Users are not deleted for two main reasons:

- Deleting a user also deletes their encryption key. For users with SKM (Server Key Mode) keys, the private key for a user can be exported from the server by an administrator, and the administrator can set a passphrase at the time of export. It can therefore be used to decrypt items encrypted by a user who has left the organization. Deleting the user means that the user's key would no longer be available. For SCKM (Server Client Key Mode) keys, all except a user's signing key can be exported from the server, and again the administrator can set the passphrase. For GKM (Guarded Key Mode) keys, a copy of a user's private key can be exported from the server, but it will be protected with a passphrase chosen by the user. Hence, if the user has left the organization, this key will probably be of no use. Note that in all cases, if you have configured an ADK (Alternate Decryption Key), it can also be used to decrypt data encrypted by users. However, since the ADK allows any user's data to be decrypted, the private key is not stored on the server. Clearly, the private ADK should be kept in a very secure location, but sometimes the private ADK cannot be located.
- If a machine's WDRT (Whole Disk Recovery Token) is required for a user who has left the organization, it is often easier for an administrator to search for the user name rather than the machine name.

Reasons why you may wish to delete user accounts from Encryption Management Server include the following:

- Licensing - It is easier to track how many user licenses are needed if only active users are listed in the Encryption Management Server management console.
- Performance of the administration console - In very large environments there will be marginal performance improvements when searching for users from the administration console. However, such performance improvements will generally not, by themselves, justify the deletion of user accounts.
- Performance when regrouping against Active Directory - When a user is deleted from Active Directory, Encryption Management Server will search Active Directory unsuccessfully for that user each time it regroups. In a large environment, searching for thousands of users that are not in Active Directory can slow down the regrouping process.
- Backup performance - Having fewer internal users will speed up backups and result in smaller backup sizes in large environments.
- Duplicate email addresses - Encryption Management Server treats the email address as a unique identifier, so it is possible to find cases where a user with a given email address leaves and someone else with the same email address joins the organization. This can cause problems if the original user account is not deleted from Encryption Management Server.

Drive encryption of the C drive does not use PGP keys. Therefore, if a WDRT is needed for a machine whose primary user has been deleted, provided administrators are willing to search by computer name, it is perfectly reasonable to delete drive encryption users who have left the organization. Note that removable drives can be encrypted to a key. For users who encrypt data to their key, more careful consideration will be required. However, this issue should be rare and can be dealt with on a case-by-case basis.

Broadcom can supply a script to generate a report of inactive users and, optionally, delete inactive users. Inactive users are those who:

- Have not contacted the server for N months.

In order to obtain the script, please open a support case.

If you wish only to generate a report, download the file 1631294282085_report_users_not_ from this article and do the following:

1. Use WinSCP to upload the file to the /var/lib/ovid/customization directory on Encryption Management Server.
2. SSH to Encryption Management Server and extract the report_users_not_seen.sh script:
3. Run the script without arguments to get help:
4. Run the script with arguments to generate the /var/lib/ovid/customization/report_users_not_seen.csv file. For example, to capture users not seen by Encryption Management Server in the last 12 months and not found in Active Directory by Encryption Management Server:
   To capture users not seen in 12 months regardless of whether Encryption Management Server found them in Active Directory:
5. Use WinSCP to download the /var/lib/ovid/customization/report_users_not_seen.csv file and import it into Microsoft Excel or similar.
6. Spot-check the records to confirm that they match your expectations.

We have been working with Symantec to try to help them fix this since our initial private disclosure in July 2017 (full timeline at the end of this article); however, no patch has yet been released. Note: These vulnerabilities remain unpatched at the point of publication.