was entered to Encryptor login screen; this does not matter here, there is no problem viewing the registry, even if logging-in with a non-admin user.
87 | P a g e
10. Implementation 10.1. Implementation Support Solutions 10.1.1. Implementation in non directory environments NEED: When installing Safend Protector in a non- Active Directory environment, the procedure for installing and working with the protector is different. The changes to this procedure are listed below. RESOLUTION: The Safend Protector can easily be installed in non-AD environments. The differences when working with Safend Protector in non-AD environments are: • The product can be deployed using any deployment software that supports .msi files (again, such as Microsoft SMS, etc.) • The clients list will not be retrieved from the Active Directory, however, any machine with Safend Protector Client installed will appear under the 'Clients' tab in the Safend Management Console and as "not in domain" in the organizational tree, and all the management activities will be available for these machines. • Policy Distribution must be done through either the direct Server-Client policy publish, or by publishing the policies as Registry files. All other functionality is exactly the same in non-AD environments. When installing Safend Protector in non-AD environments you should ensure the following: • During the Safend Server installation, when you reach the Domain Credentials Menu, enter the user name and password of the local administrator, and enter the computer name of the server machine as the domain name. Make sure the local administrator for the server also has local admin privileges on any of the client machines. • SSL communication ports used for the Server-Client are open on all machines and firewalls. As well, Policy distribution can also be done using reg files (that can be distributed using any distribution software such as SMS, Novell Zenworks, etc.) rather than direct Server-Client policy publishing. These files are then run on the endpoint machines, in order to link them to each respective machine's registry, causing the policy to take affect. (Please see the note at the bottom of this page for an example of such a method.)
There is also an option of automatically running an executable file after saving a policy, which enables automating the entire policy distribution process (e.g. every time that a policy is saved, a script will be activated to distribute this policy using the company's deployment software). · To enable this option, be sure to check the "Run executable after publish" box, and provide a link to the custom made executable.
Chapter: Implementation
To enable Registry Policy Publishing, after the installation make sure to change the policy distribution method in the Management Console Administration to use registry files. This is done by opening the TOOLS menu in the Management Console, and selecting Policies, checking the "Publish policies to a shared folder" box, and specifying a location to store the regfiles. Make sure that "Use Active Directory" is not checked.
88 | P a g e
10.1.2. Environment Requirements Estimates for the Safend Protector QUESTION: What are the system requirements and network requirements of the Safend Protector? ANSWER: Numerous real-life tests of the Safend software in live installations have shown that the effect on network and endpoint performance of the software is insignificant, in that it is virtually unnoticeable and remains under the average 'noise level' in a standard network environment. Following is some data about the performance of the Safend system in a network environment. Statistics regarding network bandwidth: 1. Safend Management Server → Endpoints: 1a. Update policy command over WMI – 1KB per machine (eg, sending an Update Policy trigger to an OU with 1,000 machines would require ~1MB). 1b. Retrieve logs command over WMI – 1KB per machine (eg, sending a Retrieve Logs trigger to an OU with 1,000 machines would require ~1MB). 2. Endpoints → Safend Management Server 2a. Send endpoint logs to database – Assuming average device activity, this will require around 40KB per machine per day. The machines will send their logs every predefined interval, which can be fine-tuned according to the organization's size, needs and network configuration. 3. Safend Management Server → Safend Management Console: 3a. Because the Safend Management Console will be installed only on a limited number of machines, the network bandwidth required in this case is insignificant. Statistics regarding workstation performance: The installation of the Safend Protector Client on an endpoint has minimal effect on the system's performance. Following are details of CPU & RAM utilization of the Safend Protector Client in both idle and active states: 1. Safend Protector Client Worker Process when idle: CPU utilization = 0%; RAM usage = 12MB. 2. Safend Protector Client Worker Process when active (ie: when the Safend Protector Client policy is being updated): CPU utilization = 12% for less than a second, then back to 0%; RAM usage = 12.5MB 3. Safend Protector Client Worker Process when active upon the connection of a restricted device: CPU utilization = 2% for less than a second, then back to 0%; RAM usage = 12.76MB.
Environment requirements for the installation of the Safend Management Server v3.0: The following estimations assume that the customer has a dedicated Safend server. 1. Organizations with up to 1,000 endpoints -- We recommend using a server PC with 1 3~GHZ Processor, 1GB RAM, a standard 7,200rpm HD, and Windows 2003 Server. We estimate that the Safend database will require about 25-30GB a year, depending on device activity at the endpoints. 2. Organizations of up to 10,000 endpoints -- A dedicated server with 2-4 3.4~ Ghz Dual Xeon Processors, with at least 2GB RAM and a large 10,000rpm HD. It is recommended that the customer install Windows 2003 Enterprise
Chapter: Implementation
Note: The above results were recorded in our test lab, on a Pentium IV machine running WinXP SP2 with no special additional applications running. The results may differ for machines with different specs than those in our lab.
89 | P a g e Server. The Safend DB will reach about 250-300GB a year. 3. Organizations of up to 50,000 endpoints -- A dedicated server with 4 3.4~ Ghz Dual Xeon Processors, with at least 2-4GB RAM and a large 10,000rpm HD. It is recommended that the customer install Windows 2003 Enterprise Server. The Safend DB will reach about 1-2TB a year. 4. Organizations serving 50,000+ endpoints – Please contact Safend Support for a more precise hardware requirements estimation according to the specific domain and clustering configurations. Log files size: Usually, the log files do not tend to exceed 1-2KB each when the machine is idle (and users are simply logging off and back on), and you shouldn’t expect more than 10 log files a day. However, if there is much activity at the endpoint (device connection/disconnection, such as you would expect for example on the sysadmin's endpoint), the log files can reach 10-20KB each, plus another couple of KBs if file logging is enabled.
