Channel: Novell User Communities - ZENworks Full Disk Encryption

Windows Powershell script to create a Windows PE emergency recovery disk for ZENworks Full Disk Encryption

license: 
Free (subject to disclaimer)

ZENworks Full Disk Encryption supports the use of a Windows PE emergency recovery disk to regain access to encrypted devices. Creating a Windows PE disk is an extensive command-line activity that requires the entry of more than 30 commands to create the correct directory structure and add the appropriate registry entries.

The Windows Powershell script automates the creation of the Windows PE emergency recovery disk, reducing the time required to create the disk and eliminating possible mistakes.

The result of the script is a Windows PE ISO image that you can burn to a CD or DVD.

Prerequisites:

  1. Install the Windows Automated Installation Kit (AIK). The script expects the AIK to be located at C:\Program Files\Windows AIK. If you do not install it to this location, you will need to change the AIK path in the script (see step 1 in the Usage section).
  2. Create a C:\erd\WinPE directory.
  3. Extract the ZFDE_WinPE_Plugin.zip to the C:\erd\WinPE directory. The plugin is available under ZENworks Tools in ZENworks Control Center.
  4. Unzip Build_FDE_WinPE_recovery_disk_x86.zip to get the Powershell script file (Build_FDE_WinPE_recovery_disk_x86.ps1). Copy the Powershell script to the C:\erd directory.
  5. (Optional) Copy the emergency recovery information (ERI) files that you want included on the Windows PE disk to the C:\erd\WinPE\ERI directory. You must create the ERI directory. If you place the files in a different directory, you will need to change the ERI path in the script (see step 1 in the Usage section).

    If you don't include the ERI files on the disk, you can supply the files via a USB device at the time the disk is used for recovery.

  6. Make sure a C:\WinPE directory does not exist before executing the script; this directory is created and used as the build directory.

Usage:

  1. If necessary, edit the Powershell script with a text editor to change the following variables:

     Variable            Default Setting                Description
     $BuildDir           C:\WinPE                       The build directory used to create the Windows PE ISO image.
     $Architecture       x86                            x86 is for Intel and AMD 32-bit processors; amd64 is for Intel and AMD 64-bit processors; ia64 is for Intel Itanium processors.
     $Language           en-us                          The user locale. Values are standard international language code formats (en-us, de-de, es-es, and so forth).
     $KbLayout           0409:00000409                  The keyboard layout. The default is en-us. See the Microsoft Go Global Development Center (http://msdn.microsoft.com/en-us/goglobal/bb895996) for layout IDs.
     $WAIKInstallation   C:\Program Files\Windows AIK   The path to the Windows AIK installation.
     $ISOLabel           Novell_FDE_Recovery_WinPE      The volume label assigned to the ISO image.
     $PluginDir          .\WinPE\EN\files               The path to the Full Disk Encryption plugin files. The default is a path relative to the script location.
     $ERI_Dir            .\ERI                          The path to the emergency recovery information (ERI) files to include in the ISO image. The default is a path relative to the script location.

  2. Run Windows PowerShell with Administrator privileges.
  3. Change to the C:\erd directory.
  4. Enter the following command to ensure that the Execution Policy for Windows Powershell is set to Unrestricted:

     Set-ExecutionPolicy Unrestricted

     If the Execution Policy is set to Restricted, the script will not run and the following error will be displayed:

     File Build_FDE_WinPE_recovery_disk_x86.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.
     At line:1 char:40
     + .\Build_FDE_WinPE_recovery_disk_x86.ps1 <<<<
         + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
         + FullyQualifiedErrorId : RuntimeException

  5. Execute the script:

     .\Build_FDE_WinPE_recovery_disk_x86.ps1

    After the script successfully completes, the Novell_FDE_Recovery_WinPE.iso is added to the C:\WinPE directory.
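A pre-flight check for the build procedure above, added here as an example; it is not the Build_FDE_WinPE_recovery_disk_x86.ps1 script and only verifies the prerequisites and default paths the page lists before you run it. All paths assume the defaults given above (C:\erd, C:\WinPE, C:\Program Files\Windows AIK).

```powershell
# Pre-flight check for the Windows PE recovery disk build (added example, not Novell's script).
# Run from an elevated Windows PowerShell prompt in C:\erd before starting the build.

$WAIKInstallation = 'C:\Program Files\Windows AIK'                           # prerequisite 1
$ErdRoot          = 'C:\erd'
$PluginDir        = Join-Path $ErdRoot 'WinPE\EN\files'                       # prerequisites 2 and 3
$ERI_Dir          = Join-Path $ErdRoot 'WinPE\ERI'                            # prerequisite 5 (optional)
$BuildScript      = Join-Path $ErdRoot 'Build_FDE_WinPE_recovery_disk_x86.ps1' # prerequisite 4
$BuildDir         = 'C:\WinPE'                                                # prerequisite 6

$problems = @()
$notes    = @()

# Administrator privileges are needed for the AIK tooling and for creating C:\WinPE.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += 'PowerShell is not running with Administrator privileges.'
}

if (-not (Test-Path $WAIKInstallation)) {
    $problems += "Windows AIK not found at '$WAIKInstallation'; install it or edit `$WAIKInstallation in the script."
}

if (-not (Test-Path $PluginDir)) {
    $problems += "Plugin directory '$PluginDir' is missing; extract ZFDE_WinPE_Plugin.zip into $ErdRoot\WinPE."
} elseif (@(Get-ChildItem $PluginDir -Recurse | Where-Object { -not $_.PSIsContainer }).Count -eq 0) {
    $problems += "Plugin directory '$PluginDir' contains no files."
}

if (-not (Test-Path $BuildScript)) {
    $problems += "Build script '$BuildScript' not found; unzip Build_FDE_WinPE_recovery_disk_x86.zip into $ErdRoot."
}

# ERI files are optional on the disk; without them they must be supplied from USB at recovery time.
if (Test-Path $ERI_Dir) {
    $eriCount = @(Get-ChildItem $ERI_Dir | Where-Object { -not $_.PSIsContainer }).Count
    if ($eriCount -eq 0) {
        $notes += "ERI directory '$ERI_Dir' exists but is empty; ERI files will have to be supplied via USB."
    } else {
        # A disk carrying ERI files can regain access to those devices, so store the resulting ISO accordingly.
        $notes += "$eriCount ERI file(s) will be embedded; make sure `$ERI_Dir in the script resolves to '$ERI_Dir'."
    }
} else {
    $notes += "No ERI directory at '$ERI_Dir'; ERI files will have to be supplied via USB."
}

# The script creates C:\WinPE itself; a leftover directory from an earlier build gets in the way.
if (Test-Path $BuildDir) {
    $problems += "Build directory '$BuildDir' already exists; remove or rename it before running the script."
}

# A Restricted execution policy produces the PSSecurityException shown in the Usage section.
# Scoping the change to the current process (Set-ExecutionPolicy Unrestricted -Scope Process)
# avoids leaving the machine-wide policy relaxed after the build is done.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    $problems += 'Execution policy is Restricted; the build script will not load.'
}

$notes    | ForEach-Object { Write-Host "NOTE:    $_" }
$problems | ForEach-Object { Write-Host "PROBLEM: $_" -ForegroundColor Red }
if ($problems.Count -eq 0) {
    Write-Host "All prerequisites satisfied; run .\Build_FDE_WinPE_recovery_disk_x86.ps1 from $ErdRoot."
} else {
    exit 1
}
```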

Additional Information:

For information about using the Windows PE disk to recover an encrypted device, see the ZENworks 11 Full Disk Encryption Emergency Recovery Reference.

Attachment                               Size
build_fde_winpe_recovery_disk_x86.zip    25.59 KB

ATT Live 2012 in Review


Coming off our 10th annual ATT Live, I wanted to share an event review for this year's conference that was held in Las Vegas, May 15th through the 18th. For the previous nine years, ATT Live has been a December conference, with an occasional repeat in the early spring based on demand. However, this year... the sunshine and warm weather of May was a nice change.

If you have not had the opportunity to attend ATT Live in the past 10 years then you may not know much about the event. In a nutshell, Training Services has made this the premier technical conference of the year for our customers and partners. All of the sessions delivered are hands-on and presented by subject matter experts. Most sessions typically run up to 4 hours in length and offer an in-depth view of the technology or solution. A great opportunity to enhance your skills, learn new technologies and network with peers.

Every year we pride ourselves in meeting the training needs of our customers by listening to our attendees' feedback and improving on the previous year. This year will be no exception! Here are a couple of comments I felt were worth sharing:

"I'm self employed. Coming to ATT Live means not only paying for the conference, hotel and airfare, it also means giving up the income I'd earn working these days, but it was well worth it!"

"The core of the event was the quality of the instructors. They were consistently excellent and knowledgeable."

"I look forward to ATT Live every year, thanks for another great conference - best one yet!"

"An excellent forum to exchange knowledge with my peers"

"I love just having great sessions! It's a great value for the money"

Outside of the customer comments, which I regard as most important.... here are some highlights to focus on from this year's conference:

  • 200+ attendees - The highest attended ATT Live to date. We initially set our resources to accommodate 150 students, but found ourselves increasing the number to 180 by end of April and eventually having 207 registrants by the event date.
  • 80+ hands-on sessions - We extended our 4 day technical tracks from 10 to 12, offering a good mix of sessions across all three Business Units (Novell, NetIQ and Suse). This gave our customers an excellent opportunity to attend sessions needed for their current job focus, but also allowed them to explore some new products of interest.
  • Learning Central App - We launched the new Learning Central App at the conference. Giving our ATT Live attendees the first chance at using electronic content distribution for both lecture and lab. It was a huge hit, and the feedback was awesome. This will change the future of how we distribute content and will also help us extend value for Ondemand training. To check out more on the Learning Central App visit https://learningcentral.novell.com/ or download the app from the Apple App Store - LearningCentral (One customer said - "Loved the Learning Central App. It was nice not having to lug books around")
  • Adding SMEs - In order to extend our tracks and accommodate more students, we asked help from services employees to help deliver these sessions, adding their product knowledge and real world experience to the sessions. Several product managers also attended to present on their product futures. On behalf of Training Services, I want to thank them all for the value they added to the conference and the time they spent away from their day jobs developing content and delivering at the ATT Live Conference. The impact they had on our customers not only benefited the attendees, but also gave some good face to face time for them with customers.
  • Testing - We offered both Certification and Practicum testing, included in the price of the conference. Many customers find value in validating their knowledge and improving their credentials.

The M Resort was a perfect venue for our conference. You would have to look long and hard to find a negative comment about the location (okay... maybe the pool closing at 6:00 and sessions running until 5:30). The M Resort is known for its excellent food, buffets, and restaurants, so we took what worked well for us last year and extended our buffet vouchers for lunch, giving our customers a choice and quantity of food. It seems that a happily fed customer never hurts in the overall evaluation.

There were plenty of reasons for attending, and we were excited to have filled the hotel during the week with Novell, NetIQ and Suse customers.

We will be looking to add events to our calendar in the coming months that will allow those who missed out on the ATT Live event to still get access to the most popular modules delivered during the week. We will be bundling advanced modules to add advanced courses to the public schedule, and we plan to put on Virtual ATT Live events that focus on specific business units.

If you have any questions, comments or general feedback, you can reach my team at training@novell.com, training@suse.com or training@netiq.com. We will be watching the inbox for your feedback.

Jeff McMurdie

ZENworks Full Disk Encryption Webinars


Come one, come all! Find out how only real integrated full disk encryption protects you completely, works with what you have, and locks out intruders without locking you out of your devices.
Novell ZENworks Full Disk Encryption gives you both worlds: security and manageability.

  • Get automated data protection that locks out threats
  • Manage encrypted devices remotely and cut travel costs
  • Give IT staff a familiar management environment
  • Avoid security breaches and stay out of the news

Join the discussion -- check out these webinars.

Novell ZENworks Full Disk Encryption: Best Practice - Part One


Best practice

A "Best Practice" is commonly defined as "a technique or methodology that, through experience and research, has proven reliably to lead to a desired result." Best Practice is not about "perfection"; it's about getting the job done.

In the context of the next series of paragraphs, sentences, words and occasional doodle, Best Practice is all about sharing knowledge about lessons learned in deploying Novell ZENworks Full Disk Encryption (ZFDE) to ensure the highest degree of success.

What does Novell Full Disk Encryption do?

Novell Full Disk Encryption provides sector-based encryption for standard IDE, SATA, and PATA hard disks. All disk volumes (or selected disk volumes) are encrypted, including any temporary files, swap files, and operating system files on the volumes. The data cannot be accessed until a valid user successfully logs in, and the data can never be accessed by booting the device from media such as PXE, CD/DVD, floppy disk, or USB drive. Literally, everything is encrypted including that browser history you'd rather not be made public. For an authenticated user, accessing data on the encrypted disk is no different than accessing data on an unencrypted disk.

Hardware and Software based encryption

Encryption can work in two ways:

1. Hardware-based FDE

This provides support for hard drives that use an on-board hardware encryption chip. All data written to or read from the drive passes through the hardware encryption chip first. This approach has no performance impact on the operating system or applications, as all encryption and decryption is done on a dedicated processor on the drive itself. The encryption key is supplied on the drive by the manufacturer. Currently only Seagate Momentus FDE.x drives are supported for hardware-based FDE, with support in a future release for drives adhering to the TCG's Opal standard.

2. Software-based FDE

Used for machines with "standard" drives, and usable on most drive types and sizes. The drive must undergo an initial encryption process, and the time required varies depending on whether the entire drive is encrypted or just the used sectors. Encryption happens at the sector level, not the file level.

Pre-deployment considerations

There are a number of factors that you'll need to take into account before commencing deployment. The minimum is given here; you will need to adjust depending on your IT environment and organizational policies and structures.

Supported platforms

ZFDE is fully integrated with and managed by ZENworks Configuration Management (ZCM). The range of supported platforms for ZFDE is a subset of those for ZCM, namely:

  • Windows XP SP2 & SP3
  • Windows Vista (32-bit)
  • Windows 7 (all versions)

NOTE: Future versions of ZFDE will support Windows 8.

Free space requirements

If using hardware-based FDE, the drive must have 130 MB of disk space available. The free space required when using software-based FDE varies depending on whether the PBA will be used (Pre-Boot Authentication is a hardened Linux OS that the user must authenticate to before Windows is started). With PBA, 230 MB is needed; without it, 95 MB.

Partitions

The PBA resides on a primary partition on the system drive, and Windows only allows 4 primary partitions. Windows versions newer than Windows XP have a 100 MB disaster recovery partition as the first partition on the system drive. This leaves 3 partitions available.

The partitions must be Windows basic disk types; dynamic disks are not supported.

Format

NTFS must be used for existing partitions.

Types

SATA and SSD drives are supported, including hybrid drives that combine both technologies; SAS / SCSI controllers are currently not supported.

PreBoot Authentication

Pre-boot authentication is the process of authenticating a user to a device before the device boots to the primary operating system. For ZENworks Full Disk Encryption, the ZENworks Pre-Boot Authentication module, referred to as the ZENworks PBA, performs this operation on a device. The two primary advantages of using the PBA are:

1) It adds another layer of authentication before Windows starts, an extra padlock if you like.

2) It protects against attack vectors for devices that have FireWire ports. This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer and within seconds bypass the Windows authentication and log in as a local administrator. This method has also been adapted to capture the security keys used to decrypt and encrypt the disk.

The primary disadvantage of using PBA is hardware support. The ZENworks PBA is hosted by a fully hardened Linux OS installed on the device, which is protected against changes. The PBA uses Direct Media Interface (DMI) to do a "soft reset" into Windows after the end user has authenticated. Older or brand-new machines, or ones that simply have a badly written BIOS, may not work properly with the PBA kernel's default settings. You can change the settings for those naughty devices so that the soft reset works. Another disadvantage is the hardware support contained within the Linux kernel; very new hardware may not be fully supported.

Also don't forget that PBA introduces a visible change on users' devices. If end users are comfortable with normal Windows login procedures and are resistant to change, then this could cause acceptance issues. Whether you use PBA or not, ZFDE is active and prevents disk access until authentication is successfully completed.

You may now be forming the view that the additional security protection offered by using PBA outweighs any potential clash with BIOS and hardware drivers. Deploying FDE without PBA on devices that have FireWire ports sounds rather like building a deep moat around your office, complete with a solid drawbridge, which you then leave in the down position.

Unless you're using ZENworks Endpoint Security Management (ZESM), that is. One of the capabilities of ZESM is port control, and one of the ports that can be disabled is the FireWire port. With ZFDE and ZESM together, you can safely use Windows-only authentication and be protected against potential FireWire-based compromise attempts.
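The supported-platform, free-space, partition, format, drive-type and FireWire considerations above can be checked on a candidate device before deployment. The script below is an added example and is not Novell tooling; it assumes Windows PowerShell 2.0 or later with WMI access, is run elevated on the device, and covers software-based FDE only (the 130 MB hardware-based figure is not checked).

```powershell
# Device readiness check for software-based ZFDE (added example, not part of the product).
# Run elevated on the candidate device; pass -WithPBA when Pre-Boot Authentication will be used.
param([switch]$WithPBA)   # with PBA the free-space figure is 230 MB, without it 95 MB

$findings = @()

# Supported platforms: Windows XP SP2/SP3, Windows Vista 32-bit, Windows 7 (all versions).
$os  = Get-WmiObject Win32_OperatingSystem
$ver = [version]$os.Version
$supported = switch ("$($ver.Major).$($ver.Minor)") {
    '5.1'   { $os.ServicePackMajorVersion -ge 2 }   # XP needs SP2 or SP3
    '6.0'   { $os.OSArchitecture -eq '32-bit' }      # Vista only in 32-bit
    '6.1'   { $true }                                # Windows 7
    default { $false }
}
if (-not $supported) { $findings += "Unsupported OS: $($os.Caption) $($os.Version) $($os.OSArchitecture)" }

# System volume: must be NTFS and have enough free space for the ZFDE components.
$sysDrive = $env:SystemDrive                                   # e.g. C:
$vol    = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
$freeMB = [math]::Floor($vol.FreeSpace / 1MB)
$needMB = if ($WithPBA) { 230 } else { 95 }
if ($vol.FileSystem -ne 'NTFS') { $findings += "$sysDrive is $($vol.FileSystem); NTFS is required." }
if ($freeMB -lt $needMB)        { $findings += "$sysDrive has $freeMB MB free; $needMB MB is required." }

# Partition layout of the system disk: must be a basic disk, and with PBA there must be a
# spare primary partition slot (the PBA lives on its own primary partition, and only 4 are allowed).
$part = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$sysDrive'} WHERE AssocClass=Win32_LogicalDiskToPartition"
# Assumption: dynamic (LDM) disks report a 'Logical Disk Manager' partition type in WMI.
if ($part.Type -match 'Logical Disk Manager') { $findings += 'System disk is dynamic; only basic disks are supported.' }
$primaries = @(Get-WmiObject Win32_DiskPartition -Filter "DiskIndex=$($part.DiskIndex) AND PrimaryPartition=TRUE")
if ($WithPBA -and $primaries.Count -ge 4) {
    $findings += "System disk already has $($primaries.Count) primary partitions; no room for the PBA partition."
}

# Drive type: SATA and SSD are supported, SAS/SCSI controllers are not. WMI reports many AHCI SATA
# drives as 'SCSI' too, so this is only a prompt to verify the controller, not a hard failure.
$disk = Get-WmiObject Win32_DiskDrive -Filter "Index=$($part.DiskIndex)"
if ($disk.InterfaceType -eq 'SCSI') {
    $findings += "System disk '$($disk.Model)' reports a SCSI interface; confirm it is SATA, not SAS/SCSI."
}

# FireWire: without PBA an enabled 1394 port leaves the DMA attack path open unless the port is
# disabled (for example through ZESM port control).
$fw = @(Get-WmiObject Win32_1394Controller)
if ($fw.Count -gt 0 -and -not $WithPBA) {
    $findings += "FireWire controller present ($($fw[0].Name)); use PBA or disable the port with ZESM port control."
}

if ($findings.Count -eq 0) {
    Write-Host "Device meets the ZFDE pre-deployment requirements (PBA: $WithPBA)."
} else {
    $findings | ForEach-Object { Write-Host "CHECK: $_" -ForegroundColor Yellow }
}
```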

Encrypt entire disc or just used sectors

Unless you have Seagate Momentus drives that support hardware-based encryption, you'll be using software-based encryption. With software-based encryption, the drive needs to be encrypted first. The time required to do this will vary depending on whether you have selected the entire drive to be encrypted or just the used areas. As a rough estimate, it takes 30 to 40 minutes for every 10 GB of data.

Existing FDE applications

If you have already deployed another vendor's full disk encryption application, it will need to be removed before deploying ZFDE. On removal, it is likely that the drive will be decrypted, but you will need to check that this is the case. Allow time for the decryption process to complete before deploying ZFDE.

CHKDSK

Chkdsk (Chkdsk.exe) is a command-line tool that checks volumes on your hard disk drive for problems. The tool then tries to repair any problems that it finds. For example, Chkdsk can repair problems related to bad sectors, lost clusters, cross-linked files, and directory errors. Chkdsk must be run by an administrator or by someone who is a member of the local Administrators group. It is critical that chkdsk is run on every device before ZFDE is installed, and there is an option in the ZFDE policy definition to do this. Alternatively, create a ZCM bundle that installs and runs a batch file with the following content:

REM Schedule a full surface scan and repair of the system volume. The volume is in use,
REM so chkdsk asks whether to run at the next restart; piping "Y" answers that prompt.
CD c:\Windows\System32
Echo Y | chkdsk /r

CHKDSK will run the next time the device is restarted. You may force the restart as part of the bundle.

Hardware testing

Make sure to do interoperability testing on your hardware prior to deployment. You will need to gather representative samples of all hardware and test them in a lab environment. This will indicate the configuration changes required for ZFDE if using PBA. There may also be device BIOS changes required for PBA, depending on the hardware.

Backup

You are strongly advised to back up any device prior to installing a ZFDE policy, especially if that device is located in an area that is known to have sporadic power outages. ZFDE will resume encryption following a device power cycle, but it is better to have a backup in case of non-optimal circumstances.

Novell ZENworks Full Disk Encryption: Best Practice - Part Two


In Novell ZENworks Full Disk Encryption: Best Practice - Part One I looked at what you needed to take into account before deployment. In part two I look at steps you can follow to ensure a successful deployment.

Deployment

Planning

The first step in the process of deployment is planning the actual deployment. The following are recommendations on how to plan this process:

Contact departmental leaders and inform them about the deployment.

Make suggestions on how you want to roll out ZFDE to devices, including which departments are going to be targeted by date and time. Make sure you line this up with your planned deployment schedule in your project plan. Ensuring that everyone knows that this is a deliverable of the organization makes it much easier to line up the departments, sites, or groups for deployment.

Identify and notify the individuals who are part of the pilot phase of the deployment.

Emphasize that feedback is key to the success of this project. Individuals who are part of the pilot and the wider-scale deployment should provide feedback directly to the IT organization or to the Service Desk.

Make sure your teams are well informed of the deployment. This includes:

  • Departmental leaders.
  • Employees of the organization.
  • The organization’s Service Desk (staff members should have the full documented schedule posted everywhere so everyone onsite knows what is going on, and when). This also includes everyone involved in Incident and Problem Management processes.
  • The entire IT department, including desktop support, network services, and other operational groups.
  • Change Management.
  • Security services groups, they need to be well informed that this is a planned organizational initiative.

Documentation

Documentation is key to the success of every aspect of the project, including how you plan to deploy the services and agents. Everyone directly involved in the actual deployment, should have documentation that they can reference at all times, eliminating the chance of error.

Documentation regarding the deployment processes needs to be completed during the design phase, and while you are testing the deployment in your test lab facilities. After you have proven the concept and included deployment activities in the design document, you should create a Deployment Assistance Guide that can be used by the individuals who are involved. You might not need to share the entire design document with everyone involved in the deployment of the product. Use your best judgement here.

Final testing

We recommend that you set aside some time before you perform your pilots to further prove your deployment by running some last-minute tests. Allow enough time so that any adjustments can be made and documented prior to deployment.

Perform the test in your lab facilities, using three or four sample workstations with a sample of line-of-business applications installed. This can be a replica of tests done during your full testing phase.

Pilot deployments

The first phase of the actual deployment is the pilots. This is where you deploy ZFDE to those devices that you identified and notified as part of the pilot phase. You are looking for feedback from these individuals, and this can be done through a feedback form, e-mail, or face-to-face meetings.

Do not perform the pilots all at once. Use a rolling approach to this phase. If something goes wrong with the deployment, you want to limit the number of people that are impacted. After you are confident that the deployment is going as planned, you can increase the number of devices you deploy to.

Wider deployment

After you have completed the pilot deployments, you can move on to a wider deployment, continuing to use the deployment plan that you have documented. You should execute against your project plan until you have completed the rollout to all remaining workstations on your network.

Post-Deployment Documentation and Validation

After you have completed the deployment, you should document all steps you took to deploy across your entire infrastructure. We recommend that you do this outside of the project plan, and include this in your documentation repository as either a separate document or as a part of your existing design document.

In addition, you should validate your success as much as possible. This can be done by doing the following:

Perform physical spot checks wherever you can. Interview individuals briefly to see if they are experiencing any issues with the deployment, and more specifically with the addition of ZFDE.

Review error logs in ZENworks Control Center and investigate further from there. Visit workstations to find out more details if necessary.

Monitor Service Desk activity throughout the duration of the deployment phase. Service Desk incidents reveal a lot of information. You are looking for spikes in activity and the details of the individual Service Desk requests.