10.1.3. Resolving and Identifying GPO Errors In order to verify that the computer can receive Group Policy updates, the computer must be connected properly to the domain. All errors from SecCli , Userenv or Netlogon in the event viewer must be checked out thoroughly. These errors can cause the computer not to receive group policy update or even to prevent proper domain logon. 2. The command line utility gpresult.exe can be used to verify that the Group Policy was received and applied properly by the client computer (this utility should be run locally on the client computer). It is imperative to make sure that the GPO is applied to the appropriate OU and Domain. Gpresult is built in Windows XP and you can download it for Windows 2000 from: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp After running this tool in a command window with the /v option this utility will output all the Group Policy objects that were applied to the local system. The output will be divided to user settings and computer settings. Verify that all the Group Policy objects configured in the active directory are properly applied to the local system. If some or all group policies are missing from gpresult's output, the event viewer needs to be checked for errors. 3. The command line utility gpotool.exe can be used to verify that all the group policy objects stored in the active directory are valid and contain all the information needed to apply the group policy locally. (This utility should be run locally on the client computer) This tool can be downloaded from: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp
Two more utilities that can be used to diagnose a misconfiguration in the network or the domain are netdiag.exe and dcdiag.exe: 4. The Command line Utility netdiag.exe is used to test the network status and indicate problems with the connectivity of your client. This utility is included in the support tools package which is located on the install CD under support\tools, it can also be downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=1EA70814-7E6C-46E5-8C8C3C439A732E9F&displaylang=en Use this utitlity by typing netdiag in the command line prompt and inspecting the results to make sure there are no
Chapter: Implementation
If you cannot find a certain group policy in the gpresult's output but you can find it in the gpotool, this might occur due to late replication schedule.
90 | P a g e connectivity issues. 5. The command line utility dcdiag.exe is used to verify that the domain controller is configured properly and fully functional, this tool runs numerous tests on the domain controller and any errors received need to be fixed and verified. A poorly configured domain, or a malfunctioning domain controller can prevent the computers from receiving a valid Group Policy. (This utility could be run locally on the client computer or on the domain controller). This utility is included in the support tools package which is located on the install CD under support\tools, it can also be downloaded from: http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/dcdiag-o.asp
10.1.4. Building Protector Policy per Security Group (GPO policy distribution) *This KB article describes the method of applying policies in Version 3.1, in version 3.2 this problem can be easily resolved using 'Policy Server' mechanism. NEED: In some cases several Group Policy Objects need to be applied to different user/machine objects located in the same OU. The "Normal" way to apply the Protector Policies on objects that reside in an OU, is to link the GPO to the OU, thus applying the Policy to all of the objects contained in the OU. In some cases, mainly large scale organizations, this may be cumbersome, and very difficult to manage. SOLUTION: There is a way that enables us to apply several Protector/Group Policies on users that reside in security groups in the same OU, in a process called security filtering. A good example of an organization which could use this method is an organization which contains all users in one OU, and all computers in another OU (in the domain). In this case it will be easier to use existing security groups and apply the Protector policy on them rather than rearrange the whole computers/users in a new OU structure. The security filtering is essentially a procedure where we apply several Protector/Group Policy objects on the same OU (which contains users/computers) and then change the ACE (Access Control Entries) on those Protector/Group Policy objects to only allow users in certain security group to read and apply that specific Protector/Group Policy.
Chapter: Implementation
Detailed instructions with screenshots can be found in the attached pdf document:
91 | P a g e
10.1.5. Enabling Verbose logging for GPO installations NEED: In some cases, the GPO installation of the Safend Protector Client may fail due to misconfiguration of the Active Directory, or other components of the OS. In such cases, detailed logs called Verbose Logs will need to be created in order to help identify and solve the problem. SOLUTION: Following, are Microsoft's instructions on how to enable Verbose logging for GPO installations: Warning!!! - Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by any other method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Use Registry Editor to add the following registry value (or modify it, if the value already exists): Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Value: UserEnvDebugLevel Value Type: REG_DWORD Value Data: 10002 (Hexadecimal) UserEnvDebugLevel can have the following values: NONE 0x00000000 NORMAL 0x00000001 VERBOSE 0x00000002 LOGFILE 0x00010000 DEBUGGER 0x00020000 The default value is NORMAL|LOGFILE (0x00010001). Note: To disable logging, select NONE (where the value is 0X00000000). You can also combine the values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. So if UserEnvDebugLevel is set with a value of 0x00010002, this turns on both LOGFILE and VERBOSE. Combining these values is the same as using an OR statement: 0x00010000 OR 0x00000002 = 0x00010002 Note If you set UserEnvDebugLevel = 0x00030002, the most verbose details are logged in the Userenv.log file. The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log exists and is greater than 300 KB, the existing file will be renamed to Userenv.bak, and a new log file created.
Chapter: Implementation
These instructions can also be found at: http://support.microsoft.com/kb/221833/
Related Documents
Securing Your Endpoints
June 2020 0
Securing Your Laptop
May 2020 1
Securing-your-web-server3593
July 2020 14
Securing Your Windows Server Systems
November 2019 6
Securing Mac
June 2020 4